S 1.2 Personnel
Description
This module illustrates the generic IT-Grundschutz safeguards that should be implemented as standards in the area of personnel. A number of safeguards are necessary starting from the time the employees are hired and continuing until they leave the organisation. Adequate security safeguards also need to be implemented to handle external personnel such as visitors or maintenance technicians. Personnel recommendations linked to a specific role such as the appointment of a system administrator for a LAN are provided in the modules dealing with the corresponding topic.
Threat scenario
The following typical threats to IT-Grundschutz are examined in this module:
Force Majeure
| T 1.1 | Loss of personnel |
| T 1.2 | Failure of the IT system |
Organisational Shortcomings
| T 2.2 | Insufficient knowledge of rules and procedures |
| T 2.7 | Unauthorised use of rights |
Human Error
| T 3.1 | Loss of data confidentiality or integrity as a result of user error |
| T 3.2 | Negligent destruction of equipment or data |
| T 3.3 | Non-compliance with IT security measures |
| T 3.8 | Improper use of the IT system |
| T 3.9 | Improper IT system administration |
| T 3.36 | Misinterpretation of events |
| T 3.37 | Unproductive searches |
| T 3.43 | Inappropriate handling of passwords |
| T 3.44 | Carelessness in handling information |
| T 3.77 | Insufficient acceptance of information security |
Deliberate Acts
| T 5.1 | Manipulation or destruction of equipment or accessories |
| T 5.2 | Manipulation of information or software |
| T 5.20 | Misuse of administrator rights |
| T 5.23 | Malicious software |
| T 5.42 | Social Engineering |
| T 5.80 | Hoax |
| T 5.104 | Espionage |
Method recommendation
In order to secure the information system examined, other modules will need to be implemented in addition to this module with these modules being selected based on the results of the IT-Grundschutz modelling process.
A series of safeguards need to be implemented for the personnel employed at a company or a government agency, starting with proper training for new employees and further training and continuing right up to until an employee leaves the organisation. The steps to be followed in this case as well as the safeguards to be taken into consideration in the respective steps are listed in the following.
Implementation
The company and/or government agency must familiarise new employees with the existing regulations and instructions (see S3.1 Well-regulated familiarisation/training of new staff with their work) so that they can be integrated quickly into the existing processes. Likewise, it is also essential to inform all employees of any changes to these regulations and the exact effects of the changes for a process or for individual employees. In operating environments critical to security it is particularly recommendable to have the employees sign corresponding obligations and to have the trustworthiness of the employees confirmed (see S 3.33 Security vetting of staff). Here, specific emphasis must be placed on the trustworthiness of people fulfilling special roles and having special authorisations (see S 3.10 Selection of a trustworthy administrator and his substitute).
Operation
The motivation of all employees regarding their acceptance of information security in the business processes and also their taking responsibility for its implementation must be ensured and supported at a technical level through suitable training (see S 3.5 Training on security safeguards) and through detailed knowledge of the applications (see S 3.4 Training before actual use of a program). In this case, training the administration and maintenance personnel (see S 3.11 Training of maintenance and administration staff) is particularly important, since this group of people bears a lot of responsibility with regard to handling the IT due the extensive rights granted to them.
In order to achieve continuous availability of important processes, it must be ensured that key positions are filled at all times when this is required by the procedures used (see S 3.3 Arrangements for substitution).
Communication problems, personal problems, a poor work climate, extensive organisational changes, and the like also are factors that can result in security risks. For such cases, points of contact and confidants should be available (see S 3.7 Point of contact in case of personal problems).
Changing roles or functions
The existing regulations must be implemented with greater care for employees leaving the organisation or taking over other roles or functions (see S 3.6 Regulated procedure as regards termination of employment). If an employee suddenly leaves the organisation, there is a potential risk of the employee taking confidential information without authorisation or manipulations regarding equipment, IT systems, or data are only detected much later.
The bundle of safeguards for personnel is presented in the following:
Planning and design
| S 2.226 | (A) | Procedures regarding the use of outside staff |
| S 3.51 | (Z) | Appropriate concept for assignment and qualification of employees |
| S 3.83 | (Z) | Analysis of security-relevant personnel factors |
Purchasing
| S 3.50 | (Z) | Selection of employees |
Implementation
| S 3.1 | (A) | Well-regulated familiarisation/training of new staff with their work |
| S 3.10 | (A) | Selection of a trustworthy administrator and his substitute |
| S 3.33 | (Z) | Improper use of cryptomodules |
| S 3.55 | (C) | Non-disclosure agreements (NDAs) |
Operation
| S 3.3 | (A) | Arrangements for substitution |
| S 3.4 | (A) | Training before actual use of a program |
| S 3.5 | (A) | Training on security safeguards |
| S 3.7 | (Z) | Point of contact in case of personal problems |
| S 3.8 | (Z) | Avoidance of factors impairing the organisation climate |
| S 3.11 | (A) | Training of maintenance and administration staff |
Disposal
| S 3.6 | (A) | Regulated procedure for when employees leave the organisation |