Undercover

How Not to Hire an Information Security Officer Who's on Parole

After learning that HR "forgot" to do a background check on a security staffer with a felony record, a leader reexamines his organization's policies

By Anonymous

Even more troubling are the incidents involving those in law enforcement who are entrusted to protect, but instead violate that trust. Just in the past few months:

A Virginia police sergeant was charged with accessing the FBI's National Crime Information Center database for personal reasons.

Two Collier County (Florida) Sheriff's Office employees were charged with inappropriately accessing the office's computer system to find out information about other people.

A veteran of the Hartford, Conn., police force looked up information from the National Crime Information Center and gave it to a friend.

Surely these trained law enforcement personnel knew this kind of activity was wrong. These violations do a significant amount of damage to public trust. Although background investigations obviously can't deter or stop everything, they might provide an indicator of future behavior.

The recent case in January of the futures trader at the French bank Société Générale—the one who allegedly bypassed established computer-control systems to generate fictitious financial transactions that caused over $7.2 billion in losses for the bank—is another situation that might have been deterred. That amount of money is going to have a lot of people asking a lot of questions. A recurrent background check may have turned up some information to indicate that this guy was a potential threat to the organization.

So what does a background check consist of, and how do you do one? While background checks were traditionally done by the police, today there are many local and national private companies that offer background check services. Like most things, you get what you pay for. A simple online background check will provide quick, basic information, while a more comprehensive investigation can cost hundreds of dollars and take considerably more time. Either way, the purpose is to give some insight into a person's character based on past actions and records. Depending on the extent of background check desired, it can provide information about a person's financial, criminal and even personal history, including bankruptcies, motor vehicle tickets and employment records. I recommend a personnel security policy that includes, at a minimum, the following components:

• A requirement for all new employees, including contractors, interns or other temporary employees, to pass a basic background check.
• A definition of "positions of trust" that require a higher level of scrutiny for background checks. This might include anyone who has access to large sums of money or financial accounts, citizen or customer personal information, proprietary information or intellectual property, and intelligence- or law-enforcement-related information.
• A requirement that all new employees working in a position of trust, or who routinely have access to any kind of personally identifiable information or other sensitive information, complete a comprehensive background check that includes criminal records, education records, credit history, employment records, driving records and drug testing where applicable.
• A policy defining the specific criteria for what would disqualify a potential employee from working in the organization.
• A requirement that an "update" back­ground check be done at least once every three years on existing employees and contractors in positions of trust.
• A policy that establishes specific passing criteria as a condition of employment.

• Email
• Print
• Comments
• Digg This
• SlashDot

• Succession Planning: The Day After the Deputy CISO Left Work on a Gurney
• Hard Questions About Background Checks
• Good (and Bad) Background Checks
• How to Keep Your Security Team Happy
• Survivor: CSO Longevity