Personnel Security Practices and Procedures
What it means: This is all about making sure that the people (employees, contractors, technicians, etc.) who have access to a system or data have been vetted, are trustworthy, and understand their responsibilities. People are often the weakest link in security, so these controls matter as much as the technical ones.
Access Authorization / Verification (Need-to-Know)
- Access Authorization: A formal decision, by the owner of the data or system, that a person may access it.
- Verification: Confirming, before access is granted, that the person is who they claim to be and that their authorization is still valid (for example, that they have not changed role or left).
- Need-to-Know: Only give access to the information a person really needs to do their job, even if they would otherwise be cleared for more.
Example: A software developer should not have access to payroll files.
Contractors
- Contractors are third parties who work for the company temporarily or for a specific task.
- They must follow the same security rules as full-time employees.
- Their access should be limited to the task, time-bound (ending with the contract), and regularly reviewed.
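The need-to-know rule above and the contractor rules (limited, time-bound, regularly reviewed access) can be expressed as a single authorization check. The following is an added example written for these notes, not code from any real access-control product: the roles, resources, people and the 90-day review interval are all made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, List, Tuple

# Constructed example entitlements: which role has a need-to-know for which
# resource. A developer has no business reason to see payroll files.
ROLE_ENTITLEMENTS = {
    "developer": {"source-repo", "build-server"},
    "payroll-clerk": {"payroll-files"},
    "it-admin": {"source-repo", "build-server", "payroll-files", "hr-db"},
}

# Assumed policy value: contractor access must be re-reviewed every 90 days.
REVIEW_INTERVAL_DAYS = 90


@dataclass
class Person:
    name: str
    role: str
    contractor: bool = False
    contract_end: Optional[date] = None        # only meaningful for contractors
    last_access_review: Optional[date] = None  # date of the last manager review


def is_authorized(person: Person, resource: str, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason).

    Need-to-know: the person's role must carry an entitlement for the resource.
    Contractors must additionally still be inside their contract period and
    have had their access reviewed within REVIEW_INTERVAL_DAYS.
    """
    if resource not in ROLE_ENTITLEMENTS.get(person.role, set()):
        return False, f"{person.role} has no need-to-know for {resource}"
    if person.contractor:
        if person.contract_end is None or today > person.contract_end:
            return False, "contract expired or has no end date"
        if (person.last_access_review is None
                or (today - person.last_access_review).days > REVIEW_INTERVAL_DAYS):
            return False, "contractor access review overdue"
    return True, "authorized"


def stale_contractor_access(people: List[Person], today: date) -> List[str]:
    """Names of contractors whose access should be removed or re-reviewed:
    contract ended, no end date recorded, or review older than the interval."""
    stale = []
    for p in people:
        if not p.contractor:
            continue
        expired = p.contract_end is None or today > p.contract_end
        overdue = (p.last_access_review is None
                   or (today - p.last_access_review).days > REVIEW_INTERVAL_DAYS)
        if expired or overdue:
            stale.append(p.name)
    return stale


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed "current" date
    alice = Person("alice", "developer")
    carol = Person("carol", "payroll-clerk", contractor=True,
                   contract_end=date(2024, 3, 31), last_access_review=date(2024, 3, 1))
    print(is_authorized(alice, "payroll-files", today))   # developer, no need-to-know
    print(is_authorized(carol, "payroll-files", today))   # right role, but contract over
    print(stale_contractor_access([alice, carol], today))
```

The check deliberately evaluates need-to-know first: a contractor with a valid contract still gets nothing outside their role, and the periodic review list is what an access-review meeting would work through.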
Employee Clearances
- Some employees may need security clearance before accessing sensitive information.
- Clearance means a background check (identity, employment history, criminal record, references, as applicable) has been completed so the person can be trusted with that level of information.
Position Sensitivity
- Every job is given a sensitivity level (low, medium, high) based on how much access it has to sensitive data and how much harm the holder could do with it.
Example: An IT admin has a high-sensitivity position.
- The higher the sensitivity, the stricter the screening, access and monitoring rules that apply.
Security Training and Awareness
- Employees must be trained in security practices:
- How to create strong passwords
- How to avoid phishing emails
- What to do if they notice suspicious activity
- Regular awareness sessions help employees stay alert and responsible.
Systems Maintenance Personnel
- These are the people who repair or maintain hardware/software.
- Since they often have deep, privileged access to systems, they need special training and their work should be supervised and logged.
- Example: A technician updating server software should not read or copy sensitive files unrelated to the job.
Auditing and Monitoring
What it means: Auditing and monitoring are about keeping an eye on systems and people to make sure security policies are working and detecting if anything goes wrong.
Conducting Security Reviews
- Regular checks of the entire system to see:
- Are security rules being followed?
- Are there any weak points in the system?
- It helps find and fix problems before attackers find and exploit them.
Effectiveness of Security Programs
- Check whether the current security measures (like firewalls, access control, training) are doing their job properly.
- If not effective, they must be improved or changed.
Investigation of Security Breaches
- If a security incident happens (such as an intrusion or data theft), an investigation is carried out to establish:
- What happened
- Who was responsible
- How it happened
- What damage was done
- The findings are used to prevent similar incidents in the future.
Privacy Review of Accountability Controls
- Accountability controls keep track of who did what on the system.
- A privacy review uses those records to check that personal data is being accessed only by authorized persons, for legitimate purposes, and that no misuse is happening.
Review of Audit Trails and Logs
- Audit Trails and Logs record user activities like:
- Logins
- File access
- Changes made to the system
- Reviewing these logs helps:
- Detect unusual activity
- Identify potential security threats
- Find out if someone broke the rules
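A review of audit trails and logs is usually automated as a set of rules run over the records. The following is an added example for these notes (not code from the original page or from any real logging product): it parses a small constructed audit trail and applies four checks that correspond to the points above, including the privacy review of who touched personal data. The log format, usernames, paths and the "business hours" window are all assumptions made up for the example; real logs (auditd, the Windows Security log, application logs) each need their own parser.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit trail in a simple key=value format (not real data).
SAMPLE_LOG = """\
2024-06-03T09:02:11 user=alice action=login result=success src=10.0.1.20
2024-06-03T09:05:40 user=alice action=file_access path=/repos/app result=success
2024-06-03T09:06:02 user=alice action=file_access path=/hr/payroll.xlsx result=success
2024-06-03T12:30:01 user=bob action=config_change target=sshd_config result=success
2024-06-03T23:41:17 user=carol action=login result=success src=203.0.113.5
2024-06-03T23:45:09 user=carol action=file_access path=/hr/payroll.xlsx result=success
2024-06-04T03:10:01 user=dave action=login result=failure src=198.51.100.7
2024-06-04T03:10:14 user=dave action=login result=failure src=198.51.100.7
2024-06-04T03:10:29 user=dave action=login result=failure src=198.51.100.7
2024-06-04T03:10:44 user=dave action=login result=failure src=198.51.100.7
"""

# Assumed need-to-know list for personal data: only the payroll clerk (carol)
# may read anything under /hr/. This is the input to the privacy review.
SENSITIVE_PATH_PREFIXES = ("/hr/",)
AUTHORIZED_FOR_SENSITIVE = {"carol"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(pair.split("=", 1) for pair in m.group("kv").split())
    event["ts"] = datetime.fromisoformat(m.group("ts"))
    return event


def review_audit_trail(log_text, failure_threshold=3,
                       window=timedelta(minutes=5), business_hours=(8, 18)):
    """Return a list of (rule, user, detail) findings for a human reviewer."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []

    # Rule 1 (privacy review): personal data read by someone without need-to-know.
    for e in events:
        if (e.get("action") == "file_access"
                and e["path"].startswith(SENSITIVE_PATH_PREFIXES)
                and e["user"] not in AUTHORIZED_FOR_SENSITIVE):
            findings.append(("unauthorized_sensitive_access", e["user"], e["path"]))

    # Rule 2: burst of failed logins for one account (possible password guessing).
    failures = {}
    for e in events:
        if e.get("action") == "login" and e.get("result") == "failure":
            failures.setdefault(e["user"], []).append(e["ts"])
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - failure_threshold + 1):
            if times[i + failure_threshold - 1] - times[i] <= window:
                findings.append(("failed_login_burst", user,
                                 f"{failure_threshold}+ failures within {window}"))
                break

    # Rule 3: successful activity outside business hours (unusual, not necessarily bad).
    start, end = business_hours
    for e in events:
        if e.get("result") == "success" and not (start <= e["ts"].hour < end):
            findings.append(("off_hours_activity", e["user"],
                             f"{e['action']} at {e['ts'].isoformat()}"))

    # Rule 4: every change to the system is listed so a reviewer can confirm it was approved.
    for e in events:
        if e.get("action") == "config_change":
            findings.append(("system_change", e["user"], e.get("target", "?")))

    return findings


if __name__ == "__main__":
    for rule, user, detail in review_audit_trail(SAMPLE_LOG):
        print(f"{rule:30} {user:8} {detail}")
```

On the sample trail this flags alice (a developer) reading the payroll file, dave's four failed logins in under a minute, carol's late-night session, and bob's sshd_config change for approval. Rule 1 is the piece that connects the log review back to the access decisions: the same need-to-know list used to grant access is used afterwards to check that access actually stayed within it.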