Because people execute security policies (or violate them), hiring, managing and (alas) firing are important aspects of information assurance (IA) management. In a recent class discussion of personnel policies and security, the IS342 Management of Information Assurance class reviewed some of the fundamental principles of personnel and security.

To start with, we face two fundamental problems in all discussions of crime, especially white-collar crime, and particularly computer crime: we have incomplete ascertainment and we have incomplete reporting.

The problem of ascertainment lies in the difficulty of identifying crimes or errors that compromise confidentiality and control, at least until the malefactors reveal the data leakage by using the purloined information. And unfortunately, we don’t yet have any centralized reporting of computer crimes or legal requirements for contributions to such a central database – so we lack reliable estimates of the frequency and severity of computer security breaches.

Nonetheless, a broad consensus among IA practitioners supports the belief that a sizable proportion of damage to computer systems – perhaps even half – comes from errors and omissions. Attacks from outside systems and networks have increased over the last two decades because of the huge growth in interconnectivity brought about by the wide use of the Internet.

Under these conditions, selecting appropriate employees can be a major contribution to effective IA. This review looks at hiring, management and firing from the perspective of IA managers.