CHAPTER 45

EMPLOYMENT PRACTICES AND POLICIES

M. E. Kabay and Bridgitt Robertson

45.1 INTRODUCTION

45.2 HIRING

45.2.1 Checking Candidate's Background

45.2.2 Employment Agreements

45.3 MANAGEMENT

45.3.1 Identify Opportunities for Abuse

45.3.2 Access Is Neither a Privilege Nor a Right

45.3.3 The Indispensable Employee

45.3.4 Career Advancement

45.3.5 Vacation Time

45.3.6 Responding to Changes in Behavior

45.3.7 Separation of Duties

45.3.8 No Unauthorized Security Probes

45.4 TERMINATION OF EMPLOYMENT

45.4.1 Resignations

45.4.2 Firings

45.5 SUMMARY

45.6 FURTHER READING

45.7 NOTES

45.1 INTRODUCTION.

Crime is a human issue, not merely a technological one. True, technology can reduce the incidence of computer crimes, but the fundamental problem is that people can be tempted to take advantage of flaws in our information systems. The most spectacular biometric access control in the world will not stop someone from getting into the computer room if the janitor believes it is “just to pick up a listing.”

People are the key to effective information security, and disaffected employees and angry ex-employees are important threats according to many current studies. For example, the 2007 CSI Computer Crime and Security Survey, published by the Computer Security Institute, reported on responses from 494 participants in a wide range of industries, nonprofits and government agencies; the authors stated:

Insider abuse of network access or e-mail (such as trafficking in pornography or pirated software) ...
