Policies for human resources 





Human resources departments have a special charge to protect employees from those attempting to discover personal information through their workplace. HR professionals also have a responsibility to protect their company from the actions of unhappy ex-employees.

 

17-1 Departing employees
Policy: Whenever a person employed by the company leaves or is terminated, Human Resources must immediately do the following:

 

Remove the person's listing from the on-line employee/telephone directory and disable or forward their voice mail;

 

Notify personnel at building entrances or company lobbies; and

 

Add the employee's name to the employee departure list, which shall be emailed to all personnel no less often than once a week.

 

Explanation/Notes: Employees who are stationed at building entrances must be notified to prevent a former employee from re-entering the premises. Further, notifying other personnel may prevent the former employee from successfully masquerading as an active employee and duping personnel into taking some action damaging to the company.

 

In some circumstances, it may be necessary to require every user within the former employee's department to change his or her passwords. (When I was terminated from GTE solely because of my reputation as a hacker, the company required all employees throughout the company to change their password.)

 

17-2 IT department notification

Policy: Whenever a person employed by the company leaves or is terminated, Human Resources should immediately notify the information technology department to disable the former employee's computer accounts, including any accounts used for database access, dial-up, or Internet access from remote locations.

 

Explanation/Notes: It's essential to disable any former worker's access to all computer systems, network devices, databases, or any other computer-related devices immediately upon termination. Otherwise, the company may leave the door wide open for a disgruntled employee to access company computer systems and cause significant damage.

 

17-3 Confidential information used in hiring process

Policy: Advertisements and other forms of public solicitation of candidates to fill job openings should, to the extent possible, avoid identifying computer hardware and software used by the company.

 

Explanation/Notes: Managers and human resources personnel should only disclose information related to enterprise computer hardware and software that is reasonably necessary to obtain resumes from qualified candidates.

 

Computer intruders read newspapers and company press releases, and visit Internet sites, to find job listings. Often, companies disclose too much information about the types of hardware and software used to attract prospective employees. Once the intruder has knowledge of the target's information systems, he is armed for the next phase of attack. For example, by knowing that a particular company uses the VMS operating system, the attacker may place pretext calls to determine the release version, and then send a phony emergency security patch made to appear as if it came from the software developer. Once the patch is installed, the attacker is in.

 

17-4 Employee personal information

 

Policy: The human resources department must never release personal information about any current or former employee, contractor, consultant, temporary worker, or intern, except with prior express written consent of the employee or human resources manager.

 


 

Explanation/Notes: Head-hunters, private investigators, and identity thieves target private employee information such as employee numbers, social security numbers, birth dates, salary history, financial data including direct deposit information, and health-related benefit information. The social engineer may obtain this information so as to masquerade as the individual. In addition, disclosing the names of new hires may be extremely valuable to information thieves. New hires are likely to comply with any request by persons with seniority or in a position of authority, or anyone claiming to be from corporate security.

 

17-5 Background checks

Policy: A background check should be required for all new hires, contractors, consultants, temporary workers, or interns prior to an offer of employment or establishing of a contractual relationship.

 

Explanation/Notes: Because of cost considerations, the requirement for background checks may be limited to specific positions of trust. Note, however, that any person who is given physical access to corporate offices may be a potential threat. For example, cleaning crews have access to personnel offices, which gives them access to any computer systems located there. An attacker with physical access to a computer can install a hardware keystroke logger in less than a minute to capture passwords.

 

Computer intruders will sometimes go to the effort of obtaining a job as a means of gaining access to a target company's computer systems and networks. An attacker can easily obtain the name of a company's cleaning contractor by calling the responsible employee at the target company, claiming to be from a janitorial company looking for their business, and then obtaining the name of the company that is currently providing such services.

 





Last modified: 2020-11-11
