Do you know who has access to your computer? Many agencies and corporations spend a majority of their budgets on new technological security software gimmicks while forgetting the human factor. Personnel security must be included as an integral part of information security. All of the technological safeguards are meaningless if the “fox is already in the hen house”.
We have all heard stories of moles inside the FBI, CIA and other public enterprises, where the consequences were the compromise of classified information or trade secrets. This may lead you to think that even the most thorough, in-depth personnel checks are not infallible, and you would be right. But just imagine how many more moles, and a correspondingly higher number of incidents, there would be without such checks. Sacrificing the basic principles of personnel security listed below can lead to the compromise of what you may think is the most secure information system. You should encourage your organization to make the human factor its number ONE security priority.
- Conduct pre-employment background checks.
- Create access barriers to computers and related support systems.
- Establish emphatic policies regarding protection/secrecy of individually assigned passwords (this should be as common as buckling your seat belt).
- Implement methods of verification for visiting IT installation and maintenance personnel.
- Provide shredders and mandate timely use. Don’t leave discarded paper unattended until an office employee conducts the necessary shredding or the shredder service shows up once a week.
- Allow cleaning personnel to work only during duty hours. Most “clean desk policies” go unchecked, and any documents with sensitive information or personal identifying information (PII) become susceptible to compromise. Cleaning personnel can also become facilitators, providing access to a third party.
- Ensure that terminated and suspended employees are escorted immediately from the premises and that their computer access is stopped.
Sharing your own experiences with personnel security, the human factor, is tantamount to enhancing security practices for all of us. Please share!