iso27diy-corp/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/a-6.1-Screening.md


Control 6.1 Screening


| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human_resource_security | #Governance_and_Ecosystem |

Control: Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis, taking into consideration applicable laws, regulations and ethics, and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Purpose: To ensure all personnel are eligible and suitable for the roles for which they are considered and remain eligible and suitable during their employment.

Guidance: A screening process should be performed for all personnel, including full-time, part-time and temporary staff. Where these individuals are contracted through suppliers of services, screening requirements should be included in the contractual agreements between the organization and the suppliers.

Information on all candidates being considered for positions within the organization should be collected and handled taking into consideration any appropriate legislation existing in the relevant jurisdiction. In some jurisdictions, the organization can be legally required to inform the candidates beforehand about the screening activities.

Verification should take into consideration all relevant privacy, PII protection and employment-based legislation and should, where permitted, include the following:

a) availability of satisfactory references (e.g. business and personal references);
b) a verification (for completeness and accuracy) of the applicant's curriculum vitae;
c) confirmation of claimed academic and professional qualifications;
d) independent identity verification (e.g. passport or other acceptable document issued by appropriate authorities);
e) more detailed verification, such as credit review or review of criminal records, if the candidate takes on a critical role.

When an individual is hired for a specific information security role, the organization should make sure the candidate:

a) has the necessary competence to perform the security role;
b) can be trusted to take on the role, especially if the role is critical for the organization.

Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities and, in particular, if these involve handling confidential information (e.g. financial information, personal information or health care information), the organization should also consider further, more detailed verifications.

Procedures should define criteria and limitations for verification reviews (e.g. who is eligible to screen people and how, when and why verification reviews are carried out).

In situations where verification cannot be completed in a timely manner, mitigating controls should be implemented until the review has been finished, for example:

a) delayed onboarding;
b) delayed deployment of corporate assets;
c) onboarding with reduced access;
d) termination of employment.

Verification checks should be repeated periodically to confirm the ongoing suitability of personnel, depending on the criticality of a person's role.

Other information: No other information.