Staff Management

Type: general threat extra security

Staff management is not only a critical part of administration but also of security. By handling prospective staff, current staff and former staff correctly, security vulnerabilities can be minimised.

When recruiting and inducting new staff, it is vital that certain security procedures are followed. All job applications must be screened using any available previous job references or background checks; characteristics such as honesty and susceptibility should be established, and if any previous criminal or security incidents are connected to the individual, the application should be considered a risk. Once a new member of staff has been accepted, they should be given an induction that includes a detailed introduction to the security policies and any security training available. The new member of staff should be given a computer account based on their requirements: the minimum access that still allows them to complete their job.

All staff should be given security training and exposed to security policies via presentations or posters. Computer accounts should also not be considered static with regard to access rights: as staff responsibilities evolve, so do their access requirements. All accounts should provide the minimum access required for individuals to complete their jobs.

All staff should also be given the option to change their password at any time, and informed that if they suspect their password may have been compromised they should change it. However, it is inadvisable to set passwords to expire, forcing users to change them constantly. While this may seem an astute way to make passwords more secure, by constantly changing them so that any compromised password is replaced in the near future, it results either in users producing very predictable and repeated passwords, or in users creating good passwords but needing to make a record of them, because a new password is not easy to remember. This record is usually a piece of paper with the password written on it, stored near the computer, and this is a significant security risk in itself.

When a member of staff leaves a company, regardless of the circumstances, their user account must be cancelled. An unused user account could be compromised and used for malicious purposes, and this access would go undetected: the account would be part of a legitimate group, but the original user would not be present to notice anything unusual. The former member of staff could also use the account to attack their former employer, since the legitimate access and rights they had been given could be used to commit an offence against the company. It is essential that the only active accounts belong to users currently working at the company.

Staff background checks and user account maintenance are often overlooked. This is a major problem, as allowing an individual access to the company network without knowing their history is potentially a severe security risk. User accounts are often unmanaged and neglected, which creates vulnerabilities and security holes through old and unmonitored accounts. A strict procedure for user account management must be in place to avoid such obvious security vulnerabilities. This management can be made easier by techniques such as identifying accounts that have not been used recently, or observing users' login times for unusual access times.
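As an added example that is not part of the original article, the following Python script runs the two checks just mentioned (accounts not used recently, and logins at unusual times) together with the check for accounts whose owner has left the company, over constructed sample data. The staff roster, account list, login events, the 60-day idle threshold and the 07:00 to 19:00 working window are all assumptions.

```python
"""Account-maintenance audit helpers (added example; sample data is constructed)."""
from datetime import datetime, timedelta

# Constructed roster: who is currently employed.
ACTIVE_STAFF = {"alice", "bob", "carol"}

# Constructed account list: account name -> last successful login (ISO timestamp).
ACCOUNTS = {
    "alice": "2024-05-20T09:12:00",
    "bob":   "2024-02-01T17:45:00",   # not used for months
    "carol": "2024-05-21T08:03:00",
    "dave":  "2024-05-19T22:30:00",   # dave has left the company
}

# Constructed login events: (account, timestamp).
LOGIN_EVENTS = [
    ("alice", "2024-05-20T09:12:00"),
    ("carol", "2024-05-21T08:03:00"),
    ("dave",  "2024-05-19T22:30:00"),
    ("alice", "2024-05-21T03:15:00"),
]

def orphaned_accounts(accounts, active_staff):
    """Accounts with no current employee behind them; these should have been cancelled."""
    return sorted(set(accounts) - set(active_staff))

def dormant_accounts(accounts, now, max_idle_days=60):
    """Accounts whose last login is older than max_idle_days (assumed threshold)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, last in accounts.items() if datetime.fromisoformat(last) < cutoff)

def off_hours_logins(events, start_hour=7, end_hour=19):
    """Logins outside the assumed working window [start_hour, end_hour)."""
    flagged = []
    for user, ts in events:
        hour = datetime.fromisoformat(ts).hour
        if not (start_hour <= hour < end_hour):
            flagged.append((user, ts))
    return flagged

def audit(now=datetime(2024, 5, 22)):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "orphaned": orphaned_accounts(ACCOUNTS, ACTIVE_STAFF),
        "dormant": dormant_accounts(ACCOUNTS, now),
        "off_hours": off_hours_logins(LOGIN_EVENTS),
    }

if __name__ == "__main__":
    for check, hits in audit().items():
        print(f"{check}: {hits}")
```

In practice the roster would come from HR and the account and login data from the directory or authentication logs; each finding is a prompt to review the account, not proof of misuse.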