CCT 176: Policies and Procedures - Candidate Screening, Employment Agreements, and Background Checks for the CISSP (Domain 1.9.1-4)
Sep 16, 2024

Are you ready to uncover the secrets behind successful candidate screening and robust employment agreements in cybersecurity? Join us on this episode of the CISSP Cyber Training Podcast, where we promise to equip you with essential techniques to vet the right candidates for sensitive security roles. From structured interviews to behavioral questions and technical assessments, we cover the full spectrum of best practices. Plus, we'll discuss the critical importance of maintaining up-to-date systems and managing end-of-life devices, spotlighting recent vulnerabilities in the Ivanti Cloud Services Appliance.
Next, we tackle the nuanced world of employment background checks and onboarding security. Discover why separation of duties and the principle of least privilege are non-negotiable in safeguarding sensitive information. We explore the complexities of background checks, including criminal history, credit checks, and education verification, to help you navigate the legal and HR hurdles effectively. Learn how to secure candid feedback from professional references to mitigate insider risks and bolster your organization's defenses.
Finally, we delve into the intricacies of employee transfers and contractor agreements, addressing the significant risks of credential creep and unauthorized data retention. Our discussion emphasizes the importance of a well-structured termination process and automated access removal to protect your data. We wrap up with a simplified approach to preparing for the CISSP certification, offering a step-by-step plan to help candidates succeed on their first attempt and enhance their skills in their security roles. Don’t miss these invaluable insights and strategies designed to elevate your cybersecurity practices!
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go.
Speaker 2:
Hey, I'm Sean Gerber with CISSP Cyber Training and hope you all are having a wonderful day today. Today is an amazing day. It is. Today we are going to be talking about some different cool stuff related to candidate screening and employment agreements. Yeah, baby, it's going to be fun. Yeah, so we are now in domain one of the CISSP. Again, what we do is we go back from domain one all the way to domain eight and then we roll back through again, just to kind of go grab topics that are tied to the ISC squared CISSP exam, and we're going to pull up different areas and you have access to them.
Speaker 2:
All this content that I am talking about here at CISSP Cyber Training is available at CISSP Cyber Training and again, I wanted to reiterate the fact that any of the content that you buy from CISSP Cyber Training, all of the proceeds go to a nonprofit for adoptive families. That's kind of my wife's and my goal, that all proceeds will go to basically helping fund parents who want to adopt children, in a way to help give them some money, to either provide low-interest loans or actually grants so that they can go through the adoptive process. Adopting children is a very expensive endeavor, especially raising them is even more expensive, but adopting them can be very challenging. So we want to make sure that we go through and at least provide opportunities for people if they want to do so. But today we're going to be talking about candidate screening. Yes, that is the topic for today, but before we do, I wanted to talk about a real quick article.
Speaker 2:
I saw one that just popped up today, I think, or yesterday it came out; it was around the Ivanti Cloud Services Appliance. Now, to put it in perspective, these cloud service appliances, they're allowing you to do remote access into your cloud environment, and Ivanti has a cloud service appliance. There's a lot of these out there. Different companies have them, but this one specifically is brought up by CISA. It's because of a remote code execution flaw that's in it. That would basically allow an attacker to have remote access into your cloud environment if you use this Ivanti cloud appliance. Now I want to set some expectations around it a little bit. A lot of times, with these different types of threats, they're not always an OMG, this is bad and this is a critical vulnerability, as it relates to Ivanti and on the CVE score. I think it's got it as a 7.2.
Speaker 2:
One of the big things that comes up with this is you have to have admin credentials to get into it. So there's a couple of key factors. One, you have to have admin. Second, you also have to have remote codec or remote capability to it, and you've got to be running a system that is no longer being supported. So those three things are kind of the nexus for you to be able to gain access to this if you're an attacker.
