Differences

This shows you the differences between two versions of the page.

--- screening [2025/08/15 08:00] – created tijs
+++ screening [2025/08/15 08:21] (current) – tijs
@@ Line 1: / Line 1: @@
 **Screening**
-^ Heading 1      ^ Heading 2       ^ Heading 3          ^ Heading 4          ^ Heading 5          ^
+^ Control type      ^ Information Security Properties       ^ Cybersecurity concepts          ^ Operational capabilities          ^ Security domains          ^
-| Row 1 Col 1    | Row 1 Col 2     | Row 1 Col 3        | Row 1 Col 3        | Row 1 Col 3        |
+| Preventative    | Confidentiality, Integrity Availability     | Protect        | HR security       | Governance and ecosystem        |
+**Definition**\\
+Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
+**Background Check Requirements**\\
+The level of background checks is going to be proportionate to need and risk but to consider the common requirements:
+	• References
+	• Verify the CV
+	• Confirm qualifications
+	• Verify Identity
+	• Where appropriate, criminal or finance checks.
+**Enhanced Vetting**\\
+The level of checks is going to be proportionate to the role and the risk posed. Not everyone will go through a full and rigorous check but there are roles that are inherently risky and require additional checks to be put in place. Common examples of roles requiring enhanced vetting include:
+	• Admins
+	• Power users
+	• Directors
+	• Those with financial authority
+	• Those with legal authority
+	• Those processing highly confidential or protected characteristic data
+**Information Security Roles**\\
+For people in information security roles you will make sure people are competent to do the job and can be trusted. Ensure that an up to date job description with requirements is available.
+**What if you can’t do the checks in time**\\
+If you cannot do the checks in time the standard has some pretty harsh guidance. The approach, according to the standard, is around delaying them joining, not giving them company stuff, allowing them only limited access or even sacking them.
+**Screening Process**\\
+Screening procedures must clearly identify responsible personnel and the purpose of the screening process.
+Ensure that a process is in place and be able to show that process during an audit.
+Also be able to show during an audit that the process is followed, proof that background checks are performed.
+**Audit Checklist**\\
+	• Is there a HR Screening Policy
+	• Are Screening procedures documented
+	• Assess Background Check Providers
+	• Audit Checks on References and Credentials
+	• Review Documents and Records
+	• Assess Ongoing Monitoring and Review
+**Common Mistakes**\\
+	• Employing Friends, Family or acquaintances
+	• Lack of Documentation
+	• Inadequate Document and Version control