From a security perspective, hiring a new employee is one of the most important decisions that an organization makes. In this video, you will learn about the importance of candidate screening, reference checks, and employment/education verification. You will also learn about including policy reviews and employment agreements in the hiring process.
- [Narrator] From a security perspective, hiring a new employee is one of the most important decisions that an organization makes. The insider threat is real, and organizations' employees have privileged access to all kinds of sensitive information and systems. Of course, it's impossible to filter out all of the bad apples, but organizations have a responsibility to ensure that security plays a prominent role in the hiring process. Spending a little extra time on security issues before hiring an employee can help avoid costly mistakes.
Every organization should perform pre-employment screening to verify the backgrounds of potential hires. The timing and contents of this screening will vary based upon the type of organization, the job position, and legal constraints in the specific state or country where the employee is hired. Some common components of pre-employment screening include:
- Checking for a criminal background in all states and countries where the employee has lived or worked.
- Verifying that an employee is not listed on the sex offender registry. This is often a mandatory part of pre-employment screening for positions where the employee will work with children, such as in a school or childcare facility.
- Checking references provided by the employee, as well as using personal contacts at past employers to learn more about a job candidate.
- Verifying that the educational and employment experience on a resume is accurate by contacting schools and employers.
- In some cases, performing credit checks to further investigate an employee's background.
Obtaining and using this information requires the written consent of the employee and is heavily regulated, so many organizations skip this portion of background checks. Organizations should use written employment agreements that spell out the employee's responsibilities in many different areas. For the purposes of the exam, you should know that this may include security-related responsibilities. Two specific areas that organizations should consider including in employment agreements are nondisclosure agreements, or NDAs, where the employee agrees not to disclose any confidential information learned during the course of employment, even after the employee leaves the organization, and asset return agreements, where the employee agrees to return all of the organization's property at the end of employment. This should include both information and physical assets. Finally, employers should use the hiring and orientation process as an opportunity to familiarize employees with the organization's security policies, through training, and perhaps a written acknowledgment from each new hire that he or she has read and agrees to the organization's security policies.
Members who complete this course will be prepared to answer questions on the Security and Risk Management domain of the CISSP exam, and establish a critical foundation for the rest of their careers.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- Aligning security with the business
- Using control frameworks
- Understanding compliance ethics
- Implementing effective security policies
- Ensuring the security of employees
- Managing risk
- Identifying threats
- Managing vendors
- Building security awareness and conducting security training