People Controls: Enhancing Cybersecurity Through Effective Personnel Management

In Lecture 14, we focus on the “people controls” specified in ISO/IEC 27002. Despite being the smallest set of controls, containing just eight, these controls are crucial due to the significant role humans play in cybersecurity. This article provides a detailed breakdown of key points discussed, emphasizing the importance of people controls and their implementation.

Key Concepts

People Controls

Definition: Measures related to the management and training of individuals to ensure they understand and comply with security policies.

Importance: Human beings are often the weakest link in cybersecurity, making people controls essential for maintaining security.

ISO/IEC 27002 Categories

People Controls: Eight controls covering various aspects related to personnel management, training, and awareness.

Detailed Breakdown

Screening and Responsibilities After Termination or Change of Employment

Screening Control:

  • Definition: Background verification checks on all candidates should be carried out prior to joining the organization and on an ongoing basis.
  • Guidance: Checks could include references, CV verification, qualifications, identity, credit checks, and criminal record reviews.

Responsibilities After Termination or Change of Employment:

  • Definition: Defining and enforcing information security responsibilities and duties that remain valid after termination or change of employment.
  • Guidance: Covers continued confidentiality of information, handling of intellectual property, and any obligations set out in confidentiality agreements that survive the end of employment.

Terms and Conditions of Employment

Control Description: Employment contracts should state both the personnel’s and the organization’s responsibilities for information security.

Key Points:

  • Security-Specific Points: Contracts should include confidentiality agreements, legal responsibilities, information classification responsibilities, and actions for policy breaches.

Disciplinary Process

Control Description: A formalized and communicated process to take actions against personnel who have violated information security policies.

Consideration: Overemphasizing punishment can damage trust and may discourage staff from reporting errors, which could be catastrophic for security.

Confidentiality or Non-Disclosure Agreements

Control Description: Confidentiality agreements reflecting the organization’s needs for information protection should be identified, documented, regularly reviewed, and signed.

Guidance: Ensure regular reviews and updates to reflect current needs and regulations.

Information Security Awareness, Education, and Training

Control Description: Staff should receive appropriate information security awareness, education, training, and regular updates relevant to their job functions.

Guidance:

  • Program Establishment: Align training programs with organizational policies and procedures.
  • Awareness Activities: Use diverse channels like campaigns, newsletters, briefings, and emails.
  • Focus on Why: Emphasize the importance of cybersecurity and the impact of staff behavior.

Remote Working

Control Description: Security measures should be implemented to protect information accessed, processed, or stored outside the organization’s premises.

Guidance: Establish specific security policies for remote working, covering all necessary topics and measures.

Information Security Event Reporting

Control Description: Provide a mechanism for personnel to report observed or suspected information security events promptly.

Guidance: Ensure the reporting mechanism is easy to access and available whenever it is needed. Staff should know the reporting procedures and the points of contact to use.

Practical Applications

Screening and Termination Responsibilities

Scenario: A company needs to ensure that new hires are trustworthy and that departing employees do not compromise security.

Actions:

  • Screening: Conduct background checks including criminal records, references, and qualifications.
  • Termination Procedures: Clearly define post-employment responsibilities in the employment contract, such as maintaining confidentiality and handling intellectual property.

Implementing Security Awareness Programs

Scenario: An organization wants to enhance its staff’s awareness of cybersecurity risks.

Actions:

  • Develop Training Programs: Create comprehensive training programs aligned with the organization’s security policies.
  • Regular Updates: Provide regular updates and refresher courses on new threats and best practices.
  • Diverse Channels: Use multiple communication channels to disseminate information and maintain high levels of awareness.

Managing Remote Work Security

Scenario: A company allows employees to work from home and needs to secure remote access.

Actions:

  • Remote Work Policy: Develop and enforce a security policy specifically for remote working.
  • Security Measures: Implement VPNs, two-factor authentication, and regular updates for remote access systems.
  • Employee Training: Train employees on secure practices for remote working.

Relevant Standards and Publications

ISO/IEC 27002

Standard: ISO/IEC 27002 provides guidelines for implementing security controls to protect information assets.

Clauses to Review:

  • Clause 5.1: Security policies.
  • Clause 5.2: Organizational roles and responsibilities.
  • Clause 8: Technological controls.

NIST Special Publication 800-53

Document: National Institute of Standards and Technology. Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication 800-53 (Rev 5), 2020.

Chapter to Review: Chapter 2 (pp. 7–15) for an overview of security controls, including those for protecting information processing resources.

Book References for Further Reading

  1. “Information Security Management Principles” by Andy Taylor, David Alexander, Amanda Finch, and David Sutton
    • Provides a foundational understanding of information security management, including measures to implement people controls effectively.
  2. “Security Risk Management: Building an Information Security Risk Management Program from the Ground Up” by Evan Wheeler
    • Discusses practical approaches to managing security risks, integrating broader principles that complement the implementation of people controls.
  3. “Cybersecurity and Cyberwar: What Everyone Needs to Know” by P.W. Singer and Allan Friedman
    • Offers a broader context for understanding cybersecurity principles, including the various types of people controls and how to implement them.
  4. “Network Security Essentials: Applications and Standards” by William Stallings
    • Covers key concepts in network security, including methods to implement and manage people controls effectively.

Summary

Lecture 14 emphasizes the importance of implementing people controls to maintain cybersecurity within an organization. These controls include screening and responsibilities after termination, terms and conditions of employment, disciplinary processes, confidentiality agreements, security awareness, remote working, and event reporting. The ISO/IEC 27002 standard provides detailed guidance on these controls, which are essential for managing the human element in cybersecurity. The recommended books and standards offer further insights and practical guidance on implementing these controls within an organizational context.
