The purpose of personnel security and training is to reduce the risk of insider threat.  

Screening

Screening is one method of ensuring the right people are hired into your organization. The following screening practices are common and generally acceptable:

  • Financial profile (credit check) – used to establish trust for higher-trust positions (investigators, investment portfolio managers, public social service agencies); requires the prospective employee's explicit written consent.
  • Background check – screens against different types of databases; credential databases, degrees/colleges, criminal history checks (public record).
  • Reference checks – contacting people on the candidate’s list of personal/professional references.  There are two issues with this:
    • Honesty – the references may not be honest unless discussions are simple and revolve around eligibility for rehire.
    • Unreliable – since the information was provided by candidate, the references may not be wholly reliable.
  • Employment history – validating employment claims can be problematic, so obtain a signed waiver that lets you confirm the information with a reliable source, such as a taxing agency.

Hiring

The job description should dictate what tasks the employee undertakes, which can be important during litigation. The hiring manager should work with HR to write the job description and ensure proper separation of duties: the hiring manager knows the job best and HR knows the laws. Hiring (and termination) must follow a defined process that incorporates the agreements and policies described next.

Employment Agreements and Policies

Employee handbook – how everyone should behave in the organization – includes policy and standards of expected behaviors, and procedures for noncompliance.  

Employment contract – legally and financially enforceable agreement of employment.

Nondisclosure agreement (NDA) – an agreement signed by employees and contractors stipulating that they will not disclose proprietary/sensitive information before, during, or after working on a project or during employment. Other names for a nondisclosure agreement are:

  • Confidential disclosure agreements (CDAs)
  • Proprietary information agreements (PIAs) 
  • Secrecy agreements (SAs)

There are also several types of NDAs to be aware of for the exam. These are:

  • Unilateral NDA – a one-way disclosure, meaning one party is disclosing something, for example a flat file sent to another organization for its own contracted use.
  • Bilateral (mutual) NDA – both parties disclose confidential information to each other and both are bound.
  • Multilateral NDA – three or more parties exchange confidential information under a single agreement.
  • Non-compete agreement (NCA) – a related but distinct agreement in which the subject party agrees not to use what they learned from you to become your competition.

Acceptable use policy – how company assets and software may be used; it also notifies employees that their activities are monitored, which is what makes the monitoring defensible.

Privacy policy – there should be two versions:

  • Internal – for employees; stipulates that they must keep data confidential while employed and after employment, and how to handle the data.
  • External – for public users; stipulates why data is collected, how it is used, and general information on the privacy tenets covered earlier.  

Vendors/contractors/consultant “employees” – individuals who perform work similar to that of employees and are subject to the same laws, requirements, and agreements, except that they are paid under the terms of a contract. Some secure practices surrounding the use of non-employee workers are:

  • Payment – can be withheld if terms of the contract are not met
  • Distinct accounts – non-employee workers get separate, clearly identifiable system accounts with access limited to the engagement; these accounts may carry additional audit trails.
  • Escort requirements – includes monitoring, surveillance, or similar controls
  • Distinguished ID badges – contractor badges can be a different color, or carry a slightly different logo or shape, so that non-employees are recognizable at a glance.
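The "distinct accounts" practice above is easiest to enforce when it is checked automatically. The following is an added example, not from the original notes or any particular product: it audits a constructed account export and flags contractor accounts that are not distinguishable by name, that hold privileged group membership, that have no expiration or have expired but still exist, or that lack the extra audit trail. The export columns, the "c-" naming prefix, the privileged-group list and the "enhanced" audit flag are all assumptions for the sake of illustration.

```python
"""Audit contractor (non-employee) accounts against the distinct-account controls.

Added example. The export format, naming prefix, privileged-group names and
audit-level values are assumptions, not taken from any specific directory product.
"""
import csv
import io
from datetime import date

# Constructed sample export (not real data): one row per account.
ACCOUNT_EXPORT = """\
username,worker_type,groups,expires,audit_level
c-jdoe,contractor,vpn-users;proj-alpha,2024-09-30,enhanced
c-asmith,contractor,vpn-users;domain-admins,2024-12-31,enhanced
rlee,contractor,proj-beta,,standard
mchen,employee,vpn-users;engineering,,standard
c-bwong,contractor,proj-alpha,2023-01-15,enhanced
"""

# Assumed site conventions.
CONTRACTOR_PREFIX = "c-"                      # contractor accounts are named c-<user>
PRIVILEGED_GROUPS = {"domain-admins", "enterprise-admins", "root"}
REQUIRED_AUDIT_LEVEL = "enhanced"             # extra audit trail for non-employees


def audit_contractor_accounts(export_text, today_iso):
    """Return a list of (username, finding) tuples for contractor accounts.

    today_iso is an ISO date string (YYYY-MM-DD) used to detect expired accounts.
    Employee accounts are skipped; this check is only about non-employee workers.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["worker_type"] != "contractor":
            continue
        user = row["username"]
        groups = set(filter(None, row["groups"].split(";")))

        # Distinguishable: the account name itself should mark it as non-employee.
        if not user.startswith(CONTRACTOR_PREFIX):
            findings.append((user, "not distinguishable as a contractor account"))

        # Limited access: contractors should not sit in privileged groups.
        privileged = groups & PRIVILEGED_GROUPS
        if privileged:
            findings.append((user, "privileged group membership: " + ", ".join(sorted(privileged))))

        # Contract-bound lifetime: every contractor account needs an end date,
        # and an account past its end date should already have been removed.
        if not row["expires"]:
            findings.append((user, "no expiration date"))
        elif date.fromisoformat(row["expires"]) < today:
            findings.append((user, "expired but still present"))

        # Extra audit trail required for non-employee accounts.
        if row["audit_level"] != REQUIRED_AUDIT_LEVEL:
            findings.append((user, "extra audit trail not enabled"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_contractor_accounts(ACCOUNT_EXPORT, "2024-06-01"):
        print(f"{user}: {finding}")
```

Run against the constructed export with a review date of 2024-06-01, the script reports nothing for c-jdoe, a privileged-group finding for c-asmith, three findings for rlee (indistinguishable name, no expiration, standard audit level), and an expired-but-present finding for c-bwong. Feeding it a real directory export is a matter of mapping the columns to whatever your identity system produces.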