Final Unit-4 (Part-A) HTCS-601, Topic (Personnel Security Practices and Procedures) by Updesh Given To AKG Students

The document outlines the syllabus for a course on Security Assessment and Risk Analysis, focusing on Personnel Security Practices and Procedures. It emphasizes the importance of safeguarding sensitive information through access authorization, employee clearances, and security training to mitigate insider threats. Key practices include role-based access control, multi-factor authentication, and regular access audits to ensure compliance and security integrity.

Uploaded by Aman Bansal


AJAY KUMAR GARG ENGINEERING COLLEGE, GHAZIABAD

Subject: Security Assessment and Risk Analysis (HTCS601)


Unit-4 (Part-A)

Topic: Personnel Security Practices and Procedures

Delivered by:
Mr. Updesh Kumar Jaiswal
Assistant Professor,
Department of CSE,
AKGEC, Ghaziabad.
Syllabus
Unit 1: SECURITY BASICS: Information Security (INFOSEC) Overview: critical information characteristics – availability; information states – processing; security countermeasures – education, training and awareness; critical information characteristics – confidentiality; critical information characteristics – integrity; information states – storage; information states – transmission; security countermeasures – policy, procedures and practices; threats; vulnerabilities.

Unit 2: Threats to and Vulnerabilities of Systems: Threats, major categories of threats (e.g., fraud, Hostile Intelligence Service (HOIS)). Countermeasures: assessments (e.g., surveys, inspections). Concepts of Risk Management: consequences (e.g., corrective action, risk assessment), cost/benefit analysis and implementation of controls, monitoring the efficiency and effectiveness of controls (e.g., unauthorized or inadvertent disclosure of information).

Unit 3: Security Planning: directives and procedures for policy mechanism. Contingency Planning/Disaster Recovery: agency response procedures and continuity of operations, contingency plan components, determination of backup requirements, development of plans for recovery actions after a disruptive event.

Unit 4: Personnel Security Practices and Procedures: access authorization/verification (need-to-know), contractors, employee clearances, position sensitivity, security training and awareness, systems maintenance personnel. Auditing and Monitoring: conducting security reviews, effectiveness of security programs, investigation of security breaches, privacy review of accountability controls, review of audit trails and logs.

Unit 5: Operations Security (OPSEC): OPSEC surveys/OPSEC planning. INFOSEC: computer security – audit, cryptography – encryption (e.g., point-to-point, network, link). Case study of threat and vulnerability assessment.
Content
• Introduction to Personnel Security Practices and Procedures
• Access authorization/verification and need-to-know
• Four key practices in access authorization and verification
• Contractors
• Employee clearances
• Position sensitivity
• Security training and awareness
• Systems maintenance personnel
• References
Introduction to “Personnel Security Practices and Procedures”

Personnel security practices and procedures are critical components of any organization's overall security framework. They focus on safeguarding sensitive information, assets, and operations from internal threats, whether intentional or accidental, by ensuring that the individuals who access these resources are trustworthy, properly trained, and appropriately authorized.

Unlike physical or technical security, personnel security emphasizes the human element of security: verifying that employees, contractors, and other individuals meet the necessary standards of integrity, reliability, and awareness before, and for as long as, they are given access to sensitive environments or information.

Insider threats continue to be a significant risk in both public and private sector organizations, so robust personnel security practices help mitigate them by enforcing strict vetting, access control, training, and accountability measures.
Introduction con…
Personnel security practices include:
1) Granting access based on the need-to-know principle,
2) Managing contractor access with due diligence,
3) Issuing and maintaining employee security clearances,
4) Evaluating position sensitivity to assign appropriate levels of access,
5) Conducting security training and awareness programs,
6) Overseeing systems maintenance personnel with elevated privileges.

By implementing well-defined personnel security policies and procedures, organizations can reduce the risk of unauthorized access, data breaches, sabotage, and espionage, thus maintaining the confidentiality, integrity, and availability of critical resources.
Access Authorization/Verification
(Need-to-Know Principle)
Access Authorization is the process of granting individuals the right to access specific information, systems, or facilities based on their role and responsibilities. Access authorization ensures that only authorized personnel can view, use, or modify sensitive data or systems.

Access Verification involves confirming an individual's identity and access level before permitting them to engage with secure systems or information. This can include checking security credentials, identification badges, or biometric data.

The Need-to-Know Principle is a fundamental security concept stating that individuals should only have access to information necessary for them to perform their duties. Even if someone is cleared at a certain security level, they should not have access to data unrelated to their role: clearance establishes trust, need-to-know establishes entitlement, and both are required.
Key Practices in Access Authorization and Verification

1. Role-based access control (RBAC)
2. Multi-factor authentication (MFA)
3. Regular access audits
4. Clearance verification before data sharing

1- Role-Based Access Control (RBAC)
• Access permissions are tied to roles, not individuals.
• Roles reflect job functions (e.g., HR, Finance, IT).
• Simplifies access management and improves security: a user inherits exactly the permissions of the roles assigned, so a role change or an exit is handled by changing the role assignment rather than editing per-user rights.
Example: An HR employee can access personnel files, but not financial systems.
2- Multi-Factor Authentication (MFA)
• MFA requires two or more forms of verification from different categories:
1. Something you know (password).
2. Something you have (smartphone, hardware token).
3. Something you are (biometrics).
• Adds a critical layer of security beyond passwords: a stolen or phished password alone is not enough to log in. Two factors of the same category (e.g., a password plus a PIN) do not count as MFA.
Example: Login requires a password plus a fingerprint or a one-time password (OTP) generated on a mobile device.
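The "something you have" factor is usually a time-based one-time password (TOTP, RFC 6238) computed by an authenticator app from a seed shared at enrolment. The following is an added example written for this page, not code from the slides or from any referenced text. It checks a password and a TOTP together using only the Python standard library; the password, salt and seed are constructed test values (the seed is the RFC 6238 reference-vector secret so the codes can be checked against the RFC), and the module-level replay set stands in for whatever store a real system would use.

```python
# Added example (not from the lecture slides): password + TOTP as two factors,
# RFC 4226/6238 arithmetic with only the standard library. The password, salt and
# TOTP seed are constructed test values; the seed is the RFC 6238 test secret.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Set, Tuple

# Constructed enrolment record for one demo user. A real system stores the seed
# encrypted at rest and the password only as a salted, slow hash.
_PBKDF2_ITERATIONS = 100_000
_SALT = b"constructed-demo-salt"
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",
                                     _SALT, _PBKDF2_ITERATIONS)
TOTP_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"
_USED_CODES: Set[Tuple[int, str]] = set()           # replay guard: (time step, code)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_password(candidate: str) -> bool:
    """Slow hash plus constant-time comparison; never compare plaintext."""
    h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, _PBKDF2_ITERATIONS)
    return hmac.compare_digest(h, _PASSWORD_HASH)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current 30 s step or +/- `window` steps of clock
    drift, compare in constant time, and reject a code that was already used."""
    if not (len(code) == 6 and code.isdigit()):
        return False
    secret = base64.b32decode(secret_b32, casefold=True)
    step = at // 30
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta), code):
            key = (step + delta, code)
            if key in _USED_CODES:
                return False            # replayed OTP
            _USED_CODES.add(key)
            return True
    return False


def login(password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors are always evaluated and both must pass, so the response does
    not reveal which one failed. A valid OTP is consumed even if the password fails."""
    at = int(time.time()) if at is None else at
    ok_password = verify_password(password)
    ok_otp = verify_totp(TOTP_SEED_B32, code, at)
    return ok_password and ok_otp


if __name__ == "__main__":
    now = int(time.time())
    current = totp(base64.b32decode(TOTP_SEED_B32), now)
    print("password only  :", login("correct horse battery staple", "000000", now))
    print("password + TOTP:", login("correct horse battery staple", current, now))
    print("replayed TOTP  :", login("correct horse battery staple", current, now))
```

The drift window is the usual trade-off: one step either side tolerates a phone clock that is up to 30 s off, while a wider window gives an attacker more valid codes per attempt. Rate limiting on failed attempts is still required, since six digits are only a million possibilities.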
3- Regular Access Audits
• Periodic reviews of user permissions.
• Identify outdated or unnecessary access rights.
• Ensure compliance and reduce insider risk.
• Benefits: prevents privilege creep, supports accountability and security audits.
Example: Detecting and removing a former intern's lingering system access.

4- Clearance Verification before Sharing Data
• Confirm the recipient's clearance level before sharing sensitive information.
• Ensures compliance with internal and legal standards.
• Supports the need-to-know policy.
• Methods: clearance databases, digital permission checks.
Example: Verifying Top Secret clearance before emailing a classified report.
Contractors
Contractors are individuals or supporting organizations hired externally to perform specific tasks or services for a particular organization, typically for a limited time or for project work. Unlike regular employees, contractors are not on the company payroll and work under a separate contract or agreement.

In the context of personnel security practices, contractors:

• Must be vetted through background checks before gaining access to sensitive information or systems.
• Should receive security training similar to that of employees, especially if they handle critical operations.
• Are typically granted limited, role-based access under the principle of least privilege.
• Must comply with all applicable security policies and procedures outlined in their contract.
• Require close monitoring and auditing to ensure security compliance throughout their engagement.
Contractors con…
Contractors pose a unique challenge to personnel security because they are not permanent employees and may work across multiple organizations on an ad-hoc basis.

Cyber security measures for contractors:

• Define contractually what information and systems they can access.
• Limit the duration and scope of access to the period and task of the contract, so that access expires with the contract rather than lingering until someone notices.
• Use Non-Disclosure Agreements (NDAs).
• Monitor contractor activities on the network.
• Conduct background checks before granting access.
• Manage contractors' access rigorously, treating them with the same (or greater) scrutiny as full-time employees because of their transient status.
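The four key practices above (RBAC, clearance verification before sharing, access audits) and the contractor rules (define access contractually, time-limit it, audit it) can all be expressed in one small authorization model. The following is an added example written for this page, not code from the slides or from any referenced text. Every person, role, clearance level, compartment tag, date and the "what systems actually grant" snapshot is constructed sample data; the permission strings and role names are assumptions for the example only.

```python
# Added example (not from the lecture slides): RBAC + clearance levels +
# need-to-know compartments + time-boxed contractor access, and an audit that
# compares what systems actually grant against what current roles justify.
# All people, roles, permissions, dates and grants are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Clearance levels in rank order; a subject may read at or below its own level.
CLEARANCE_RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

# RBAC: permissions hang off roles, never off individual people.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "hr": frozenset({"personnel_files:read", "personnel_files:write"}),
    "finance": frozenset({"ledger:read", "ledger:write"}),
    "analyst": frozenset({"reports:read"}),
    "sysadmin": frozenset({"servers:admin", "logs:read"}),
    "intern": frozenset({"wiki:read"}),
}


@dataclass(frozen=True)
class Resource:
    name: str
    permission: str                     # RBAC permission required
    classification: str                 # key of CLEARANCE_RANK
    compartment: Optional[str] = None   # need-to-know tag, if compartmented


@dataclass(frozen=True)
class Person:
    uid: str
    roles: Tuple[str, ...]
    clearance: str = "Unclassified"
    need_to_know: FrozenSet[str] = frozenset()
    active: bool = True
    is_contractor: bool = False
    contract_end: Optional[date] = None  # contractor access must not outlive this


def permissions_for(p: Person) -> FrozenSet[str]:
    """Effective permissions: the union of the person's current roles."""
    return frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in p.roles))


def contract_expired(p: Person, today: date) -> bool:
    """A contractor with no end date or a past end date has no valid access."""
    return p.is_contractor and (p.contract_end is None or today > p.contract_end)


def authorize(p: Person, r: Resource, today: date) -> Tuple[bool, str]:
    """Deny by default: every check must pass. Clearance alone is not enough;
    the compartment check is what enforces need-to-know (cleared != entitled)."""
    if not p.active:
        return False, "account deactivated"
    if contract_expired(p, today):
        return False, "contract expired or has no end date"
    if r.permission not in permissions_for(p):
        return False, "no current role grants this permission"
    if CLEARANCE_RANK[p.clearance] < CLEARANCE_RANK[r.classification]:
        return False, "clearance below resource classification"
    if r.compartment is not None and r.compartment not in p.need_to_know:
        return False, "no need-to-know for compartment " + r.compartment
    return True, "granted"


def audit(people: Dict[str, Person], grants: Dict[str, Set[str]],
          today: date) -> List[Tuple[str, str, str]]:
    """Access audit: every grant present in a system that no current role,
    active account or live contract justifies, as (uid, permission, reason)."""
    findings = []
    for uid, perms in sorted(grants.items()):
        p = people.get(uid)
        for perm in sorted(perms):
            if p is None or not p.active:
                findings.append((uid, perm, "account deactivated or unknown"))
            elif contract_expired(p, today):
                findings.append((uid, perm, "contract expired or has no end date"))
            elif perm not in permissions_for(p):
                findings.append((uid, perm, "no current role grants this permission"))
    return findings


# Constructed directory, resources and a snapshot of grants actually present.
TODAY = date(2024, 9, 1)
PEOPLE: Dict[str, Person] = {p.uid: p for p in (
    Person("alice", ("hr",), "Confidential"),
    Person("bob", ("finance",), "Secret"),
    Person("carol", ("intern",), active=False),                         # former intern
    Person("dave", ("sysadmin",), "Secret", is_contractor=True,
           contract_end=date(2024, 6, 30)),                             # contract ended
    Person("frank", ("analyst",), "Top Secret", frozenset({"PROJECT-X"})),
    Person("grace", ("analyst",), "Top Secret"),                        # cleared, no need-to-know
    Person("hank", ("analyst",), "Secret"),
)}
RES_PERSONNEL = Resource("personnel file", "personnel_files:read", "Confidential")
RES_LEDGER = Resource("general ledger", "ledger:read", "Confidential")
RES_SERVERS = Resource("production servers", "servers:admin", "Secret")
RES_PROJECTX = Resource("PROJECT-X report", "reports:read", "Top Secret", "PROJECT-X")
SYSTEM_GRANTS: Dict[str, Set[str]] = {
    "alice": {"personnel_files:read", "personnel_files:write", "ledger:read"},  # privilege creep
    "bob": {"ledger:read", "ledger:write"},
    "carol": {"wiki:read"},                                                    # lingering access
    "dave": {"servers:admin", "logs:read"},                                    # expired contractor
    "frank": {"reports:read"},
}

if __name__ == "__main__":
    for p, r in ((PEOPLE["alice"], RES_LEDGER), (PEOPLE["grace"], RES_PROJECTX),
                 (PEOPLE["dave"], RES_SERVERS)):
        print(p.uid, "->", r.name, authorize(p, r, TODAY))
    for finding in audit(PEOPLE, SYSTEM_GRANTS, TODAY):
        print("REVOKE", *finding)
```

The audit deliberately takes the grants from the systems, not from the HR directory: privilege creep and lingering access are by definition rights that exist in a system without a current justification, so the directory alone can never reveal them.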
Employee Clearances
Employee clearance is the process of assessing an individual's suitability to access classified or sensitive information. This is typically based on background checks, financial history, criminal records, and personal references.

Clearances are matched with job requirements and are reviewed periodically or when the employee changes roles.

Types of clearances:
• Confidential
• Secret
• Top Secret

Best practices:
• Periodic reinvestigations.
• Clearance termination upon role change or exit.
• Clearance reciprocity between agencies when appropriate.
Position Sensitivity
Position sensitivity refers to evaluating how critical a job is in terms of access to sensitive information or systems. This evaluation determines the level of background check and clearance required.

Categories:
• Non-sensitive: no access to classified/sensitive data.
• Public Trust: access to systems or roles that affect public safety or trust.
• National Security: positions that could cause damage to national security if compromised.

Process:
• Conduct position risk assessments.
• Categorize roles accordingly.
• Implement clearance and monitoring based on sensitivity.
Security Training and Awareness
Security training and awareness programs are designed to educate employees about security policies, threats, and best practices to maintain a secure workplace.

Goals:
• Ensure personnel understand their responsibilities.
• Prevent insider threats (accidental or malicious).
• Encourage reporting of suspicious activities.

Training types:
• New-hire orientation.
• Annual refresher courses.
• Role-specific training (e.g., for IT or HR personnel).
• Phishing simulations and social engineering drills.

Delivery methods:
• Online modules.
• Instructor-led sessions.
• Posters and newsletters.
Systems Maintenance Personnel
These individuals maintain, troubleshoot, and upgrade IT systems. Because of their elevated access, they are a high-risk group and must be carefully managed. Proper oversight is crucial because they often hold "superuser" or administrative rights, which can be misused if not monitored.

Risks:
• Unauthorized access or changes to systems.
• Potential for data exfiltration.
• Exploitation by external threat actors, for whom an administrator's credentials are a prime target.

Controls:
• Background checks before hiring.
• Strict access control and logging, with logs kept where the administrator cannot alter them.
• Supervised access in high-security environments.
• Segregation of duties.
• Regular review of administrative privileges.
References
Text books:
1. Nina Godbole. Information Systems Security: Security Management, Metrics, Frameworks and Best Practices, 2nd ed. John Wiley & Sons.
2. Whitman & Mattord. Principles of Incident Response and Disaster Recovery. Course Technology. ISBN 141883663X.
3. Dr. Surya Prakash Tripathi, Ritendra Goyal, Praveen Kumar Shukla, KLSI. Introduction to Information Security and Cyber Laws. Dreamtech Press, 2015. ISBN 9789351194736.

Websites:
1. https://swayam.gov.in/nd2_nou20_cs01/preview
2. http://www.cnss.gov/Assets/pdf/nstissi_4011.pdf

Research papers:
1. Fotis, F. (2024). Economic impact of cyber attacks and effective cyber risk management strategies: A light literature review and case study analysis. Procedia Computer Science, 251, 471–478.
2. Al-Gburi, Q.A., Mohd Ariff, M.A. (2019). Dynamic Security Assessment for Power System Under Cyber-Attack. J. Electr. Eng. Technol. 14, 549–559.

Thank You
If you have any questions, feel free to contact me.
My email-id is: [email protected]

Subject: HTCS-601
