Personnel security is one of the most critical (and most often overlooked!) areas of information security. The people inside your organization need access to data and resources to complete their assigned tasks and, therefore, have the potential to abuse these access privileges. Therefore, it's important that your security policy include a sound personnel security program.

The employee life cycle consists of four basic phases: pre-employment, orientation, employment and post-employment. Let's take a look at each of these and consider the appropriate personnel security policies during each stage.

Phase I: Pre-employment

Before bringing new employees on board within your organization, you should perform some level of background investigation. The exact type of investigation that you perform will depend heavily on the type of business you conduct and the level of trust inherent in the specific position. For example, a defense contractor dealing with national secrets would probably conduct much more thorough pre-employment screening than a telemarketing firm. On the other hand, that telemarketing firm might conduct extremely detailed checks when hiring a new accountant.

One word of warning on pre-employment screening: You must consult your attorney prior to initiating a background investigation program. The laws regarding the types of investigations you may perform, the level of consent required from the candidate and the ways you

    Requires Free Membership to View

may use the information you uncover vary widely from state to state and country to country. If you aren't aware of the laws in your jurisdiction, you may quickly find yourself at the wrong end of a lawsuit.

Phase II: Orientation

The orientation program is your chance to ensure that your new employees are provided with adequate security training and are aware of their ongoing responsibilities.

Phase III: Employment

The personnel security program does not end once an employee joins your organization. Of course, you should conduct ongoing security training to keep employees abreast of new security issues. Depending upon your security needs, you may also wish to implement an ongoing background investigation program. In some industries this program may be a legal or regulatory requirement. Once again, be sure to consult an employment lawyer before initiating a background investigation program or taking any adverse action based upon your findings.

Phase IV: Post-employment

All security professionals are aware of the importance of a smooth transition for employees leaving an organization (voluntarily or involuntarily). In addition to collecting keys, deactivating accounts and similar activities, take the opportunity to remind employees of any ongoing security responsibilities that they may bear. This is a good opportunity to provide employees with a copy of any confidentiality or non-disclosure agreements they may be subject to and refresh them on the details.

Your security policy planning team should consider each of these phases when drafting a personnel security program policy. Remember – the human factor is the weakest link in any security chain.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley.


For more information on this topic, visit these other resources:

This was first published in June 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.