10. Human factors in information security & 11. Ethical aspects of cybersecurity

  1. Human factor in Information security 

  1. Human resource security 

ISO 27001 is the international standard that describes best practice for implementing an ISMS (information security management system). In the 2013 edition, Annex A.7 addresses human resource security specifically; the 2022 revision regroups the same controls under "People controls" (A.6.1 to A.6.8), but the content below still applies. 

It’s broken down into three sections: 

  • Annex A.7.1, which covers activities before employment. 

  • Annex A.7.2, which contains guidelines to ensure that employees and contractors are aware of and fulfil their information security responsibilities. 

  • Annex A.7.3, which covers the termination and change of employment. 

The main goal of Annex A.7 is to ensure that all employees, suppliers, and contractors are qualified for and understand their engagement/job tasks and responsibilities, and that access is revoked once the engagement is finished. 

  1. A.7.1: Before employment 

  1. A.7.1.1 Screening 

Employee screening is the process of verifying an applicant’s credentials and ensuring that they meet the conditions for employment. 

The screening process should, for example, establish whether the applicant has concealed or falsified information, such as their qualifications and job history. 

Annex A.7.1.1 advises organisations to adjust the stringency of employee screening based on the role that they are applying for. Applicants whose jobs would involve accessing sensitive information should be subject to more extensive screening. 

Organisations must document the screening process to demonstrate which procedures are carried out. 

  1. Annex A.7.1.2 Terms and conditions of employment 

An employment contract must include a section setting out the information security responsibilities of the organisation and of the employee (for example, confidentiality obligations that survive the end of employment). 

ISO 27001 requires this explicitly. The GDPR (General Data Protection Regulation) points the same way: Article 32(4) requires that anyone acting under the controller's or processor's authority processes personal data only on instructions, which in practice is documented through the contract or an accompanying confidentiality undertaking. 

  1. Annex A.7.2: During employment 

This section's goal is to ensure that all workers and contractors understand and fulfil their duties related to information security while on the job. There may be a variety of approaches taken. 

Start with a well-structured induction. Integrate information security into your new-employee orientation programme. Depending on the scope of your ISMS, this covers your policies, asset management, system access, building access, password strength, malware, backups, software controls, networks, purchasing, incident reporting, and business continuity. 

Implement a programme of ongoing education and training for your whole workforce next. Cover the above-mentioned topics. This is a continuous effort. It is not enough to conduct one-time training and teaching sessions. 

  1. A.7.2.1 Management responsibilities 

Managers should ensure that employees who report to them understand information security threats and that appropriate controls are in place to mitigate risks. 

Managers must also ensure that employees complete regular information security staff awareness training. This is addressed further in Annex A.7.2.2. 

  1. A.7.2.2 Information security awareness, education and training 

Employees and relevant contractors must receive information security staff awareness training. 

These training courses should be retaken at regular intervals to refresh employees’ knowledge and to account for changes in the way the organisation operates. 

  1. A.7.2.3 Disciplinary process 

Organisations must create and document a disciplinary process for when an employee violates their employment contract. 

Annex A.7.2.3 focuses on action related to information security breaches, but there doesn’t need to be a separate process. Organisations can use the same framework for information security breaches as they would for disciplinary actions related to other violations. 

  1. Annex A.7.3 - Termination and change of employment 

Annex A.7.3 focuses on termination and job changes. It is the goal of this Annex to safeguard the interests of the organisation during the process of modifying and terminating employment arrangements. 

You are required to have mechanisms in place to handle the situation when an employee or contractor quits or changes jobs. The following questions would need to be answered: 

  • What happens to the integrity of your systems once the person's accounts and sessions are no longer supervised? 

  • Are there any permissions that need to be changed or revoked? 

  • Which shared credentials (service passwords, API keys, shared mailboxes) did the person know, and have they been rotated? 

  • Have building access codes been changed and physical tokens deactivated? 

  • What happens to information stored on their work devices? And many more. 

The core of understanding how to implement Annex A.7 controls is first understanding what human resource security is. 

  1. A.7.3.1 Termination or change of employment responsibilities 

The final clause of Annex A.7 addresses what happens when an employee leaves their job. This includes staff who have left voluntarily, been fired or changed role. 

Annex A.7.3.1 recognises that some information security responsibilities are applicable after the employee has left the role. For example, they are still expected to protect confidential information, and they are prohibited from keeping sensitive information belonging to the employer. 

Organisations must define the responsibilities that come with the termination of or change in employment, communicate them to the employee and make sure they are enforced. 

Additionally, there are steps that employees must take when they leave their role, such as returning company equipment and keys, fobs, passes, etc. to the premises. 

Annex A.7.3.1 also specifies what organisations must do if an employee moves to another position within the same company. 

For example, if an employee moves to a different department, the organisation must ensure that they no longer have access to information assets that aren't required for their new role. In practice this means reconciling what each account is actually granted against what the person's current role justifies, not just removing accounts of people who have left. 
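The check described above (leavers and movers keeping access they should no longer have) is easiest to see as an access reconciliation between the HR record and the directory. The following is an added example, not part of the original notes or of ISO 27001 itself; the people, roles, role-to-entitlement mapping and the account snapshot are all constructed for illustration, and a real deployment would read them from the HR system and the identity provider.

```python
"""Joiner/mover/leaver access reconciliation (added example with constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Person:
    uid: str
    role: str
    end_date: Optional[date]  # None while the employment or engagement continues

    def active(self, today: date) -> bool:
        return self.end_date is None or self.end_date >= today


# Constructed HR feed (hypothetical people and roles).
HR_FEED = [
    Person("alice", "finance-analyst", None),
    Person("bob", "sre", None),                         # moved from dev-lead (mover)
    Person("carol", "contractor-dev", date(2024, 3, 31)),  # contract ended (leaver)
]

# Assumed mapping of role -> entitlements the role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-readonly", "vpn"},
    "sre": {"prod-admin", "vpn", "oncall-pager"},
    "dev-lead": {"git-admin", "vpn", "ci-deploy"},
    "contractor-dev": {"git-write", "vpn"},
}

# Constructed snapshot of the directory/IAM system: account -> granted groups.
ACCOUNTS = {
    "alice": {"erp-readonly", "vpn"},
    "bob": {"prod-admin", "vpn", "oncall-pager", "git-admin", "ci-deploy"},
    "carol": {"git-write", "vpn"},
    "svc-backup": {"backup-operator"},  # no HR record: nobody owns this account
}


def reconcile(hr_feed, accounts, role_entitlements, today):
    """Return accounts that should be disabled and entitlements that exceed the role.

    orphaned: accounts with no active HR record (leavers, expired contracts,
              ownerless service accounts) -> disable the whole account.
    excess:   active people holding groups outside their current role
              (typically left over from a previous role) -> remove those groups.
    """
    people = {p.uid: p for p in hr_feed}
    findings = {"orphaned": [], "excess": {}}
    for uid, groups in accounts.items():
        person = people.get(uid)
        if person is None or not person.active(today):
            findings["orphaned"].append(uid)
            continue
        allowed = role_entitlements.get(person.role, set())
        extra = groups - allowed
        if extra:
            findings["excess"][uid] = sorted(extra)
    return findings


if __name__ == "__main__":
    result = reconcile(HR_FEED, ACCOUNTS, ROLE_ENTITLEMENTS, date(2024, 4, 15))
    for uid in result["orphaned"]:
        print(f"DISABLE {uid}: no active HR record")
    for uid, groups in result["excess"].items():
        print(f"REVOKE  {uid}: {', '.join(groups)} not justified by current role")
```

Run against the constructed data, the script flags carol (contract expired) and svc-backup (no owner) for disabling, and flags bob's leftover git-admin and ci-deploy groups from his previous role. A production version would run on every HR change event and on a schedule, and would require a documented, time-limited exception (with a named owner) for any account that legitimately has no HR record.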

  1. Why is human resource security important for your organisation? 

By adopting the framework's principles, organisations may maintain a human resources management system that fits their needs and ensures data availability, integrity, and confidentiality. 

Additionally, implementing human resource security demonstrates that your organisation is able to: 

  • Establish a secure human resources management framework. 

  • Follow the framework and concepts of ISO 27002 in establishing human resource security controls in the business. 

  • Understand the roles and responsibilities of the components of human resource security management, such as hiring and recruiting, education and training, and termination activities. 

  • Implement and manage ISO/IEC 27002-based human resource security controls. 

  • Apply the key controls before, during, and after the employment of staff. 

  1. Ethical aspects of cybersecurity 

  1. Professional Code of Ethics 

A professional code of ethics is a set of principles designed to help a profession or an organisation govern its decision-making and distinguish right from wrong. 

In some industries, such as finance or public health, specific laws dictate professional conduct. In other industries, a code of ethics may be voluntarily adopted. 

  1. Objectives of code of ethics 

1. To guide information security professionals on how to align their behaviour, actions and decisions with the highest standards of professionalism. 

2. To provide a benchmark that information security professionals can use for self-evaluation. 

3. To minimise problems with unethical behaviour and to encourage responsible behaviour. 

4. To help professionals identify and resolve the inevitable ethical dilemmas they will confront during the course of their information security career. 

  1. Code of Ethics in Cybersecurity 

Mile2 Code of Ethics: https://mile2.com/code-of-ethics/  

GIAC Code of Ethics: https://www.giac.org/policies/ethics/  

CCoP from Trusted Introducer is a ready-to-use document to define cybersecurity ethics: https://www.trusted-introducer.org/TI-CCoP.pdf  

  1. TOP statements 

1. Do not use a computer to harm other people. 

2. Protect society and the common good. 

3. Be trustworthy, meaning only enter commitments you can keep, and uphold trusted connections with people. 

4. Have a plan for coordinated vulnerability disclosure. 

5. Respect human rights. 

6. Disclose data on a need-to-know basis and maintain privacy. 

7. Comply with legal standards. 

  1. Is employee monitoring legal in the EU? (Yes) 

Yes, employers in the EU have the right to monitor employees at work as long as there is a legitimate business interest. That said, it is crucial to balance an employer's right to lawfully monitor and manage the work process against an employee's right to privacy. Employees have the right to be notified before any monitoring is carried out. Explicit consent is not required everywhere, but in some jurisdictions it is mandatory, so it is important to know which rules apply in your area. Most importantly, the monitoring process must comply with the EU General Data Protection Regulation (GDPR). The GDPR makes lawful basis, transparency, and data protection essential. These rules apply to organisations (public and private) established in the EU and to those based outside the EU that offer goods or services to people in the EU. 

  1. Is it legal to monitor company’s computers? (Yes) 

Yes, employers in the EU have a legitimate interest in monitoring the use of the computers they have provided and ensuring that the use remains related to business. However, employers also need to balance the monitoring of use while respecting the privacy of their employees. Employers should take the following approach: 

  • Ensure that employees are notified in advance of the monitoring through a clear monitoring policy. 

  • Ensure that monitoring is for legitimate business purposes only and does not interfere with the employee’s fundamental right to privacy. 

  • Ensure that data protection rights are respected. 

  1. Is it legal to monitor employee internet and social media activities? (Yes) 

Yes. Although legislation on monitoring social media and internet activities varies across the EU, in most EU countries the lawfulness of monitoring internet and social media use depends on its purpose (business-related or private use). According to the Article 29 Data Protection Working Party (Opinion 2/2017 on data processing at work, WP249), a legal ground such as legitimate interest is required for processing an employee's social media profile. Employers are only allowed to collect and process personal data relating to employees to the extent that the collection is necessary and relevant to the performance of the job for which the person is being hired or has applied. Employers may monitor employees to restrict the use of the internet and social media during working hours. Employers are also advised to establish well-defined policies on social media and internet usage so that employees know what is acceptable and what is not. 

  1. Is it legal to monitor screen contents and keystrokes? (Yes) 

Yes. Although businesses operating in the EU can use screen capture and keylogging software to monitor their employees, such monitoring must serve a legitimate business purpose and employees must be informed. Note that the Article 29 Working Party (WP249) considers employee consent unlikely to be freely given because of the imbalance of power in the employment relationship, so consent alone is rarely a sound legal basis; the employer must be able to show a legitimate interest that outweighs the intrusion. It is worth mentioning that this kind of monitoring is seen as a serious invasion of privacy in most cases. Therefore, before choosing to do so, employers should identify the issues they intend to address and determine whether this form of monitoring is necessary and whether a less intrusive measure would do. Most importantly, they should take into account and comply with GDPR requirements, including a data protection impact assessment where the monitoring is likely to result in a high risk to employees. 

  1. Is it legal to monitor email content? (Yes) 

Yes, an employer may monitor email content received or sent on the company computer, provided that the information is not private and the monitoring is justified on legitimate grounds. It is also crucial for businesses to distinguish between private and work-related emails. Conversely, employees should also avoid accessing personal emails on devices provided for professional purposes. To balance the monitoring of email content while respecting employees’ privacy, employers should: 

  • Ensure that the employee is aware of and has agreed to the monitoring. 

  • Ensure that personal data collected or connected to the employee e-mail accounts are not accessed, and where such situations arise, data should only be shared with their consent. 

  • Ensure that they retain emails and delete them after the period is up. 

  1. Is it legal to monitor or record phone conversations? (Yes) 

Yes. Under national data protection law implementing the GDPR, monitoring and recording phone conversations may be permitted under certain conditions, for example if the party has given explicit consent or if monitoring/recording is necessary to protect the employer's legitimate interests. A company with a works council must obtain the works council's agreement before phone monitoring or recording is carried out. Employers intending to record telephone conversations are obliged to comply with the applicable national rules and sector codes of practice. 

  1. Is it legal to use video monitoring systems in the workplace? (Yes) 

Yes. In the EU, video monitoring systems are permitted provided: 

  • There is a legitimate purpose for the surveillance. 

  • The surveillance is appropriate for this purpose. 

  • The monitoring is necessary, and no less intrusive means would achieve the same purpose. 

The bottom line, the monitoring must be reasonable, and employers must consider the employee’s privacy rights. Under the GDPR, employees must be notified of: 

  • The fact that they’re being monitored. 

  • The purpose of monitoring. 

  • How long monitored data will be stored. 

  • Who has access to the monitored data. 

The use of hidden video surveillance is generally considered a violation of Article 8 of the European Convention on Human Rights ('ECHR'); the European Court of Human Rights (López Ribalda v. Spain, 2019) accepted covert surveillance only where there was a reasonable suspicion of serious misconduct and the measure was narrowly limited in scope and duration. Monitoring in sensitive areas, such as restrooms, religious spaces, and break rooms, is prohibited. 

  1. Is it legal to monitor private messages and email content? (Yes) 

Yes. Employers are justified in controlling certain activities, such as sending or receiving private messages or emails, to ensure that employees perform their duties during working hours, particularly on company devices. The European Court of Human Rights (Bărbulescu v. Romania, 2017) set out the factors that determine how far such monitoring is permitted: prior notice, the extent and intrusiveness of the monitoring, a legitimate reason, the availability of less intrusive measures, the consequences for the employee, and adequate safeguards. Businesses must develop policies that let employees know the extent of the monitoring. Private messages and emails are personal data (as defined in Article 4 of the GDPR), so organisations must be able to show a legal basis for collecting and monitoring them. 

  1. Is it legal to monitor employees’ personal devices? (Yes) 

Yes. There are some valid reasons why employers may need to monitor their employees’ personal devices. For example, with more employees working from home in the EU and worldwide, many employers want to keep up with work processes. Monitoring is, therefore, reasonable in such cases, but there are limits to the monitoring. The GDPR requires the employer to explicitly inform the employee of what information they intend to collect and how they intend to use it. Additionally, the GDPR requires the employer to be transparent about the monitoring process and provide the employee with ample information on how and for what purpose they’ll be monitored. It is recommended that employers implement BYOD policies and understand where to draw the line with employee privacy and best practice when developing such policies. 

  1. Is it legal to monitor employees’ personal computers? (Yes) 

Yes, if the employee performs work duties on a personal computer, monitoring such a device may serve a legitimate interest in protecting business information. However, if the monitoring also captures data relating to the employee's private life, it is unlawful. Appropriate measures should be taken to separate personal and business use of the device (for example, a managed work profile or container), and a BYOD policy should be put in place to strike that balance. 

  1. Is it required to inform employees of the monitoring? (Yes) 

Yes. In the EU, this is a crucial step. Many EU countries require employers to inform their employees and discuss any monitoring process issues before monitoring. Article 29 data protection working party (WP249) emphasizes that transparency should be applied to data processing at work. Employees must be aware of the monitoring, the purposes for which personal data are to be collected, and any other information necessary to ensure fair processing. Two legal approaches arise across the EU when it comes to co-determination rights. In some countries, employees have the right to agree to the monitoring or not. In other jurisdictions, employees have less power. They must be notified of the monitoring, but consent is not required. 

  1. Employee monitoring policy – mandatory or not? (Yes) 

Yes. Nothing beats a good, clear policy about the monitoring process. Monitoring policies, handbooks, etc. must be carefully tailored to show the organisation's legitimate purpose behind the monitoring and what is acceptable or not. With a comprehensive and easily accessible workplace monitoring policy, employees will be aware of the monitoring. All of the following must be included in the policy: 

  • The nature and extent of the monitoring process. 

  • The reason for the monitoring. 

  • The impact of the monitoring on the business. 

  • How confidential or sensitive information is handled. (If any is taken) 

  • Point out acceptable and unacceptable uses. 

  • Employers must ensure that their monitoring policies are compliant with legal requirements. 

  1. Monitor or not? 

  • The necessity principle requires that the monitoring be “necessary” for business purposes. 

  • The finality principle requires that data be collected only for specific, explicit, and legitimate purposes and not be processed in any way incompatible with that purpose. 

  • The transparency principle requires an employer to be open and clear about the monitoring. (No covert monitoring is allowed) The transparency rule stipulates that the monitoring and reasons behind it must be fully and explicitly disclosed to all employees in written policies. 

  • The legitimacy principle indicates that the processing of employees’ personal data must be legitimate and necessary for work performance, without violating the employees’ fundamental rights. 

  • The proportionality principle states personal information must be adequate, relevant, and not excessive. 

  • The accuracy principle requires that all records be accurate, up to date, and retained for no longer than necessary given the employer’s legitimate purposes. As a guideline, the Working Party suggests that data retention shouldn’t exceed three months. 

  • The data security principle necessitates that the employer takes appropriate technical measures to ensure that employees’ personal data is safe. 
