Sep 04 2012

Human Resources Security and ISO 27001

Category: ISO 27kDISC @ 3:19 pm
English: A candidate icon for Portal:Computer ...

Pre-Employment Background Investigations for Public Safety Professionals

One of the most popular misconceptions about ISO27001 is that this standard may only deal with IT related information security controls. The truth is ISO27001 covers information security controls for several different business functions of an organization including human resources.

Section 8 of ISO27001 specification in annex A is regarding human resources security. Human resources domain addresses three different stages of the employment: pre-employment, during employment and post employment. In this post we will address the importance of pre-employment controls for personnel who may manage ISMS or handle the sensitive information in an organization. Control A8.1 deals with pre-employment. The basic objective of this control is to minimize the loss of information which may occur but not limited to fraud and human mishandling. This control requires organization to document the roles, responsibilities and accountability to manage and maintain ISMS (Information Security Management System)

Control A8.1.2 requires organization to perform verification checks on permanent employees, contractors and third parties. Any screening must be carried out in accordance with the relevant local laws. This may be especially true for the international organizations which have presence around the world. Control A8.1.3 requires organization to ensure that the employees, contractors and third parties all agree and sign the employment contract that contains terms and conditions covering, their and the organization’s responsibilities for information security.

Below are the basic job verification checks which must be completed:

  1. Character reference check for at least one personal and one business reference. Take comprehensive notes for the records.
  2. Verify the accuracy of employee’s resume.
  3. Conformation of academic and professional qualifications.
  4. Passport verification for identity check
  5. Verify that an individual has an authorization to work in the country

Bear in mind the personnel vetting process may vary for government jobs or for the personnel handling highly classified material/data.

Tags: Human resources, Information Security Management System, iso 27001, ISO/IEC 27001

Nov 26 2008

Cyber threats and overall security assessment

Category: Information Warfare,Risk AssessmentDISC @ 3:13 am

The main screen showing star names (color-code...
Image via Wikipedia

In the past when senior management (execs) needed to understand the financial implication of cyber threats and their exposures, they turned their questionnaires toward IT for relevant answers. In other words IT risk assessment was the answer in the past to understand the financial implications of cyber threats. The IT risk assessment is not the comprehensive or overall assessment of the company to understand the total implications of cyber threats. The overall assessment will not only include IT but also other departments like HR and legal etc… Basically cyber threats are neither IT issue and nor a legal or HR issue any more, it’s simply an enterprise management issue.

In old days the firewall was used as a major defense against potential cyber threats. The new cyber threats are sophisticated enough to demand better defense. New threats (virus, adware, worms, Trojan, spyware, spam, phishing) use modern techniques to bypass defenses. The potential risks of these new threats demand an immediate attention (of CFO or higher) and approval for resource allocation to protect against cyber threats. To make a solid business case for security ROI, senior level execs need to know the overall risk they are reducing, and their highest priority.


ANSI and ISA have jointly released a document to assist senior management to prepare for financial implications for cyber threats. Basic essence of the guide is to provide a tool to execs to understand the financial implications of potential cyber threats to their organizations.

“The 40 page guide was put together by task force of risk management execs from more than two dozen organizations. The new guide offered by ANSI and the ISA recommends that CFO ask their various team’s questions about the biggest threats to data confidentiality, integrity and availability,” to get to know the existing controls in place and any relevant mitigation plan. Risk analysis of this information can help execs to map the cyber threats risks into correct financial terms and make better resource allocation.
The senior execs who want to implement information security as a process in their organization should consider ISO 27001 (ISMS) as a best practice, which provides a reasonable on-going due diligence to protect and safeguard organization data.

Reblog this post [with Zemanta]

Tags: availability, Business, Chief financial officer, cyber threats, data confidentiality, exposure, Financial services, Human resources, Insurance, integrity, isms, ISO/IEC 27001, Management, overall assessment, risk analysis, Risk Assessment, Risk management, roi, Security