Speaker 2:
That being said, the reason CISA has such a big concern about it is the fact that it is in your cloud environment and then, once you gain access to it, anywhere in the world someone can remotely gain access to your cloud environment through their cloud service appliance. So it's important for you just to make sure you take a look at this and see if it might affect you and your company. They're talking about it's an OS command injection vulnerability. They basically have a patch, version 4.6 and its patch 5.18. The flaw will allow an attacker to have remote authentication into your environment. Again, the CSA 4.6 is also end of life, so make sure you check on that. Again, we've always talked about this with CISSP Cyber Training, and we talk about the fact that you're ensuring that you keep your systems up to date and they are the most current possible. Now, I understand the fact that you may not have, let's say version X just came out yesterday and you have, let's just say, oh, version D or E or F, but all of that is still within the company's timeframe. You have to keep informed on if version D is a good enough substitute for version F or version Y that's in place right now, and so what I'm just trying to say is that you need to keep on top of your vulnerability management, because these things can come out and then, all of a sudden, you have something to deal with in this situation.
Speaker 2:
If you're dealing with end-of-life devices, they should be gone. You should have a plan to get rid of all end-of-life devices before they actually run end-of-life, that is, when the company no longer supports them. That is something you don't want to get into and what ends up happening a lot of times. Companies will do this. They will wait till the last minute to change these, or because of the fact that maybe funds are tight and IT doesn't seem as important to them because they're there to make money, and I get it, totally get it. They will leave some of these devices to just run, even if they are end of life, just because they're like, you know what? There's end of life, which we talked about in CISSP Cyber Training. There's end of life and there's end of support. They may be end of life, but they're still supported in some form or fashion.
Speaker 2:
You have to determine which one is best for you and if you're going to continue using these devices after they reach that end of life period. Bottom line, you, as a cybersecurity professional, need to be updated and abreast of all of the systems that are in your environment and their patching levels and where they're specifically at in their overall lifecycle management plan. So, again, all that is bringing up is the fact that you need to have a plan, because, if you don't have a plan, something like this will come up eventually. It's just a matter of time. Okay, so in this episode, we are going to be getting into personnel security policies and procedures, which is around candidate screening, employment agreements, those kinds of things, and so we're going to get into each of those little topics and see how you need to be better prepared. One, for the CISSP, but two, as you may already have expected, a lot of folks that listen to this podcast already have IT backgrounds and they're already in this space, so a lot of this information can be extremely valuable to you, depending upon your role within the company. Okay, so, job description.
Speaker 2:
So when we're looking to hire somebody, especially in today's world, you're looking to hire someone that has a background in IT, or maybe a security person or something like that, you need to have a good job description, which is extremely important. A lot of times this will run into the fact that you need to work with your HR people to really come up with a good plan on what is a good job description. This would be requirements, responsibilities and skills needed. Is this person going to be a leader or a technical person? And then you need to also think about what is the career progression for the individual. Like I've mentioned to folks that have asked me, from a mentorship standpoint, what do I do to look for my progression with the company? And when you're going and looking for an interview and you're looking to interview for a role, you need to be very transparent with people, and you need to ask them, because you know what, even though you're looking for a job, you're interviewing. They're interviewing you for a job. You are also interviewing them for the role.
Speaker 2:
One thing that you have, as far as a security person goes, is there's plenty of opportunities in the market right now, tons of opportunities, and what that means is, though, is you do not have to be super picky about, or I shouldn't say, you do not have to be one that just takes the first opportunity that comes up. You need to look at: do you want to be picky about what you're going after? Now, there's a big difference with this, right. If you are out of a job, you might not be as picky and you might take whatever comes along. If you currently have a job, you can be a little bit more selective in what you're trying to find. The best time to look for a job is when you have one. That is the best time to look. When you don't have a job, that is not a good time to be looking for a job, because sometimes you can be a bit more desperate about what you're trying to find. But if you're putting together some sort of job description to hire somebody, these are all the things you need to think about, and again, the person coming in may ask you these questions.
Speaker 2:
You also need to consider separation of duties and the principle of least privilege. So, as you are bringing somebody on board, what do you want them to have access to? A company I'm working with right now, one of the questions that came up is they're working with some stuff that is extremely sensitive. They said we do not want contractors working on this. I go, any contingent worker? I get it, totally, even though I'm a contingent worker. They don't want them working on it. Totally understand, because there is sensitivity around these folks working on these systems, and so, therefore, it's important that you determine who is allowed to do this, what is the role of their job and what are they allowing them to have access to? And again, this comes back to the principle of least privilege. You give them the least amount of privileges they need to do their job, no more, no less.
