ORP.2 Personnel

Description

Introduction

The personnel of a company or authority play a decisive role in the success or failure of the institution. Employees have the important task of implementing information security. The most elaborate security precautions can come to nothing if they are not applied in day-to-day work. The fundamental importance of information security for an institution and its business processes must therefore be communicated to personnel in a transparent and comprehensible manner.

Objective

The objective of this building block is to show which “personnel-related” security measures the HR Department or line managers must take so that employees handle the institution’s information responsibly and behave in accordance with the applicable requirements.

Scope and Modeling

The building block ORP.2 Personnel MUST be applied once to the information network.

This building block addresses the requirements that must be observed and fulfilled by the HR Department or line managers of an institution. Personnel requirements tied to a specific function, such as the appointment of a LAN system administrator, are set out in the building blocks that address the respective subject area. The building block ORP.2 Personnel does not address specific aspects relating to the training of employees or the management of identities and permissions. These aspects are covered in the building blocks ORP.3 Awareness and Training in Information Security and ORP.4 Identity and Access Management.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance to the building block ORP.2 Personnel.

Staff Absence

The absence of staff can result in certain tasks no longer being performed or not being performed promptly.

Insufficient Knowledge of Regulations

Establishing regulations alone does not guarantee that they will be observed and that operations can run without disruption. All employees must be aware of the applicable regulations, especially those in key roles. Damage resulting from the fact that existing regulations were not known should not be excusable with statements such as: “I didn’t know I was responsible for that.” or “I didn’t know how to proceed.”

Carelessness in Handling Information

It is frequently observed that although institutions have many organisational and technical security procedures, these are circumvented by the careless behaviour of employees. A typical example of this is sticky notes on monitors on which access passwords are written.

Insufficient Qualifications of Employees

Many disruptions and errors can occur in the day-to-day IT operations of an institution. If the responsible employees are not sufficiently qualified, security-aware, and trained — for example if they have outdated knowledge for performing their tasks — they may not be able to identify security-relevant events as such, and cyberattacks may go undetected. Even if employees are sufficiently qualified, security-aware, and trained in information security matters, it cannot be ruled out that they will fail to recognise security incidents. In some situations, such as staff shortages or resignations, employees may have to temporarily take on the tasks of other employees. Errors can arise in such cases if employees do not have the necessary qualifications or have received insufficient training to take on the task.

Requirements

The following are the specific requirements of the building block ORP.2 Personnel. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and reviewed in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These SHOULD be filled insofar as this is sensible and appropriate.

Responsibilities            | Roles
Primary responsibility      | HR Department
Additional responsibilities | IT Operations, Supervisors

Exactly one role SHOULD hold Primary responsibility. There may also be Additional responsibilities. If one of these additional roles holds primary responsibility for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not indicate how many people are intended to fill these roles.

Basic Requirements

The following requirements MUST be fulfilled with priority for this building block.

ORP.2.A1 Structured Onboarding of New Employees (B) [Supervisors]

The HR Department and line managers MUST ensure that employees are inducted into their new tasks at the start of their employment. Employees MUST be informed about existing regulations, operating instructions, and procedures. A checklist and a direct point of contact (“buddy”) can be helpful and SHOULD be established.

ORP.2.A2 Structured Procedures When Employees Leave (B) [Supervisors, IT Operations]

When employees leave the institution, the successor MUST be briefed in good time. Ideally, this SHOULD be done by the departing employee. If a direct handover is not possible, the departing employee MUST prepare comprehensive documentation.

In addition, all documents, keys, and devices as well as ID cards and access authorisations issued to departing employees in connection with their work MUST be retrieved.

Before the departure, the obligation of confidentiality MUST be emphasised once more. Particular care SHOULD be taken to ensure that no conflicts of interest arise. To avoid conflicts of interest after a change of employer, non-competition clauses and notice periods SHOULD be agreed.

Furthermore, emergency and other procedural plans MUST be updated. All relevant parties within the institution, such as security personnel or the IT department, MUST be informed of the employee’s departure. A checklist SHOULD also be drawn up to ensure that all associated tasks arising when an employee leaves are completed. In addition, there SHOULD be a designated point of contact in the HR Department to manage the departure of employees.

