3.2 Personnel

Description

This Chapter states the generic IT baseline protection safeguards which, on a standard basis, should be implemented with regard to personnel matters. A wide variety of safeguards are required, commencing with the taking on of new staff until the termination of their employment. Personnel-related safeguards linked to a specific function, e.g. the appointment of a system administrator of a LAN, are listed in the IT-specific chapters.

Threat Scenario

In this Chapter, the following typical threats (T) are considered as regards IT baseline protection:

Force Majeure:

• T 1.1 Loss of personnel

Organisational Shortcomings:

• T 2.2 Insufficient knowledge of requirements documents

Human Failure:

• T 3.1 Loss of data confidentiality/integrity as a result of IT user error
• T 3.2 Negligent destroying of equipment or data
• T 3.3 Non-compliance with IT security measures
• T 3.8 Improper use of the IT system

Deliberate Acts:

• T 5.1 Manipulation/destruction of IT equipment or accessories
• T 5.2 Manipulation of data or software
• T 5.42 Social engineering

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4, is recommended.
In the following, the safeguard package for "Personnel" is set out:

Personnel:

• S 3.1 (1) Well-regulated familiarisation/training of new staff with their work
• S 3.2 (2) Commitment of staff members to compliance with relevant laws, regulations and provisions
• S 3.3 (1) Arrangements for substitution
• S 3.4 (1) Training before actual use of a program
• S 3.5 (1) Education on IT security measures
• S 3.6 (2) Regulated procedure as regards termination of employment
• S 3.7 (3) Point of contact in case of personal problems (optional)
• S 3.8 (3) Avoidance of factors impairing the organisation climate (optional)