CSA CCM HRS-01
Background Screening Policy and Procedures

Establishing robust policies and procedures for background verification of new hires is crucial for safeguarding your organization. A well-defined screening process helps ensure you bring on board trustworthy individuals who meet role requirements and don't pose undue risk. While it takes some effort to set up, a little due diligence upfront can prevent major headaches down the road.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10, released on 2023-09-26. The full matrix is available from the Cloud Security Alliance if you want to explore further. The CCM provides a comprehensive set of cloud security best practices that are widely referenced in the industry and mapped to other frameworks.

Who should care?

This is relevant for:

  • HR professionals responsible for hiring and onboarding new employees
  • Security and compliance teams who define policies to manage workforce risk
  • Hiring managers who make decisions on candidate selection
  • Executives who are accountable for the conduct of their teams

What is the risk?

Without proper screening, your organization faces risks like:

  • Hiring unqualified individuals who lack necessary skills and experience
  • Onboarding untrustworthy people who may commit fraud, theft, or harm
  • Inadvertently giving access to sensitive data to people who shouldn't have it
  • Non-compliance with regulations that mandate certain background checks

While screening is not a silver bullet, it is an important control for reducing the likelihood and impact of insider threats originating from poor hiring decisions.

What's the care factor?

For most organizations, implementing some level of background verification is a must-have, not a nice-to-have. The depth of your screening program should be proportional to the sensitivity of the data and systems the individual will access.

For example, a junior employee with limited access may only require identity and reference checks. But an executive, administrator, or anyone else with broad access privileges warrants a much more in-depth examination.

The reputational damage and legal liability that can arise from negligent hiring practices can be substantial. So it's worth taking screening seriously, especially for high-trust roles.

When is it relevant?

Background checks should be performed for:

  • All new full-time and part-time employees
  • Temporary staff, interns, and contractors who will access corporate assets
  • Current employees changing roles with increased responsibilities or permissions
  • Third-parties who require privileged remote access to your environment

Rescreening at regular intervals (e.g. annually) is also a good idea for sensitive positions.

Basic identity verification is sufficient for guest accounts and users with minimal access. Extensive background checks are less applicable in these low-risk scenarios.

What are the trade-offs?

Background checks are not without costs and considerations:

  • The process takes time and may slow down hiring timelines
  • Third-party screening services can be expensive, especially for high volumes
  • Handling sensitive personal information introduces privacy and liability risk
  • Overly onerous screening requirements may deter good candidates
  • Global screening is complex with country-specific laws and norms to navigate

Striking the right balance is key. You need to reduce risk without going overboard. Work with HR and legal to determine the minimum viable screening approach for each role tier.

How to make it happen?

  1. Define the scope of your screening program
    • Determine what roles and workforce segments are in-scope
    • Specify the minimum screening required for each based on risk
  2. Document your screening standards in a formal policy
    • Include allowed screening methods, frequency, and criteria
    • Reference applicable laws, regulations, and contractual requirements
    • Cover data handling, privacy, retention, and candidate consent
  3. Communicate the policy to all stakeholders
    • Train HR on the screening procedures they must follow
    • Notify candidates upfront about your background check process
  4. Integrate screening into your HR onboarding workflow
    • Trigger checks automatically when a candidate enters a certain stage
    • Use an accredited third-party service for objectivity and scale
    • Verify identity (e.g. passport or other government ID), qualifications, employment history, and references
  5. Make a risk-based decision to proceed with each hire
    • An adverse finding should trigger a documented review, not an automatic rejection; assess its relevance to the role and follow any legally required adverse-action process
    • Document screening outcomes and rationale in your HR system
  6. Securely manage all collected personal data
    • Encrypt PII both in transit and at rest
    • Limit access to those with a legitimate need-to-know
    • Delete data when no longer needed per your retention policy
  7. Monitor and update your program continuously
    • Audit screening records to ensure procedures are being followed
    • Review policies annually and adjust as business needs change

What are some gotchas?

  • Screening laws vary by country and even by state or province; know your local requirements before you start
  • Under GDPR, much background check data falls into special categories (e.g. health) or the separately regulated criminal-records data of Article 10, both of which carry extra restrictions
    • Consent is rarely a valid basis in the employment context because of the power imbalance between employer and candidate; rely on another lawful basis such as a legal obligation or legitimate interest, and document it
    • Processing criminal-records data is only permitted where national law allows it, and a data protection impact assessment is usually warranted
  • In the US, the Fair Credit Reporting Act (FCRA) regulates employment screening performed through a consumer reporting agency
    • Requires a standalone disclosure and the candidate's written authorization before a report can be obtained
    • Before taking adverse action based on the report, you must give the candidate a copy of it and a summary of their rights, so they can dispute inaccuracies with the screening provider
  • Screening records may be subject to erasure ("right to be forgotten") requests, although retention required by law can override them; define your retention period and be able to justify it
  • Never make hiring decisions based on protected characteristics (race, gender, etc.), and apply criminal-history criteria consistently and only where relevant to the role

What are the alternatives?

While pre-employment screening is a best practice, some complementary approaches include:

  • Behavioral interviews and assessments to gauge trustworthiness and fit
  • Progressively granting access based on trust built over time on the job
  • Automated monitoring tools to detect anomalous user behavior post-hire
  • Emphasizing a cybersecurity culture that encourages shared responsibility

However, none of these are a complete substitute for basic due diligence. A hybrid approach that combines screening with ongoing personnel risk management is ideal.
