Personnel security policies

Personnel security policies concern people associated with the organization, such as employees, contractors, and consultants. These policies encompass the following:

• Screening processes to validate security requirements
• Understanding their security responsibilities
• Understanding their suitability to security roles
• Reducing the risk of theft, fraud, or the misuse of facilities

Employment candidate screening

Background verification checks are primarily used in employment candidate screening processes. They may include the following:

1. Character references to evaluate the personal traits of the applicant. Best practice guidelines indicate character references from at least two entities, such as from business and personnel.
2. Completeness and accuracy of the applicant's curriculum vitae and the verification of claimed academic and professional qualifications are critical checks in the screening process.
3. Identity checks by verifying identification documents.
4. Checking criminal records as well as credit checks.

Employment agreement and policies

Besides general job roles, based on the business requirements, information security responsibilities that include information handling requirements should form part of the employment agreement and policies.

Employees should also be aware of organization's information security policies, and when they are given access to sensitive or confidential information, they need to additionally sign confidentiality and nondisclosure agreements.

Employment termination processes

Employee termination processes have to be in accordance with the established security policies and practices. The primary objective of the process is to ensure that employees, contractors, and third-party users exit or change employment as per established procedures without compromising security. The procedures may include termination of responsibilities, return of assets, removal of access rights, and so on.

Vendor, consultant, and contractor controls

Third-party users, such as vendors, consultants, and contractors, need access to the information and associated systems based on the job function. Information protection starts from screening process, confidentiality, and nondisclosure agreements.

Compliance and privacy

Adherence to policies, procedures, and so on, performing job functions as per the legal, regulatory requirements, and adherence to privacy protection mechanisms, are applicable across the board in an organization.