Tuesday, 15 April 2008

HRM, it’s not just hiring for compliance

Introduction
The greatest threat to an organisation’s security comes from inside its own walls. Staff, ex-staff and consultants are the greatest risk faced by any organisation. Most of the risk is a direct result of inadequate HRM processes and awareness. The rise in IT governance legislation and other requirements has driven organisations to monitor and implement controls over the Human Resources operations.

Not only does this process make them more effective when implemented appropriately, it is helping make the organisation more secure.

Security is a cost now that leads to savings later. Though the effective management of Human Resources may be an expenditure now, it leads to reduced risk and long-term savings.

The drive for compliance
Compliance has become a prime business concern across most sectors[1]. Changes to reporting and regulatory regimes such as Sarbanes Oxley, BASEL II, FISMA, and the changes to the privacy legislation have changed the face of business in general and information technology’s role in governance.

Grembergen (2004) in the chapter, “Governing Information Technology through COBIT” asserts that “the four main focus areas for IT Governance are driven by stakeholder value. Two are outcomes: value delivery and risk mitigation. Two are drivers: strategic alignment and performance measurement.”

Protiviti (2003) asserts that entry-level considerations for compliance with the Sarbanes-Oxley legislation hinge on the effective management of human resources. Control frameworks to achieve statutory compliance all require HR control implementation and monitoring.
These changes to compliance requirements have driven a growth in IT recruitment not experienced since before the dot-com crash of 2001. This has even led to the Sarbanes-Oxley act being dubbed the zero unemployment for auditors act (Apani 2002).

With these changes and the rapid growth in staff complements, it is essential to remember that the skill set of IT staff is a key determinant in measuring how effective they are likely to be in implementing and maintaining an organisation’s business requirements. In addition, training may also function as a set of golden handcuffs (Treen 2001) to IT Staff helping retain them in times of mobility.

Hawkins et al. describe and interpret several central existing suppositions, models and practices in the IT Governance domain. Further, they support a goal of increasing the comprehension and knowledge of IT Governance. In particular, they detail the role of Human Resources management from both an IT and an overall perspective as it applies to IT Governance. Organisational security awareness is determined to be essential to achieving compliance. It is also important to remember that IT governance applies to all staff and not just those involved in IT.

Minimising the IT Governance breach has become essential (Coe 2003). It has become increasingly difficult for many organisations to separate overall tactical operations from the contributory IT plan that enables the business mission to be satisfied.
COSO and COBIT define effective IT Governance[2] as including:

  • Protection of shareholder/stakeholder value,
  • Quantification and comprehension of IT risks,
  • Organising IT ventures, opportunity, return and risks,
  • Aligning IT with the goals of the organisation while accepting IT as a critical input to and component of the strategic plan,
  • Maintaining current operations and plans for the future.
COSO[3] asks organisations whether their IT function subscribes to a philosophy of continuous learning. COSO further details that organisations provide “necessary training and skill development to its members” in order to be compliant. As COSO is the foundation for many of the Sarbanes-Oxley baselines, most large US organisations and their international subsidiaries have had to come to terms with HRM and training issues which they had thus far been able to sweep under the carpet.

Personnel requirements are a key requirement in many sections of COBIT[4]. Of particular importance is the section “PO7 - Manage Human Resources”. The ISACA has defined the control of managing human resources as:
The control over the IT process of managing human resources that satisfies the business requirement to acquire and maintain a motivated and competent workforce and maximise personnel contributions to the IT processes is enabled by sound, fair and transparent personnel management practices to recruit, hire, vet, compensate, train, appraise, promote and dismiss.

