Read the book You CAN Stop Stupid - Ira Winkler - Page 64

Personnel Countermeasures


Personnel countermeasures are those that deal with the hiring, managing, and firing of people. We specifically say "people" and not "employees" because this applies to everyone, including customers, business partners, and any and all users. Anyone with access to your facilities and information needs to be considered a potential threat and should be subject to these countermeasures.

Applying requirements to people who are paying you, and whom you technically serve, is a sensitive matter, but you have to at least limit their access to only the functions they require. You may also need to audit those customers and potentially pursue penalties against them. Such was the case when Cambridge Analytica violated Facebook's policies on the use of Facebook users' information by misrepresenting to users the scope and use of the information it collected.

When you hire or otherwise bring someone into your organization, countermeasures include background checks and a consistent process for having people sign the appropriate agreements and making them aware of their responsibilities. Background checks should ideally include criminal and financial checks, as well as confirmation of stated employment and educational histories. When possible, this also includes talking to past employers to ensure there were no concerns. This again is where Snowden's background check failed.

Countermeasures for personnel vary depending on the nature of your organization. In high-security environments, they may include periodic refreshes of background and criminal records checks. Incidents should be tracked to ensure that there are no patterns of concerning behavior. There should also be periodic training and reinforcement of employee responsibilities. In major financial organizations, it is common practice to force employees to take a two-week vacation. During that vacation, teams are in place to go through all of the absent employee's business functions, financial transactions, records, and so on, to ensure there are no concerning behaviors or actions.

During separation, there should be established processes for people's departure. These should include a review of their information access, of the equipment in their possession, and of any other concerns. When possible, there should be a review of their recent activities to see whether the person in question took any information with them. There should also be a reinforcement of any continuing obligations, including the protection of sensitive information.

It is critical to involve the IT department to ensure that the individual's access is proactively limited where feasible and that their accounts are deactivated as soon as possible. We have investigated incidents where a salesperson still had access to his former company's proposal system. The salesperson would download proposals from his former company and then create a proposal from his new company that was more competitive. This is unfortunately not an uncommon circumstance.
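The salesperson incident above is the kind of gap a routine reconciliation between HR separation records and directory accounts will catch. The following is an added example, not code from the book or from any particular product: it takes a constructed HR separation list and a constructed export of accounts across several systems (the user names, system names, and dates are all hypothetical) and flags two things: accounts that are still enabled after the separation date, and accounts that show a login after that date, which indicates the access was actually used, as in the anecdote.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional


@dataclass(frozen=True)
class Separation:
    """One row from the HR separation feed (hypothetical schema)."""
    user: str
    separated_on: date


@dataclass(frozen=True)
class Account:
    """One row from an account export of a business system (hypothetical schema)."""
    user: str
    system: str
    enabled: bool
    last_login: Optional[datetime]  # None means the account never logged in


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    issue: str        # "still_enabled" or "login_after_separation"
    days_after: int   # days past the separation date


# Constructed sample data, not from the book: two separated people and one current employee.
SEPARATIONS = [
    Separation("jdoe", date(2024, 3, 1)),
    Separation("asmith", date(2024, 3, 10)),
]

ACCOUNTS = [
    Account("jdoe", "proposals", True, datetime(2024, 3, 15, 9, 30)),   # never deactivated, and used
    Account("jdoe", "vpn", False, datetime(2024, 2, 20, 17, 5)),        # correctly disabled
    Account("jdoe", "email", False, datetime(2024, 3, 3, 8, 0)),        # disabled late: used after separation
    Account("asmith", "crm", False, datetime(2024, 3, 9, 16, 45)),      # clean offboarding
    Account("bwong", "proposals", True, datetime(2024, 3, 18, 11, 0)),  # current employee, ignored
]

AS_OF = date(2024, 3, 20)  # the day the reconciliation is run


def find_orphaned_access(separations: List[Separation],
                         accounts: List[Account],
                         as_of: date) -> List[Finding]:
    """Cross-reference separations against accounts and return every leftover-access finding."""
    separated = {s.user: s.separated_on for s in separations}
    findings: List[Finding] = []
    for acct in accounts:
        sep_date = separated.get(acct.user)
        if sep_date is None:
            continue  # not a separated person; nothing to check here
        if acct.enabled:
            findings.append(Finding(acct.user, acct.system, "still_enabled",
                                    (as_of - sep_date).days))
        # A login on the separation day itself is normal (handover); strictly later is not.
        if acct.last_login is not None and acct.last_login.date() > sep_date:
            findings.append(Finding(acct.user, acct.system, "login_after_separation",
                                    (acct.last_login.date() - sep_date).days))
    # Deterministic order so the report diffs cleanly between runs.
    return sorted(findings, key=lambda f: (f.user, f.system, f.issue))


def run_sample() -> List[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return find_orphaned_access(SEPARATIONS, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user:<8} {f.system:<10} {f.issue:<24} {f.days_after:>3} days after separation")
```

In practice the two inputs come from the HR system and from each application's or identity provider's account export, and the job runs on a schedule so that a missed deactivation surfaces in days rather than, as in the salesperson case, after the damage is done. The `login_after_separation` check matters even for accounts that have since been disabled, because it tells you whether the window was actually exploited and therefore whether an activity review is needed.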

Enforcement also must be consistent. You can't punish one employee for mishandling information and not punish another employee for the same infraction. Inconsistent enforcement exposes your organization to claims of bias, confuses your users about which policies they're truly expected to follow, and emboldens people who are inclined to commit violations.

