Personnel security is one of the most critical (and most often overlooked!) areas of information security. The people inside your organization need access to data and resources to complete their assigned tasks and, therefore, have the potential to abuse these access privileges. Therefore, it's important that your security policy include a sound personnel security program.
The employee life cycle consists of four basic phases: pre-employment, orientation, employment and post-employment. Let's take a look at each of these and consider the appropriate personnel security policies during each stage.
Phase I: Pre-employment
Before bringing new employees on board within your organization, you should perform some level of background investigation. The exact type of investigation that you perform will depend heavily on the type of business you conduct and the level of trust inherent in the specific position. For example, a defense contractor dealing with national secrets would probably conduct much more thorough pre-employment screening than a telemarketing firm. On the other hand, that telemarketing firm might conduct extremely detailed checks when hiring a new accountant.
One word of warning on pre-employment screening: You must consult your attorney prior to initiating a background investigation program. The laws regarding the types of investigations you may perform, the level of consent required from the candidate and the ways you may use the information you uncover vary widely from state to state and country to country. If you aren't aware of the laws in your jurisdiction, you may quickly find yourself at the wrong end of a lawsuit.
Phase II: Orientation
The orientation program is your chance to ensure that your new employees are provided with adequate security training and are aware of their ongoing responsibilities.
Phase III: Employment
The personnel security program does not end once an employee joins your organization. Of course, you should conduct ongoing security training to keep employees abreast of new security issues. Depending upon your security needs, you may also wish to implement an ongoing background investigation program. In some industries this program may be a legal or regulatory requirement. Once again, be sure to consult an employment lawyer before initiating a background investigation program or taking any adverse action based upon your findings.
Phase IV: Post-employment
All security professionals are aware of the importance of a smooth transition for employees leaving an organization (voluntarily or involuntarily). In addition to collecting keys, deactivating accounts and similar activities, take the opportunity to remind employees of any ongoing security responsibilities that they may bear. This is a good opportunity to provide employees with a copy of any confidentiality or non-disclosure agreements they may be subject to and refresh them on the details.
Your security policy planning team should consider each of these phases when drafting a personnel security program policy. Remember – the human factor is the weakest link in any security chain.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley.
For more information on this topic, visit these other resources:
- Security Policies Tip: Seven secrets to successful employee involvement in security policies
- Security Policies Tip: Handling a workstation after an employee leaves
- Security Policies Tip: Termination proceedures and the exit interview