ORP.2.A3 Definition of Substitution Arrangements (B) [Supervisors]

Line managers MUST ensure that substitution arrangements are implemented in ongoing operations. To this end, it MUST be ensured that there are practicable substitution arrangements for all essential business processes and tasks. In these arrangements, the scope of the deputy’s responsibilities MUST be clearly defined in advance. It MUST be ensured that the deputy has the necessary knowledge. If this is not the case, it MUST be reviewed how the deputy is to be trained or whether it is sufficient to document the current status of the process or project adequately. If, exceptionally, it is not possible to designate or train a competent deputy for individual employees, a decision MUST be made at an early stage as to whether external personnel can be brought in for this purpose.

ORP.2.A4 Definition of Regulations for the Use of External Personnel (B)

If external personnel are employed, they MUST be obliged to comply with applicable laws, regulations, and internal rules in the same way as the institution's own employees. External personnel who are deployed on a short-term or one-off basis MUST be supervised in security-relevant areas. External personnel employed on a longer-term basis MUST be inducted into their tasks in the same way as the institution's own employees. A substitution arrangement MUST also be introduced for these employees. When external personnel leave the institution, work results MUST be handed over in a structured manner, as with the institution's own employees, and any access authorisations issued MUST be returned.

ORP.2.A5 Confidentiality Agreements for the Use of External Personnel (B)

Before external persons are granted access to confidential information, confidentiality agreements MUST be concluded with them in written form. These confidentiality agreements MUST take into account all important aspects relating to the protection of institution-internal information.

ORP.2.A14 Tasks and Responsibilities of Employees (B) [Supervisors]

All employees MUST be obliged to comply with applicable laws, regulations, and internal rules. Employees MUST be aware of the legal framework governing their activities. The tasks and responsibilities of employees MUST be documented in an appropriate manner. Furthermore, all employees MUST be informed that all information received during the course of their work is intended exclusively for internal use. Employees MUST be made aware of the need to protect the institution’s information security outside of working hours and outside of the business premises.

ORP.2.A15 Qualification of Personnel (B) [Supervisors]

Employees MUST be regularly trained and further developed. In all areas, it MUST be ensured that no employee works with an outdated level of knowledge. Furthermore, employees SHOULD be given the opportunity to undergo further training within the scope of their area of activity during their employment.

When positions are filled, the required qualifications and skills MUST be precisely specified. It SHOULD then be verified that applicants for the position actually possess these qualifications. It MUST be ensured that positions are only filled by employees who are qualified for them.

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be fulfilled.

ORP.2.A6 DISCONTINUED (S)

This requirement has been discontinued.

ORP.2.A7 Verification of the Trustworthiness of Employees (S)

New employees SHOULD be vetted for their trustworthiness before they are hired. Where possible, all parties involved in the personnel selection process SHOULD verify whether the information provided by applicants that is relevant to assessing their trustworthiness is credible. In particular, it SHOULD be carefully checked whether the submitted curriculum vitae is correct, plausible, and complete. Any information that appears conspicuous SHOULD be verified.

ORP.2.A8 DISCONTINUED (S)

This requirement has been discontinued.

ORP.2.A9 DISCONTINUED (S)

This requirement has been discontinued.

ORP.2.A10 DISCONTINUED (S)

This requirement has been discontinued.

Requirements for High Protection Needs

The following are exemplary proposed requirements for this building block that go beyond the level of protection that represents the state of the art. The proposals SHOULD be considered in the case of high protection needs. The specific determination is made within the framework of an individual risk analysis.

ORP.2.A11 DISCONTINUED (H)

This requirement has been discontinued.

ORP.2.A12 DISCONTINUED (H)

This requirement has been discontinued.

ORP.2.A13 Security Vetting (H)

In high-security areas, a security vetting SHOULD be conducted in addition to the basic verification of employee trustworthiness.

If employees work with classified information subject to secrecy protection, the relevant employees SHOULD undergo a security vetting in accordance with the Security Vetting Act (Sicherheitsüberprüfungsgesetz, SÜG). In this regard, the Information Security Officer (ISO) SHOULD involve the institution’s classified information protection officer or security officer.

Additional Information

Good to Know

The International Organization for Standardization (ISO) provides requirements for personnel security in the standard ISO/IEC 27001:2013 “Information technology — Security techniques — Information security management systems — Requirements” in Annex A.7 Human Resource Security.

The Information Security Forum (ISF) provides requirements for personnel security in its standard “The Standard of Good Practice for Information Security” in chapter PM: People Management.