Pre employment tasks in the Human resource security clause can have its importance overlooked if we are not careful. Much is said of the Insider Threat and when we are hiring a new employee we are accepting that risk into our companies. We should do everything we can to ensure the employees we hire and to provide them with clear terms of employment to make sure expectations are known and understood.
Screening of candidates should be carried out prior to them being offered a role at your organization. This has a range of benefits if done in an appropriate manner. These benefits can include confirming an employee’s qualifications, work history and finding issues with the person that could compromise their integrity. All screening to be carried out should be executed to a level that is appropriate for the role the candidate is applying for,a prospective CEO should have a stringent check carried out, while an entry level junior may have more relaxed checks. To ensure the correct screening measures are taken all steps in the process should be defined in a procedure document and executed in a manner that meets local laws and regulations. Some concerns that the organization should address when deciding on screening procedures are; which specific employees/roles will be carrying out the screening, what exactly is screened for and who verifies that the screening process was carried out correctly.
Some examples of what we can screen for are;
- Valid references given when candidate applied for the position,
- Garda vetting where required,
- Gaps in CV,
- Criminal conviction,
- Background in drug, alcohol or gambling abuse,
- Verification of the credentials the candidate claims.
Depending on the industry and role the candidate is applying for the depth of the screening can vary but screening should be carried out for employees, contractors, and outsourcing companies.
7.1.2. Terms and conditions of employment.
It is important that information security responsibilities for both employees and contracts are included in their contracts. This can ease confusion as all employees and contractors understand what is expected of them and agree to these terms before joining your organization. These can include confidentiality and non-disclosure agreements for those staff handling sensitive data, they can inform employees of any monitoring that is carried out (within the boundaries of local laws), the use of the employee PII and even acknowledgements that the results and outputs an employee produces within the course of their employment is owned by the company (which would deal with patents, copyrights and other IP types). Lastly it should include general information security requirements and responsibilities.