Booklet: Information Security
Section: Security Controls Implementation
Subsection: Personnel Security

Personnel Security

Action Summary additional information.

Application owners grant legitimate users system access necessary to perform their duties; security personnel enforce access rights in accordance with institution standards.  Because of their internal access levels and intimate knowledge of financial institution processes, authorized users pose a potential threat to systems and data.  Employees, contractors, or third-party employees can exploit their legitimate computer access for malicious, fraudulent, or economic reasons.  Additionally, the degree of internal access granted to some users increases the risk of accidental damage or loss of information and systems. Risk exposures from internal users include

  • Altering data,
  • Deleting production and back-up data,
  • Disrupting systems,
  • Destroying systems,
  • Misusing systems for personal gain or to damage the institution,
  • Holding data hostage, and
  • Stealing strategic or customer data for corporate espionage or fraud schemes.

Background Checks and Screening

Financial institutions should have a process to verify job application information on all new employees.  The sensitivity of a particular job or access level may warrant additional background and credit checks.  Institutions should verify that contractors are subject to similar screening procedures.  Typically, the minimum verification considerations include

  • Character references;
  • Confirmation that the prospective employee was never convicted of a criminal offense, as detailed in 12 USC 1829;additional information
  • Confirmation of prior experience, academic record, and professional qualifications; and
  • Confirmation of identity from government issued identification.

After employment, managers should remain alert to changes in employees’ personal circumstances that could increase incentives for system misuse or fraud.

Agreements: Confidentiality, Non-Disclosure, and Authorized Use

Financial institutions should protect the confidentiality of information about their customers and organization.  A breach in confidentiality could disclose competitive information, increase fraud risk, damage the institution’s reputation, violate customer privacy and associated rights, and violate regulatory requirements.additional information  Confidentiality agreements put all parties on notice that the financial institution owns its information, expects strict confidentiality, and prohibits information sharing outside of that required for legitimate business needs.  Management should obtain signed confidentiality agreements before granting new employees and contractors access to information technology systems.

Authorized-use agreements are discussed in the “Access Rights Administration” section of this booklet.

Job Descriptions

Job descriptions, employment agreements, and policy awareness acknowledgements increase accountability for security.  Management can communicate general and specific security roles and responsibilities for all employees within their job descriptions.  Management should expect all employees, officers, and contractors to comply with security and acceptable-use policies and protect the institution’s assets, including information.  The job descriptions for security personnel should describe the systems and processes they will protect and the control processes for which they are responsible.  Management can take similar steps to ensure contractors and consultants understand their security responsibilities as well.

Training

Financial institutions need to educate users regarding their security roles and responsibilities.  Training should support security awareness and strengthen compliance with security policies, standards, and procedures.  Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management.  Training materials for desktop and workstation users would typically review the acceptable-use policy and include issues like desktop security, log-on requirements, password administration guidelines, etc.  Training should also address social engineering and the policies and procedures that protect against social engineering attacks.  Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses.