Domain 1 · Lesson 8 of 10

Personnel Security & Insider Threat


Employment Lifecycle Security

Pre-Employment
  • Background checks: criminal history, credit history (for financial roles), employment references
  • Security clearance verification where required
  • NDA signed before employment starts, not on the first day
  • Reference checks with previous employers
  • Drug screening where legally permissible
During Employment
  • Security awareness training (at hire and annually)
  • Least privilege: access only to what is needed for the current role
  • Periodic access reviews and recertification
  • Mandatory vacation: detects fraud by forcing someone else to cover the role
  • Job rotation: exposes each function to a second person who can spot improper activity
  • Monitoring of privileged user activity
Termination — CRITICAL
  • Disable accounts IMMEDIATELY when the termination decision is made, not at the end of the notice period; for involuntary terminations, disable before the employee is told
  • Collect physical access badges, keys, hardware
  • Revoke all logical access: GitHub, Vault, cloud IAM, Kubernetes RBAC, all SaaS tools; rotate any shared credentials the person knew
  • Recover company equipment (laptop, phone)
  • Exit interview: identify potential data exfiltration and restate continuing NDA obligations
  • Transfer of sensitive knowledge (runbooks, credentials)

Key Personnel Security Controls

Control | Purpose | CISSP Distinction
Separation of Duties (SoD) | No single person can complete a critical transaction alone; requires a minimum of 2 people | Prevents both fraud AND errors; requires the process itself to be split
Dual Control | Two people must be physically present at the same time to perform an action (e.g., open a safe) | Both present simultaneously; e.g., the two-key nuclear launch procedure
Two-Person Integrity | Two people must oversee a sensitive operation so that no one person can act alone | Near-synonym of dual control (the "two-person rule"); code review plus a separate deploy approval is the software analogue
Mandatory Vacation | Forces coverage by another person, exposing fraud that would stay hidden if the person never left | DETECTS fraud (does not prevent it); the scheme surfaces while someone else holds the role
Job Rotation | Moves employees between roles so that different people see the same function, enabling detection of improper activity | Also provides cross-training and BCP coverage
Least Privilege | Grant the minimum access needed to perform the job, shrinking the insider threat surface | Access should be role-based rather than person-based where possible
Need-to-Know | Even if the clearance level permits access, grant it only if the person needs it for their specific job | Clearance = maximum allowed; Need-to-Know = actual access granted

Social Engineering Attacks

Attack | Definition | Example
Phishing | Mass email impersonating a trusted entity to steal credentials | Fake "Bank A security alert" email sent to all employees
Spear Phishing | Targeted phishing that uses personal information about the victim | Email to Hoa mentioning the Platform C project by name
Whaling | Spear phishing aimed at senior executives (CEO, CTO, CFO) | Fake "Partner A audit request" sent to the CTO
Vishing | Voice phishing: calls pretending to be IT support or an authority | "This is GCP support, we need your admin password"
Smishing | SMS-based phishing | SMS "Your Platform C account is locked, verify here: [link]"
Pretexting | A fabricated scenario used to manipulate the target into providing information | "Hi, I'm the new Platform A contractor, can you send me the API credentials?"
Baiting | Leaving infected USB drives or offering something enticing | USB labelled "Partner A Payroll Q4" left in the office parking lot
Tailgating | Physically following an authorized person through a secured door without their consent (piggybacking when the authorized person knowingly holds the door) | Following an employee through the server room door while their hands are full

Insider Threat Types

Malicious
Intentional harm: data theft, sabotage, fraud. Typical drivers are financial stress, disgruntlement, or external coercion.
Negligent / Unintentional
Accidental harm: clicking a phishing link, misconfiguring a system, losing a laptop. The most common type.
Compromised
A legitimate account taken over by an external attacker. The activity appears to come from a legitimate insider, so it has to be caught by what the account does, not by who it belongs to.

Key Terms

Term | Core Meaning
Separation of Duties | Split critical tasks across ≥2 people to prevent single-person fraud
Dual Control | Two people physically present at the same time to perform an action
Mandatory Vacation | DETECTS fraud by requiring another person to cover the role
Job Rotation | Move between roles; enables audit and detection of improper activity
Background Check | Pre-employment vetting: criminal, credit, employment history
Need-to-Know | Access granted only if required for the specific job, even if the clearance level allows more
Insider Threat | Security risk from current/former employees, contractors, or partners
Pretexting | Fabricated scenario used to manipulate someone into revealing information
Exam Tips
  1. Mandatory vacation DETECTS fraud; it does not prevent it. Many schemes need constant tending (rolling over a fake account, suppressing an alert); when someone else covers the role the tending stops or the irregularity is seen.
  2. Termination: disable access IMMEDIATELY on the decision, not when the notice period ends. An employee serving 2 weeks' notice still has both access and motive; disable first, then handle the notice period under supervision. For involuntary terminations, disable before the employee is informed.
  3. SoD requires a minimum of 2 people; it prevents both intentional fraud and unintentional errors by requiring a second person to complete the transaction.
  4. Phishing vs Spear Phishing vs Whaling: Phishing = mass, untargeted; Spear Phishing = targeted at a specific person using personal info; Whaling = spear phishing aimed specifically at senior executives.
  5. The NDA is signed BEFORE employment starts, before the employee has access to any confidential information, not on the first day after they have already been briefed.
Work Application — FinTech Company X

SoD for Platform C deployments: Enforce Separation of Duties using ArgoCD — developer cannot both write AND deploy code. PR approval (at least 1 additional approver) and ArgoCD's separate deployer role ensure no single engineer can push to Platform C production unilaterally. This is especially critical for the Partner A VN live environment.
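The SoD control above is only as good as the RBAC policy behind it, so it is worth checking mechanically. The following is an added example, not Argo CD's own tooling or the company's code: it parses an Argo CD RBAC policy in the p/g line format Argo CD uses, follows group-to-role grants, and flags any subject who can both update (repoint an Application at another commit) and sync (deploy it) in a project. The project name platform-c-prod, the role, group and user names in the constructed policy, and the use of Python's fnmatch as a stand-in for Argo CD's glob matcher are assumptions.

```python
"""SoD check over an Argo CD RBAC policy (added example, not Argo CD code).

Parses policy.csv lines of the form
  p, <subject>, <resource>, <action>, <object>, <effect>
  g, <member>, <role-or-group>
expands memberships transitively, and reports subjects that hold a toxic
action pair on applications in one project. Glob matching uses fnmatch as
a simplification of Argo CD's matcher (assumption).
"""
import csv
import fnmatch
from collections import defaultdict
from io import StringIO

# Constructed sample policy: a developer role that can update apps, a
# deployer role that can sync them, and one engineer (hoa) in both groups.
POLICY_CSV = """\
p, role:developer, applications, get, platform-c-prod/*, allow
p, role:developer, applications, update, platform-c-prod/*, allow
p, role:deployer, applications, get, platform-c-prod/*, allow
p, role:deployer, applications, sync, platform-c-prod/*, allow
p, role:readonly, applications, get, */*, allow
g, dev-team, role:developer
g, release-managers, role:deployer
g, hoa, dev-team
g, hoa, release-managers
g, minh, dev-team
g, auditor, role:readonly
"""

# Holding both actions of a pair on the same project lets one person
# change what gets deployed AND trigger the deployment.
TOXIC_PAIRS = (("update", "sync"), ("override", "sync"))


def parse_policy(text):
    """Return (grants, memberships). grants: subject -> {(action, object)}
    allowed on applications. memberships: member -> {parent role/group}."""
    grants = defaultdict(set)
    memberships = defaultdict(set)
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue
        if row[0] == "p" and len(row) == 6:
            _, subject, resource, action, obj, effect = row
            if resource == "applications" and effect == "allow":
                grants[subject].add((action, obj))
        elif row[0] == "g" and len(row) == 3:
            _, member, parent = row
            memberships[member].add(parent)
    return grants, memberships


def effective_grants(subject, grants, memberships, _seen=None):
    """Union of the subject's own grants and those of every role/group it
    reaches through g lines (transitively, cycle-safe)."""
    seen = _seen if _seen is not None else set()
    if subject in seen:
        return set()
    seen.add(subject)
    result = set(grants.get(subject, ()))
    for parent in memberships.get(subject, ()):
        result |= effective_grants(parent, grants, memberships, seen)
    return result


def covers(pattern, project):
    """True if an object pattern like 'platform-c-prod/*' or '*/*'
    reaches applications in the given project."""
    project_pattern = pattern.split("/", 1)[0]
    return fnmatch.fnmatch(project, project_pattern)


def sod_violations(policy_text, project):
    """Sorted (subject, (action_a, action_b)) for every subject whose
    effective grants include both actions of a toxic pair on the project."""
    grants, memberships = parse_policy(policy_text)
    findings = []
    for subject in set(grants) | set(memberships):
        actions = {action for action, obj in
                   effective_grants(subject, grants, memberships)
                   if covers(obj, project)}
        for pair in TOXIC_PAIRS:
            if set(pair) <= actions:
                findings.append((subject, pair))
    return sorted(findings)


if __name__ == "__main__":
    for subject, (a, b) in sod_violations(POLICY_CSV, "platform-c-prod"):
        print(f"SoD violation: {subject} can {a} and {b} in platform-c-prod")
```

Run against the sample policy this reports hoa, who is clean in each group on its own and only becomes a single point of compromise through the combination; that is exactly the case a per-role review misses, so the check has to be run over effective grants per person, not per role.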

Mandatory vacation policy: Ensure engineers rotate on-call and take leave. A solo engineer managing production payments with no documented runbooks and no backup coverage is both a fraud risk and a BCP risk. Partner A H2H disbursement SLA means any knowledge-silo failure is a critical operational incident.

Offboarding checklist — target: all access disabled within 2 hours of departure:

Access Systems
✓ GitHub (org + all repos)
✓ Vault (all policies)
✓ GCP IAM (all projects)
✓ AWS IAM (if applicable)
✓ Kubernetes RBAC
SaaS & Tools
✓ ArgoCD
✓ Datadog
✓ Slack workspace
✓ Jira / Confluence
✓ Google Workspace
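The checklist names the systems; the gap that survives most offboardings is access inherited through a group (a Google Workspace group bound in GCP IAM, a Group subject in a Kubernetes RoleBinding) that nobody edits because the person's direct grants were already removed. The following is an added example, not a vendor or project tool: it scans a constructed snapshot of the checklist systems for a departing person's identities and reports every remaining grant, direct or via group, then shows that stripping only direct grants leaves the group-inherited ones in place. The snapshot layout, the system names, and the identities hoa-nguyen / hoa@example.com are assumptions for illustration.

```python
"""Offboarding residual-access scan (added example, not a vendor tool).

The snapshot below is constructed; in a real run each section would be
pulled from the system's API (gh api, gcloud, vault, kubectl).
"""
import copy
from collections import namedtuple

Finding = namedtuple("Finding", "system location via")

SNAPSHOT = {
    "github": {
        "org_members": ["hoa-nguyen", "minh-tran"],
        "teams": {"platform-c": ["hoa-nguyen", "minh-tran"], "sre": ["minh-tran"]},
    },
    "groups": {  # Workspace groups used as IAM / RBAC principals
        "sre@example.com": ["hoa@example.com", "minh@example.com"],
    },
    "gcp_iam": {  # project -> [(role, member)]
        "platform-c-prod": [
            ("roles/viewer", "group:sre@example.com"),
            ("roles/owner", "user:minh@example.com"),
        ],
    },
    "vault": {"entities": ["hoa@example.com", "minh@example.com"]},
    "kubernetes": {
        "rolebindings": [
            {"namespace": "payments", "name": "deployers",
             "subjects": [("User", "hoa@example.com"), ("Group", "sre@example.com")]},
        ],
    },
}

HOA = {"hoa-nguyen", "hoa@example.com"}  # GitHub login + SSO email (assumed)


def groups_containing(snapshot, identities):
    """Groups the person is still a member of; any grant to these groups
    remains reachable after every direct grant has been removed."""
    return {g for g, members in snapshot["groups"].items() if identities & set(members)}


def residual_access(snapshot, identities):
    """Every remaining grant for the person, direct or through a group."""
    ids = set(identities)
    via = groups_containing(snapshot, ids)
    found = []
    gh = snapshot["github"]
    if ids & set(gh["org_members"]):
        found.append(Finding("github", "org membership", "direct"))
    for team, members in gh["teams"].items():
        if ids & set(members):
            found.append(Finding("github", f"team {team}", "direct"))
    for group in via:
        found.append(Finding("groups", group, "membership"))
    for project, bindings in snapshot["gcp_iam"].items():
        for role, member in bindings:
            kind, name = member.split(":", 1)
            if kind == "user" and name in ids:
                found.append(Finding("gcp_iam", f"{project} {role}", "direct"))
            elif kind == "group" and name in via:
                found.append(Finding("gcp_iam", f"{project} {role}", f"group {name}"))
    for entity in snapshot["vault"]["entities"]:
        if entity in ids:
            found.append(Finding("vault", f"entity {entity}", "direct"))
    for rb in snapshot["kubernetes"]["rolebindings"]:
        loc = f"{rb['namespace']}/{rb['name']}"
        for kind, name in rb["subjects"]:
            if kind == "User" and name in ids:
                found.append(Finding("kubernetes", loc, "direct"))
            elif kind == "Group" and name in via:
                found.append(Finding("kubernetes", loc, f"group {name}"))
    return sorted(found)


def remove_direct_grants(snapshot, identities):
    """The common incomplete offboarding: strip the person from every
    direct list but leave group memberships untouched."""
    s = copy.deepcopy(snapshot)
    ids = set(identities)
    gh = s["github"]
    gh["org_members"] = [m for m in gh["org_members"] if m not in ids]
    gh["teams"] = {t: [m for m in ms if m not in ids] for t, ms in gh["teams"].items()}
    for project in s["gcp_iam"]:
        s["gcp_iam"][project] = [(r, m) for r, m in s["gcp_iam"][project]
                                 if m.split(":", 1)[1] not in ids]
    s["vault"]["entities"] = [e for e in s["vault"]["entities"] if e not in ids]
    for rb in s["kubernetes"]["rolebindings"]:
        rb["subjects"] = [(k, n) for k, n in rb["subjects"] if n not in ids]
    return s


def remove_group_memberships(snapshot, identities):
    """The step that actually closes the inherited grants."""
    s = copy.deepcopy(snapshot)
    s["groups"] = {g: [m for m in ms if m not in identities] for g, ms in s["groups"].items()}
    return s


if __name__ == "__main__":
    after_direct = remove_direct_grants(SNAPSHOT, HOA)
    for f in residual_access(after_direct, HOA):
        print(f"still has access: {f.system} {f.location} ({f.via})")
```

After the direct cleanup the scan still reports the GCP viewer binding and the Kubernetes RoleBinding, both through sre@example.com; only removing the group membership (or the group binding) brings the scan to empty, which is the condition the "all access disabled within 2 hours" target should be measured against.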

Practice Questions

Q1. A fintech company requires all engineers with access to production databases to take two consecutive weeks of vacation annually. What is the primary security purpose of this policy?

A) To detect fraud — requiring coverage by another person makes ongoing fraud schemes visible
Rationale: Mandatory vacation is a detective control. If an engineer is committing fraud, they must either stop while on vacation (making the irregular activity disappear and then reappear suspiciously) or their scheme becomes visible to the person covering their role. It does NOT prevent fraud from starting — it detects fraud already in progress.

Q2. A senior engineer at FinTech Company X resigns and gives 2-weeks notice. When should their system access be revoked?

A) Immediately upon resignation — access should be revoked the same day the decision is made, regardless of notice period
Rationale: A departing employee, especially one who may feel resentful, presents an elevated insider threat risk during their notice period. Access should be revoked immediately upon the termination decision. Knowledge transfer and notice period activities should be conducted under supervision, not with full system access.

Q3. In Platform C, no single developer can push code directly to production without a peer review AND ArgoCD deployment approval. What control does this implement?

A) Separation of Duties — critical operations are split across multiple people, preventing single-person fraud or error
Rationale: Separation of Duties requires that no single person can complete an entire critical transaction alone. Requiring both PR approval (developer + reviewer) and ArgoCD deployment (separate deployer role) means at least 2–3 people are involved in any production change. This prevents a developer from introducing malicious code AND deploying it without detection.

Q4. An attacker researches a FinTech Company X engineer on LinkedIn and sends them an email mentioning their Platform C project and a fake "urgent security audit from BSP." What attack type is this?

A) Spear phishing — targeted phishing that uses specific personal/professional information about the victim
Rationale: Spear phishing is distinguished from regular phishing by its use of personal information about the target (name, role, projects, employer) to make the attack more convincing. Regular phishing is mass/generic. Whaling would target the CEO/CTO specifically. Using the Platform C project name and BSP regulatory context makes this a spear phishing attack.

Q5. A person calls the Platform C support team claiming to be a new contractor from eKYC Vendor who needs temporary API credentials to test the integration — but they never met anyone and want credentials over the phone. What attack is this?

A) Pretexting — a fabricated scenario (fake contractor identity) used to manipulate someone into providing sensitive information
Rationale: Pretexting involves creating a fabricated but plausible story (a "pretext") to manipulate the target. The attacker is posing as an eKYC Vendor contractor to get API credentials. Phishing names the email channel and vishing the phone channel; a pretext delivered by phone is both a vishing call and pretexting, but the question asks about the manipulation technique. The key: the attacker invented an identity and a scenario to justify the request.