Unit 4
Personnel Security Practices and Procedures
Personnel security is a foundational element of organizational security. It focuses on reducing human-related risks such as insider threats, negligence, or social engineering attacks.
1. Access Authorization and Verification (Need-to-Know Principle)
This ensures controlled access to sensitive resources.
Key Concepts:
• Role-Based Access Control (RBAC): Access is granted based on job role.
• Least Privilege Principle: Users receive the minimum access necessary to perform tasks.
• Access Verification Techniques:
    o Two-factor/multi-factor authentication (2FA/MFA)
    o Smart cards, biometrics
    o Periodic review of access rights
Example in Practice:
In a bank, only branch managers can authorize high-value transactions, while tellers have limits. Access to the transaction approval system is restricted to them.
2. Contractors
External personnel like consultants or vendors may temporarily work with an organization.
Risks:
• Less organizational loyalty
• May bring infected devices or software
• May access confidential data and leave without accountability
Security Measures:
• Temporary and role-limited access
• Dedicated contractor systems/networks
• Contractor logs and activity monitoring
• Exit clearance when contract ends
Real-Life Scenario:
In 2013, Edward Snowden, a contractor for the NSA, leaked classified information due to inadequate monitoring and excessive access rights.
3. Employee Clearances
Security clearances align with the sensitivity of the data or systems handled.
Levels of Clearance:
• Public Trust: For non-sensitive positions
• Confidential: Basic sensitive info
• Secret/Top Secret: National security-related or highly sensitive operations
Clearance Process:
• Background verification (criminal, employment, education)
• Psychological evaluations (for high clearance)
• Revalidation every few years
Key Point:
High-clearance roles are audited more frequently and monitored closely.
4. Position Sensitivity
Risk analysis of a job role determines how much security scrutiny it requires.
Factors Considered:
• System/data access level
• Financial transaction power
• Decision-making authority
Example:
A payroll officer has moderate sensitivity, while a cybersecurity analyst in a defense firm has high sensitivity.
5. Security Training and Awareness
Most cyber-attacks succeed due to human error or negligence.
Training Topics:
• Data protection laws (e.g., GDPR, HIPAA)
• Email and link phishing identification
• Device security and secure browsing
• Incident reporting procedures
Awareness Methods:
• Monthly newsletters
• Security posters in offices
• Simulation drills (e.g., mock phishing emails)
Real-World Example:
In a 2021 case, attackers sent a phishing email that successfully tricked employees into revealing login credentials. Post-incident training was made mandatory.
6. Systems Maintenance Personnel
These include:
• System administrators
• IT support staff
• Software patch managers
Unique Challenges:
• Elevated access (often full control)
• Ability to install/uninstall software
• Ability to change configurations that affect all users
Controls:
• Assign tasks to multiple people (separation of duties)
• Maintain detailed audit logs
• Conduct exit interviews and ensure immediate revocation of access
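The following is an added illustration, not part of the original notes, showing how the personnel controls from sections 1, 2 and 6 look when written down as an authorization check: role-based access with least privilege (the bank example, where tellers have a limit and managers do not), time-limited contractor accounts that are treated as revoked after the contract end date, separation of duties so that the person who requests a change cannot approve it, and a periodic access review that flags stale or expired rights. All role names, users, limits and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Role definitions (constructed). Each role carries only the permissions it needs,
# and "limit" caps the transaction amount the role may authorize on its own:
# None means no cap; roles with no financial duty have no authorize permission at all.
ROLES = {
    "teller":         {"perms": {"view_account", "authorize_transaction"}, "limit": 5_000},
    "branch_manager": {"perms": {"view_account", "authorize_transaction"}, "limit": None},
    "contractor":     {"perms": {"view_tickets"},                          "limit": 0},
    "sysadmin":       {"perms": {"request_change", "approve_change"},      "limit": 0},
}


@dataclass
class User:
    name: str
    role: str
    last_reviewed: date              # when this user's rights were last re-certified
    expires: Optional[date] = None   # contractors get a contract end date; staff do not


def is_active(user: User, today: date) -> bool:
    """Temporary access: an account past its contract end date counts as revoked."""
    return user.role in ROLES and (user.expires is None or today <= user.expires)


def has_permission(user: User, perm: str, today: date) -> bool:
    """Need-to-know: only permissions attached to the user's role are granted."""
    return is_active(user, today) and perm in ROLES[user.role]["perms"]


def can_authorize_transaction(user: User, amount: float, today: date) -> bool:
    """Least privilege in the bank example: tellers up to their limit, managers unlimited."""
    if not has_permission(user, "authorize_transaction", today):
        return False
    limit = ROLES[user.role]["limit"]
    return limit is None or amount <= limit


def can_approve_change(requester: User, approver: User, today: date) -> bool:
    """Separation of duties: whoever requested a change may not be the one approving it."""
    if requester.name == approver.name:
        return False
    return has_permission(approver, "approve_change", today)


def access_review_findings(users: List[User], today: date,
                           max_age_days: int = 90) -> List[Tuple[str, str]]:
    """Periodic review of access rights: report expired accounts that are still
    provisioned and accounts whose rights were not re-certified within max_age_days."""
    findings = []
    for u in users:
        if u.expires is not None and today > u.expires:
            findings.append((u.name, "expired account still provisioned"))
        elif today - u.last_reviewed > timedelta(days=max_age_days):
            findings.append((u.name, "access rights overdue for review"))
    return findings


if __name__ == "__main__":
    today = date(2024, 6, 1)
    teller = User("asha", "teller", last_reviewed=date(2024, 5, 1))
    manager = User("ravi", "branch_manager", last_reviewed=date(2024, 5, 1))
    vendor = User("acme-tech", "contractor", last_reviewed=date(2024, 1, 10),
                  expires=date(2024, 3, 31))
    print(can_authorize_transaction(teller, 2_000, today))     # within the teller limit
    print(can_authorize_transaction(teller, 25_000, today))    # needs a manager
    print(can_authorize_transaction(manager, 25_000, today))
    print(access_review_findings([teller, manager, vendor], today))
```

The review function deliberately reports an expired account even when its rights were recently re-certified: exit clearance means the account should no longer exist, regardless of how recently it was reviewed.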
Auditing and Monitoring
Auditing and monitoring enhance transparency, accountability, and proactive threat detection in organizations.
1. Conducting Security Reviews
Review Types:
• Physical Security Reviews: Are server rooms secure? Are entry logs maintained?
• Technical Reviews: Are firewalls, antivirus, and IDS working properly?
• Policy Reviews: Are current security policies still effective and compliant?
Frequency:
• Scheduled (e.g., quarterly)
• Triggered by changes (e.g., after a cyberattack or system upgrade)
2. Effectiveness of Security Programs
Simply implementing a security solution is not enough — evaluating its effectiveness is crucial.
Metrics Used:
• Number of security incidents detected
• Employee response rate to phishing drills
• Average time to detect and respond to a breach
Example:
An organization runs a simulation where a USB labeled “confidential” is dropped in the parking lot. If staff plug it in, training is re-evaluated.
3. Investigation of Security Breaches
A forensic and legal process, critical for identifying cause, accountability, and impact.
Steps:
1. Detection – IDS alerts, logs
2. Containment – Disconnecting affected systems
3. Analysis – Reviewing logs, interviewing users
4. Eradication – Removing malware or threats
5. Recovery – Restoring systems
6. Lessons Learned – Updating procedures and training
Tools Used:
• SIEM (Security Information and Event Management)
• Digital forensics software (FTK, EnCase)
4. Privacy Review of Accountability Controls
Ensures individuals’ data is processed legally and securely.
Activities:
• Assess access control policies for personal data
• Review consent mechanisms
• Verify encryption of sensitive data in storage and transit
Example:
Under GDPR, companies must be able to show who accessed personal data, when, and why.
5. Review of Audit Trails and Logs
Logs are a timeline of events in the system — invaluable during audits and investigations.
Types of Logs:
• System Logs: Logins, logouts, file changes
• Application Logs: Software use and errors
• Network Logs: IP addresses, connection attempts
• Security Logs: Intrusion attempts, antivirus activity
Good Practices:
• Logs should be protected from alteration
• Retained as per legal/compliance rules (e.g., 3–7 years)
• Integrated into SIEM for real-time analysis
Real-Life Relevance:
A bank detects a late-night login from a country where it doesn’t operate. Logs confirm unauthorized access and trigger an investigation. The attack is mitigated before funds are compromised.
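As an added example (not part of the original notes), the following code shows two of the good practices above in working form: protecting logs from alteration by chaining each entry to the previous one with a hash, so that an edited or deleted entry is detected during review, and the kind of rule that catches the late-night login from a country where the bank does not operate. The log entries, the set of operating countries, the business hours and the country code "ZZ" are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime
from typing import List, Tuple

OPERATING_COUNTRIES = {"IN", "SG"}   # constructed: countries where this bank has a presence
BUSINESS_HOURS = range(7, 21)        # constructed: 07:00-20:59 local time counts as working hours
GENESIS = "0" * 64                   # previous-hash value for the very first entry


def chain_hash(prev_hash: str, entry: dict) -> str:
    """Hash of this entry together with the previous entry's hash. Changing or
    removing any earlier entry changes every hash that follows it."""
    payload = prev_hash + json.dumps(entry, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(log: list, entry: dict) -> None:
    """Append an event to the chained log."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "hash": chain_hash(prev, entry)})


def verify_chain(log: list) -> int:
    """Return the index of the first record whose hash does not match, or -1 if intact."""
    prev = GENESIS
    for i, record in enumerate(log):
        if chain_hash(prev, record["entry"]) != record["hash"]:
            return i
        prev = record["hash"]
    return -1


def suspicious_logins(log: list) -> List[Tuple[str, str, List[str]]]:
    """Review rule: successful logins from outside the operating countries or
    outside business hours are reported with the reasons that triggered them."""
    findings = []
    for record in log:
        e = record["entry"]
        if e["event"] != "login" or e["result"] != "success":
            continue
        reasons = []
        if e["country"] not in OPERATING_COUNTRIES:
            reasons.append("country outside operations")
        if datetime.fromisoformat(e["time"]).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append((e["user"], e["time"], reasons))
    return findings


# Constructed sample events: two normal daytime events, then a 02:17 login
# from "ZZ" (a made-up country code) followed by a transfer.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T09:15:00", "user": "ravi", "event": "login",
     "result": "success", "country": "IN"},
    {"time": "2024-03-04T14:02:00", "user": "asha", "event": "login",
     "result": "failure", "country": "IN"},
    {"time": "2024-03-05T02:17:00", "user": "asha", "event": "login",
     "result": "success", "country": "ZZ"},
    {"time": "2024-03-05T02:20:00", "user": "asha", "event": "transfer",
     "result": "success", "country": "ZZ"},
]


def build_sample_log() -> list:
    log: list = []
    for event in SAMPLE_EVENTS:
        append_entry(log, event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log) == -1)
    print("findings:", suspicious_logins(log))
    log[2]["entry"]["country"] = "IN"          # an attacker rewrites the origin country
    print("first altered record:", verify_chain(log))
```

The hash chain only proves that the log has not changed since it was written; the chain head (the last hash) still needs to be stored somewhere the system being audited cannot reach, such as the SIEM mentioned above, otherwise an attacker with write access can simply recompute the chain.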