The control framework, PO7 requires that an organisation implements processes to monitor and maintain:
  • Recruitment and promotion
  • Training and qualification requirements
  • Awareness building
  • Cross-training and job rotation
  • Hiring, vetting and dismissal procedures
  • Objective and measurable performance evaluation
  • Responsiveness to technical and market changes
  • Proper balance of internal and external resources
  • Succession plan for key positions
Other than the baseline of meeting statutory requirements, organisations should look to the benefits they can obtain from these controls (ISACA). Adequate staffing of the IT section within an organisation has been shown to provide effective and efficient operations throughout the business. Other paybacks include improved motivation, retention and development of individuals and teams within the organisation (NSF Project #9708399).

It has been further demonstrated that employee inclusiveness, increased personnel contribution, and improved resilience and information security within operations all return beneficial results within an organisation far exceeding the compliance requirements (Romeo 2002 and O’Bryan et al. 1995). Many organisations have provided testimonial support for benefits delivered to the management of the organisation, including cost savings and superior effectiveness of operations (Mead 1998).

BS 7799.2:2002 or AS/NZS 7799.2:2003[5] has been adopted as a model for many organisations within both the commercial and government sectors. The NSW state government has mandated compliance with this framework for all state owned bodies.
Human resource management is a key control within the ISMS framework. In particular, section 5.2.2 (below) deals almost exclusively with the control over Human Resource Management:
Section 5.2.2 Training, awareness and competency
The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by:
a) determining the necessary competencies for personnel performing work affecting the ISMS;
b) providing competent training and, if necessary, employing competent personnel to satisfy these needs;
c) evaluating the effectiveness of the training provided and actions taken;
d) maintaining records of education, training, skills, experience and qualifications.
The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives.

Organisations seeking certification or compliance against ISO 17799 need to have integrated the Human Resources and security functions in order to maintain an effective training and awareness system. Further, they need to evaluate training in order to implement a system of continuous learning within the organisation.

In order to mandate the implementation of ISO 17799, the NSW Government OIT[6] has developed a set of standards and guidelines for any NSW government agency to use in developing an ISO 17799 compliant strategy.

From the perspective of the Human Resources professional, the key sections which need to be addressed in the guidelines are:
1 Segregation of duties,
2 Recruitment, and
3 The monitoring of personnel.

Many of these controls are essential requirements for either COSO or COBIT. It is thus possible to conclude that Human Resource management is an essential function in achieving IT Governance. Banerjee et al. further assert that HR management is not only a stage in IT Governance, but is essential to ensuring continued ethical behaviour from staff.

Christopher (2003) demonstrates that a lack of training can lead to employees making “one of the worst mistakes” and “giving out sensitive data”. He highlights the point that training and education are essential components which may be used to effectively empower staff to make correct decisions.

He further states that most breaches of corporate security are caused as a result of “weakness in human firewalls”. This underlines the need for awareness training for staff, as technology will fail where staff are not fully educated in stopping attacks against the organisation’s information infrastructure.

It is emphasised that training and technology need to be used together to ensure that strategic security in corporations is successfully deployed. To achieve this effectively, horizontal teams need to be formed from IT, HR and department heads to develop effective security management strategies[7]. “Policy setting is a give and take between business and security”[8].
The key issue at stake is that management needs to educate and communicate both the corporate policy itself, and the need for its existence, across the organisation (O’Brien 1999). Management must put in place channels for feedback within the organisation (Mitnick and Simon 2002) to ensure that the message of security is being communicated.

Turnbull (2004) argues that organisations face new challenges and that they need to plan for these to be successful. Best practice is achieved through a process of knowledge and empowerment across all staff. New domestic and global HR privacy demands are driving many of these changes adding yet another layer to the compliance framework.

Defining the roles, HR needs to work with Info Sec
Kovacich presents a total-systems approach to all the topics needed by the “infosec professional”. He asserts that defining the position of the information systems security officer (ISSO) is just a beginning.

Compliance is just the foundation for HR security controls; there are numerous reasons to ensure that Human Resources have defined the roles within IT and in particular Security (Dhillon 2001).

