People, facilities and security skills are important parts of the security trail and are
directly under the control of your organization. Employees, officers and service
suppliers should have compartmentalized and audited access only to data assets
relevant to their immediate duties. Their backgrounds, integrity and loyalties should
be investigated on a level corresponding to the value of the assets they have access
to and the amount of damage they could do by abusing that access. People with poor
internet and data skills are as dangerous as people who can abuse access to data
assets. An organization must have very clear policies on what its computer
infrastructure may be used for. Personnel must be trained to understand basic facts
about e-mail, computer viruses, social networking risks and the legal situs location of
data and transactions.

Operating systems, software and equipment may directly expose organizations to
espionage or leakage of data assets when they allow “back door” access by the
manufacturer or external parties or perform network transactions which are not
clearly visible to or authorized by the user. This includes routers and other peripheral
equipment in the data environment. The most common operating systems and
software are more likely to be targeted by government and non-government parties
engaged in espionage and surveillance. Many security experts currently believe that
software with code that can be freely examined poses less of a risk for these
dangers than proprietary software where examination of the code is restricted or not
possible.