
When recruiting for positions that require a level of integrity and trust, I'm looking for objective ways of assessing that, either positively or negatively.

Is there any guidance one should use for assessing an individual's propensity for theft, or other unsavory acts w.r.t. Information Security?

makerofthings7
    I think the best way to go is by gradually granting them trust. Trust is not given, it is earned. Also, it needs to be clear that if the level of trust given is breached, they will be immediately terminated (and could also serve jail time, if you pressed charges, of course). Make them prove that they are trustworthy over time. It could take months for someone to show their true colors, unfortunately. – Sakamaki Izayoi Aug 09 '15 at 17:34
  • If you're sneaky enough you could give them bait to go after. – Aug 11 '15 at 00:32
  • Logging and verifying. Having others review his/her work. – cybernard Aug 14 '15 at 21:44
  • It's easier to trust teams than people -- https://www.trusted-introducer.org -- the best way to establish any semblance of team-based trust is to enforce the two-person-integrity rule -- https://en.wikipedia.org/wiki/Two-man_rule -- see more in the book, Managing the Insider Threat: No Dark Corners – atdre Oct 15 '15 at 17:50

1 Answer


It would be similar to the challenge of hiring a janitor for a building: he gets to have all the keys and can open any door, but the reason is that he needs them to do his job. Symmetrically, one can think of this age-old problem and look at the ways trust has been granted historically.

Although there's no clean-cut technical solution to this human problem, the fact that there's none shouldn't be a reason not to try any; an aggregation of imperfect solutions can give somewhat great results.

A model where trust is earned:

  • Give fewer permissions to begin with
  • Gradually increase permissions
  • Put a honeypot and monitor what happens in the coming days
  • If he reports it and doesn't use it to his advantage, that's a good start

Implement several levels of administrative powers:

  • Level 1: Can modify lower tier of configuration files
  • Level 2: Can modify slightly higher tier of configuration files
  • Level 3: Can modify slightly higher tier of configuration files and OS settings

Always create an environment where total access by one person is not possible:

  • Split systems in clusters
  • Give cluster admin powers to different groups
  • Minimum 2 groups

Use the Two-man rule when doing high-level core changes.

Trust and verify:

  • Log everything
  • Log monitoring and alerting
  • Ensure all actions are distinguishable

Paperwork:

  • Have them sign paperwork so that the legal system is able to help you (by suing them if they hurt you); this gives them more incentive not to do so
Wadih M.
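As an added illustration (not code from the original answer or its author), here is a small Python policy engine that wires the answer's controls together: three admin tiers that a new hire earns one at a time, a two-man rule on core changes and on promotions (the approver must be a different person from a different cluster group), an audit record that attributes every decision to a named actor so actions stay distinguishable, and a honeypot target that raises an alert when someone tries to use it and records a positive signal when someone reports it instead. All names, tier scopes, targets and the honeypot label are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical tiers mirroring the answer's three admin levels; a higher tier
# strictly widens the set of targets an admin may modify.
TIER_SCOPE = {
    1: {"config:low"},
    2: {"config:low", "config:high"},
    3: {"config:low", "config:high", "os:settings"},
}
# Targets that count as "high-level core changes": the two-man rule applies.
CORE_TARGETS = {"os:settings"}
# Honeypot target (hypothetical). No legitimate task needs it, so using it is
# an alert and reporting it is the positive signal the answer describes.
HONEYPOT = "config:legacy-backup-credentials"


@dataclass
class Admin:
    name: str
    cluster: str   # the cluster group that grants this admin's powers
    tier: int = 1  # everyone starts at the lowest tier; trust is earned


@dataclass
class PolicyEngine:
    audit: list = field(default_factory=list)   # every decision, attributed
    alerts: list = field(default_factory=list)  # what monitoring would page on

    def _record(self, actor, action, target, decision, **extra):
        # Each entry names the actor, so every action is distinguishable.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action, "target": target,
                           "decision": decision, **extra})
        return decision

    def promote(self, admin, approver):
        """Raise an admin one tier. Promotion is itself a core change, so a
        distinct person from another cluster group must approve it."""
        if approver.name == admin.name or approver.cluster == admin.cluster:
            return self._record(approver.name, "promote", admin.name, "DENIED-TWO-MAN")
        if admin.tier >= max(TIER_SCOPE):
            return self._record(approver.name, "promote", admin.name, "DENIED-MAX-TIER")
        admin.tier += 1
        return self._record(approver.name, "promote", admin.name, "ALLOWED",
                            new_tier=admin.tier)

    def modify(self, admin, target, approvers=()):
        """Decide whether `admin` may modify `target`, logging the outcome."""
        if target == HONEYPOT:
            self.alerts.append(f"honeypot touched by {admin.name}")
            return self._record(admin.name, "modify", target, "DENIED-HONEYPOT")
        if target not in TIER_SCOPE[admin.tier]:
            return self._record(admin.name, "modify", target, "DENIED-TIER")
        if target in CORE_TARGETS:
            # Two-man rule: a second, distinct person from a different cluster
            # group, who is themselves authorised for this target, must sign off.
            second = [a for a in approvers
                      if a.name != admin.name and a.cluster != admin.cluster
                      and target in TIER_SCOPE[a.tier]]
            if not second:
                return self._record(admin.name, "modify", target, "DENIED-TWO-MAN")
            return self._record(admin.name, "modify", target, "ALLOWED",
                                approver=second[0].name)
        return self._record(admin.name, "modify", target, "ALLOWED")

    def report(self, admin, target):
        """An admin reports something suspicious instead of using it."""
        if target == HONEYPOT:
            return self._record(admin.name, "report", target, "GOOD-SIGNAL")
        return self._record(admin.name, "report", target, "NOTED")


def demo():
    """Walk a hypothetical new hire through the model; returns the engine."""
    eng = PolicyEngine()
    alice = Admin("alice", "cluster-a")          # new hire, tier 1
    bob = Admin("bob", "cluster-b", tier=3)      # established admin, other cluster
    carol = Admin("carol", "cluster-a", tier=3)  # same cluster as alice
    eng.modify(alice, "config:low")                      # ALLOWED
    eng.modify(alice, "config:high")                     # DENIED-TIER
    eng.promote(alice, carol)                            # DENIED-TWO-MAN (same cluster)
    eng.promote(alice, bob)                              # ALLOWED, tier 2
    eng.promote(alice, bob)                              # ALLOWED, tier 3
    eng.modify(alice, "os:settings")                     # DENIED-TWO-MAN
    eng.modify(alice, "os:settings", approvers=[carol])  # DENIED-TWO-MAN
    eng.modify(alice, "os:settings", approvers=[bob])    # ALLOWED
    eng.report(alice, HONEYPOT)                          # GOOD-SIGNAL
    eng.modify(alice, HONEYPOT)                          # DENIED-HONEYPOT + alert
    return eng


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The audit list is what the "log everything, monitor and alert" bullets reduce to in practice: every decision, allowed or denied, carries the actor's name and the approver's name where one was required, so a reviewer can reconstruct who did what without any single person ever holding unchecked access to the core targets.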