Information security is not mistrust
It is by no means a sign of mistrust when a company issues guidelines that make unauthorized access from the inside harder or, better still, prevent it altogether. One thing is clear: if an employee's termination is imminent or has already been announced, the resulting dissatisfaction can lead to targeted data theft. This happens especially when the departing employee believes he or she has a proprietary claim to project data. Conversely, an application for a particular job may be made from the outset with the intent to commit a criminal act.
Other scenarios involve grossly negligent behavior or simple carelessness, which can have similarly serious consequences. It happens, for example, that entire IT departments do not follow their own rules because they are too cumbersome or too time-consuming. In the office it is the careless handling of passwords or unprotected smartphones, but also the thoughtless plugging-in of USB sticks, documents left open on screen, or confidential documents lying in empty offices; the list of possible omissions is long.
Annex A.7 of ISO 27001 - Human resource security
Companies that have implemented an information security management system (ISMS) in accordance with ISO 27001 are in a better position here. They know the requirements of the internationally recognized standard and its practice-oriented Annex A.7, which has a lot to offer: although the reference controls in the annex are tied directly to the standard's requirements, they are always aimed at day-to-day company practice.
Companies with an effective ISMS are familiar with the control objectives set out in A.7, which must be implemented across all phases of employment to achieve full compliance with the standard.
What does the ISO 27001 standard say in Annex A.7?
Measures before employment
According to Annex A.7.1, the organization must ensure before hiring that a new employee understands his or her future responsibilities and is suitable for the role. In the requirements part of the standard (clause 7.2), this is addressed under "competence."
The target-oriented reference control is screening: candidates for employment undergo background verification checks carried out in accordance with relevant laws, regulations and ethics. These checks must be proportional to the business requirements, the classification of the information the candidate will access and the perceived risks (A.7.1.1). To achieve this, the following should, among other things, be in place, ensured or verified:
- A procedure for obtaining information (how, from which sources and under what conditions)
- A list of the legal and ethical criteria to be observed
- The proportionality of the check to the risks and the company's needs
- The plausibility and authenticity of the CV, financial statements and other submitted documents
- The trustworthiness and competence of the applicant for the intended position