Control A.8.1.2 of the standard requires the organization to carry out verification checks on permanent staff, contractors and third parties at the time of job applications. The organization should identify who will be responsible for carrying this out, how it will be done, how the data will be managed and who will have what authority in respect of the data and the recruitment process. Any screening and data collection activity must be carried out in accordance with the relevant local legislation. There is, in some roles, a legal requirement to carry out criminal screening, and there are clearly risks in taking unknown staff into the organization, not just in terms of fraud and confidentiality but also in terms of integrity and availability. An inadequately experienced IT staff member could mismanage a vital server or application in such a way that information availability and integrity are compromised. ISO27002 (clause 8.1.2) provides more information about the type of verification envisaged. It sets out four basic checks that should be completed:
1. Character reference checks, one personal and one business. These should, for preference, be written, but a substitute might be a signed and dated detailed note of a telephone reference given by a nominated third party to a competent (ie experienced in carrying out telephone reference checks) member of the organization’s staff.
2. A completeness and accuracy check of the employee’s curriculum vitae; this is usually carried out by means of written references supplied by previous employers or third-party organizations, and most employers will already have standard documents that are sent out to guide these third parties in replying. It is critical that the employer is methodical in ensuring that all facts are corroborated and that all forms are returned, duly completed, by previous employers. Where they are not returned within a defined time period (which should be short – perhaps 10 days at the outside), the organization should arrange to complete the form by means of a telephone interview with the previous employer.
3. Confirmation of claimed academic and professional qualifications, either by means of obtaining from the candidate copies of the certificates or other statement of qualification or through an independent CV checking service. These firms can, for a nominal sum, carry out detailed CV checks (including the checking of academic and other qualifications) that would satisfy the requirements of both point 2 above and this point.
4. There should be an independent identity check against a passport or similar document that shows a photograph of the employee.
Where a job, either on initial appointment or on promotion, involves access to information processing facilities, and particularly if it involves processing sensitive (financial or highly confidential) information, there should also be a credit check. Where individuals have considerable authority in their position, this check should be repeated regularly, either quarterly or annually as appropriate.
Normal practice would be that, while a draft contract is agreed between the prospective employee and the organization, it is not signed and the employee does not commence work until the checks have been completed. Depending on the outcome of a risk assessment, some organizations might choose to allow people to commence work, particularly in roles that deal with only a low level of information, subject to satisfactory references; in these circumstances, it is necessary to set a time limit within which the reference checking will be complete. The contract of employment will usually not be signed by the organization until the reference checks are completed, and if they are unsatisfactory or not completed within the allocated time, the employee is dismissed. A similar process should be carried out for temporary or agency staff and contractors.
Where the staff are supplied by another organization (and this is often the case with IT staff, who are often directly employed by or contracted to the agency concerned), the contract with the third party should set out clearly its responsibility to carry out checks to a similar level. The contract also needs to set out what steps the agency has to take where answers to the screening process have been unsatisfactory or the process itself has not been completed. At the very least, these should include informing the employing organization fully and without delay, and offering to replace immediately, and at no additional cost, any individual who has already started work. The contracting organization should have adequate professional indemnity insurance, and this should be checked by obtaining and keeping on file a copy of the current insurance certificate.
While this may be relatively easy to implement for future hires, the organization has to decide what to do in respect of existing staff. It will not be sufficient simply to adopt the approach that because the staff are already there, there will be no problems. Undoubtedly, the correct approach to this situation is to ensure that the organization has records for existing staff of equivalent completeness to those required for new hires. It will be important that existing staff are made aware that this process is to be carried out and that it will be done openly and quickly.
Statistically, the likelihood is that every organization will discover that one or more members of its staff have incorrect or false CVs. Each of these instances will have to be tackled, and the organization will have to judge the extent to which the individual threatens its information security; the organization's direct experience of the employee in the work environment may provide sufficient evidence to act on or to set aside the inaccuracy in the CV. If it is to be set aside, the employee should certainly be made aware that the inaccuracy was uncovered, and the reasons for its being set aside should be explained. This simple step can help the employee avoid such behaviours in the future.
New and/or inexperienced staff may, at certain times, have to be authorized to have access to sensitive systems. The company should identify what level of supervision will be required in such circumstances and ensure that it has in place a procedure for providing the appropriate level of supervision. The performance of all staff in respect of information security, particularly those who have access to sensitive information, should be reviewed on a regular basis (at least annually) and appropriate steps taken to ensure that the standards set by the organization are maintained. This review can be by means of one or more questions that are incorporated into an existing annual appraisal system.
At annual reviews, and on a day-to-day basis, line managers within the organization should be aware of unusual behaviour by members of staff that may be signs of stress, personal problems or financial challenges. Apart from the human benefits of helping employees deal with these challenges, such issues have been known to affect people's performance negatively (which may, of course, have implications for information security) and may also lead some individuals to commit crimes or fraud. Managers should be appropriately trained to spot and handle these situations within the restrictions of the relevant legislation.
Personnel vetting levels in UK government departments can vary according to the classification of material that the job holder will normally need to access. If you require advice on the application of clearance levels in this context, the appropriate department security officer will be able to advise you.