Web Security, Privacy and Commerce, 2nd Edition

only for RuBoard - do not distribute or recompile

14.4 Personnel

The people who have access to your system may not all have your best interests in mind. We've heard stories in home environments where playmates of children have introduced viruses into home office systems, and where spouses have scoured disks for evidence of marital infidelity and then trashed systems where they have found it. In business environments, there are stories of cleaning staff and office temps who have been caught sabotaging or snooping on company computers.

You may not be able to choose your family, but you can have some impact on who accesses the computers at your company location. You can do this with background checks (it is amazing how many people don't adequately check references) and periodic rechecks. Depending on the nature of your business and the laws governing employment, you may also be able to perform credit checks, lie detector tests, and criminal background checks. You may even be able to impose a security clearance requirement. You can also require that personnel be bonded: special assurance from a third party that the individual is trusted, in which the third party performs the background investigation.

Examples of people whose backgrounds should be examined include:

The personnel who do have access should be trained about security and loss prevention and periodically retrained. Personnel should also be briefed on incident response procedures and on the penalties for security violations.
