Probably the biggest problem that we have in the world of IT security is people; people need training. So what I want to do in this particular episode is talk about some of the aspects of training and what people need to be aware of so that our IT security infrastructure is sound. Now, the whole idea of training pretty much starts from the moment somebody starts with the company until the day that they leave. So what I'd like to talk about first is what we call onboarding. Now, onboarding is simply the process that takes a person who is outside of your infrastructure and brings them in, pretty much new hires.
But that can also be contractors, temporary workers, stuff like that as well. So when someone is onboarded, they go through a very big process of making sure that they're the type of person we want to hire, and all kinds of training and all kinds of stuff. However, for the exam, there are just a very few specific areas that I want to cover. Onboarding will in many cases require a good background check, making sure that this is the type of person that you want working for your organization. In certain cases, they might have to sign a nondisclosure agreement to make sure that they're not going out with information that they shouldn't be talking about. They should also be aware of standard operating procedures, anything that you do within your organization that has a procedure and that is standardized.
This is where they begin to learn about that. Also specialized issues: for example, in many organizations there's a requirement for a clean desk. By requiring a clean desk, it removes the opportunity for passwords to be written down and other bits of critical information to be left about. The other big area that we deal with in onboarding is rules of behavior, and in particular, what we're talking about is a good acceptable use policy. Here's where we go through the process of having the person read the acceptable use policy, often having them sign the policy in front of someone, to make sure they understand exactly what they can and cannot do with the company's equipment.
On top of that, there'll be a number of general security policies. For example, what can they do with social media networks? What can they do with different applications? And even personal email? Does training end at the onboarding process? No, training keeps going forever and ever.
All good employees are always going to be subject to continuing education. For example, if there's a major change in a policy, new technology, new applications, new things that come along, we need to make sure that our people are up to date and trained. And also, it's always a good idea to give good refreshers. Make sure people are aware of things like watching for different types of malware or making sure that their passwords are being handled properly. Once a person decides to break away from your infrastructure, then we go through the process known as offboarding. Now, offboarding is a very complex process with all types of things, but at least for the exam, the things I want you to concentrate on are, number one, we're almost always going to disable someone's account.
We never delete an account, because there are different permissions and such tied to it. We are also going to have them return any credentials they might have. That would be very important from a security standpoint. But the other one, and this is a big one, is the exit interview. We should always have an exit interview during the offboarding process, for one reason at least from an IT security side, and that is knowledge transfer. This is the opportunity for us to go to that particular soon-to-be ex-employee and talk about where their data is, where their storage is, and whether there is anything personal that might be helpful for us.
And this is often a good opportunity to discover that important thumb drive or whatever it might be, that can really help us, especially when the next person comes along. Now, speaking of data, there's a big issue that comes into play, and that is the concept known as personally identifiable information, PII. PII is a big deal when it comes to security, and we need to be training our people to be aware of personally identifiable information for a myriad of reasons. There are a number of legal issues involved with that. There are problems we run into where we have personal information stolen, and we need to watch out for that. Now, what's interesting is that we have a lot of resources for this. So let's start off with the good old NIST. NIST document SP 800-122 goes into great detail on the concept of personally identifiable information.
Some of the things we need to be watching out for would be, for example, a full name, a home address, a personal email address, an identification number (here in the United States, that would be a Social Security number), a passport number, vehicle registration plate numbers, a driver's license number, any facial, fingerprint or handwriting information, credit card numbers, digital identity, and date of birth.

Another big issue when we're talking about personnel is personnel management controls. Now, in this case we're actually talking about how we deal with what people do in terms of their work, to be able to keep our infrastructure as secure as possible. So let's take a quick look at these very common and very well-known personnel management controls. First are mandatory vacations. A mandatory vacation is the requirement that someone take a vacation and get away from the office for a while. In many industries, people are required to take two weeks at a time.
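To make the PII categories just listed concrete from the defender's side, here is a small scanner that finds the structured ones (Social Security number, email address, credit card number, date of birth, passport number) in free text and redacts them. This is an added example, not code from the episode or from NIST SP 800-122; the sample ticket text is constructed, and the regular expressions are illustrative rather than jurisdiction-complete. Names, addresses and biometrics have no fixed syntax, so a real data-loss-prevention tool handles those with dictionaries or classifiers instead of patterns.

```python
"""Scan text for PII categories with a checkable format (NIST SP 800-122 list).

Added example; patterns are illustrative and the sample text is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    value: str
    offset: int


# Only the categories with a recognisable structure are pattern-matched.
PATTERNS = {
    # US SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # 13-16 digits, optionally separated by spaces or hyphens; Luhn-checked below.
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "date_of_birth": re.compile(
        r"\b(?:DOB|date of birth)[:\s]+(\d{1,2}/\d{1,2}/\d{4})", re.IGNORECASE),
    "passport": re.compile(
        r"\bpassport(?: number| no\.?)?[:\s#]+([A-Z0-9]{6,9})\b", re.IGNORECASE),
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum; separates real card numbers from order or ticket numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Return PII findings ordered by position in the text."""
    findings = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if category == "credit_card" and not luhn_ok(value):
                continue        # digit run that fails Luhn is not a card number
            findings.append(Finding(category, value, m.start()))
    return sorted(findings, key=lambda f: f.offset)


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each found value with its category label, e.g. [ssn]."""
    for f in findings:
        text = text.replace(f.value, f"[{f.category}]")
    return text


# Constructed help-desk ticket; the card number is the well-known Luhn-valid
# test value and the order reference is a digit run that fails Luhn.
SAMPLE = (
    "Ticket 4471: customer Jane Doe (SSN 123-45-6789, jane.doe@example.com)\n"
    "called about card 4111 1111 1111 1111; DOB: 04/12/1985. Order ref 1234567890123\n"
    "was refunded. Passport number: C12345678."
)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for f in found:
        print(f"{f.category:14} at {f.offset:3}: {f.value}")
    print(redact(SAMPLE, found))
```

Run it as a script to see the five findings and the redacted ticket; the order reference is reported as nothing because it fails the Luhn check, which is the kind of false-positive filter a practitioner adds before wiring such a scanner into a ticketing system or log pipeline.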
Now, a mandatory vacation does some powerful things. Number one, others can fill in if needed, so it shows our infrastructure that if someone's gone for two weeks, other people can cover for them. It also makes fraud much more difficult. And if more than one person at a time is doing something naughty, it prevents collusion by keeping these people separated. Another important personnel management control is job rotation.
Job rotation prevents a single person from being the only set of eyes for a job. It also makes fraud more difficult, and it allows for cross-training. Job rotation is fantastic for larger organizations, although it's often difficult to do with smaller ones. Third is separation of duties. Separation of duties simply means that at least two people are required to do a sensitive function. Again, this makes sure that no single person is always and only doing a particular function.
Everybody who touches your secure data in your infrastructure does this under what we call a role. Now, different people have different roles depending on how and what they do within the infrastructure. So when we're talking about dealing with data, we often use very specific, well-known, industry-defined roles that help us decide what different types of people, what different types of roles, do when it comes to handling data. The best way to see how this works is actually just to see these very good examples.
So let's go through different well-known role-based data controls. First is a system owner. A system owner is a management-level role. Their job is to maintain the security of a system. Now, when I say system, I don't necessarily mean a single computer; it could be a network or whatever you break down as a system. A system owner will also define a system administrator, whom we'll see next, and a system owner works with data owners (we'll see who data owners are in a minute) to ensure data security. A system administrator is usually someone who is assigned by the system owner to perform day-to-day administration of a system.
These are the people who actually implement security controls on that particular system. A data owner is the person in charge of the data on that system; they're going to define the sensitivity of the data on that system. They're also going to define the protection of that data, whatever they need to do to protect it. They are going to work with the system owner to protect that data, and then usually the poor system administrator is the one who has to actually implement the controls. And it's the data owner who defines access to the data.
So a data owner is also going to work with a system administrator to see what people can do with that data. Next is the user, and the user is the most common person. These are the folks who access and use the assigned data responsibly. The other big job for any user is to monitor and report security breaches. A privileged user is a person who, because of a management position or whatever, will have special access to data beyond the typical user; so the head of accounting is probably going to have more permissions than a regular accounting user. A privileged user also works closely with system administrators to ensure data security.
Last is the executive user. An executive user, by definition, will have read-only access to pretty much all of the business data on a particular system. There's a lot to security training; make sure you're comfortable with the different types of controls and the different types of roles, because this is the stuff that really keeps our IT infrastructure secure.