Personnel Security as an Anti-Terrorist Measure
Dave Carlson - February 15, 2008
This article concentrates on concerns about a company insider providing vital confidential information to a terrorist organization. To reduce the possibility of an employee aiding a terrorist cause, an organization must, at a minimum, consider the following: 1) Pre-Employment Procedures -- screening personnel before employment. 2) Confidentiality Agreements -- establishing confidentiality procedures and agreements. 3) Security Training -- implementing a user security training program. 4) Employment Termination -- enforcing policies upon termination of employment. An organization must remain vigilant in its protection of confidential information from terrorist organizations. The greatest threat to information security is company insiders. To deter this threat, an organization must have effective personnel security policies in place to deal with employees before, during, and after employment.
“History is filled with stories of insiders and spies who aided terrorist groups either directly (planting bombs) or indirectly (providing intelligence or other vital information about a target and, in many cases, funneling money to support the cause)” (Bidgoli, 2006, p. 9). This research will concentrate on concerns about a company insider providing vital confidential information to a terrorist organization. Janczewski and Colarik (2005) argued that “the importance of security issues relating to personnel policies has and continues to be a factor in the overall protection of organizational systems” (p. 163). To reduce the possibility of an employee aiding a terrorist cause, an organization must, at a minimum, consider the following:
- Pre-Employment Procedures: Screening personnel before employment.
- Confidentiality Agreements: Establishing confidentiality procedures and agreements.
- Security Training: Implementing a user security training program.
- Employment Termination: Enforcing policies upon termination of employment.
“People, without a doubt, are an organization’s greatest assets—but also one of its greatest risks” (Layton, 2007, p. 62). Janczewski and Colarik (2005) suggested that the best way to reduce the chance of hiring someone who may aid terrorist organizations is to conduct a detailed background check of each candidate. These researchers believe that the background check should include “character references, verification of the completeness and accuracy of the candidate’s resume, verification of all academic and professional qualifications, a credit and police records check, and a confirmation of identity by multiple sources” (p. 165). In addition to ensuring the organization receives a qualified worker, a detailed background check helps reduce the chance of someone with ties to a terrorist organization gaining inside access to the organization.
It is important to protect confidential company information from disclosure to outside agents, including terrorists. Arthur (2001) suggested that requiring employees to sign confidentiality agreements is a common business practice in high-tech industries and industries that deal with financial or other sensitive data. These agreements act as a deterrent by providing legal protection from unauthorized disclosure of sensitive information.
Layton (2006) recommended confidentiality agreements contain the following details to ensure they are legally enforceable:
- Ensure confidential information is defined and someone is responsible for its upkeep.
- Clearly state the duration of the agreement. Specify if it continues beyond the current employment term.
- Include the right for management to audit and monitor external parties when confidential information is involved.
- Clearly state the actions required in the event of an unauthorized breach of information.
Layton (2007) argued that information security awareness and training “are overarching principles that must be implemented in every organization” (p. 62). It is important that employees understand information security procedures, which must be clearly defined and enforced at all levels. Janczewski and Colarik (2005) insisted that employees must receive adequate training about everything related to security matters mentioned in any company documentation. It is not reasonable to assume that every employee will automatically understand the importance of protecting computer systems and confidential data. Neither is it reasonable to assume that every employee should understand the threat terrorist organizations may pose.
Janczewski and Colarik (2005) categorized security training as either individual or organizational. Each employee must understand their individual responsibility for safeguarding confidential documents. Additionally, the organization must have a business continuity plan in place for dealing with the fallout associated with the loss of confidential information.
The task most managers place at the top of the list of things they would rather avoid is the termination of employees. A manager’s job is to place the good of the organization above the good of a terminated employee. “It is this simple fact that is the main source of security problems” (Janczewski & Colarik, 2005, p. 170). The organization needs to have a policy concerning employee termination in place, so managers will have a guide to follow during the highly emotional incidents related to firing someone.
As a minimum, Fisher and Green (2004) offered the following security suggestions for dealing with departing employees:
- Conduct exit interviews and check compliance with security requirements.
- Collect credit cards, access cards, keys, manuals, and other company property.
- Terminate all types of employee accounts related to company business.
- Change locks or other access mechanisms to which the employee was given access.
- Remove terminated employees from all company-related access rosters.
An organization must remain vigilant in its protection of confidential information from terrorist organizations. The greatest threat to information security is company insiders. To deter this threat, an organization must have effective personnel security policies in place to deal with employees before, during, and after employment.
Arthur, D. (2001). The employee recruitment and retention handbook. New York: AMACOM.
Bidgoli, H. (2006). Handbook of information security. Hoboken, NJ: Wiley.
Fisher, R. J. and Green, G. (2004). Introduction to security (7th ed.). Burlington, MA: Elsevier.
Janczewski, L. and Colarik, A. (2005). Managerial guide for handling cyber-terrorism and information warfare. Hershey, PA: Idea Group Publishing.
Layton, T. P. (2007). Information security: Design, implementation, measurement, and compliance. Boca Raton, FL: Auerbach Publications.