Speaker 2:
The other thing to think about, as we'll get into, is rotating jobs, roles and experience. Something to consider is, and this happens especially in the banking industry, where you'll have someone that's a security professional working in a role and they will mandate you have two weeks of vacation you have to take, but they will tell them you can't, you're going to take it when I tell you you can take it. You can't tell me when you're going to take it, I'm going to tell you when you'll take it. And they may even give them three weeks of vacation because of that situation, right, where you don't have the flexibility to say, well, I'm going to take two weeks in December and I'm going to take one week in June. They may come down and say, no, you're going to take it all in July. But the reason is because they want to put somebody else in that role to look at it, to make sure someone isn't doing something nefarious, and so that's the part that comes into play when you're dealing with rotating jobs or also substituting jobs. So, something that you'll want to consider if that is going to be happening within that role.
Speaker 2:
Another thing to consider is the background checks piece. Now, a background check is obviously you're looking into the person's background. What do they have? What about criminal history, credit checks and so forth?
Speaker 2:
Background checks can be a bit squishy. I've had some senior leaders within various organizations tell me that the background checks are very light. They don't do them because they're worried about lawsuits and they're worried about individuals thinking of them being preselected, picking them up for something that they didn't do, that they did a long time ago. And then there's all those ramifications. You have to determine: does the role need to have a background check? And if so, you need to specify that in the documentation. It could be something where you just specify, saying it could be warranted if it's by the individual. Like, say, I'm hiring somebody and I go, you know what, I'm going to put in there, I want a background check, but I'm not going to say it's mandatory. I might say background checks could occur for an employee, should we choose to do so. It leaves a little bit open-ended. I know, it's kind of that squishiness. You'll have to work with your legal team and your HR team to determine what is best for you.
Speaker 2:
But a background check again looks at criminal history. Do they have a background of any sort of criminal record for theft, fraud, any of those aspects? One thing that comes up that I deal with is when someone leaves an organization to go to another organization. Technically you're not. You'll say, well, do you have any references? Most big companies will not call the other company and say, hey, Billy Joe just left Company X, I'm going to call Billy Joe's company, Company X, and see how Billy Joe did. Large organizations, they tend to not do that. They just kind of move along and they try to weed that out within the interview process. Smaller companies may do something like that and they may look also to determine if the person does have a criminal record, data theft, those types of aspects. When you're dealing with the insider risk, those can get really squishy because most people, most companies, will not prosecute for an insider risk unless it's something very blatant, and so you could be hiring somebody within your organization that was an insider in another organization and you may not know it.
Speaker 2:
So you need to really be careful about how you interview the people for the roles, especially for the role that you're getting that might be very sensitive. You need to have a really good plan on how you're going to interview them and ask questions of them. Credit checks kind of help you understand the financial responsibility, where people are at in their financial world. Education verification. We've been watching the Netflix series Suits, and the young man basically lied about the fact that he went to Harvard Law. You may want to do an education verification to ensure that the people that you are hiring actually have the background they say they do. I have seen this personally, where there's been a lot of fraud when it comes to having their background and not going to the school or the certifications. One way to solve this is by asking some very poignant questions and then also maybe potentially finding folks within your organization, if it is a concern, on how you can reach out to these different education places to make sure they were on their rolls.
Speaker 2:
Professional references, always a good one. Again, that is something that you can reach out to and ask about. I would highly recommend that, but I'd also ask the question of folks, going, okay, you give me these professional references. Obviously you have coached these people and talked to them. They know I'm coming.
Speaker 2:
Is there somebody in your background that maybe wouldn't give you the best professional recommendation that you might be willing to let us talk to? It catches people off guard. Why? Because you know what, you don't get along with everybody and that's okay. But if there's somebody out there that would be like, you know what, Sean is a really good worker. I didn't get along with him. I did not like the man. He and I had a difference of opinion, but he will work hard for you. I would go talk to that person, just because I know that you don't get along with everyone, so understanding who that could be could be valuable.
