
5.2.1 Introduction

People controls are presented in Clause 6 of the ISO/IEC 27002 document, which collects 8 controls concerning general control aspects of security that depend on the personnel involved in activities relevant to information security; the correct implementation of these controls therefore contributes to the overall security of the information system.

A simple overview of the attributes makes it clear that people controls are mostly preventive and operate on the governance and ecosystem security domains, sharing the same purpose of protecting information.

Implementation of audit procedures

The implementation of these controls allows an effective isolation of all those aspects strictly related to individuals, which is why this type of control mainly groups the characteristics that depend on the relationship with the people who have to handle information, together with their related responsibilities in terms of security. As suggested by the Operational capabilities attribute, the purpose of people controls is to provide an adequate level of protection for the human resources: in the corresponding procedures the auditor's objective is to ensure that the necessary means and measures are in place to guarantee a safe management of personnel by the organization.

The next subsections will present the developed audit procedures.

5.2.2 Audit procedures

6.1 Screening

• Control: "Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks." [11]

Auditing the implementation of this control requires the analysis of procedures and activities that are typically carried out by the human resources department. The developed audit procedures aim to interview personnel and analyse documents about the screening process and about the evaluation of competence suitability for specific information security roles. In addition, the execution of periodic verification checks has been analysed with a dedicated audit procedure.

6.2 Terms and conditions of employment

• Control: "The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security." [11]

This control aims to ensure that the personnel has been made aware of the importance of their assigned roles and related responsibilities, especially in terms of information security. For this purpose, the developed audit procedures analyse the management and content of employment contracts in order to assess the clarity of contractual obligations for different roles and the inclusion of fundamental information security related clauses.

6.3 Information security awareness, education and training

• Control: "Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function." [11]

Information security awareness is a difficult specification to evaluate in a quantitative manner, thus the strategy adopted should resort to the evaluation of the means used to provide awareness. For this purpose, the information security awareness programme is subject to audit to verify that it is in line with the organization's policies, while the topics that have to be covered are evaluated in a separate audit procedure. The effectiveness of awareness training can be verified by reviewing the records of the evaluations of understanding carried out in information security awareness sessions. In addition, audit procedures have been developed to assess the update of the education and training programme and the information security skills of the technical staff, respectively. The full detailed version of the procedures can be found in Annex B.

6.4 Disciplinary process

• Control: "A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation." [11]

In order to ensure that the personnel is made aware of the consequences of an information security policy violation, a disciplinary process is formalized and verified during the audit through the analysis of related documentation and the observation of disciplinary process records based on the collected violation evidence. In addition, audit procedures have been developed for evaluating the graduated response to the breach and the consideration of relevant legislation, regulations, contractual and business requirements, respectively. For this control, documentation and observation methods have been adopted for all developed audit procedures.

6.5 Responsibilities after termination or change of employment

• Control: "Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties." [11]

The auditing of this control aims to verify that responsibilities and duties remaining valid after termination or change of employment are enforced through the inclusion of corresponding clauses in employment contracts. In addition, audit procedures have been developed for assessing the transfer of roles and responsibilities from an individual leaving or changing job, and for verifying how interested parties are notified about it.

6.6 Confidentiality or non-disclosure agreements

• Control: "Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties." [11]

This control deals with the management of confidentiality or non-disclosure agreements: the auditors have to analyse the contracts to verify the proper inclusion of confidentiality or non-disclosure clauses and their content, thus two separate audit procedures have been defined, both performed through the analysis of documentation templates and the review of the agreements. Furthermore, the execution of periodic reviews of the agreements has been verified in a dedicated audit procedure through interview and observation of records relating to recent reviews.

6.7 Remote working

• Control: "Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises." [11]

In this context, a topic-specific policy is defined and its content is verified for suitability and coverage of the important security aspects, through the analysis of the documentation that regulates remote working. In addition, an audit procedure has been developed to verify the equipment and the related security guidelines for remote working activities; in this case, the configuration method has been applied for the analysis of configured remote equipment. The full detailed version of the procedures can be found in Annex B.

6.8 Information security event reporting

• Control: "The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner." [11]

The implementation of information security event reporting is complementary to the corresponding organizational control described by clause 5.24. In the context of this control, the target of the assessment is awareness of the event reporting procedure: the auditor's purpose is to verify that users and personnel report information security events as quickly as possible and that they are aware of the relevant point of contact.

5.2.3 Considerations

The presented people controls cover basic themes and aspects directly involving the personnel: their implementation is mainly devoted to analysing agreements or verifying the awareness of such individuals and of the associated responsibilities that have a relevance in terms of information security. In the developed audit procedures, the objective is to ensure that the necessary means are in place to guarantee a safe management of personnel by the organization. For this reason, the procedures individually use as many methods as possible in order to collect evidence of different types. An example of this is the fact that, very often, when contracts are examined, an inspection of the template is performed first and then a sample of the actual corresponding contracts is reviewed. A general overview of the developed audit procedures highlights common recurring patterns as regards:

• Specific aspects: in audit procedures where agreements or contracts have been submitted to inspection, the adopted approach has been devised to first analyse the corresponding templates and then a sample of agreements or contracts. The guidance of the ISO/IEC 27002 reference document is well-detailed and many times it specifies that some aspects may not be applicable, especially in small-size organizations. In those cases, the strategy adopted in writing the audit procedures has tried to include all the aspects suggested by the guidance, specifying that they are intended to be taken into consideration only if applicable.

• Distribution of audit methods: in general, the use of interview, documentation and observation methods is equally distributed and widely adopted among all audit procedures, while the analysis of the configuration is almost totally absent, except for one control case in which it was applicable and successfully introduced.
