What ensures that the subject of an activity or event cannot deny that the event occurred?

Important elements in constructing a job description include separation of duties, job responsibilities, and job rotation.

Separation of duties

Separation of duties is the security concept in which critical, significant, and sensitive work tasks are divided among several individuals. This prevents any one person from having the ability to undermine or subvert vital security mechanisms. This unwanted activity is called collusion.

Job responsibilities

Job responsibilities are the specific work tasks an employee is required to perform on a regular basis. Depending on their responsibilities, employees require access to various objects, resources, and services. On a secured network, users must be granted access privileges for those elements related to their work tasks. To maintain the greatest security, access should be assigned according to the principle of least privilege. The principle of least privilege states that in a secured environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities.

Job rotation

Job rotation, or rotating employees among numerous job positions, is simply a means by which an organization improves its overall security. Job rotation serves two functions. First, it provides a type of knowledge redundancy. When multiple employees are each capable of performing the work tasks required by several job positions, the organization is less likely to experience serious downtime or loss in productivity if an illness or other incident keeps one or more employees out of work for an extended period of time.

Second, moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information. The longer a person works in a specific position, the more likely they are to be assigned additional work tasks and thus expand their privileges and access.
As a person becomes increasingly familiar with their work tasks, they may abuse their privileges for personal gain or malice. If misuse or abuse is committed by one employee, it will be easier to detect by another employee who knows the job position and work responsibilities. Therefore, job rotation also provides a form of peer auditing.

When multiple people work together to perpetrate a crime, it's called collusion. The likelihood that a coworker will be willing to collaborate on an illegal or abusive scheme is reduced because of the higher risk of detection that the combination of separation of duties, restricted job responsibilities, and job rotation provides.

Job descriptions are not used exclusively for the hiring process; they should be maintained throughout the life of the organization. Only through detailed job descriptions can a comparison be made between what a person should be responsible for and what they actually are responsible for. It is a managerial task to ensure that job descriptions overlap as little as possible and that one worker's responsibilities do not drift or encroach on those of another. Likewise, managers should audit privilege assignments to ensure that workers do not obtain access that is not strictly required for them to accomplish their work tasks.

Screening and Background Checks

Screening candidates for a specific position is based on the sensitivity and classification defined by the job description. The sensitivity and classification of a specific position depend on the level of harm that could be caused by accidental or intentional violations of security by a person in the position. Thus, the thoroughness of the screening process should reflect the security of the position to be filled.

Background checks and security clearances are essential elements in proving that a candidate is adequate, qualified, and trustworthy for a secured position.
Background checks include obtaining a candidate's work and educational history; checking references; interviewing colleagues, neighbors, and friends; checking police and government records for arrests or illegal activities; verifying identity through fingerprints, driver's license, and birth certificate; and holding a personal interview. This process could also include a polygraph test, drug testing, and personality testing/evaluation.

Creating Employment Agreements

When a new employee is hired, they should sign an employment agreement. Such a document outlines the rules and restrictions of the organization, the security policy, the acceptable use and activities policies, details of the job description, violations and consequences, and the length of time the position is to be filled by the employee. Many of these items may be separate documents. In such a case, the employment agreement is used to verify that the employment candidate has read and understood the associated documentation for their prospective job position.

In addition to employment agreements, there may be other security-related documentation that must be addressed. One common document is a nondisclosure agreement (NDA). An NDA is used to protect the confidential information within an organization from being disclosed by a former employee. When a person signs an NDA, they agree not to disclose any information that is defined as confidential to anyone outside of the organization. Violations of an NDA are often met with strict penalties.

Throughout the employment lifetime of personnel, managers should regularly audit the job descriptions, work tasks, privileges, and so on for every staff member. It is common for work tasks and privileges to drift over time. This can cause some tasks to be overlooked and others to be performed multiple times. Drifting can also result in security violations.
Regularly reviewing the boundaries defined by each job description in relation to what is actually occurring aids in keeping security violations to a minimum.

A key part of this review process is mandatory vacations. In many secured environments, mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. This removes the employee from the work environment and places a different worker in their position. This often results in easy detection of abuse, fraud, or negligence.

Employee Termination

When an employee must be terminated, there are numerous issues that must be addressed. A termination procedure policy is essential to maintaining a secure environment even in the face of a disgruntled employee who must be removed from the organization. The reactions of terminated employees can range from understanding acceptance to violent, destructive rage. A sensible procedure for handling terminations must be designed and implemented to reduce incidents.

The termination of an employee should be handled in a private and respectful manner. However, this does not mean that precautions should not be taken. Terminations should take place