Security Disciplines for Objective 1: Support
1-3. Personnel Security Screening
Description
Ensuring that the personnel within an organization who have authorized access to sensitive systems are suitable and trustworthy is the cornerstone of a good security system. Statistics show that the majority of system misuse is conducted by those with authorized access to the information. As trusted partners in justice and public safety information sharing, it is imperative that employees undergo a significant screening process to determine their suitability for access to sensitive systems and those to which they are connected. This applies to all positions and to all phases of the contracting process where access to critical systems is authorized.
Purpose
The personnel security screening discipline describes the methods that agencies must use to screen an applicant’s background for past inappropriate behavior that may put unclassified but sensitive data at risk. The rigor of the screening may vary based on the applicant’s access requirements to computer systems and databases. It is imperative that all applicants be screened in a standardized manner. Personnel security screening will promote trust among agency partners.
Principles
- The level of assurance of the screening mechanism employed should be balanced against the cost of the mechanism and the risk associated with incorrectly “passing” an individual trying to gain access to the information system.
- Users should be properly screened. Proper screening requires that an employer use a consistent and reliable means to conduct such screening to perform an adequate background check before authorizing access to the system.
- Personnel with direct and appropriate access to critical systems and partner systems should undergo a more rigorous background check than those with secondary access.
- Mechanisms should be in place to relieve personnel from duties requiring direct access to critical systems should their initial or subsequent background checks reveal information that would preclude their access.
Policies
Once an organization decides on an approach for personnel screening, the policies related to that approach should be documented so that there is a written guideline specifying the consistent and comprehensive application of the screening process. The personnel department will play an important role in this policy development, and new tools may need to be developed for the selection process. The Global Security Working Group maintains a library of sample security screening policies.
Best Practices
It is a best practice to require background checks on all employees every five years. The initial personnel screening process comprises the following steps.
Step One: Determine the Appropriate Screening Requirements—Screening must be carried out according to the highest level of information that will be accessed in the performance of assigned duties or during the contracting process. If the employee will access only information contained within their jurisdiction with no gateway access to justice partners, the screening process may differ from that of an incumbent who has access to information from multiple justice partners.
Step Two: Identify Required Checks—
- Basic Reliability Check for No Direct Access to Other Systems—When a basic reliability check for no direct access to critical and other systems is needed, the following checks may be appropriate: (1) verification of personal data, education, professional qualifications, employment, and references; (2) a declaration signed by the incumbent concerning any conviction for a criminal offense (may be a part of the application process); and (3) a criminal history records check based on a full name and date-of-birth search of state and federal records for criminal justice employment (which should be completed within thirty days of employment and after a name and date-of-birth check is completed with either positive or negative results).
- Enhanced Reliability Check for Direct Access to Critical Systems and Other Systems—When a reliability check for direct access to critical systems and other systems is needed, the following checks may be appropriate: (1) verification of personal data, education, professional qualifications, employment, and references; (2) a declaration signed by the incumbent concerning any conviction for a criminal offense (may be a part of the application process); (3) a criminal history records check based on a full name and date-of-birth search of state and federal records for criminal justice employment (which should be completed within thirty days of employment and after a name and date-of-birth check is completed with either positive or negative results); (4) a credit check, when duties or tasks performed would require it or in the event of a discovered criminal record; and (5) a criminal history records check with the submission of a completed applicant fingerprint card to the FBI CJIS Division through the state identification bureau, when the state is a single-source participant.
Step Three: Obtain Consent—The screening process involves the review of personal information, and while it must be a mandatory requirement for a successful applicant, consent is required prior to beginning the process. Written consent may only be given by those persons who have reached legal age; otherwise, the signature of a parent or guardian is required. Make certain the screening process does not begin prior to receiving this written consent. Inform those who do not consent to the screening process that they cannot be considered further for employment or contractual work.
For all security screenings, a declaration regarding the existence of a criminal record must be obtained. The applicant will be required to state whether he or she has been convicted of a criminal offense. This may be a part of the application process form(s).
Step Four: Process the Required Checks—
- Criminal Records Name and Date-of-Birth Check—To initiate this type of check, access to the state and federal criminal history record systems is required. In most cases, employment within criminal justice agencies allows, if not demands, that this check be minimally completed prior to allowing direct or secondary access to systems that may contain sensitive information. If state and federal criminal history records access is not available within your agency, it will be necessary to determine internal procedures within your city, county, state, or federal jurisdiction to conduct these name and date-of-birth criminal history background checks. Proper legal identification must be presented by the applicant, as the inquiry must be made by using legal full name and accurate date-of-birth information. It is important to note that these checks may cause multiple hits on common names, and the only accurate method of determining whether the person inquired upon matches any possible response is through fingerprint comparison.
- Fingerprint Check—When required, fingerprints are to be taken after the consent form is completed and will normally be taken at the jurisdiction’s enforcement unit, such as the state police, county sheriff (bailiff for courts), local police, or booking unit. Every effort should be made to ensure the comfort of the applicant during this process. The completed fingerprint (normally done in duplicate) should be forwarded to the appropriate entity within the jurisdiction for processing.
- Credit Check—Where required, the credit check is conducted by the agency, at their expense, through the associated credit bureaus. While not necessarily an accurate indicator of an employee’s suitability for a position, it may be used in addition to other information obtained to make an informed decision.
- Contracts—For contracting firms, the contracting authority is responsible for ensuring that the firm verifies its employees’ personal, educational, and employment data and conducts reference checks. The contracting authority initiates criminal records checks and conducts other appropriate checks.
Step Five: Evaluate the Results of Required Checks—Once the checks are completed, a decision must be made based on the information gathered. Factors to be considered are subjective and varied and cannot be adequately discussed here. In most cases, a gross misdemeanor or felony conviction within the past ten years is just cause for denial of employment with direct access to these systems. Consult the personnel department and legal department for additional information.
Step Six: Grant or Deny Access—Based on final evaluation, access to the system is granted or denied.
Step Seven: Brief the Screened Person—If negative information is obtained from the screening process, this step must be completed. The applicant may be in possession of additional information that may make the evaluation process more complete. If a name and date-of-birth check has revealed a match, a fingerprint comparison may be necessary to adequately protect the applicant from any false positives that result from such a check.
References
For a listing of applicable security screening standards, see:
- *http://www.leo.gov/lesig/cjis/cjis_pub/information/poly2002_feb/POLY2002_Feb.htm.
- Personnel Security Standard, Treasury Board of Canada: http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/CHAPT2-4_e.asp.
- Web site for National Association of State and Chief Information Officers (NASCIO) security policy: http://www.nascio.org.
*Note: Only Law Enforcement Online (LEO) members may access the www.leo.gov Web site.
