2.6 Personnel Security, Training, Awareness, and Culture

Key Takeaways

  • Personnel security covers the full worker lifecycle: screening, onboarding, role changes, access reviews, monitoring, offboarding, and post-employment obligations.
  • Awareness, training, and education are different levels of learning and should be tailored to roles and risk.
  • Culture is shaped by incentives, leadership behavior, reporting safety, usable controls, and consistent accountability.
  • Insider risk programs must balance detection and prevention with privacy, labor rules, proportionality, and fairness.

Last updated: May 2026

People Controls Across The Lifecycle

Personnel security begins before access is granted and continues after access is removed. Screening, background checks where lawful, employment agreements, acceptable use acknowledgement, confidentiality obligations, role-based access, training, supervision, monitoring, transfer controls, termination procedures, and post-employment reminders all reduce people-related risk. The right control depends on role sensitivity, law, contract, and business context.

Pre-employment screening should be proportional and lawful. A finance administrator, system engineer, delivery contractor, and call center agent may need different checks. Screening is not proof of trustworthiness, and it should not become discriminatory or excessive. It is one input to risk management, combined with least privilege, separation of duties, logging, supervision, and a culture where concerns can be reported.

Onboarding should connect identity proofing, job role, manager approval, policy acknowledgement, training, device issuance, and access provisioning. Access should be based on role and business need, not copied blindly from a previous employee. Privileged access should require stronger approval, separate accounts where appropriate, MFA, session logging, and periodic review. Emergency access should be controlled and reviewed after use.

Lifecycle stage          | Security focus                                  | Common failure
Pre-hire or pre-contract | Screening and role suitability                  | Overcollecting data or ignoring local law
Onboarding               | Approved access and policy acknowledgement      | Copying access from another user
Employment or engagement | Training, supervision, review, monitoring       | No review after job duties change
Transfer                 | Remove old access and add new need-based access | Privilege accumulation over time
Termination              | Timely revocation, asset return, reminders      | Delayed deprovisioning or shared accounts
Post-employment          | Enforce obligations and monitor unusual activity | No record of signed agreements

Transfers are high risk because access accumulates. A developer who moves into product management may retain repository admin rights. A support lead who transfers to sales may keep case export privileges. A privileged administrator who joins a vendor management role may retain production access without need. Joiner, mover, and leaver processes should remove access no longer required and document approval for new access.

Termination procedures should be coordinated with HR, legal, management, physical security, identity teams, and IT support. Timing matters. A planned departure may allow normal offboarding, while an involuntary termination involving privileged access may require synchronized account disablement, badge revocation, session termination, device collection, and monitoring. Shared accounts make termination control weaker because access cannot be tied to one person.

Awareness, training, and education are not synonyms. Awareness creates recognition and attention, such as phishing reporting reminders or data handling notices. Training builds task-specific skill, such as secure coding, incident triage, or data classification. Education develops deeper understanding for professionals who design, manage, or audit programs. Role-based learning is more effective than one generic annual slide deck.

A role-based learning plan might include:

  • All workforce members: phishing recognition, reporting channels, acceptable use, data handling, and physical security basics.
  • Developers: secure design, code review, dependency risk, secrets handling, and threat modeling.
  • Administrators: privileged access, logging, change control, backup, and emergency access.
  • Executives: risk appetite, incident decision-making, legal notification, and crisis communications.
  • Help desk: identity verification, social engineering, password reset, and escalation.

Culture is what people do when policy and pressure collide. If leaders reward speed while punishing security reporting, employees will hide risk. If controls are impossible to use, people will create workarounds. If phishing reporters are mocked, reporting will drop. A healthy security culture makes reporting easy, treats honest mistakes as learning opportunities, and applies accountability consistently when people knowingly bypass controls.

Insider risk programs need care. Indicators such as unusual downloads, access outside normal hours, privilege misuse, policy violations, or resignation timing can be relevant. They are not proof of wrongdoing by themselves. Programs should be authorized, privacy-aware, proportional, documented, and reviewed for fairness. Legal, HR, works councils, or labor representatives may need involvement depending on jurisdiction and organization.

Scenario: a high-performing engineer keeps production admin access after moving to a product strategy role. The manager says the access is convenient for occasional questions. The CISSP answer is to remove unneeded privileged access and provide a controlled request path for rare support needs. Convenience does not justify standing privilege when job duties changed.

Scenario: phishing simulation metrics show that employees click less often but also report fewer suspicious messages. The program may be discouraging reporting or confusing users. A better metric set includes report rate, time to report, true positive reports, repeat susceptibility, department trends, and whether employees know how to report real incidents. Training should improve behavior, not just reduce embarrassment.

Scenario: a customer support team routinely exports full customer records to spreadsheets because the official tool is slow. More awareness training alone will not fix this. The control design must address workflow usability, least-privilege exports, DLP, manager review, tool performance, data minimization, and clear accountability. Culture improves when secure behavior is practical.

Personnel controls should be measured. Useful metrics include access review completion, terminated account disablement time, privileged account recertification, training completion by role, phishing report quality, policy exception trends, and unresolved separation-of-duties conflicts. Metrics should drive action. A dashboard that shows overdue privileged reviews but has no escalation path is a weak control.
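As an added example that is not part of the original page, the mover check from the transfer discussion above (entitlements a user still holds that the current role does not need) and the terminated-account disablement-time metric from the measurement paragraph, in Python. The role model, user records, termination timestamps and the 4-hour disablement SLA are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data, not taken from any real system.
# Entitlements each role legitimately needs (assumed role model); the
# privileged ones need stronger approval and periodic recertification.
ROLE_ENTITLEMENTS = {
    "system_admin": {"prod_admin", "vpn", "email", "ticketing"},
    "product_manager": {"vpn", "email", "ticketing", "roadmap_tool"},
    "sales": {"vpn", "email", "crm"},
}
PRIVILEGED = {"prod_admin", "case_export"}
# Current identity records: role after any transfer, entitlements still granted.
USERS = [
    {"user": "alice", "role": "product_manager",  # engineer moved to product
     "entitlements": {"prod_admin", "vpn", "email", "ticketing", "roadmap_tool"}},
    {"user": "bob", "role": "sales",  # support lead moved to sales
     "entitlements": {"vpn", "email", "crm", "case_export"}},
    {"user": "carol", "role": "system_admin",
     "entitlements": {"prod_admin", "vpn", "email"}},
]

def review_mover_access(users=USERS, roles=ROLE_ENTITLEMENTS, privileged=PRIVILEGED):
    """Per user: entitlements beyond the current role (privilege accumulation),
    the privileged subset of those, and role entitlements not yet granted."""
    findings = {}
    for u in users:
        needed = roles[u["role"]]
        excess = u["entitlements"] - needed
        findings[u["user"]] = {"excess": excess,
                               "privileged_excess": excess & privileged,
                               "missing": needed - u["entitlements"]}
    return findings

# Leaver events: HR termination time, identity-provider disable time (constructed).
TERMINATIONS = [
    ("dave", "2026-05-01T17:00", "2026-05-01T17:20"),
    ("erin", "2026-05-02T09:00", "2026-05-04T11:00"),
    ("frank", "2026-05-03T12:00", None),  # still enabled
]
def disablement_lag(terminations=TERMINATIONS, sla_hours=4, now="2026-05-05T09:00"):
    """Hours from termination to disablement per leaver plus an SLA-breach flag.
    Accounts still enabled are measured against `now` and always flagged."""
    fmt = "%Y-%m-%dT%H:%M"
    results = {}
    for user, terminated, disabled in terminations:
        t0 = datetime.strptime(terminated, fmt)
        t1 = datetime.strptime(disabled or now, fmt)
        hours = (t1 - t0) / timedelta(hours=1)
        results[user] = (round(hours, 1), disabled is None or hours > sla_hours)
    return results
```

Findings with a non-empty privileged_excess are the standing privilege the transfer scenario warns about; flagged leavers are the overdue deprovisioning cases that need an escalation path rather than only a dashboard entry.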

Test Your Knowledge

An employee transfers from system administration to product management but keeps production administrator privileges for convenience. What is the best response?

Test Your Knowledge

Which statement best distinguishes security awareness from training?

Test Your Knowledge

A monitoring tool flags unusual downloads by an employee who recently resigned. What is the best interpretation?
