Personnel Background Checks
Operations
Control Statement
The organization ensures that background checks are implemented for its own personnel, for contractors, and for personnel at third-party providers, with the depth of screening commensurate with the sensitivity and cyber risk of the organizational assets those individuals manage or access.
Description
Background screening is a foundational personnel security control that reduces the risk of insider threats by verifying the trustworthiness of individuals with access to organizational systems, data, and facilities. The depth and scope of background checks should be proportional to the level of access granted and the sensitivity of the assets involved. This control extends beyond direct employees to encompass contractors and staff at third-party providers who manage or access organizational assets, recognizing that insider risk can originate from any personnel category within the supply chain.
Key Implementation Activities
1. Define background check requirements based on role sensitivity, access levels, and the classification of the assets that will be accessible.
2. Implement pre-employment and pre-engagement screening processes for employees and contractors, aligned with the defined requirements.
3. Include contractual requirements for third-party providers to conduct background checks on their personnel who will access organizational assets.
4. Establish periodic rescreening requirements for individuals in high-sensitivity roles or with elevated access privileges.
5. Maintain records of completed background checks and ensure access is not granted until screening requirements are satisfied.
Evidence Examples
- Background check policy defining screening requirements by role sensitivity tier
- Records of completed background checks for employees and contractors (redacted as appropriate for privacy compliance)
- Third-party contracts containing background check requirements with compliance attestation provisions
- Periodic rescreening completion records for personnel in high-sensitivity roles
- Process documentation showing that access provisioning is gated by background check completion
Maturity Levels
- Background checks are performed inconsistently or only for a subset of personnel. Third-party personnel screening requirements are not defined. There is no risk-based tiering of screening depth.
- Background checks are systematically performed for all personnel and contractors based on a defined risk tiering model. Third-party contracts include screening requirements. Access is contingent on screening completion.
- Continuous vetting approaches supplement traditional point-in-time background checks. Third-party compliance with screening requirements is verified through audits. Screening requirements are adjusted as threat intelligence evolves.
Evidence Requirements
| Type | Evidence Item | Frequency | Level |
|---|---|---|---|
| Document | Background check policy defining screening requirements by role sensitivity tier | Reviewed annually | Required |
| Record | Completed background check records for employees and contractors (redacted appropriately) | Per hire/engagement | Required |
| Record | Third-party contracts containing background screening requirements | Per contract | Required |
| Record | Third-party screening compliance attestations | Annually per provider | Required |
| Record | Periodic rescreening completion records for high-sensitivity personnel | Per rescreening cycle | Expected |
| Record | Process documentation showing access provisioning gated by screening completion | Reviewed annually | Expected |