Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information. In today's changing threat landscape, employee management security controls ensure that employees are accountable for their actions.

Below are the most common employee management security controls:

1. Employment Agreements

2. Job requirements

3. Background Checking

4. Awareness and Training

5. Separation of Duties

6. Least Privilege

7. Job Rotation

8. Vacation and Leave

9. Terminations

10. Monitoring and Audit

1. Employment Agreements:

• An employment agreement (or contract) sets out the conditions for employment with the organization. The employment contract is agreed to and signed by the employee before employment begins

• The employment agreement specifies the employee’s job title, pay rate, vacation and holidays, benefits, and so on. The employment agreement might require that the employee pass a drug test and other types of pre-employment assessments

• The employee agrees to abide by organizational policies and procedures. The employment agreement usually specifies grounds and processes for termination of the employee

• The employment agreement should specify who owns intellectual property (IP) developed by the employee and place restrictions on what can be done with IP when the employee leaves the company

• A nondisclosure agreement (NDA) can also be used to control ownership and distribution of sensitive information and IP among nonemployees (that is, contractors and vendors) doing business with the organization

• The employment agreement is an important employee management security control that protects both the organization and the employee by defining the employment relationship in legal terms

2. Job Requirements:

• A job requirement (or job description) document details the responsibilities and duties of the employee. This employee security control sets boundaries for what the employee can do

• The job requirements security control expands on the employment agreement by providing specific job duties for the employee's job title. Organizations need a system for classifying jobs and keeping job descriptions up to date

• Having well-defined job classifications and job descriptions makes it easier to implement the separation of duties and least privilege security controls discussed later in the paper.

3. Background Checking:

• The background check employee security control provides the organization with assurance that the employee has not lied on the job application, and that the employee does not have something in his past that could be used to blackmail or otherwise compromise him in his position

• Background checks are especially important for employees in trusted positions (such as system administrators and payroll system managers). Background checks can be as simple as verifying employment application information and doing a credit check. They can also be extensive, including interviews with the employee's friends and neighbors

• Background checks should be carried out on new employees and also on existing employees when their job responsibilities increase. The background check should be renewed on a regular basis to look for new information that might compromise the employee

4. Awareness and Training:

• Awareness and training are ongoing activities that ensure employees know their security roles and responsibilities. When new employees are hired, they should be formally trained in organizational security policies and processes. If an employee has specific information security-related duties, the employee should be formally trained to carry out those duties

• To reinforce security awareness and training, the training should be carried out on a regular basis (at least annually).

• There are three types of security awareness and training:

    o	Security awareness – The goal of security awareness is informing employees of their security roles and responsibilities and keeping those roles and responsibilities in their minds as they go about daily tasks. Security awareness training takes place when an employee is first hired and then at regular intervals (at least annually) afterwards
    o	Security training – For employees with specific security roles and responsibilities that require special knowledge and abilities, security training provides the needed skills. Security training is specific to a technology or job function
    o	Security education – Security education is broad-based and applies to employees with overall organizational security responsibilities. Security education supplies the theory behind specific security techniques and technologies. Obtaining the CISSP certification is an example of security education

5. Separation of Duties:

• Separation of duties is an important concept for protecting sensitive information systems. Used extensively in financial institutions, separation of duties requires at least two people to accomplish a sensitive task. For example, in an information system, a system administrator can examine security logs, but only a security administrator can clear them

• The separation of duties security control can be defeated through collusion. If the bank teller and the bank manager work together to defraud the bank, they have used collusion to overcome the separation of duties control. But the more people involved in a crime, the more likely the crime will be discovered

• There are two types of separation of duties:

    o	Split Knowledge - With split knowledge separation of duties, each person involved in the transaction knows only her own job function. For example, the bank teller would not have the information to know how to approve the withdrawal, and the bank manager would not have the information needed to initiate the withdrawal
    o	Dual Control - In the dual control type, both persons know how to carry out the task, but they must both synchronize their actions to accomplish the task. For example, in a bank, two people must turn a key or enter a code simultaneously to open the bank vault

6. Least Privilege:

• The least privilege principle is implemented through various employee management security controls. Least privilege means that the employee is given access only to the resources and information needed to accomplish his specific job

• The employee's official job description should be the basis for assigning privileges. Least privilege can be used to set up separation of duties

• “Need to Know” is similar to least privilege. The “Need to Know” right restricts sensitive information to only those that need that information to accomplish a task or make a decision. “Need to Know” is generally more granular than least privilege and can have content and time limits assigned

7. Job Rotation:

• Rotation of job duties and responsibilities is an employee security control that breaks up opportunities for collusion and fraudulent activities. An employee working alone or in concert with others to defraud the organization is more likely to be caught when a new person examines the system’s work processes and notices irregularities

• Job rotation is difficult in small organizations with limited staff. A possible downside to job rotation is that an employee, over time, gains knowledge of enough business processes to make it easier for the employee to commit an attack. As employees rotate through positions, careful attention must be paid to controlling logical and physical access to information resources

8. Vacation and Leave:

• Mandatory vacation is a less extreme employee security control (compared to job rotation) used to detect fraud. In many fraud schemes, the attacker must be present each day to carry out some action to commit the fraud or cover his tracks so he will not be caught. While the employee is on vacation, the illegal activity is more likely to be detected

• For sensitive positions (such as system administrator), many organizations schedule audits of the employees’ system activities while they are on vacation

9. Terminations:

• Voluntary and involuntary terminations of employees from the organization are danger points for sensitive information systems. Security controls put into place around terminations attempt to reduce the risk the terminated employee will do damage to the organization

• Employees terminated involuntarily may sabotage systems or attempt to disrupt operations. Even employees who terminate employment voluntarily may attempt to take organizational intellectual property or other assets

• Many organizations require that terminated employees be escorted from the property to reduce the risk that they leave with organizational property. Care must be taken when invoking termination control processes not to overdo things and turn what may be an amenable employee into a resentful one

• Related to termination employee security controls are job action controls. Job actions are punishments or consequences for an employee violating organizational policy (for example, the acceptable use policy). One such action is unpaid time off. Another job action is demotion or reassignment of responsibilities. When job actions take place, the employee's system permissions should be reviewed and adjusted as needed

10. Monitoring and Audit:

• Monitoring and audit security controls are used to verify that the employee is complying with security policy and procedures. The goal of monitoring and audit security controls is to make employees accountable for their activities. Note that in most cases, employees must be informed that their business activities are subject to monitoring

• The knowledge that monitoring is taking place is in itself a deterrent to unauthorized activity. Monitoring is generally the activity of looking for violations of security controls

• The term audit is sometimes used in the same context as monitoring, but audit is different. Audit is the activity that ensures security controls are properly implemented and applied

• For example, an audit would determine that all employees have received security awareness training and have signed the appropriate NDA and employment agreements.