New employees, whether full-time staff or non-employee contractors, present a number of risks with regard to information security. These risks can be mitigated with well-designed and thorough interview and onboarding processes. An organization’s human resources department must have guidelines in place for interviewers and hiring managers to follow so that high-risk candidates can be filtered out prior to hiring. Information security is so important a part of the hiring process that the PCI Security Council has included a section on it in its reference guide for maintaining PCI compliance. PCI-DSS Section 12.7 states, “Screen employees prior to hire to minimize the risk of attacks from internal sources” (PCI Quick Reference Guide, 2009, p. 24).
Interviews, background checks, and, in the case of non-employee contractors and some employment scenarios, employment contracts are all used to identify new employees and contractors who pose minimal risk to information security. An organization’s information security department will work with human resources to develop the policies and guidelines that assist in the hiring selection process.
The Need for Information Security in Hiring
“People are often described as the weakest link in any security system” ("Human Resources Security (ISO 8) - Information Security Guide - Internet2 Wiki", n.d.). This quote sums up the importance of verifying a candidate’s risk level prior to hiring. An organization’s information assets are critical to the organization’s operation and security. In addition to validating a candidate’s legitimacy, the interviewers and hiring managers must be careful not to divulge too much information during the hiring process, since details about internal systems may put those systems at risk. Human resources and information security departments should work in tandem to create the hiring process’s rules and guidelines, both to reduce the risk that comes with hiring a new employee or contractor and to protect the organization’s assets and information.
Most organizations will at some point need to hire employees or non-employee contractors to meet the needs of the business. Employees and non-employee contract workers must all be vetted to ensure they do not pose a threat to the organization’s physical and information assets. It is up to the organization to determine what levels of access, or levels of restriction, should apply to employees and contractors after hire. These levels should be identified before the hiring process begins, because they determine how thorough the candidate screening should be. The background and reference checks for a waiter at a restaurant need not be as thorough as those for a candidate for a network engineering role in the restaurant’s corporate headquarters IT department.
Once a position’s scope of work and access has been determined, the job must be posted to receive responses from interested candidates. It is important for the posting to “avoid...