
csl93-10.txt

Posted Sep 23, 1999


SHA-256 | 8bd5d4baf1ad758a630b8d123478850ea8395557801c6f84013cc4f5d2863a41

                             CSL Bulletin
October 1993

PEOPLE: AN IMPORTANT ASSET IN COMPUTER SECURITY
People are an important factor in ensuring the security of computer
systems and the valuable information resources which they process.
This bulletin looks at some of the issues involved in staffing
positions which interact with computer systems, the administration
of users on a system, and the termination of user accounts.

STAFFING
Staffing is the process of defining a position, normally involving
the development of a position description; determining the
sensitivity of the position; filling the position, which involves
screening applicants, conducting background checks, and selecting
the individual; and training the new employee.

Position Definition
Managers should identify and address security issues early in the
process of defining a position. Once a position has been broadly
defined, management must determine the type of computer access
needed for the position. Management should consider two general
principles when determining access: separation of duties and least
privilege.

Separation of duties refers to the division of roles and
responsibilities so that a single individual cannot subvert a
critical process. In accounting systems, for example, no
single individual is given authority to issue checks. Rather, one
person initiates a request for a payment and another authorizes
that same payment. In effect, checks and balances are designed
into the process based on the individual positions.

Least privilege refers to the security objective of granting users
only those accesses required to perform their duties. Least
privilege may mean that some employees have significant access if
required for their position. However, application of this
principle may limit the damage resulting from accidents, errors, or
unauthorized use of system resources. For example, data entry
clerks may have no need to run analysis reports of their database.

A supervisor must carefully determine the duties, responsibilities,
and access levels in accordance with the principles of separation
of duties and least privilege prior to actually staffing a
position. Knowledge of the duties and access levels that a
particular position will require is necessary for determining the
sensitivity of the position.

Determining Position Sensitivity
Managers should correctly identify position sensitivity levels so
that appropriate, cost-effective screening can be accomplished.
The position sensitivity designation directly affects resources
since screening can be costly.

Various levels of sensitivity are assigned to positions in the
government. Determining the appropriate sensitivity level is based
upon such factors as the type and level of harm (disclosure of
private information, interruption of agency critical processing,
computer fraud) the individual can cause through use of the
computer system as well as more traditional factors such as access
to classified information and fiduciary responsibilities. The
Office of Personnel Management's Federal Personnel Manual (Section
732-5, subchapter 7) provides detailed guidance on computer/ADP
risk levels. Three separate levels are defined, as shown below.



Filling the Position - Screening and Selection
Once a position's sensitivity has been determined, the position is
ready to be staffed. In the government, this typically includes
publication of a formal vacancy announcement followed by a review
of candidates to determine which meet the requirements of the
position. More sensitive positions typically require
pre-employment background screening while post-employment screening
is often acceptable for less sensitive positions.

Background screening determines whether a particular individual is
suited to occupy a given position. In positions requiring a high
degree of trust, the screening process will attempt to document the
person's trustworthiness and the appropriateness of holding a
particular position. In the government, the screening process is
formalized through a series of background checks. The importance
of selecting the appropriate position sensitivity becomes obvious,
since screening in excess of the sensitivity of the position wastes
resources, while the reverse causes unacceptable risks.

Within the government, the most basic screening technique involves
checking for a criminal history, checking the FBI fingerprint
records, and checking other federal indices. More extensive
background checks examine other factors, such as a person's work and
educational history and possession or use of illegal substances, and
include a personal interview and interviews with current and former
colleagues, neighbors, and friends. The exact type of screening
that takes place depends upon the sensitivity of the position to be
occupied and applicable agency implementing regulations. Screening
is not conducted by the prospective employee's manager; rather,
agency security and personnel officers should be consulted for
agency-specific guidance.

Outside of the government, screening processes are often less
formalized. However, depending upon the harm that a particular
employee may be able to cause, background screening is often
considered a wise investment. With limited expenditures,
supervisors or personnel officers can telephone or write
references, including personal and work, provided by the applicant.
A small investment in employee screening before hiring can alert
management to serious questions about a person's trustworthiness.


For both the government and private sector, finding something
negative or detrimental in a person's background does not
necessarily mean that they are unsuitable for a particular job. A
determination must be made based on the type of job, the type of
finding or incident, and other relevant factors. In the
government, this process is referred to as adjudication.

Employee Training and Awareness
Once a candidate has been hired, the staffing process continues
with training in the computer security responsibilities and duties
of the position. Training can be very cost-effective in promoting
security.

Some computer security experts argue that employees must receive
initial training before they are granted any access to computer
systems. Others argue that this must be a risk-based decision,
perhaps only granting restricted access or access only to their PC
until the required training is completed. Both approaches,
however, recognize that adequately trained employees are crucial to
the effective functioning of computer systems and applications.
In addition, although training of new users is critical, managers
must recognize that security training and awareness activities
should be ongoing throughout the time that an individual is a
system user.

USER ADMINISTRATION
The purpose of user administration is to make sure that the
information in the computer system about a user is correct and that
access privileges are authorized and up-to-date. In addition, user
administration can detect some unauthorized and illegal
activities.

User Account Management
User account management encompasses the process of requesting,
establishing, issuing, and closing user accounts. It includes
tracking of users and their respective access privileges and the
management of these functions.

User account management typically begins with a request from the
user's supervisor to the system manager for a system account. If
a user is to have access to a particular application, this request
may be sent through the application manager to the system manager.
This assures that the systems office receives formal approval from
the "application manager" for the employee to be given access. The
request normally states the level of access to be granted, perhaps
by function or by specifying a particular user profile. Often when
more than one employee is doing the same job, a "profile" of
permitted authorizations is created.

Systems operations staff use the account request to create an
account for the new user. The access levels of the account should
be consistent with those requested by the supervisor. This account
is normally assigned selected access privileges which are sometimes
built directly into applications, and other times rely upon the
operating system. "Add-on" access applications are also used.
These access levels and privileges are often tied to specific
access levels within an application.


Next, an employee is given their account information, including the
account identifier (USERID) and means of authentication (password
or smart card/PIN). One issue which frequently arises at this
stage is whether the USERID is to be tied to the particular
position an employee holds (ACC5 for an accountant) or the
individual employee (BSMITH for Brenda Smith). Tying accounts to
positions can often simplify auditing. However, if the USERID is
created in this manner, procedures should be established to change
them if employees switch jobs or are otherwise reassigned.

At the time employees receive their account, managers should
provide initial or refresher training and awareness on computer
security issues. Users should be asked to review a set of rules
and regulations for system access. To indicate their understanding
of these rules, many organizations require employees to sign a
"computer account receipt," which may also state causes for
dismissal or prosecution under the Computer Fraud and Abuse Act and
other applicable state and local laws.

When user accounts are no longer required, the supervisor should
inform the application manager and IRM office so that accounts can
be removed in a timely manner. One useful secondary check is to
work with the local organization's personnel officer to establish
a procedure for routinely notifying the systems office of employee
departures.

Access and privilege administration is a continuing process. New
users are added while old users are deleted. Permissions change,
sometimes permanently, sometimes temporarily. New applications are
added, upgraded, and removed. Tracking this information ensures
that the principle of least privilege is maintained. In
administering these accounts, managers must balance timeliness of
service and record keeping. While sound record keeping
practices are necessary, delays in processing change requests may
lead to requests for more access than is necessary to avoid delays
should such access ever be required.

The management of user access is often decentralized,
particularly for larger systems. Regional offices
are typically granted the authority to create accounts and change
user privileges. Proper oversight can help avoid major security
risks.

Temporary Assignments and In-house Transfers
User privileges must be kept up-to-date. Privileges are typically
changed when there is a change in job role, either temporarily,
such as covering for an employee on sick leave, or permanently,
following an in-house transfer or termination.

During the absence of others, users are often required to perform
duties outside their normal scope, requiring additional access
privileges. Such necessary access privileges should be granted
sparingly and carefully monitored, consistent with the need to
maintain separation of duties for internal control purposes. Also,
these privileges should be removed in a timely manner when no
longer required.

Permanent changes in access privileges are usually necessary when
employees change positions within an organization. In this case,
the process of granting account privileges occurs again. Access
privileges of the prior position should be promptly removed. Many
instances of "privilege creep" have occurred with employees
continuing to maintain their access rights for all previously held
positions within an organization. This practice is inconsistent
with the principle of least privilege.

Audit and Management Reviews
From time to time, a review of an entire system becomes necessary.
For personnel issues, such reviews may examine the levels of access
of each individual, consistent with the concept of least privilege;
whether all accounts are still active; whether management
authorizations are up-to-date; and whether required training has
been completed.

These reviews can be conducted on at least two levels: an
application-by-application basis or a system-wide basis. Both
kinds of reviews can be conducted by, among others, "in-house"
personnel, contractor personnel, or audit personnel such as the
Inspector General (IG) or the General Accounting Office (GAO).
Application managers may wish to review all access levels of all
users of the application on a monthly basis. While it may appear
that such reviews should be conducted by systems personnel, reviews
conducted by systems personnel usually are not fully effective.
System personnel can verify that
users have only those accesses which their managers have specified.
However, in light of ongoing changes, the application manager is
often the only individual likely to know what access the user
should have.

Audits can also look at least privilege or separation of duties
issues, such as a review of permissions which may involve
discussing the need for particular access levels for specific
individuals or the number of users with high levels of access. For
example, how many employees should really have authorization to the
check printing function? Auditors may also look at non-computer
access by reviewing who should have physical access to the
check printer or blank stock of checks.
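
An added example, not part of the bulletin: a Python sketch of the
mechanical part of such a review, checking each account against the
profile approved for its holder's current position, the personnel
roster, temporary grants, and a separation-of-duties rule. The
profiles, roster, account records, and privilege names are constructed
sample data; only the USERID style (BSMITH) follows the text.

```python
from datetime import date

# Constructed sample data (assumptions, not from the bulletin).
PROFILES = {  # position -> privileges approved by the application manager
    "data_entry": {"db_enter"},
    "accountant": {"pay_initiate", "report_run"},
    "acct_supervisor": {"pay_authorize", "report_run"},
}
SOD_CONFLICTS = [("pay_initiate", "pay_authorize")]  # never held together
ROSTER = {  # personnel office view: employee -> current position
    "BSMITH": "accountant",
    "JDOE": "acct_supervisor",  # transferred from accountant
    "MLEE": "data_entry",
}
ACCOUNTS = [  # (userid, privileges on the system, temporary grants -> end date)
    ("BSMITH", {"pay_initiate", "report_run"}, {}),
    ("JDOE", {"pay_initiate", "pay_authorize", "report_run"}, {}),
    ("MLEE", {"db_enter", "report_run"}, {"report_run": date(1993, 9, 1)}),
    ("RJONES", {"db_enter"}, {}),  # no longer on the roster
]


def review(accounts, roster, profiles, conflicts, today):
    """Return (userid, finding, privileges) tuples for a reviewer to follow up."""
    findings = []
    for userid, privs, temp in accounts:
        position = roster.get(userid)
        if position is None:
            # Account outlived its owner: the departure never reached systems.
            findings.append((userid, "no-active-employee", sorted(privs)))
            continue
        # Temporary grants still in place after their agreed end date.
        expired = sorted(p for p, end in temp.items() if end < today and p in privs)
        if expired:
            findings.append((userid, "expired-temporary-grant", expired))
        # Anything beyond the current position's profile, e.g. privilege creep.
        excess = sorted(privs - profiles[position] - set(temp))
        if excess:
            findings.append((userid, "exceeds-profile", excess))
        for a, b in conflicts:
            if a in privs and b in privs:
                findings.append((userid, "separation-of-duties", [a, b]))
    return findings


if __name__ == "__main__":
    for row in review(ACCOUNTS, ROSTER, PROFILES, SOD_CONFLICTS, date(1993, 10, 15)):
        print(*row)
```

The output is a worklist, not a verdict: whether a flagged privilege
is actually needed remains the application manager's decision.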

Detecting Unauthorized and Illegal Activities
Auditing user accounts can detect unauthorized and illegal
activities. If fraudulent activities require the regular physical
presence of the perpetrator(s), the fraud may be detected during
the employee's absence. Mandatory vacations for critical systems
and applications personnel can help detect such activity. Managers
should avoid creating an excessive dependence upon any single
individual, since the system will have to function during the
vacation period. Periodic re-screening of personnel may also
provide indications of illegal activity, such as living a lifestyle
in excess of known income level.

TERMINATIONS
Managers should consider security issues that arise due to
terminations, both friendly and unfriendly. Friendly termination
may occur when an employee is voluntarily transferred, resigns to
accept a better position, or retires. Unfriendly termination may
include situations when the user is being fired for cause, "RIFed,"
or being involuntarily transferred. Security issues must be faced
in both situations.

Friendly Termination
Since mutually acceptable terminations occur regularly, most
agencies follow a standard set of procedures for outgoing or
transferring employees. These are part of the standard employee
"out-processing," and can be used to ensure that system accounts
are removed in a timely manner. In this case, the personnel office
may send a memo to the head of the computer processing office with
the employee's scheduled date of departure. Other issues must be
examined by the agency as well.

The continued availability of data must often be assured. In both
the manual and electronic world, this may involve documenting
procedures or filing schemes. How are documents stored on the hard
disk and how are they backed up? Are employees instructed whether
or not to "clean up" their PC before leaving? If cryptography is
used to protect data, how will the availability of cryptographic
keys to management personnel be assured? Are employees asked to
document how they accomplish their tasks? What procedures are in
place to make sure this is accomplished?

Managers must also address the confidentiality of data. Do
employees know what information they are allowed to share with
their immediate organizational colleagues? Does this differ from
the information they may share with the public? These and other
agency-specific issues should be addressed throughout an
organization to assure continued access to data and to provide
continued appropriate protection for its confidentiality and
integrity during personnel transitions. The agency's training and
awareness program should include such issues, as appropriate.

Unfriendly Termination
The greatest threat from unfriendly terminat