Personnel Security Policies

Updated: 2016-09-12 16:55:42
From the book: CISSP For Dummies
An organization needs clearly documented personnel security policies and procedures in order to facilitate the use and protection of information. Many conceptual best practices exist for protecting the business and its important information assets, and the ones described here all have to do with how people, not technology, work together to support the business.

Collectively, these people-focused controls are known as administrative management and control.

Employment candidate screening

Even before posting a "Help Wanted" sign (do people still do that?) or an ad on a job search website, an employer should ensure that the position to be filled is clearly documented, with a complete description of the job requirements, the qualifications, and the scope of responsibilities and authority.

The job (or position) description should be created as a collaborative effort between the hiring manager — who fully understands the functional requirements of the specific position to be filled — and the human resources manager — who fully understands the applicable employment laws and organizational requirements to be addressed.

Having a clearly documented job (or position) description can benefit an organization for many reasons:

  • The hiring manager knows (and can clearly articulate) exactly what skills a certain job requires.
  • The human resources manager can pre-screen job applicants quickly and accurately.
  • Potential candidates can ensure they apply only for positions for which they're qualified, and they can properly prepare themselves for interviews (for example, by matching their skills and experiences to the specific requirements of the position).
  • After the organization fills the position, the position description (in some cases, the employment contract) helps to reduce confusion about what the organization expects from the new employee and provides objective criteria for evaluating performance.

Concise job descriptions that clearly identify an individual's responsibility and authority, particularly on information security issues, can help

  • Reduce confusion and ambiguity.
  • Provide a legal basis for an individual's authority or actions.
  • Demonstrate any negligence or dereliction in carrying out assigned duties.
An organization should conduct background checks and verify application information for all potential employees and contractors. This process can help to expose any undesirable or unqualified candidates. For example
  • A previous criminal conviction may immediately disqualify a candidate from certain positions within an organization.
  • Even when the existence of a criminal record itself doesn't automatically disqualify a candidate, if the candidate fails to disclose this information in the job application or interview, it should be a clear warning sign for a potential employer.
  • Some positions that require a U.S. government security clearance are available only to U.S. citizens.
  • A candidate's credit history should be examined if the position has significant financial responsibilities or handles high-value assets, or if a high opportunity for fraud exists.
  • It has been estimated that as many as 40 percent of job applicants "exaggerate the truth" on their résumés and applications. Common sources of omitted, exaggerated, or outright misleading information include employment dates, salary history, education, certifications, and achievements. Although the information itself may not be disqualifying, a dishonest applicant should not be given the opportunity to become a dishonest employee.
Most background checks require the written consent of the applicant and disclosure of certain private information (such as the applicant's Social Security number). Private information obtained for the purposes of a background check, as well as the results of the background check, must be properly handled and safeguarded in accordance with applicable laws and the organization's records retention and destruction policies.

Basic background checks and verification might include the following information:

  • Criminal record
  • Citizenship
  • Employment history
  • Education
  • Certifications and licenses
  • Reference checks (personal and professional)
  • Union and association membership (only where the law permits it: in the U.S., the National Labor Relations Act prohibits hiring discrimination based on union membership, and in the EU, trade-union membership is special-category personal data under the GDPR)
Pre- and post-employment background checks can provide an employer with valuable information about an individual whom an organization is considering for a job or position within an organization. Such checks can give an immediate indication of an individual's integrity (for example, by providing verification of information in the employment application) and can help screen out unqualified applicants.

Personnel who fill sensitive positions should undergo a more extensive pre-employment screening and background check, possibly including

  • Credit records (minimally, including bankruptcies, foreclosures, and public records; possibly a full credit report, depending on the position)
  • Drug testing (even in countries or U.S. states where certain narcotics are legal, if the organization's policies prohibit narcotics use, then drug testing should be used to enforce the policy)
  • Special background investigation (FBI and INTERPOL records, field interviews with former associates, or a personal interview with a private investigator)
Periodic post-employment screenings (such as credit records and drug testing) may also be necessary, particularly for personnel with access to financial data, cash, or high-value assets, or for personnel being considered for promotions to more sensitive or responsible positions.

Employment agreements and policies

Various employment agreements and policies should be signed when an individual joins an organization or is promoted to a more sensitive position within an organization. Employment agreements often include non-disclosure agreements, non-compete agreements (where the jurisdiction makes them enforceable), and acceptable use policies. Typical employment policies might include Internet acceptable use, social media policy, remote access, mobile and personal device use (for example, "Bring Your Own Device," or BYOD), and sexual harassment/fraternization.

Employment termination processes

Formal termination procedures should be implemented to help protect the organization from potential lawsuits, property theft and destruction, unauthorized access, or workplace violence. Procedures should be developed for various scenarios including resignations, termination, layoffs, accident or death, immediate departures versus prior notification, and hostile situations. Termination procedures may include
  • Having the former employee surrender keys, security badges, and parking permits
  • Conducting an exit interview
  • Requiring that security escort the former employee to collect his or her personal belongings and/or to leave the premises
  • Asking the former employee to return company materials (notebook computers, mobile phones and tablets, removable media, hardware authentication tokens, and so on)
  • Changing door locks and combinations, and rotating any credentials the former employee knew or held (shared and service account passwords, SSH keys, API keys, certificates)
  • Formally turning over duties and responsibilities
  • Removing network and system access and disabling user accounts, including VPN and remote access and any cloud or SaaS accounts, and revoking active sessions and tokens; for involuntary terminations, access should be cut at or before the moment the employee is notified
  • Enforcing policies regarding retention of e-mail, personal files, and employment records
  • Notifying customers, partners, vendors, and contractors, as appropriate
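The access-removal steps above are the ones that most often slip in practice, and the check a practitioner wants is a periodic reconciliation of HR separations against the identity directory. The following is an added example, not code from the book or its authors: it reads a constructed HR separation list and a constructed directory export (both made up for this illustration, with hypothetical usernames and group names) and flags accounts still enabled after the separation date, logons recorded after separation, and retained membership in privileged groups. The CSV column names, the same-day GRACE_DAYS policy, and the PRIVILEGED_GROUPS set are assumptions; adapt them to the organization's own exports and policy.

```python
"""Offboarding reconciliation: HR separations versus directory accounts (added example)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample HR export (fictitious people; column names are assumptions).
HR_SEPARATIONS = """\
employee_id,username,separation_date,separation_type
1001,jsmith,2016-09-01,resignation
1002,acho,2016-09-05,termination
1003,rpatel,2016-09-08,layoff
1004,mgarcia,2016-09-10,contract_end
"""

# Constructed directory export (fictitious accounts; format is an assumption).
DIRECTORY_EXPORT = """\
username,enabled,last_logon,pwd_last_set,groups
jsmith,False,2016-08-31,2016-06-01,staff
acho,True,2016-09-07,2016-03-15,staff;finance-admins
rpatel,False,2016-09-09,2016-07-20,staff
mgarcia,True,2016-09-09,2016-09-09,contractors;vpn-users
tnguyen,True,2016-09-11,2016-08-01,staff
"""

GRACE_DAYS = 0  # assumed policy: access is removed on the separation date itself
PRIVILEGED_GROUPS = frozenset({"finance-admins", "domain-admins"})  # assumed
AS_OF = date(2016, 9, 12)  # the day the reconciliation is run


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str
    detail: str


def parse_csv(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def _to_date(s: str) -> date:
    return datetime.strptime(s, "%Y-%m-%d").date()


def reconcile(hr_csv: str, dir_csv: str, as_of: date,
              privileged_groups: frozenset = frozenset()) -> list[Finding]:
    """Compare every separated person against their directory account."""
    accounts = {row["username"]: row for row in parse_csv(dir_csv)}
    findings: list[Finding] = []
    for person in parse_csv(hr_csv):
        user = person["username"]
        left = _to_date(person["separation_date"])
        acct = accounts.get(user)
        if acct is None:
            continue  # no directory account to review
        # 1. Account still enabled past the separation date plus grace period.
        if acct["enabled"].strip().lower() == "true":
            overdue = (as_of - left).days - GRACE_DAYS
            if overdue >= 0:
                findings.append(Finding(
                    user, "ENABLED_AFTER_SEPARATION",
                    f"{person['separation_type']} on {left}, still enabled {overdue} day(s) later"))
        # 2. A logon recorded after separation (even on a now-disabled account) needs review.
        if acct["last_logon"] and _to_date(acct["last_logon"]) > left:
            findings.append(Finding(
                user, "LOGON_AFTER_SEPARATION",
                f"last logon {acct['last_logon']} after separation {left}"))
        # 3. Privileged group membership that was never removed.
        retained = sorted(set(acct["groups"].split(";")) & set(privileged_groups))
        if retained:
            findings.append(Finding(user, "PRIVILEGED_GROUP_RETAINED", ", ".join(retained)))
    return findings


def run_sample() -> list[Finding]:
    return reconcile(HR_SEPARATIONS, DIRECTORY_EXPORT, AS_OF, PRIVILEGED_GROUPS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.username:10} {f.issue:28} {f.detail}")
```

Run against the constructed data, the check reports five findings: the terminated user acho is still enabled, logged on after the termination date, and is still in a privileged group; rpatel's account is disabled but shows a logon after the layoff date; and the contractor mgarcia is still enabled two days after contract end. The clean record for jsmith shows what a correctly executed offboarding looks like in the export.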

Vendor, consultant and contractor controls

Organizations commonly outsource many IT functions today (particularly call-center or contact-center support and application development). Information security policies and procedures must address outsourcing security and the use of vendors or consultants, when appropriate. Good examples of outsourcing security considerations include access control, document exchange and review, prohibition of maintenance hooks (undocumented back-door access left in delivered systems), on-site assessment, process and policy review, and service level agreements (SLAs).

Compliance

All personnel within an organization should understand their individual responsibilities for compliance with the policies and regulations that apply to them. Signed statements that attest to an individual's understanding, acknowledgement, and/or agreement to comply may be appropriate for certain regulations and policies.

Privacy

Applicable privacy regulations and the organization's privacy policy requirements should be documented and understood by all personnel within the organization. Signed statements that attest to an individual's understanding, acknowledgement, and/or agreement to comply may also be appropriate.

About the book authors:

Peter H. Gregory, CISSP, is a security, risk, and technology director with experience in SAAS, retail, telecommunications, non-profit, manufacturing, healthcare, and beyond. Larry and Peter have been coauthors of CISSP For Dummies for more than 20 years.

Lawrence C. Miller, CISSP, is a veteran information security professional. He has served as a consultant for multinational corporations and holds many networking certifications.