EDUCATION · PERSONNEL SECURITY

👥 Personnel security

People controls cover employees, contractors and partners before, during and after employment. People are the most common attack vector (social engineering) and the strongest line of defence (the human firewall). The material is based on ISO/IEC 27002 Chapter 6 (8 controls), the NIST SP 800-53 PS family and security culture practice. Examples are fictional and intended for teaching.

Legend: codes such as 6.3 refer to ISO/IEC 27002:2022 Chapter 6 (People) controls. Some (e.g. 5.11) refer to controls in other chapters.

What are people controls

ISO 27002:2022 four control themes - People highlighted

Figure: the four ISO/IEC 27002:2022 control themes. Organisational (Chapter 5, 37 controls), People (Chapter 6, 8 controls; this section), Physical (Chapter 7, 14 controls), Technological (Chapter 8, 34 controls). People controls are the smallest theme by count but apply to every person in the organisation.

People - the weakest link and the strongest protection: most breaches involve a human element (error, manipulation or malice). People controls therefore cover the whole employment cycle, from pre-employment screening to post-departure responsibilities. A well-trained employee becomes a 'human firewall'.

People, not technology

People controls manage human behaviour and reliability: screening, contracts, training, reporting, discipline. They complement technical controls; technology alone does not stop an employee who acts wrongly, whether deliberately or by accident.

Applicable to all

Not only permanent staff: also contractors, interns, partners and service providers with access. Controls are proportionate to the risk of the role.

Relationship to NIS2 and MK 397

Article 21 of NIS2 requires basic cyber hygiene practices and cybersecurity training, including for management. Cabinet Regulation No. 397 sets out personnel security measures. Training is a direct regulatory requirement, not just good practice.

Compliance in Latvia - the main requirement is MK 397: Cabinet Regulation No. 397 is the binding regulation in Latvia that determines what must be done (the national cybersecurity legal framework implementing NIS2). Implementing Regulation (EU) 2024/2690 and the GDPR complement its requirements. International standards (ISO 27001/27002, COBIT, SABSA, TOGAF, NIST) provide a recognised, auditable method for implementing them.

Figure: compliance layers, from EU law to implementation. Three layers: the EU legal basis (NIS2 Directive (EU) 2022/2555, Implementing Regulation (EU) 2024/2690, GDPR (EU) 2016/679), transposed nationally into Cabinet Regulation No. 397 (the binding Latvian requirement: WHAT must be done, the national cybersecurity legal framework), implemented with recognised international standards (ISO 27001 / 27002, COBIT, SABSA, TOGAF, NIST CSF / 800-53: HOW). From requirement to implementation: MK 397 defines WHAT, the standards define HOW.

MK 397 determines the result required by law. An international standard is a verifiable way to achieve it; without one, compliance remains declarative.

MK 397 - National requirement

The binding Latvian regulation sets out personnel security and training measures. Implementation follows ISO 27002 Chapter 6 and NIST SP 800-50 / SP 800-53 PS, which provide a concrete, auditable programme.

Implementing Regulation (EU) 2024/2690

Its Annex directly requires basic cyber hygiene practices and security training (including for management) as well as human resources security. This makes awareness and training (6.3) a legal requirement, not an option.

GDPR - employee data

Screening of staff (6.1), monitoring and the insider threat programme must be balanced against the protection of employees' personal data (GDPR): proportionality, transparency and a legal basis. Excessive surveillance is both a legal and a cultural risk.

Joiner - Mover - Leaver

The employee life cycle - before, during and after the employment relationship

Figure: the employee life cycle (Joiner - Mover - Leaver) and the ISO 6.x controls for each stage. 1 Joiner (starting work): 6.1 screening, 6.2 terms of employment, 6.6 confidentiality (NDA), initial training, access granted by role. 2 Mover (during employment): 6.3 awareness and training, 6.4 disciplinary process, 6.8 event reporting; a role change triggers an access review (not just additions). 3 Leaver (termination or change): 6.5 responsibilities after termination, immediate revocation of access, return of assets (5.11), the NDA remains in force, knowledge handover. The weakest stage is usually departure: a forgotten access revocation leaves 'ghost accounts' (orphaned accounts).

Mover - the often forgotten stage: when a role changes, new rights are added but the old ones are not removed, so excessive privileges accumulate over time (privilege creep). Periodic access review prevents this.

Screening (6.1)

Verification of identity, qualifications and references before hiring, proportionate to the sensitivity of the role and subject to applicable law. Higher-risk roles get more in-depth checks. Data protection requirements must be respected.

Onboarding and access

Access on joining is granted on the basis of least privilege and role (RBAC), not by copying the previous employee's account. Initial security training comes before access to sensitive data.

Offboarding (6.5)

On exit, all access (accounts, cards, VPN, keys) is revoked immediately, assets are recovered and the departing employee is reminded of continuing confidentiality obligations. In a hostile departure, access is revoked before the person is notified.
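The Mover and Leaver gaps described above (privilege creep and orphaned accounts) are found by reconciling the HR roster against the IAM entitlement export. The script below is an added example, not code from the original page or from any standard; the role model, roster, grants and the `is_active` rule (active status and no expired end date) are constructed assumptions for illustration.

```python
"""Joiner-Mover-Leaver access reconciliation.

All roster, grant and role data below is constructed for the example;
it is not an export from any real HR or IAM system.
"""
from datetime import date

TODAY = date(2024, 5, 10)

# Role model (assumed): the entitlements each role may hold.
ROLE_ENTITLEMENTS = {
    "developer": {"git-write", "vpn", "ci-run"},
    "finance": {"erp-payments", "vpn"},
    "support": {"ticketing", "vpn"},
}

# HR roster: employment status, current role, contract end date if any.
HR_ROSTER = {
    "anna": {"status": "active", "role": "developer", "end": None},
    "janis": {"status": "active", "role": "finance", "end": None},  # Mover: developer -> finance
    "liga": {"status": "left", "role": "support", "end": date(2024, 3, 31)},  # Leaver
    "marta": {"status": "active", "role": "support", "end": date(2024, 4, 30)},  # contract expired, HR not updated
}

# IAM entitlement export: (account, entitlement, granted_on)
IAM_GRANTS = [
    ("anna", "git-write", date(2023, 1, 10)),
    ("anna", "vpn", date(2023, 1, 10)),
    ("janis", "git-write", date(2022, 5, 2)),     # left over from the developer role
    ("janis", "erp-payments", date(2024, 1, 15)),
    ("janis", "vpn", date(2022, 5, 2)),
    ("liga", "ticketing", date(2021, 9, 1)),      # never revoked at offboarding
    ("liga", "vpn", date(2021, 9, 1)),
    ("marta", "ticketing", date(2023, 6, 1)),
    ("oldcontractor", "vpn", date(2020, 2, 1)),   # no HR record at all
]


def is_active(record, today):
    """An HR record counts as active only if status is active and no end date has passed."""
    if record is None or record["status"] != "active":
        return False
    return record["end"] is None or record["end"] >= today


def find_orphaned_accounts(roster, grants, today):
    """Entitlements held by accounts with no active person behind them (Leaver gaps)."""
    orphaned = {}
    for account, entitlement, _ in grants:
        if not is_active(roster.get(account), today):
            orphaned.setdefault(account, set()).add(entitlement)
    return orphaned


def find_privilege_creep(roster, grants, role_model, today):
    """Entitlements an active account holds that its current role does not allow (Mover gaps)."""
    creep = {}
    for account, entitlement, _ in grants:
        record = roster.get(account)
        if not is_active(record, today):
            continue  # reported by the orphan check instead
        if entitlement not in role_model.get(record["role"], set()):
            creep.setdefault(account, set()).add(entitlement)
    return creep


def plan_revocations(roster, grants, role_model, today):
    """Combine both checks into a sorted list of (account, entitlement, reason) to revoke."""
    actions = []
    for account, ents in find_orphaned_accounts(roster, grants, today).items():
        for ent in sorted(ents):
            actions.append((account, ent, "orphaned account: no active HR record"))
    for account, ents in find_privilege_creep(roster, grants, role_model, today).items():
        role = roster[account]["role"]
        for ent in sorted(ents):
            actions.append((account, ent, f"privilege creep: not allowed for role {role}"))
    return sorted(actions)


if __name__ == "__main__":
    for account, entitlement, reason in plan_revocations(HR_ROSTER, IAM_GRANTS, ROLE_ENTITLEMENTS, TODAY):
        print(f"REVOKE {entitlement:<13} from {account:<14} ({reason})")
```

Run as is, it prints five revocations: Liga's two entitlements and Marta's ticketing access (orphaned), the contractor account with no HR record, and Janis's leftover git-write from his previous role. The HR system is treated as the source of truth on purpose: an account the IAM system considers valid but HR does not know about is exactly the ghost account the figure warns about.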

International practice

ISO/IEC 27002:2022 Chapter 6 - the 8 people controls

Figure: mapping ISO 27002 Chapter 6 to NIST. ISO/IEC 27002 Chapter 6, 8 controls (6.1 - 6.8); NIST SP 800-53 PS family (PS-1 - PS-9, Personnel Security); NIST SP 800-50 awareness and training; plus NIS2 Article 21. The controls map to one another: one requirement often satisfies several standards.
6.1 Screening
6.2 Terms and conditions of employment
6.3 Information security awareness, education and training
6.4 Disciplinary process
6.5 Responsibilities after termination or change of employment
6.6 Confidentiality or non-disclosure agreements (NDA)
6.7 Remote working
6.8 Information security event reporting

NIST SP 800-53 PS family

Personnel Security: PS-2 position risk designation, PS-3 personnel screening, PS-4 personnel termination, PS-5 personnel transfer, PS-6 access agreements, PS-7 external personnel security, PS-8 personnel sanctions. Maps directly to ISO 6.x.

Attributes (2022)

Each control has attributes (control type, information security property (CIA), cybersecurity concept, operational capability, security domain) for filtering and mapping to other frameworks, as in the other ISO 27002 topics.

Selection by risk

Controls are selected following a risk assessment and recorded in the Statement of Applicability (SoA), consistent with organisational security. See the 'Organisational security' guide.

ISO 6.3 / NIST SP 800-50

Awareness, training, education - the path to a security culture

Figure: awareness, training and education. Three levels within a security culture: Awareness → Training → Education → Culture. Awareness (all employees): KNOW that security matters; phishing, passwords, posters, short modules. Training (by role): the SKILL for a specific task; developers, administrators, practical exercises. Education (specialists): UNDERSTANDING of why and how; certifications, in-depth courses, professional development. Security culture: security becomes a habit, not an imposed rule.

Culture is the goal, not a poster: a security culture means that secure behaviour is the default, incidents are reported without fear, and management leads by example. It is built consistently over time, not by one training session a year.

Role-based

Content is adapted to the role: developers - secure coding, management - risk decisions and fraud, support staff - social engineering. Generic 'one size fits all' training is ineffective.

Phishing simulations

Controlled phishing exercises measure real behaviour and teach recognition. The aim is learning, not punishment: whoever is 'caught' gets immediate micro-learning, not public shaming.

Measuring effectiveness

Training without measurement is a formality. Track completion rates, phishing click and report rates, and the number of incidents, and adjust the programme according to the results.

Social engineering and insider threats

Human factor - manipulation from outside and risk from inside

Figure: social engineering and types of insider threat. Top, social engineering techniques (manipulation from outside): phishing (e-mail, SMS, calls); pretexting (an invented reason, a role); urgency and authority ('the manager', 'right now'); baiting (USB, 'a prize'). Bottom, three types of insider threat (risk from inside): malicious (deliberate harm: sabotage, data theft, hostile departure); negligent (carelessness, laziness, policy bypassed for convenience; the most common type); compromised (stolen credentials, a taken-over account; a victim, not a culprit).

Most insider threats are not malicious: the most frequent is the negligent employee who makes mistakes or bypasses a control for convenience. Training, usable security tools and blameless reporting are therefore more effective than a culture of suspicion.

Protection against manipulation

Training to recognise urgency, authority and curiosity tricks. Procedures for sensitive actions (e.g. payment detail changes confirmed through a separate channel). A 'stop and verify' culture. Technically: MFA and e-mail filtering.

Insider threat indicators

Unusual data downloads, access outside the role or outside working hours, dissatisfaction before departure. Detected by behavioural analytics (UEBA), logs and the least privilege principle, not by blanket surveillance.
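The three indicators above can be checked against access logs with a few targeted rules rather than blanket monitoring. The following is an added example, not code from the original page or from any UEBA product; the log format, role scopes, working hours and the volume threshold are constructed assumptions, and the baseline for a volume spike is the user's own history, never a comparison with colleagues.

```python
"""Insider-threat indicator checks over access logs.

The log lines, role scopes and working hours below are constructed for the
example; they are not from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed log format: one event per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<bytes>\d+) resource=(?P<resource>\S+)$"
)

SAMPLE_LOG = """\
2024-05-06T09:12:01 user=anna action=download bytes=800000 resource=/src/app.zip
2024-05-07T10:40:22 user=anna action=download bytes=1200000 resource=/src/lib.zip
2024-05-08T11:05:09 user=anna action=download bytes=900000 resource=/src/docs.zip
2024-05-09T16:50:44 user=anna action=download bytes=52000000 resource=/src/full-repo.tar
2024-05-07T14:02:10 user=janis action=download bytes=300000 resource=/finance/q1.xlsx
2024-05-08T02:31:55 user=janis action=download bytes=250000 resource=/finance/q2.xlsx
2024-05-08T15:20:00 user=peteris action=download bytes=100000 resource=/finance/payroll.csv
"""

# Assumed role scopes: the resource prefix each user's role is meant to touch.
ROLE_SCOPE = {"anna": "/src/", "janis": "/finance/", "peteris": "/src/"}
WORK_HOURS = range(7, 19)   # assumed working hours 07:00-18:59
VOLUME_FACTOR = 5           # flag a day above 5x the user's median of other days


def parse_log(text):
    """Parse key=value lines; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "action": m["action"],
            "bytes": int(m["bytes"]),
            "resource": m["resource"],
        })
    return events


def find_indicators(events, role_scope, work_hours=WORK_HOURS, factor=VOLUME_FACTOR):
    """Return sorted (user, indicator, detail) tuples for the three checks."""
    findings = set()
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes downloaded

    for e in events:
        # Indicator 1: access outside working hours.
        if e["ts"].hour not in work_hours:
            findings.add((e["user"], "off_hours", e["ts"].isoformat()))
        # Indicator 2: access outside the role's scope.
        scope = role_scope.get(e["user"])
        if scope is None or not e["resource"].startswith(scope):
            findings.add((e["user"], "outside_role", e["resource"]))
        if e["action"] == "download":
            daily[e["user"]][e["ts"].date()] += e["bytes"]

    # Indicator 3: volume spike against the user's own baseline (median of other days).
    for user, per_day in daily.items():
        for day, total in per_day.items():
            others = [v for d, v in per_day.items() if d != day]
            if not others:
                continue  # no baseline yet: nothing to compare with
            baseline = median(others)
            if baseline > 0 and total > factor * baseline:
                findings.add((user, "volume_spike", f"{day}: {total} bytes vs median {baseline:.0f}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, indicator, detail in find_indicators(parse_log(SAMPLE_LOG), ROLE_SCOPE):
        print(f"{indicator:<13} {user:<8} {detail}")
```

On the sample log this yields exactly three findings: Anna's 52 MB download on 9 May against a median of under 1 MB, Janis's 02:31 access, and Peteris reading a payroll file outside his role's scope. Only the metadata fields needed for the rules are parsed, which keeps the check proportionate in the sense of the privacy paragraph that follows; the findings are leads for a human to triage, not verdicts.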

Balance with privacy

The insider threat programme respects employees' privacy and the law: monitoring is proportionate, transparent and documented. Excessive surveillance undermines trust and culture, which itself increases risk.

ISO 6.8 / 6.4 / 6.7

Event reporting, discipline and remote work

Figure: the security event reporting flow (6.8), from noticing an event to response and feedback, built on a just culture. The sooner the report, the smaller the damage. 1 An employee notices. 2 Reports: one channel, quickly. 3 Triage: assess, classify. 4 Respond: incident process. 5 Feedback: thank the reporter; feedback encourages repeat reporting because the reporter sees it mattered. Just culture: reporting without fear of punishment for honest mistakes → more and faster reports; sanctions only for malice or deliberate violation.

Rapid reporting limits damage: if an employee is afraid to say 'I clicked the link', the attacker gains hours or days. An easy reporting channel and a blameless culture (6.8) are the cheapest and most effective early detection control.

Event reporting (6.8)

A clear, easily accessible channel (a button in the e-mail client, one phone number), known to everyone. Report suspicions, not only confirmed incidents. Speed matters more than perfection; triage fills in the details.

Disciplinary process (6.4)

A formal, fair and proportionate process for violations, known in advance and applied consistently. It deters deliberate violations without creating a culture of fear around honest mistakes.

Remote working (6.7)

Home and public environments bring new risks: shoulder surfing, untrusted networks, private devices, family members with access. Controls: VPN, screen privacy, dedicated work devices, a clear remote working policy.