One concern influencing HR practice recently has resulted from a widespread shortage of security, audit and compliance skills (McCarthey 2001). The compliance drive detailed in the previous paragraphs has led to a debate amongst many professionals (not just those from HR) over the practice of hiring criminal hackers.

The claim that hackers are the proverbial “fox in the henhouse” (Savage 2004) strongly supports the claim that criminal hackers should not be hired into the security industry. Given that these people are able to use their skills productively within the information industry without being involved in security, and that there are others in the industry who are trustworthy, the conclusion follows strongly that past convictions should exclude one from employment within the security industry.

“Trust has to be evaluated on a case by case basis” has been touted as a reason for hiring hackers on a case by case basis. Mitnick, the president of an information security firm and a past convicted “hacker”, uses this argument, stating that his clients are happy with his services. He has said that he should be judged by his actions (Savage 2004).

Mitnick’s actions speak for themselves, as he committed several felony offences while on parole for earlier offences (Associated Press 2004). The example may be extreme, hiring criminals and handing them the keys, but the practice is not uncommon, which further emphasises the need for high-quality practice and compliance within an organisation’s HR function (Wood 1997).

Good hiring policy, detailed background checks and controls should all be designed to increase the chances of hiring the correct person for the role and ensuring that they remain satisfied and effective (Wood 1993). This creates a series of processes that help reduce risk and improve efficiency within an organisation.

Awareness – where does this take us
Dhillon (2001) stated that “education, training and awareness, although important, are not sufficient conditions for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment”.
Further, “a mismatch between the needs and goals of the organization could potentially be detrimental to the health of an organization and to the information systems in place…. organizational processes such as communications, decision making, change and power are culturally ingrained and failure to comprehend these could lead to problems in the security of information systems”.

Mitnick and Simon state that there are three key steps that should be instilled within employees’ thought processes:
  • Step One: Verification of Identity
  • Step Two: Verification of Employment Status
  • Step Three: Verification of Need to Know
They further state that deceptive tactics are generally used to access or obtain private company information by masquerading as a trusted party. For this reason it is essential to verify the legitimacy of employees, contractors, vendors, or business partners.

It is further stated by Mitnick and Simon that effective information security is maintained only if an employee receiving a request to perform an action or provide sensitive information positively identifies the caller and verifies his authority prior to granting the request.

For this reason, a well-rounded awareness program must cover as many of the following key areas as possible[9]:
  • Security policies related to system passwords (these include computer and voice mail).
  • The procedure for disclosing sensitive information or materials.
  • Email usage policy, including the safeguards to prevent malicious code attacks including viruses, worms, and Trojan Horses.
  • Physical security requirements such as wearing a badge.
  • The responsibility to challenge people on the premises who aren't wearing a badge.
  • Best security practices of voice mail usage.
  • How to determine the classification of information, and the proper safeguards for protecting sensitive information.
  • Proper disposal of sensitive documents and computer media that contain, or have at any time in the past contained, confidential materials.

Additionally, the awareness program relies on the following tasks to be successful:
  • The development and distribution of an IT security policy that reflects business needs tempered by known risks;
  • Informing users of their IT security responsibilities, as documented in the organisation’s security policy and procedures; and
  • Establishing processes for monitoring and reviewing the program.
The NIST manual states that effective IT security awareness and training programs explain the appropriate conventions of conduct for the use of the organisation’s IT systems and information.
HRM is crucial, as changing people’s attitudes and behaviour in terms of IT security can be a challenging task (NIST 800-50). New controls often appear to conflict with the way staff have done their job for years. An awareness and training program is crucial in that it is the vehicle for disseminating the information that employees, including managers, need in order to do their job.
Coe (2003) has stated that “recurring evaluation and maintenance of employee awareness, specialized training and management awareness are all required components of a successful security program”. An effective information security program needs to properly account for the strengths and limitations of employees to successfully secure an organisation’s data.
“Keeping your network safe, HR must protect sensitive data from internal and external security threats” (Romeo, 2002).

