All personnel need to be screened prior to starting employment. This helps to ensure organizations hire knowledgeable, ethical individuals with the appropriate skill sets and experience to fill open positions. Personnel screening is the topic of pitfall #16 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Documented procedures should be used to ensure organizations follow standard processes to complete personnel screening in a repeatable and reliable manner. For example, background verification checks on candidates for employment should be carried out in accordance with relevant laws, regulations, and ethics. Background checks should be proportional to the business requirements, the classification or type of information the role will access, and the perceived risks associated with the position.
To support the personnel screening process, appropriate risk designations should be assigned to each position within your organization. This provides the ability to distinguish between different levels of screening, if doing so is appropriate. For example, someone filling a position with access to financial information of your organization may be screened with a higher level of scrutiny than a person filling a position without access to financial information of the organization.
Similarly, someone filling an IT position that will have administrative access to your organization’s networks may need to be subjected to a higher level of scrutiny than someone filling a data entry role that will not have administrative network access. Keep in mind that personnel with administrative access to your network effectively hold the “keys to the kingdom” from an access perspective. As such, they should be screened accordingly. Whatever screening process is deemed appropriate for your organization, make sure it is documented and followed.
As permitted by law, and when appropriate, verification checks should include satisfactory character references, checks to confirm that an accurate resume (curriculum vitae) has been provided, confirmation of claimed academic qualifications, confirmation of professional qualifications, criminal history clearance, as well as independent identity verification.
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.