Speaker 2:
Now you may want to pull that out in the interview and maybe not call them, but just maybe ask a question, going, has there ever been a time in your life where you've worked with somebody who you did not get along with, and can you tell me about that situation? And ask for a situation, a behavior, an outcome. How did it all turn out? All of those aspects can occur during the interview process. Social media screening, that's a good one. You've got to look at what people put on their own posts online. I'd say it's highly recommended. Now, obviously you want your HR people to do this for you. It's not best for you to go poking around. If you have HR folks, have them dig around a little bit if they have the ability to do so. They've been working with legal on what they can and cannot do. So I would highly recommend you go with somebody that knows what they're doing in this space.
Speaker 2:
So in the interview process, you want to have a structured interview set up and you want to have a plan so that you're going to be asking very consistent questions of all candidates. So candidate one, two and three, the questions need to be the same. They also need to look for behavioral-type interviews. Provide them abilities around decision-making, problem-solving, work ethic. You want to have a problem-solving skill conversation with them.
Speaker 2:
We've seen it time and again and you hear people, I mean, I'm an old guy and you hear people that I'm around that are in my sphere of influence and they're like, man, these kids, they don't know how to work. They don't. It's just not like the old days. I laugh because I sound like my grandfather, because I remember when I was a kid going, yeah, these young people, they're just clueless. So you know, I think it's all generational, but you do need to ask. One thing we have seen in the younger generation from me is the problem-solving skills are a bit lacking because of the fact that they have the internet at their fingertips and so, rather than think through some of the problems and then try to solve the problems, they'll go directly to the internet. My daughter, walking out the door, says, hey, Siri, tell me this, hey, Siri, tell me that. And what ends up happening? And she just started talking to me because I said that. What ends up happening is then they can't think about the problem and they can't solve it themselves.
Speaker 2:
You should have a technical assessment. Have somebody on your team that, if you're not the technical person, have someone on your team who can be that technical person. It's important that someone can dig in to find out what kind of background these people have. Do they have the technical chops to be able to give you what you want? Reference checks, look for references, which we talked about a little bit earlier. Do they have those? Can they provide those to you? And then I would recommend maybe not calling them all, but maybe sampling a few.
Speaker 2:
Now, employment eligibility, depending upon what you're hiring somebody for, you have your I-9 in the United States. You have your I-9 forms for candidates that are working in the United States that may not be part of the United States. You have E-Verify and you have your immigration laws. I will tell you that when you're dealing with security, that's a very touchy subject. Some companies will allow individuals from outside the company or outside the country to be able to work on their stuff. I would say in most cases they will not outsource some of the more sensitive areas to external locations. So sending this kind of capability to India, if it's for somebody in the United States, let's say, around insider threat, may not be the right choice for your organization. Now, your organization might be okay with that, but in many cases that would be a little bit too sensitive for some in those situations. That being said, security operations centers, SOCs, many times are being operated very well by organizations outside of the United States. I know some really good SOC teams that are in India and they're amazing, and so it's important for you to understand that. What are you actually looking for?
Speaker 2:
And then you may have to have some sort of compliance around eligibility of employees that are either in the United States or outside. Employment agreements. So when you're dealing with hiring somebody, you need to have various types of agreements in place with them, especially in the security space. You need to have this, but pretty much in all roles, depending upon what the company does for a role, what it does for a job. One of those would be confidentiality agreements. Obviously, you want your employees to have confidentiality agreements that they sign within your organization when they join the company and then, when they exit, you just make sure, if they need to, that they sign those confidentiality agreements or nondisclosure agreements after they leave.
