Read the book You CAN Stop Stupid - Ira Winkler - Page 54

Personnel Vulnerabilities

Personnel vulnerabilities are vulnerabilities in the hiring, management, and termination of personnel involved with the organization. Obviously, you want to hire law-abiding and ethical employees. However, hiring processes frequently are flawed. Poor background checks can let people slip through the cracks. Even when there are processes in place, they are sometimes ignored.

Such was the case with Edward Snowden. Snowden resigned from the CIA in anticipation of being fired due to a variety of troubles. However, he was able to obtain a job as an NSA contractor, because USIS, the company responsible for performing his background check, did not interview Snowden's CIA co-workers, who would have disclosed his questionable activities.

Personnel vulnerabilities extend beyond hiring and into the day-to-day management of employees. Some organizations fail to review employees on a regular basis and fail to take action when warranted. Chelsea Manning reportedly had violent confrontations with her parents before enlisting in the U.S. Army, which included threatening her stepmother with a knife. Before Manning stole classified information, she was involved in several incidents, including assaulting a supervisor and sending an email to superiors that literally stated she was emotionally troubled. There should have been adequate enforcement of policies in place so that these incidents would have resulted in rescinding access to classified information long before she stole it.

Most environments do not typically see behaviors and circumstances as egregious as those of Manning and Snowden. However, there is a great deal of mismanagement of employees who give signs of concern. While you do not want to overreact to less-than-ideal circumstances and behaviors, you do not want to let them go unexamined. It is important to have policies and procedures in place to govern personnel vulnerabilities, and these should be driven by the balance of your risk equation.

Similarly, there needs to be a process when people leave an organization, regardless of whether they are fired or leave voluntarily. When people depart, they frequently take information with them. They can also cause other damage. There need to be specific processes implemented for employee separation.

You also need to have criteria for anyone else with access to your organization. Contractors, vendors, temporary employees, and any other individuals who have any involvement with sensitive processes or data, or might be able to create loss, represent the same potential vulnerability as your employees.

Much as with operational vulnerabilities, poor governance and its implementation are significant vulnerabilities with regard to the management of personnel.
