Personnel Security – SY0-601 CompTIA Security+ : 5.3

There are many security policies that govern how an organization manages its people and the data they handle. In this video, you’ll learn about acceptable use policies, least privilege, background checks, user training, and more.


Most organizations have a documented set of rules called an Acceptable Use Policy, or AUP. This is detailed documentation that covers how the different technologies in your environment may be used: internet access, telephones, computers, mobile devices, tablets, and any other technology the company provides. It’s important to document this so that you have something to refer back to if one of these rules is broken. The AUP gives the employer a way to set expectations for everyone in the organization, and if a rule is violated, it can point to exactly which part of the AUP was not followed.

Many organizations also have personnel policies that help minimize risk. One of these is job rotation, where people move through different roles and no one stays in the same job for an extended period. There is always someone new in a position, so it is harder for any one person to quietly exploit a weakness in that role over a long period, and a fresh set of eyes may notice problems the previous person missed. Another useful policy is mandatory vacations, which require people to leave their job and take time off for a set period. While someone is on vacation, someone else usually covers their responsibilities, which is an opportunity to confirm that everything is operating as expected and limits the ability of any one person to commit and conceal fraud. This is not a policy you will see in every business, but you may run into it in a very high-security or heavily regulated environment.

Another set of business policies associated with security is separation of duties. One form of separation of duties is split knowledge, where one person holds some of the details and another person holds the rest. Think of a safe combination: one person knows the first half of the combination and another person knows the second half. No individual can open the safe alone; the knowledge of everyone involved has to be brought together to form the full combination.

This is similar to dual control, where two people have to be physically present to perform a particular business function. Instead of knowing parts of a combination, perhaps each person has a key, and opening the safe requires both keys to be turned at the same time. Both people must be present, and that is dual control. In environments where you’re working with very sensitive data you may also have a clean desk policy. This means that whenever you leave your desk for any reason, no information may be left out on it. Whether you step away for coffee, go to lunch, or leave for the day, you clear your desk and lock everything away before you go.
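The safe-combination picture above maps directly onto a secret-splitting scheme, and it is worth seeing why one person’s share really is useless on its own. The following is an added example, not code from the original video: it splits a secret into n shares that must all be combined (n-of-n XOR splitting), the electronic equivalent of split knowledge, and it refuses to reconstruct unless every holder is present and every share matches a public commitment, the equivalent of the dual-control requirement that everyone be there. The sample combination is constructed for illustration.

```python
"""Split knowledge as n-of-n secret splitting (added example)."""
import hashlib
import hmac
import secrets


def _xor(a, b):
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must all be the same length as the secret")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret, holders):
    """Split `secret` into `holders` shares that must ALL be combined to recover it.

    The first holders-1 shares are fresh random bytes; the last share is
    chosen so that the XOR of every share equals the secret.  Any
    holders-1 shares are therefore just independent random strings and
    carry no information about the secret: one person's half of the
    "safe combination" is useless on its own.

    A public SHA-256 commitment is returned for each share so that a wrong
    or tampered share is detected at reconstruction time.  Committing to
    the random shares does not leak the secret, whereas hashing the secret
    itself would let anyone guess a short combination offline.
    """
    if holders < 2:
        raise ValueError("split knowledge needs at least two holders")
    shares = [secrets.token_bytes(len(secret)) for _ in range(holders - 1)]
    last = bytes(secret)
    for share in shares:
        last = _xor(last, share)
    shares.append(last)
    commitments = [hashlib.sha256(s).digest() for s in shares]
    return shares, commitments


def combine_shares(shares, commitments):
    """Recover the secret; every share must be present and match its commitment."""
    if len(shares) != len(commitments):
        raise ValueError(
            f"all {len(commitments)} holders must be present, got {len(shares)}"
        )
    for i, (share, commitment) in enumerate(zip(shares, commitments)):
        if not hmac.compare_digest(hashlib.sha256(share).digest(), commitment):
            raise ValueError(f"share {i} does not match its commitment")
    secret = shares[0]
    for share in shares[1:]:
        secret = _xor(secret, share)
    return secret


if __name__ == "__main__":
    combination = b"37-15-62"  # constructed sample: a safe combination
    shares, commitments = split_secret(combination, holders=2)
    print("holder A:", shares[0].hex())  # random bytes, independent of the secret
    print("holder B:", shares[1].hex())  # equally random on its own
    print("together:", combine_shares(shares, commitments))
    try:
        combine_shares(shares[:1], commitments)  # one person trying alone
    except ValueError as err:
        print("refused:", err)
```

This scheme is all-or-nothing: lose one share and the secret is gone, which is exactly the property split knowledge asks for. If instead you need a quorum (say, any two of three officers), that calls for a threshold scheme such as Shamir’s secret sharing, which is outside the scope of this video.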

In an earlier video, we talked about the need to limit access in an operating system. We don’t want to give every user administrator access, because then everyone would have access to all of the data. Instead, you configure each user according to the principle of least privilege: the rights and permissions for that user allow them to do their job and nothing beyond that. Every account in your organization should have limits that are focused on the needs of that user. Applications should likewise be configured to run with the minimal privileges needed to operate and nothing beyond that scope. We never want to assign access that goes beyond the scope of someone’s position, and we certainly don’t want to give administrator access to every user in the organization.
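As an added example of running an application with minimal privileges (this is not code from the original video), here is the pattern a Linux service follows when it needs root for a single startup step such as binding a port below 1024: perform that step, then drop to an unprivileged service account before touching any untrusted input, and verify that the drop cannot be undone. The service account name `nobody` and the fallback ids are assumptions for illustration.

```python
"""Dropping privileges in a long-running service (added example)."""
import grp
import os
import pwd


def running_as_root():
    """True when the process currently has root's effective uid."""
    return os.geteuid() == 0


def lookup_account(username):
    """Return (uid, gid, supplementary gids) for a service account.

    Falls back to the conventional 'nobody' ids (65534) if the account does
    not exist, so the example stays runnable on minimal systems.  This
    fallback is an assumption for illustration; a real service should fail
    closed if its dedicated account is missing.
    """
    try:
        pw = pwd.getpwnam(username)
    except KeyError:
        return 65534, 65534, []
    groups = [g.gr_gid for g in grp.getgrall() if username in g.gr_mem]
    return pw.pw_uid, pw.pw_gid, groups


def drop_privileges(username):
    """Irreversibly switch from root to `username`.

    Order matters: supplementary groups and the primary group must be
    changed while still root, and the uid goes last, because after
    setuid() the process may no longer change its groups.
    """
    if not running_as_root():
        raise PermissionError("drop_privileges() must be called as root")
    uid, gid, groups = lookup_account(username)
    os.setgroups(groups)
    os.setgid(gid)
    os.setuid(uid)  # called as root, setuid(2) sets real, effective AND saved uid
    os.umask(0o077)  # files the service creates are private to its account
    if not verify_unprivileged():
        raise RuntimeError("privilege drop did not stick")
    return uid, gid


def verify_unprivileged():
    """True if the process can no longer regain root.

    A correct drop means setuid(0) now fails with EPERM.  Checking this
    explicitly catches the classic mistake of changing only the effective
    uid (seteuid) and leaving the saved uid as 0, which malware running in
    the process could trivially undo.
    """
    if running_as_root():
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False  # we just became root again: the drop was incomplete


if __name__ == "__main__":
    if running_as_root():
        # constructed usage: the privileged startup step (e.g. binding a
        # low port) would go here, before this call
        drop_privileges("nobody")
    print("uid", os.getuid(), "can regain root:", not verify_unprivileged())
```

Run it as root and the printed uid changes to the service account’s; run it as an ordinary user and it simply confirms that root cannot be regained. The check in `verify_unprivileged()` is the part worth copying: a service that only lowers its effective uid looks unprivileged in `ps` but can hand root straight back to anything that compromises it.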

Least privilege also limits what malicious software can do if it gets onto a user’s workstation. If the user’s permissions are limited, the malware runs with those same limited permissions. If the user has full rights as an administrator, the malware inherits administrator rights as well, so configuring least privilege is one way to contain the damage malicious software can do.

If you’re applying for a job, an employer will commonly run a background check. This is a screening done prior to employment to verify the information you provided in your application and on your resume.

Background checks can include credit history, criminal history, or other information that helps the employer decide whether to hire that person. What an organization is allowed to discover through a background check varies from place to place, so check the rules and regulations in your jurisdiction to see what options are available to you. If a background check is run and the employer decides not to hire someone based on that information, we refer to that as an adverse action. This may require extensive documentation to be provided to the applicant so that they understand exactly what information was gathered and why the company decided not to hire them based on it. In some jurisdictions an organization may also be allowed to run background checks on existing employees, and if something appears in that check they may take an adverse action there as well.

If you’re working with a third party that wants to limit what information can be shared, they may ask you to sign an NDA, or Non-Disclosure Agreement. This is a confidentiality agreement in which the parties agree what information may be shared and what must be kept private. These contracts are relatively common and are used constantly to ensure confidentiality between two parties. Another procedure commonly performed during the hiring process is a review of a candidate’s presence on social media. The employer gathers information from profiles such as Facebook, Twitter, LinkedIn, or Instagram to understand more about the candidate’s presence on the internet. Since it’s difficult to get an accurate picture of somebody in a single interview, a social media analysis can provide more context and help the company make a hiring decision.

Once we’ve decided to hire someone, we begin the on-boarding process, whether we are bringing in a new person or a transfer from elsewhere in the organization. On the IT side there are a number of steps to follow during on-boarding. There may be agreements that need to be signed, such as the employee handbook or the acceptable use policy. The user will need accounts to log in to the network, a phone number, and an email address for communication. And if they don’t already have a system to use, we’ll need to provide them with a desktop, a laptop, or some type of mobile device for their daily work.

Just as we need a set of procedures for on-boarding, we also need a set of procedures for off-boarding. These should be well planned before anyone leaves the organization, so that you know exactly what process to follow for the technology they used. For example, if they have a laptop or mobile device, there needs to be a process for turning in that equipment and verifying that it has been returned. We also need to understand what happens to the data they’ve been working with. There may be important documents and encrypted information, and we need to be sure we retain access to those details.

That’s why it’s very common to disable the departing user’s account rather than delete it. They can no longer log in, but nothing in the account is destroyed, and in particular none of their encryption keys are deleted, since those may be the only way to recover data they encrypted.

Training is always important, and many organizations have shifted to a gamification style of training, where people earn points, compete with others, and collect badges that show how far they’ve progressed. Another type of training, especially for security professionals, is a Capture The Flag, or CTF. This is usually a security-related competition in which participants attack deliberately vulnerable systems to retrieve hidden pieces of data, the flags. If you’re part of a red team and you’re responsible for finding ways into systems, capture the flag is a good way to keep your skills sharp and stay aware of recent vulnerabilities and attack techniques.

We might also provide training for our user community in the form of phishing simulations. Here we send our own phishing emails to users to see whether they click the links inside, which lead to a website that asks for their login credentials. The simulation might instead be vishing, voice phishing over the phone, to see whether we can talk information out of our end users. If someone does provide information during the simulation, we follow up with additional training so that they understand exactly what happened and how to avoid it in the future. And if you’re watching this video, you’re participating in computer-based training. You’re not sitting in a classroom and this isn’t a live event; it’s something you do on your own schedule, on a computer. Computer-based training often includes video, audio, Q&A, or some of the games mentioned earlier. Because the content is fixed, everyone receives exactly the same training, which is hard to guarantee when different groups sit through different instructor-led sessions.

In some organizations, users are required to complete an IT security program before they gain access to the network. This might be training specific to their role in the organization, so they receive specialized preparation for that job. These training sessions may also apply to partners or vendors who will access your network, so they understand the minimum security requirements for their access as well. And in some environments it’s important that everyone receive this training, so it’s useful to keep detailed records showing that everyone has been informed of all the security requirements.