Speaker 2:
Now, one thing I've run into is I have signed confidentiality and nondisclosure agreements throughout my entire career and that's something to be expected. That's why, when you hear me talk on CISSP Cyber Training, what do I do? I speak in generalities, I don't go specifically around, hey, on this day I was working with company X at company X and we were working on X, Y and Z, and when we were working on X, Y and Z, this went bad. Yeah, I won't do that, because at least I try not to do that, because it potentially (potentially doesn't mean it has) could violate any sort of nondisclosure agreements or confidentiality agreements I have with different companies. So it's better to keep all of these things in generalities. Now, it doesn't mean you can't talk about things as long as you don't give enough information out that someone could put one plus one equals two together to realize that, you know what? Hey, oh, this vulnerability is at company X. I'm going to go attack them. That would be bad. So you need to make sure that you are very closed and very confidential with the information you're sharing with other parties.
Speaker 2:
Now there's another one called a non-compete agreement. So these are for employees who are working with competitors or potentially starting a competing business. I've had to deal with these as well. Now these are a little bit more squishy and I've heard people say, well, you can puncture a non-compete. That depends, right. Realistically, this is all it's designed to do. It's a piece of paper designed to make you think twice before you act.
Speaker 2:
If you decide to start up a company and you are, it's like, in that squishy gray area, you want to make sure that you have a lawyer that has looked at everything you do and it will give you an idea of what he or she thinks will be this next situation. Because if you are in that squishy gray area and the company feels threatened, they will come after you and it's a really good way to shut you down. I've been in various different discussions with senior leaders within companies to say, yeah, this person here is potentially breaking their non-compete and we're going after them, and then it ties everything up in legal fees and lawyers and it gets extremely expensive and it's bad. It's really bad. So you need to really think hard about doing non-competes and if you're going to go into a field that potentially could get into some sort of challenges. Intellectual property agreements, again, these are in the case of you are developing intellectual property for a company. Do you have an agreement with them?
Speaker 2:
Now, most companies will have some sort of broad-brush intellectual property agreement that you sign when you start on with a company, and the goal is that whatever you make for that company is that company's property. There might be situations where they will allow you to keep it on your own, such as when I signed up with some various contracting firms. Part of my agreement with them is that I get to keep my own IP and the purpose is I want to be able to reuse it for stuff that I do. Now it just depends on who you're working with and what is the situation. If you're an employee, odds are high you're going to sign an intellectual property agreement and anything you create is their IP.
Speaker 2:
So something to consider if you are hiring people in the security space, when you're bringing somebody on board, you need to have an orientation program and that basically walks employees through what's the company's culture, process, procedures, so on and so forth. The reason I say that, you're going, well, that isn't cyber. You're right, that part necessarily isn't. But you need to work with your HR teams to have something to give them that is cyber related, i.e., remote access, password policies, you name it. All of those pieces you need to provide to your HR team so that they have that information on new employees that start up. Another one, if you have an insider risk program, is the fact that you have a document that doesn't say what you're looking for but just says, hey, if you see something, say something. And it's more or less to tell people that if you see something with Bill, what Bill's doing, that is inappropriate with company data, let us know.
Speaker 2:
We want to know about it. Well, it's also letting them know that, hey, if Bill sees you doing something you shouldn't be doing, he's going to let us know too. So that's kind of that subtle little passive-aggressive stuff, right. The goal is just to inform them that we're looking, not at them specifically, unless they do something wrong, or we're just moving forward, and that's the ultimate goal. You want to have a good relationship with your HR teams. Now I will tell you, HR teams will struggle with this sometimes, especially in a new company or a company that didn't have a program before. They don't know how to take the IT guy. And this is where we come in. We talk about, to be a senior leader with an organization, whether it's a CISO, vice president of technology and IT, you've got to be able to speak with the dolphins and you've got to be able to speak with the sharks, and so, therefore, it's important that, whatever program you do, whatever you build with a company, that you are that intermediary between them. You are the one that can speak the technical pieces but also can speak the corporate jargon. It's important to have that, and if you don't have that now, that's okay. You just need to make sure that you start building that capability within yourself over time. And also, I would highly recommend you build that capability into your people. Give them opportunities, progression, ways that they can take that and then, when they leave your company, they can go someplace else. You set them up for success, which is what you really truly want.