Peter Hind (2004) has asked why the IT department has responsibility for IT security. General training is essential and should be amortised as a cost over the entire organisation.

Conclusion
Human Resources Management is an often overlooked, but essential, component of information security within an organisation. Information security personnel and Human Resources need to work together to ensure the overall effectiveness of controls. Technology is no longer the panacea it has been touted to be.

The increase in threats coupled with the growing need to ensure compliance make HR’s involvement with security all the more crucial to an organisation’s continued success. With the greatest threat to an organisation’s security inside its own walls, the majority of information security risk is a direct result of inadequate HRM processes and awareness.
Human Resources operations and controls over information security increase an organisation’s effectiveness when implemented appropriately.

Bibliography
1. Australian Standards Institute, AS/NZS 7799.2:2003, BS 7799.2:2002, “Information security management systems; Part 2: Specification for information security management systems” [BS title: Information security management systems, Part 2: Specification with guidance for use]
2. Apani Networks 2002 “Sarbanes-Oxley Act and its impact on IT Security”, 2004 CNET Networks
3. Banerjee, Debasish; Jones, Thomas W. and Cronan, Timothy Paul, 1996 “The association of demographic variables and ethical behaviour of information system personnel”, Industrial Management & Data Systems 96/3 [1996] 3–10 MCB University Press
4. Coe, Kathleen, Aug 2003, “Closing the Security Gap, Data Protection initiatives should include employee training”, “HR Magazine – Vol 48 No8”
5. Dhillon, Gurpreet (ed), 2001, “Information Security Management: Global Challenges in the New Millennium” Idea Group Publishing, ISBN:1878289780
6. Grembergen, Wim Van (ed), 2004, “Strategies for Information Technology Governance” Idea Group Publishing, ISBN:1591402840
7. Hawkins, Steve; Yen, David C. and Chou, David C. 2000 “Awareness and challenges of Internet security”, Information Management & Computer Security 8/3 [2000] 131-143 MCB University Press
8. Hind, Peter; 2004 “Give it Away, Take my security please… (At the Coal Face)”, CIO Magazine, IDG Communications NSW Australia, May 2004, ISSN 1328-4045
9. Kovacich, Gerald L. “The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program, Second Edition”, ISBN:0750676566, Butterworth Heinemann © 2003
10. Information Systems Audit and Control Association, ISACA, “COBIT”, IL 60008 USA,
11. IT Governance Institute, “IT CONTROL OBJECTIVES FOR SARBANES-OXLEY” Rolling Meadows, IL 60008 USA, ISBN: 1-893209-67-9
12. Mead, Richard, 1998, “International Management, Cross-Cultural Dimensions”, 2nd Edn, Blackwell Publishing, UK
13. Mitchell, Ruth C. and Marcella, Rita, and Baxter, Graeme, 1999 “Corporate information security management” New Library World Volume 100. Number 1150. 1999. pp. 213-227, MCB University Press
14. Mitnick, Kevin D. and Simon, William L. 2002, “The Art of Deception: Controlling the Human Element of Security” John Wiley & Sons, USA, ISBN:0471237124
15. National Science Foundation, 1999, “NSF Research Needs Workshop: Building Systems Integration for Performance and Environmental Quality Final Report 99”, NSF Project #9708399, “Results from Oct. 97 Workshop and Research Community”, Center of Building Performance and Diagnostics, Carnegie Mellon University
16. NSW Government (OIT)
Information Security Guideline for NSW Government
· Part 1 Information Security Risk Management
· Part 3 Information Security Baseline Controls
17. O’Brien, James A., 1999, “Management Information Systems, Managing Information Technology in the Internetworked Enterprise”, 4th Edn, Irwin McGraw-Hill Ltd, US
