A.10 Chapter 9: Personnel Security

  • Conduct background checks of individuals being considered for sensitive positions. Do so with the permission of the applicants. Repeat them periodically to look for changes.

  • If the position is extremely sensitive, and if it is legally allowable, consider performing a polygraph examination of the candidate.

  • Have applicants and contractors in sensitive positions obtain bonding.

  • Provide comprehensive and appropriate training for all new personnel and for personnel taking on new assignments. Document acceptance of security policies in writing.

  • Provide refresher training on a regular basis.

  • Make sure that staff have adequate time and resources to pursue continuing educational opportunities.

  • Institute an ongoing user security-awareness program.

  • Have regular performance reviews and monitoring. Try to resolve potential problems before they become real problems.

  • Make sure that users in sensitive positions are not frequently overloaded with work, responsibility, or stress, even if they are compensated for the overload. In particular, require users to take holidays and vacation leave regularly.

  • Monitor users in sensitive positions (without intruding on their privacy) for signs of excess stress or personal problems.

  • Audit access to equipment and critical data.

  • Apply policies of least privilege and separation of duties where applicable.

  • When any user leaves the organization, make sure that access is properly terminated and duties transferred.

  • Make sure that no user becomes irreplaceable.

    Part VI: Appendixes