Speaker 2:
A lot of times companies will say, well, I don't want to teach my people this stuff because then they'll leave. I guarantee you this. They will leave, period, no matter what, they're going to leave. So if you set them up for success and help, mentor them and guide them and lead them, here's the deal I've learned. If you do that and you have a really good, open relationship with them, you're going to have a good idea of when they're going to leave before they leave, and therefore then you can plan, because I would rather plan for somebody leaving my company than me just all of a sudden getting sprung upon, hey, I'm out the door. Because I've done that and my boss wasn't real happy when I did that. But what it came down to was my boss was not really in touch with what I wanted, and when he's not in touch with me, I'm looking, and if I'm looking and I leave, I put people in a bit of a crux and a bit of a position. That's what you want to avoid, and the way to avoid that is having good relationships with your people. It doesn't mean it's going to solve it, but it can at least kind of short it out a bit.
Speaker 2:
Training and development, you need to have training and development programs for your people, help them develop the skills and knowledge necessary to perform their jobs effectively. Access provision: how do you give them access? I've been working with a company that is a nightmare to get access. It was just terrible. Big company, understand it, totally get it, but getting access was a total pain in the bottom and so therefore, because of that, it takes time. You want to be able to get them the access to the applications, the systems and the data the way they need, in a timely manner, so that they can get on with their job. Equipment distribution, you need to have a plan around that. How do you get them laptops and phones and all those different pieces of equipment to do their job? And then you need to make sure they have a compliance training plan in place. This would be acceptable use, discussing prohibited activities. All of those aspects are an important factor that you need to give to people to get them up to speed and ready to go.
Speaker 2:
Now one thing to think about when you're dealing with employees. This comes into the transfers piece. What is that? So let's say you have an individual who wants to leave your company, or who's in your company and goes from section A to section B, to different parts of the company. That's a transfer. So you have to determine, do you treat this as a fire and hire versus a personnel move? What that means is, okay, so if I fire somebody, I terminate access, and then I hire them someplace else, I reestablish their access. That's a fire and hire type of move. So Bill is moving from company A, that's within the overall umbrella. So let's go, he's in company A and he's in section B and he's moving to section C. Do you fire him from an access standpoint and rehire him from a role standpoint, or do you just transfer him over like a personnel move? Each of those has different kinds of positives and negatives, but if you just do a transfer, it can introduce significant risk to your company, especially if their access is never removed in the transfer. It's called credential creep. We've talked about this. If a person leaves one company, goes into another and they take their credentials with them, it can open up all kinds of challenging things within a company.
Speaker 2:
You also collect any sensitive data during these transfers. Did they take any IP with them when they went? Is there potentially, are you sure there's any non-compete, non-disclosure agreements in place if you're going from, maybe, one company? You have a large subsidiary of lots of companies and you go from one company to another company. Are there non-competes and non-disclosure agreements between the two organizations? That needs to be determined. Also, potentially higher activity depending upon the role. Do you need to look at the activity that they did within their company, and now they move to a new one? What do they do with their role? So these are just some things you need to consider as you're looking at transfers within your company.
Speaker 2:
Termination process needs to be a good, planned out effect. Here's one thing to think about. So you work at a company, you're working as an employee. You get terminated to be a contractor. So what happens? You return as a contractor. What do they do with your credentials? Do they totally shut them down, blow them away and then bring you on as a contractor? That is what they should do. They should not, I repeat, should not, and if you're listening to this and you have a company, do not move your employee from an employee state to a contractor state and leave the credentials the same. You need to go through the fire and hire type of process, because it's very squishy.
Speaker 2:
When you get to contractors and employees, they're very different, and what can happen is, if you do that, you also could run into a situation with HR where they go, if you give too many credentials to a contractor or you. One thing I ran into is if you hire them for a long period of time. What can happen is then they will think of themselves as a full-time employee. So as a contractor, I can be fired at any point because I have a contract and they can let me go. As an employee, if you get fired at any time, depending on the state you're in, there can be legal ramifications for doing that. But if I bring you in as a contractor and I give you all the same rights as I did as an employee and I fire you because, you know, it's just not working out, that person could come back and say, you know what? Well, hey, I was an employee. Even though I was in contractor status, I was an employee, they can't fire me.
