Annex C
(informative)
C. Background Screening and Security Clearances
C.1 General
Risk assessments often contain some of the most sensitive information of an organization. Consistent with information protection requirements, privacy legislation, human resource management policies, and stakeholder needs, the risk manager and RTL should establish, document, and maintain a procedure for screening and vetting of all personnel involved in its risk assessment activities. Requirements and the conduct of background checks and security clearances vary significantly between the type of risk assessment and the management practices of the organization. For example, security risk assessments are typically considered high risk and the rigorous background and screening process is conducted by the Chief Security Officer or designee. On the other hand, strategic business risk assessment background checks and screening procedures are typically included as part of the general human resource employee background check and screening process. The risk manager and RTL should review the organization’s approach relative to the objectives and requirements of the type of risk assessment being conducted and ensure that all personnel involved in its risk assessment activities meet these requirements. The vetting and clearance process may include, but not be limited to, background checks, interviews and review of work history.
NOTE: The details provided below represent the more rigorous approach typically required of a security risk assessment. For other types of risk assessment, the level of rigor should be tailored to the objectives and requirements of the risk assessment taking into consideration information protection requirements, privacy legislation, human resource management policies, and stakeholder needs.
C.2 Background Checks
The risk manager and RTL should ensure the establishment of a documented procedure for background checks and vetting of individuals conducting risk assessments on behalf of the organization. The procedure for background checks and vetting should screen out personnel who do not meet minimum qualifications established for positions and select appropriately qualified personnel based on their knowledge, skills, abilities, and other attributes. The screening and selection procedures should be consistent with data protection, privacy legislation, human resource management policies, and client requirements. Where practicable, background checks may be conducted through national agencies or authorities. When this is not practicable, the risk manager and RTL should establish, document, and maintain a procedure to check suitability and integrity by an internal vetting process including records checks and interviews, overseen by the organization’s top management and aligned with general security and human resource policies.
Wherever possible, the screening and vetting process should include:
- Identity verification;
- Personal history verification; and
- Credentialing.
Exclusions should be documented when information is unavailable, unreliable, or unsuitable.
Identity verification should include verifying the validity of the candidate's personal history and should consider (but not be limited to):
- Home addresses;
- Employment records;
- Electronic media;
- Criminal and civil record history;
- Records of human rights violations;
- Military or law enforcement service records;
- Motor vehicle records;
- Credit reports;
- Sexual offender indices;
- Government and industry sanctions lists; and
- Industry specific licensing records.
Credentialing involves verifying the experience and qualifications that are presented by the candidate. The organization should look for unexplained gaps. Credentialing provides information on (but is not limited to):
- Education verification;
- Employment verification;
- Licensure/certification/registration verification;
- Personal references;
- Supervisor and coworker interviews; and
- Military history verification.
Candidates should provide two work-related references, as well as one probity reference relevant to their work or local jurisdiction. The vetting process may also include a review of documented submissions by the candidate.
C.3 Interviews
The risk manager and RTL should establish an interview procedure, including the hierarchy of interviewers, which should be overseen by the risk manager. Top management should appoint a risk manager who has been verified by interview and vetted as trustworthy and as having the necessary competence and judgment to vet personnel involved in the organization's risk assessment activities. The responsible manager should assess the trustworthiness and appropriate behavioral characteristics of personnel involved in risk assessment activities through review of documentation submitted by candidates, interviews, and on-going monitoring.
C.4 Privacy Protection
The privacy and confidentiality of information about individuals should be protected. Personal documents, such as passports, licenses, and original birth certificates, should be returned to personnel within a reasonable timeframe.