CSL Bulletin
October 1993

PEOPLE: AN IMPORTANT ASSET IN COMPUTER SECURITY

People are an important factor in ensuring the security of computer systems and the valuable information resources which they process. This bulletin looks at some of the issues involved in staffing positions which interact with computer systems, the administration of users on a system, and the termination of user accounts.

STAFFING

Staffing is the process of defining a position, normally involving the development of a position description; determining the sensitivity of the position; filling the position, which involves screening applicants, conducting background checks, and selecting the individual; and training the new employee.

Position Definition

Managers should identify and address security issues early in the process of defining a position. Once a position has been broadly defined, management must determine the type of computer access needed for the position. Management should consider two general principles when determining access: separation of duties and least privilege.

Separation of duties refers to the division of roles and responsibilities so that a single individual cannot subvert a critical process. In accounting systems, for example, no single individual is given authority to issue checks. Rather, one person initiates a request for a payment and another authorizes that same payment. In effect, checks and balances are designed into the process based on the individual positions.

Least privilege refers to the security objective of granting users only those accesses required to perform their duties. Least privilege may mean that some employees have significant access if required for their position. However, application of this principle may limit the damage resulting from accidents, errors, or unauthorized use of system resources. For example, data entry clerks may have no need to run analysis reports of their database.
A supervisor must carefully determine the duties, responsibilities, and access levels in accordance with the principles of separation of duties and least privilege prior to actually staffing a position. Knowledge of the duties and access levels that a particular position will require is necessary for determining the sensitivity of the position.

Determining Position Sensitivity

Managers should correctly identify position sensitivity levels so that appropriate, cost-effective screening can be accomplished. The position sensitivity designation directly affects resources since screening can be costly. Various levels of sensitivity are assigned to positions in the government. Determining the appropriate sensitivity level is based upon such factors as the type and level of harm (disclosure of private information, interruption of agency critical processing, computer fraud) the individual can cause through use of the computer system as well as more traditional factors such as access to classified information and fiduciary responsibilities. The Office of Personnel Management's Federal Personnel Manual (Section 732-5, subchapter 7) provides detailed guidance on computer/ADP risk levels. Three separate levels are defined, as shown below.

Filling the Position - Screening and Selection

Once a position's sensitivity has been determined, the position is ready to be staffed. In the government, this typically includes publication of a formal vacancy announcement followed by a review of candidates to determine which meet the requirements of the position. More sensitive positions typically require pre-employment background screening while post-employment screening is often acceptable for less sensitive positions. Background screening determines whether a particular individual is suited to occupy a given position.
In positions requiring a high degree of trust, the screening process will attempt to document the person's trustworthiness and the appropriateness of holding a particular position. In the government, the screening process is formalized through a series of background checks. The importance of selecting the appropriate position sensitivity becomes obvious, since screening in excess of the sensitivity of the position wastes resources, while the reverse causes unacceptable risks.

Within the government, the most basic screening technique involves a check for a criminal history, checking the FBI fingerprint records, and other federal indices. More extensive background checks examine other factors such as a person's work and educational history, personal interview, possession or use of illegal substances, and interviews with current and former colleagues, neighbors, and friends. The exact type of screening that takes place depends upon the sensitivity of the position to be occupied and applicable agency implementing regulations. Screening is not conducted by the prospective employee's manager; rather, agency security and personnel officers should be consulted for agency-specific guidance.

Outside of the government, screening processes are often less formalized. However, depending upon the harm that a particular employee may be able to cause, background screening is often considered a wise investment. With limited expenditures, supervisors or personnel officers can telephone or write references, including personal and work, provided by the applicant. A small investment in employee screening before hiring can alert management to serious questions about a person's trustworthiness.

For both the government and private sector, finding something negative or detrimental in a person's background does not necessarily mean that they are unsuitable for a particular job. A determination must be made based on the type of job, the type of finding or incident, and other relevant factors.
In the government, this process is referred to as adjudication.

Employee Training and Awareness

Once a candidate has been hired, the staffing process continues with training in the computer security responsibilities and duties of the position. Training can be very cost-effective in promoting security. Some computer security experts argue that employees must receive initial training before granting them any access to computer systems. Others argue that this must be a risk-based decision, perhaps only granting restricted access or access only to their PC until the required training is completed. Both approaches, however, recognize that adequately trained employees are crucial to the effective functioning of computer systems and applications. In addition, although training of new users is critical, managers must recognize that security training and awareness activities should be ongoing throughout the time that an individual is a system user.

USER ADMINISTRATION

The purpose of user administration is to make sure that the information in the computer system about a user is correct and that access privileges are authorized and up-to-date. In addition, user administration can detect some unauthorized and illegal activities.

User Account Management

User account management encompasses the process of requesting, establishing, issuing, and closing user accounts. It includes tracking of users and their respective access privileges and the management of these functions.

User account management typically begins with a request from the user's supervisor to the system manager for a system account. If a user is to have access to a particular application, this request may be sent through the application manager to the system manager. This assures that the systems office receives formal approval from the "application manager" for the employee to be given access.
The request normally states the level of access to be granted, perhaps by function or by specifying a particular user profile. Often when more than one employee is doing the same job, a "profile" of permitted authorizations is created.

Systems operations staff use the account request to create an account for the new user. The access levels of the account should be consistent with those requested by the supervisor. This account is normally assigned selected access privileges which are sometimes built directly into applications, and other times rely upon the operating system. "Add-on" access applications are also used. These access levels and privileges are often tied to specific access levels within an application.

Next, an employee is given their account information, including the account identifier (USERID) and means of authentication (password or smart card/PIN). One issue which frequently arises at this stage is whether the USERID is to be tied to the particular position an employee holds (ACC5 for an accountant) or the individual employee (BSMITH for Brenda Smith). Tying accounts to positions can often simplify auditing. However, if the USERID is created in this manner, procedures should be established to change them if employees switch jobs or are otherwise reassigned.

At the time employees receive their account, managers should provide initial or refresher training and awareness on computer security issues. Users should be asked to review a set of rules and regulations for system access. To indicate their understanding of these rules, many organizations require employees to sign a "computer account receipt," which may also state causes for dismissal or prosecution under the Computer Fraud and Abuse Act and other applicable state and local laws.

When user accounts are no longer required, the supervisor should inform the application manager and IRM office so that accounts can be removed in a timely manner.
One useful secondary check is to work with the local organization's personnel officer to establish a procedure for routinely notifying the systems office of employee departures.

Access and privilege administration is a continuing process. New users are added while old users are deleted. Permissions change, sometimes permanently, sometimes temporarily. New applications are added, upgraded, and removed. Tracking this information ensures that the principle of least privilege is maintained.

In administering these accounts, managers must balance timeliness of service and record keeping. While sound record keeping practices are necessary, delays in processing change requests may prompt users to request more access than they need, so that they can avoid delays should such access ever be required.

The process of managing user access is often decentralized, particularly for larger systems. Regional offices are typically granted the authority to create accounts and change user privileges. Proper oversight can help avoid major security risks.

Temporary Assignments and In-house Transfers

User privileges must be kept up-to-date. Privileges are typically changed when there is a change in job role, either temporarily, such as covering for an employee on sick leave, or permanently, following an in-house transfer or termination.

During the absence of others, users are often required to perform duties outside their normal scope, requiring additional access privileges. Such necessary access privileges should be granted sparingly and carefully monitored, consistent with the need to maintain separation of duties for internal control purposes. Also, these privileges should be removed in a timely manner when no longer required.

Permanent changes in access privileges are usually necessary when employees change positions within an organization. In this case, the process of granting account privileges occurs again. Access privileges of the prior position should be promptly removed.
Many instances of "privilege creep" have occurred with employees continuing to maintain their access rights for all previously held positions within an organization. This practice is inconsistent with the principle of least privilege.

Audit and Management Reviews

From time to time, a review of an entire system becomes necessary. For personnel issues, such reviews may examine the levels of access of each individual, consistent with the concept of least privilege; whether all accounts are still active; whether management authorizations are up-to-date; and whether required training has been completed. These reviews can be conducted on at least two levels: an application-by-application basis or a system-wide basis. Both kinds of reviews can be conducted by, among others, "in-house" personnel, contractor personnel, or audit personnel such as the Inspector General (IG) or the General Accounting Office (GAO).

Application managers may wish to review all access levels of all users of the application on a monthly basis. While it may appear that such reviews should be conducted by systems personnel, reviews by systems personnel alone are usually not fully effective. System personnel can verify that users have only those accesses which their managers have specified. However, in light of ongoing changes, the application manager is often the only individual likely to know what access the user should have.

Audits can also look at least privilege or separation of duties issues, such as a review of permissions which may involve discussing the need for particular access levels for specific individuals or the number of users with high levels of access. For example, how many employees should really have authorization to the check printing function? Auditors may also look at non-computer access by reviewing who should have physical access to the check printer or blank stock of checks.

Detecting Unauthorized and Illegal Activities

Auditing user accounts can detect unauthorized and illegal activities.
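The account review described under Audit and Management Reviews, as an added example that is not part of the bulletin: each account is checked against a per-position authorization profile (least privilege and privilege creep), against a separation-of-duties rule (nobody both initiates and authorizes a payment), and for departed employees, out-of-date management authorizations and incomplete training. The profiles, privilege names, USERIDs and dates are constructed for the demonstration.

```python
# Added example, not from the bulletin: a periodic review of user accounts.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical authorization profiles, one per position (the bulletin's
# "profile" of permitted authorizations for everyone doing the same job).
PROFILES = {
    "accounts_payable_clerk": {"view_ledger", "initiate_payment"},
    "payment_approver": {"view_ledger", "authorize_payment"},
}
# Privilege sets no single account may hold together (separation of duties).
CONFLICTING = [{"initiate_payment", "authorize_payment"}]

@dataclass
class Account:
    userid: str
    position: str
    granted: set                     # privileges currently on the account
    authorized_until: date           # expiry of the supervisor's authorization
    training_complete: bool = False
    departed: Optional[date] = None  # departure date reported by personnel

def review_account(acct, today):
    """Return the review findings for one account (empty list if clean)."""
    findings = []
    excess = acct.granted - PROFILES.get(acct.position, set())
    if excess:  # rights beyond the profile, e.g. kept from a prior position
        findings.append("privilege creep: " + ", ".join(sorted(excess)))
    for pair in CONFLICTING:
        if pair <= acct.granted:
            findings.append("separation of duties: " + ", ".join(sorted(pair)))
    if acct.departed is not None and acct.departed <= today:
        findings.append("account still active after departure")
    if acct.authorized_until < today:
        findings.append("management authorization out of date")
    if not acct.training_complete:
        findings.append("required security training not completed")
    return findings

def review_all(accounts, today):
    """Map each USERID with findings to its findings; clean accounts are omitted."""
    return {a.userid: f for a in accounts if (f := review_account(a, today))}

REVIEW_DATE = date(1993, 10, 1)  # constructed sample accounts follow
SAMPLE = [
    Account("BSMITH", "accounts_payable_clerk", {"view_ledger", "initiate_payment"}, date(1994, 1, 31), training_complete=True),
    # JDOE moved from clerk to approver but kept initiate_payment.
    Account("JDOE", "payment_approver",
            {"view_ledger", "initiate_payment", "authorize_payment"},
            date(1994, 6, 30), training_complete=True),
    # ACC5 departed in September; the systems office never closed the account.
    Account("ACC5", "accounts_payable_clerk", {"view_ledger"},
            date(1993, 9, 30), departed=date(1993, 9, 15)),
]
```

review_all(SAMPLE, REVIEW_DATE) reports JDOE for privilege creep and a separation-of-duties conflict and ACC5 for an open account after departure, a lapsed authorization and missing training, while BSMITH produces no findings.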
If fraudulent activities require the regular physical presence of the perpetrator(s), the fraud may be detected during the employee's absence. Mandatory vacations for critical systems and applications personnel can help detect such activity. Managers should avoid creating an excessive dependence upon any single individual, since the system will have to function during the vacation period. Periodic re-screening of personnel may also provide indications of illegal activity, such as living a lifestyle in excess of known income level.

TERMINATIONS

Managers should consider security issues that arise due to terminations, both friendly and unfriendly. Friendly termination may occur when an employee is voluntarily transferred, resigns to accept a better position, or retires. Unfriendly termination may include situations when the user is being fired for cause, "RIFed," or being involuntarily transferred. Security issues must be faced in both situations.

Friendly Termination

Since mutually acceptable terminations occur regularly, most agencies follow a standard set of procedures for outgoing or transferring employees. These are part of the standard employee "out-processing," and can be used to ensure that system accounts are removed in a timely manner. In this case, the personnel office may send a memo to the head of the computer processing office with the employee's scheduled date of departure.

Other issues must be examined by the agency as well. The continued availability of data must often be assured. In both the manual and electronic world, this may involve documenting procedures or filing schemes. How are documents stored on the hard disk and how are they backed up? Are employees instructed whether or not to "clean up" their PC before leaving? If cryptography is used to protect data, how will the availability of cryptographic keys to management personnel be assured? Are employees asked to document how they accomplish their tasks?
What procedures are in place to make sure this is accomplished?

Managers must also address the confidentiality of data. Do employees know what information they are allowed to share with their immediate organizational colleagues? Does this differ from the information they may share with the public? These and other agency-specific issues should be addressed throughout an organization to assure continued access to data and to provide continued appropriate protection for its confidentiality and integrity during personnel transitions. The agency's training and awareness program should include such issues, as appropriate.

Unfriendly Termination

The greatest threat from unfriendly terminations is likely to come from systems personnel, as they are best positioned to wreak considerable havoc on systems operations. Without appropriate safeguards, systems personnel can place logic bombs (e.g., a hidden program to erase a disk) in code which will not even execute until after the employee's departure. Backup copies can be destroyed. There are even examples where code has been "held hostage." But other employees, such as general users, can also cause damage. Errors can be input purposefully. Documentation can be misfiled. Other "random" errors can be made. Correcting these situations can be resource-intensive.

Given the potential for adverse consequences, security specialists routinely recommend that system access be terminated as quickly as possible in such situations. If an employee is to be fired, system access should be removed at the same time (or just before) the employee is notified of dismissal. When an employee notifies an agency of a resignation and it can be reasonably expected that it is on unfriendly terms, system access should be immediately terminated. During the "notice" period, it may be necessary to assign the individual to a less sensitive area and function. This may be particularly true for systems personnel. In other cases, physical removal may be warranted.
SUMMARY

We have considered the personnel security issues including the staffing and screening of employees for positions and the management of user privileges. Particularly important are security issues involved in user administration, including identification and authentication management and access and privilege administration. Audit and other management reviews are useful in detecting unauthorized and illegal activities. Finally, agencies must be aware of security issues involved in removing access privileges for both friendly and unfriendly terminations.

For more information, we suggest that you consult:

Office of Personnel Management, Federal Personnel Manual
NIST CSL Bulletin on Security Issues in Public Access Systems, May 1993
5 CFR Part 903, "Training Requirements for the Computer Security Act"