Speaker 2:
This is something that's really challenging in Europe. In Europe, when people are hired, it's got long kinds of tentacles everywhere. So it's important that you have a really good plan on how someone is formally released from their role into a new role if they're coming in as a contractor. Access to sensitive data, all that kind of information, that stuff needs to be thought of. So, whatever you do, if you get any nuggets and you're working in this space right now, that is a very important one that can set your company up for a lot of success or a lot of headache, depending upon the situation. So you need to make sure that if they're a contractor, moving from an employee to a contractor: fire and hire. I'll leave you with that.
Speaker 2:
Termination process, again, needs to be very set. It needs to be completed very well. It needs to be one that disables all network accounts. It's an automated process, and the supervisor must review your access logs. What did this person do during the period of time? All that stuff needs to be done. You need to remove all remote access capabilities. You should have this process so that the moment Sean drops his paper, says I'm out, you either walk Sean out the door or you give him his two weeks, depending upon the situation, but when that two weeks is up, that same day it's gone. All access is shut off, done.
Speaker 2:
I would recommend keeping emails for a period of time, anywhere from 60 to 90 to maybe 120 days, just so that, in the event that, and as people go through it, there might be a situation where you'll see maybe the data did leave the organization because this guy just shipped it out. Something to consider. And as much as you possibly can, automate this thing, because someone could leave on a Friday afternoon, no one removes their access, and they have access from Saturday, Sunday and, let's say, for two days. They have access to your network and no one revoked their access. Bad idea, really bad idea. It could be very painful for your organization. You can move a lot of data out in a couple of days. So make sure you have this process automated. You have separation agreements in place. Do they get severance pay? Do you have confidentiality clauses when they separate? Do you have non-compete restrictions?
Speaker 2:
We kind of talked about this already. Returning company property: laptops, phones, headsets, monitors. This all happened during COVID. There were a lot of people who took all kinds of stuff home to go work. Well, then they leave. What do they do? Oh, I can't find my monitor. I just don't know where it went. Yeah, my laptop, it's disappeared. Just, somebody came in and took it. Elf on the shelf took it. Yeah, I mean, all of those things, I've seen them all. My dog ate it, you name it. And so, therefore, you have to have a return process in place for your company property.
Speaker 2:
Now I say that as an organization, you may go, if you're a big company, you may say, you know what, a phone, I'll turn it off. It's worth $800, I want that back, but they've had it for four years, it's worth $200. Don't care. Okay, you may go with that thought process, it just depends. Now, sometimes with phones you can zero them out, and you try to go into T-Mobile and the company will say, well, this is a phone from X, Y and Z company, we can't do anything with it, and you just got to throw it away. Again, those are things to think about. I've been in parking lots getting laptops. It looked like a drug deal going on, but I'm getting a laptop from somebody who left my company and they give me the laptop. So you just have to determine how you have to handle the return of your company property, because, again, it's the company's property. Even though I work on it all the time and it feels like mine, it's not my property, it's the company's property. Vendor, consultant and contractual agreements. Okay, so you need to consider this when you're working with contractors.
Speaker 2:
Scope of work. Okay, you have your statement of work, your scope of work. What are they allowed to do? What are the expectations on what they're doing for you? Payment terms: how often are they going to get paid? Are they going to get paid once a month? Are they going to get paid within 45 days, within 90 days? It was new to me as a contractor. We had terms where you start work, okay, I'm producing for them, and one month goes by, not paid. Two months go by, not paid. Three months go by, still not paid. I'm like, what the heck? Well, we have terms of 45 days. Well, it's been 90. Then they finally start paying. Well, then it starts coming in.