18. O’Bryan, Bernard Burch and Pick, Roger Alan, 1995, “Keeping information systems staff (happy)”, Emerald - The International Journal of Career Management, Volume 7, Number 2, 1995, 17–20
19. Protiviti (Independent Risk Consulting), Guide to the Sarbanes-Oxley Act IT Risks and Controls (FAQ) Dec 2003
Publications from the National Institute of Standards and Technology (NIST)
20. NIST Special Publication 800-50, “Building an Information Technology Security Awareness and Training Program”
21. NIST Special Publication 800-35, “Guide to Information Technology Security Services“
22. NIST Special Publication 800-36, “Guide to Selecting Information Technology Security Products”
23. Romeo , Jim, Dec 2002, “Keeping your network safe, HR must protect sensitive data from internal and external security threats”, “HR Magazine – Vol 47 No12”
24. Treen, Doug, 2001, “The HR Challenge for the high-tech start-up”, JANUARY/FEBRUARY 2001, IVEY BUSINESS JOURNAL, The University of Western Ontario Press
25. Turnbull, Ian, “Privacy in the Canadian Workplace — Best Practices”, Paper from HR Privacy 2004: Managing the New Challenges, Society for Human Resource Management/ HR Technology
26. Wood, Charles Cresson, 1997, “Securely handling staff terminations”, Information Management & Computer Security, Vol. 5 No. 3, 1997, pp. 21-22, MCB University Press Limited, 0968-5227
27. Wood, Charles Cresson, 1993, “Background checks for employees in computer-related positions of trust (A further contribution on security system checks for employees)”, Information Management & Computer Security, Vol. 3 No. 5, 1995, pp. 21-22, MCB University Press Limited, 0968-5227
Web Sites
1. Christopher, Abby, CIO Magazine, “The human firewall”, 28/10/2003 http://cio.co.nz/cio.nsf/0/CD50373FD1A06BD3CC256DCD00015C68?
2. “Computer Security Awareness – Quiz from the Fermi National Accelerator Laboratory”, http://computing.fnal.gov/security/checklist.html
3. Countering financial crime risks in information security [Financial Crime Sector Report] http://www.fsa.gov.uk/pubs/other/fcrime_sector.pdf
4. Hay/McBer (2000). “Research into teacher effectiveness: A model of teacher effectiveness report by Hay McBer to the Department for Education and Employment”. Report prepared by Hay/McBer for the government of the United Kingdom, http://www.dfee.gov.uk/teachingreforms/mcber/.
5. McCarthey, John, CIO Magazine, Nov. 15, 2001 “RISK MANAGEMENT, Plan for People, Not Just Systems” http://www.cio.com/archive/111501/where.html
6. McLelland, Ross (2004), “Emotional intelligence in the Australian context”, Pacific Consulting, http://www.pacificconsulting.com.au/articles_ei.htm
7. Savage, Marcia, Hiring Hackers, A Heated Debate, 16th Apr 2003, CRN, viewed 06th Mar 2004, <http://www.techweb.com/wire/story/TWB20030416S0003>.
8. The Associated Press, “Famous hacker Kevin Mitnick gets hacked”, 11th Feb 2003, CNN, viewed 22nd Mar 2004, <http://www.cnn.com/2003/TECH/internet/02/11/hacker.hacked.ap/>
9. The House of Representatives (H.R. 5005), Homeland Security Act of 2002, November 19, 2002, viewed 6th March 2005, <http://news.findlaw.com/hdocs/docs/terrorism/hsa2002.pdf>

[1] IT Governance Institute
[2] COBIT Version 3.2
[3] COSO, Committee of Sponsoring Organisations of the Treadway Commission
[4] COBIT, is maintained by the ISACA
[5] Information security management (ISMS) Part 2: Specification for information security management systems (Australian Standards Institute)
[6] OIT, Office of Information and Communications Technology, NSW Department of Commerce
[7] NIST 800-50, “Building an Information Technology Security Awareness and Training Program”
[8] Christopher (2003), The Human Firewall.
[9] Modified from the controls listed in NIST Special Publication 800-50
