In the article on Security Organization Management, we discussed the importance of assigning the responsibility of day-to-day information security tasks to a person (or ideally, to a team of people). But how do you know when you’ve found the right person for the job? An important first step is to document your information security job descriptions.
In my experience, there are three (3) types of information security professionals:
The people-oriented security professional is your security team manager. This is the individual who can speak both the language of business and the language of security, and who will be tasked with understanding and driving everything that falls under Security Organization Management.
The process-oriented security professionals are your security “accountants.” These team members have a blend of business and technical skills, and they thrive on understanding policies, procedures, standards, and business flows. They will be tasked with risk management, HR security, business continuity, security incident management, compliance, and policy.
The technology-oriented security professionals are your geeks. These are the sys admins who love rolling up their sleeves and diving into the tech while remaining active in professional groups like ISSA, InfraGard, and OWASP. They will be tasked with physical security (particularly if you have electronic locks and/or access control systems), asset management, security operations, and security systems administration.
Keep in mind that the security professionals you hire are going to have access to some very sensitive information. Come to think of it, chances are that your current HR, finance, and help desk employees already have access to even more sensitive data than the security team ever will. How do you know that you’re putting trustworthy individuals in these positions?
Background checks are one way to answer that question. A basic background check verifies education, driving, and criminal records. If you need to dig deeper, you can add credit checks and credential verification (certifications and licenses the candidate claims to hold). You don’t need to run background checks on everyone in the organization, but you should run them on anyone who will access personally identifiable information (PII), electronic protected health information (ePHI), or payment card data (the cardholder data that PCI DSS governs). Confirm what your local employment law permits before adding credit or criminal checks, and apply the same screening to contractors who will receive the same access.
You can also institute a non-disclosure agreement (NDA) for both employees and non-employees. Document your definition of sensitive information (as it pertains to your organization), and then set clear expectations around how that data is to be handled. In addition to being legally binding, NDAs are especially useful when you engage in business with third parties who may not be fully aware of your internal policies.
Speaking of which, security awareness training is another critical HR security control. If you truly want your employees to handle sensitive data properly, teach them how to do so. Keep in mind that this training doesn’t need to adhere to older models of boring computer-based training modules or all day lectures. You can also offer this training through games, animations, and short online videos.
Remember: your security awareness training should be aligned with your internal policies. An unfortunate necessity for those policies is the inclusion of the phrase, “up to and including termination.” At some point, you may need to dismiss an employee for violating company policy. By documenting your disciplinary procedures ahead of time, you’ll make it a little easier to cross that bridge when you come to it. Keep in mind, though, that enforcing policy isn’t about following rules for their own sake. It’s about protecting your people and your business.
Although we’ll touch on access management in detail in a future article, there are two (2) critical access management controls that are essential to effective HR security management. One is to review employee access rights regularly. For everyone who can reach sensitive data, confirm that the access was requested and approved through your documented process; if it wasn’t, either remove the access or put the person through that process so the access becomes legitimate. The same review is where you catch accounts with no current employee behind them and access that was granted for a role the person no longer holds. The other is to document your access termination procedure, so that when someone leaves, every account they held (internal systems, remote access, cloud and third-party services) is disabled on a known schedule rather than whenever someone happens to remember. We touched on this subject in the article on Policy Management, and we’ll mention it again in future articles and blog posts. It’s that important.
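The access review described above is easy to describe and easy to skip when it is done by hand. As an added illustration (not tooling from this post or from Infosec Simplified), the script below reconciles three exports a small business can usually produce: the HR roster, the list of directory accounts with their group memberships, and the register of approved sensitive-data access. It flags four things a reviewer wants to see: accounts for people HR says have left, accounts with no employee behind them at all, sensitive group membership that was never approved, and accounts nobody has used in 90 days. The group names, the 90-day dormancy threshold and the sample records are all assumptions constructed for the example.

```python
"""Periodic access-rights review: reconcile directory accounts against the
HR roster and the approved-access register.

Added example for this post, not the author's own tooling. The record
layouts, group names and 90-day threshold are assumptions; the sample
records at the bottom are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Set, Tuple

# Assumed group names that grant access to PII, ePHI and cardholder data.
SENSITIVE_GROUPS = {"pii-readers", "ephi-readers", "cardholder-data"}
# Assumed threshold after which an unused account is reported as dormant.
DORMANT_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Employee:
    username: str
    status: str                      # "active" or "terminated", as exported from HR
    end_date: Optional[date] = None  # last day, for terminated employees


@dataclass(frozen=True)
class Account:
    username: str
    groups: FrozenSet[str]
    last_login: Optional[date]       # None means the account has never logged in


@dataclass
class Findings:
    overdue_removal: List[Tuple[str, Optional[date]]] = field(default_factory=list)  # left, still has an account
    orphaned: List[str] = field(default_factory=list)                               # no employee record at all
    unapproved: List[Tuple[str, str]] = field(default_factory=list)                 # sensitive group, no approval
    dormant: List[str] = field(default_factory=list)                                # unused for DORMANT_AFTER

    def is_clean(self) -> bool:
        return not (self.overdue_removal or self.orphaned or self.unapproved or self.dormant)


def review_access(roster: List[Employee], accounts: List[Account],
                  approvals: Set[Tuple[str, str]], today: date) -> Findings:
    """Compare every account against HR status and the approval register."""
    active = {e.username for e in roster if e.status == "active"}
    terminated = {e.username: e.end_date for e in roster if e.status == "terminated"}
    findings = Findings()

    for acct in accounts:
        # A terminated employee's account should already be gone: report the
        # whole account for removal and skip the finer-grained checks.
        if acct.username in terminated:
            findings.overdue_removal.append((acct.username, terminated[acct.username]))
            continue
        # An account with no HR record is either a service account that needs a
        # named owner or a leftover nobody is accountable for.
        if acct.username not in active:
            findings.orphaned.append(acct.username)

        # Sensitive access must trace back to a recorded approval.
        for group in sorted(acct.groups & SENSITIVE_GROUPS):
            if (acct.username, group) not in approvals:
                findings.unapproved.append((acct.username, group))

        # Accounts nobody uses are the ones nobody will notice being abused.
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.dormant.append(acct.username)

    return findings


# --- constructed sample exports -------------------------------------------
TODAY = date(2024, 6, 30)
ROSTER = [
    Employee("alice", "active"),
    Employee("bob", "active"),
    Employee("carol", "terminated", end_date=date(2024, 5, 15)),
]
ACCOUNTS = [
    Account("alice", frozenset({"staff", "pii-readers"}), date(2024, 6, 28)),
    Account("bob", frozenset({"staff", "cardholder-data"}), date(2024, 2, 1)),
    Account("carol", frozenset({"staff", "ephi-readers"}), date(2024, 5, 14)),
    Account("svc-backup", frozenset({"staff"}), None),
]
APPROVALS = {("alice", "pii-readers")}   # bob's cardholder-data access was never signed off

if __name__ == "__main__":
    result = review_access(ROSTER, ACCOUNTS, APPROVALS, TODAY)
    for user, end in result.overdue_removal:
        print(f"REMOVE    {user}: left on {end}, account still exists")
    for user in result.orphaned:
        print(f"ORPHANED  {user}: no employee record; assign an owner or disable")
    for user, group in result.unapproved:
        print(f"UNAPPROVED {user}: in {group} without a recorded approval")
    for user in result.dormant:
        print(f"DORMANT   {user}: no login in {DORMANT_AFTER.days} days")
```

Run it against real exports by replacing the three constructed lists; the findings map directly onto the actions in the post: remove the access, or route it back through the approval process so it becomes legitimate.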
To recap, every business owner should do the following:
- Document information security job descriptions
- Perform background checks
- Document a non-disclosure agreement
- Provide security awareness training
- Document your disciplinary procedures
- Regularly review employee access rights
- Document your access termination procedure
Need more information on information security basics for small and medium-sized businesses? Head on over to Infosec Simplified.