Speaker 2:
The point is, you've got to have a plan for that, you've got to think about that, got to have money set aside for those kinds of things. But you need to have the scope of work. You have your payment terms all figured out. When it comes to payment schedules, invoicing procedures, etc., all that stuff needs to be thought of. And you might be saying, well, this is an HR thing. Depending on the size of your shop, you may be doing HR, you might be doing IT and you might also be doing finance stuff. These are things you're gonna have to think about. And also it helps for you as a security professional to know these things, because, like we said, if you're trying to talk shark and dolphin, if you don't know what payment schedules are and you don't know how they're doing their amortization and depreciation and all those big terms, you're like, I have no clue what any of that means. Learn it. You need to figure it out, because when you talk to your finance person about this, if you can talk in their language, your stock goes up, versus, here's just the IT guy and I don't understand what the IT guy says, so I'm going to baby this guy along and help him. If you show interest in what he or she is doing, you now can actually build trust, you can influence them and you can build relationships, which will be extremely valuable for you in your career, and also help you when you're trying to protect the organization. Understanding intellectual property rights: determine ownership of IP.
Speaker 2:
As far as the vendor, consultant and contractor, what are you allowed to have access to? Confidentiality requirements, again, are there any confidentiality requirements required of you? And then indemnification. Okay, this comes down to: you indemnify from legal claims or damages. You need to have an indemnity or an insurance, whatever you call it, insurance policy in place to keep you from being sued. Another part that you've got to pay for. All of these different aspects need to be put in place, especially when you're being a contractor. But if you're looking to work with a contractor, you need to know, do they have these types of processes in place, do they have these different types of insurances in place, et cetera.
Speaker 2:
Also, due diligence: you need to do a background check on people. You definitely need to do a background check on me. Period. One thing I've told my boss, I've told him all this, it doesn't matter. If I'm in security, TNO: trust no one. You should not trust me. Now, you can verify me and do a background check on me and understand my background, and you can validate that I'm who I say I am. But at the end of the day, you should trust no one, because at any point in time, someone can do something that'll put a shiv in your back. They'll do it. They will.
Speaker 2:
Some of my most trusted friends in the IT world didn't always do everything on the up and up, and therefore, you know, they did what was best for them, and you've got to plan for that. You need to ensure that they have insurance verification. I know you're probably thinking, well, it's really a sad life. It's not. You trust people. You do. I mean, I trust people with my personal life, but when it comes to my technical stuff, I don't really trust people, because at any point in time they can do something that'd be bad, or this is what most likely will occur: someone within the organization or an attacker takes over their account and does something bad on their behalf. Again, you don't know. So it's important that you trust no one, just have plans. Insurance verification: you ensure they're verified with insurance, also obtaining references from previous clients and vendors, consultants and contractors as well.
Speaker 2:
Last thing, access management. You need to have privileged access management: implement controls, manage and monitor access to privileged accounts. You have role-based accounts: grant access to systems, applications and data based on the user's role or function. And then, least privilege principle. Again, give them only the minimum amount of access they need to perform their jobs. Regular reviews and audits are an important factor in all of this. You need to make sure that you're on top of it on a routine basis, that they have the access they need, but remain up to date on what they should have, and that they have the information they should potentially have. Again, we've talked about this numerous times, so it's nothing new. Make sure you have privileged access management, role-based access management, least privilege, and review and audit them routinely. Okay, that's all I have for you today.
Speaker 2:
So today, again, we talked about how we're going into the personnel security policies and procedures. These are aspects that deal with candidate screening. All of those different pieces were today, and we're excited for you to be passing your CISSP. I know you're gonna do it. Head on over to CISSP Cyber Training and get access to my blueprint. Get access to my training. It will help you.
Speaker 2:
It'll short-circuit this CISSP process, guaranteed. I mean, it's an amazing plan, it will help you. And one of the guys said, well, it's very simple. You're right, it's extremely simple, and that's the point. Keep it simple, silly. You want to keep it simple. You want to have it so that it's structured to help you pass the CISSP the first time.
Speaker 2:
But it gives you the tools you need by going through, step by step by step, what you should have to be prepared to take the CISSP and to be able to understand the questions coming in, so that when the question comes in, you go, oh, we just talked about personnel security and HR, and let's answer this. I had one of the guys I'm consulting with, and one of my mentors, and we were talking back and forth, him and I, and he asked a question about HR. Well, this topic here, like how do I, as a security professional, as a CISO for an organization, how do I interact with HR? Well, it will also help you with your security role and in your job and in handling those different types of situations. All right, have a wonderful day and we will catch you on the flip side, see ya.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!