Secure Hiring Practice and Employee Controls
by Jago Maniscalchi // June 1, 2010 // Risk Management, Threat Mitigation // 1 Comment
As part of our popular series on assessment and mitigation of risk in an enterprise, I thought I’d put forward some thoughts on hiring practice and controls that can mitigate the risk posed by employees.
Hiring Practices
Firstly, and even before a prospective employee is brought in for interview, the organisation should understand what they are looking for. A comprehensive Job Description is essential. It should be used not only for long listing, but also as the basis for ongoing performance reviews.
Reference Checks should be used to determine the truthfulness of a candidate’s employment history, in addition to providing context on generic competencies like communication, management, teamwork, efficiency and innovation. Employment referees should be contacted in addition to personal, or character, referees. Given the difficult legal climate and the potential liability associated with supplying a negative reference, refusal to provide one should increasingly be interpreted as indicative of prior problems in the workplace.
Background Checks that go beyond reference checks should be completed. Depending on the legal framework in the country in question, these checks could include:
- financial
- criminal
- medical
- drug testing
- education
These checks can be expensive and should be concentrated on those individuals through whom the organisation is exposed to most risk:
- Technology workers
- Financial workers
- Workers with access to proprietary information
- Client facing workers
The benefits of conducting such checks are numerous. Staff turnover is reduced, risk of insider threat is reduced and the company’s reputation, and bottom line, is protected.
Employee Controls
Job Rotation – regular rotation of staff reduces the risk of collusion between individuals. When the position is rotated, the organisation may uncover evidence of errors or fraudulent activity.
Separation of Duties – this control ensures that no one employee has the access necessary to carry out a particular operation on their own. It makes collusion a prerequisite for fraudulent activity. Typically duties will be split between multiple employees or, ideally, teams of employees, with each group serving as a check and balance on the other.
Least Privilege (Need to Know) – the principle that an employee being cleared to access a particular file, or topic, does not mean they should be able to. Employees are given just enough access to allow them to conduct their normal duties, and no more. If job rotation is in place in the organisation, administrators must be careful to ensure that employees do not carry their accesses with them to a new job, building up an ever increasing set. Role based access control, which assigns privileges by the job that a person does, rather than to them as an individual, is an effective way to achieve this.
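To make the interaction between job rotation, separation of duties and least privilege concrete, here is an added example (not part of the original post) that contrasts access accumulated across rotations with access derived from the current role only, and runs two audit checks over the result. The role names, entitlements and the separation-of-duties pair are hypothetical, constructed for the illustration.

```python
# Constructed role-to-entitlement map (hypothetical roles and systems).
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll:read", "payroll:write"},
    "accounts_payable": {"ap:read", "ap:approve"},
    "helpdesk": {"tickets:read", "tickets:write", "ad:reset_password"},
}

# Constructed separation-of-duties rule: no single person may hold both.
SOD_PAIRS = [frozenset({"payroll:write", "ap:approve"})]


def rotate_with_accumulation(current_grants, new_role):
    """Naive rotation: the new role's access is added and nothing is revoked.
    This is the 'carry their accesses with them' failure the post warns about."""
    return current_grants | ROLE_ENTITLEMENTS[new_role]


def rotate_rbac(new_role):
    """RBAC rotation: effective access is derived from the current role alone."""
    return set(ROLE_ENTITLEMENTS[new_role])


def excess_entitlements(actual, role):
    """Least-privilege audit: anything held beyond what the current role needs."""
    return actual - ROLE_ENTITLEMENTS[role]


def sod_violations(actual, sod_pairs=SOD_PAIRS):
    """Separation-of-duties audit: toxic combinations one person holds together."""
    return [pair for pair in sod_pairs if pair <= actual]


def simulate(history, use_rbac):
    """Replay a rotation history and return (effective_access, excess, sod_hits)."""
    access = set()
    for role in history:
        access = rotate_rbac(role) if use_rbac else rotate_with_accumulation(access, role)
    current = history[-1]
    return access, excess_entitlements(access, current), sod_violations(access)


if __name__ == "__main__":
    # Constructed career path: three rotations through unrelated functions.
    path = ["payroll_clerk", "accounts_payable", "helpdesk"]
    for mode in (False, True):
        access, excess, sod = simulate(path, use_rbac=mode)
        print("RBAC" if mode else "Accumulated", sorted(access), sorted(excess), sod)
```

Run against the constructed path, the accumulated model leaves four entitlements the helpdesk role does not need and one separation-of-duties violation, while the RBAC model leaves neither.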
Mandatory Vacations – some organisations require that their employees take a vacation once a year of a set length. This allows the audit team to monitor the system for irregularities when that employee’s work is redirected to a colleague. Some organisations remove all access during this period to ensure that workers are not connecting in remotely, or working in the evenings or weekends.