1. Purpose
Establish requirements for conducting background checks and security screening for all personnel categories commensurate with the sensitivity of assets and data they will access, including requirements for third-party providers.
2. Scope
This policy applies to all employees, contractors, temporary staff, interns, and third-party provider personnel who access [ORGANIZATION]'s information systems, data, or facilities.
3. Policy Content
3.1 Screening Tier Requirements
[ORGANIZATION] implements a tiered screening approach based on the sensitivity of the role and the assets accessed:
| Tier | Applicable Roles | Screening Components | Rescreening Frequency |
|---|---|---|---|
| Tier 1 - Standard | General staff with standard system access | Identity verification, criminal background check, employment history (last [CUSTOMIZE: 5 years]) | Upon hire; [CUSTOMIZE: every 5 years] |
| Tier 2 - Enhanced | IT staff, data handlers, supervisors with elevated access | Tier 1 plus credit check, education verification, professional reference checks | Upon hire; [CUSTOMIZE: every 3 years] |
| Tier 3 - High Sensitivity | System administrators, security team, executives, personnel with access to critical assets | Tier 2 plus expanded criminal check (all jurisdictions), regulatory disqualification check | Upon hire; [CUSTOMIZE: every 2 years] |
| Tier 4 - Critical | Personnel with root/domain admin access, key management, or access to highly restricted data | Tier 3 plus [CUSTOMIZE: security clearance verification, additional screening as required] | Upon hire; [CUSTOMIZE: annually] |
3.2 Pre-Engagement Requirements
No personnel shall be granted access to [ORGANIZATION]'s information systems, data, or secure facilities until the required screening for their assigned tier has been completed and cleared.
In exceptional circumstances where business needs require access before screening is complete, a temporary exception may be granted by [CUSTOMIZE: CISO/HR Director] with the following conditions: access is limited to the minimum necessary, the individual is supervised, enhanced monitoring is enabled, and screening is completed within [CUSTOMIZE: 30 days].
Exception approvals shall be documented and maintained in the screening records.
3.3 Third-Party Provider Requirements
All contracts with third-party providers whose personnel will access [ORGANIZATION]'s assets shall include requirements for background screening commensurate with the access tier.
Third-party providers shall provide written attestation of completed screening for all personnel assigned to [ORGANIZATION] engagements, prior to access being granted.
[CUSTOMIZE: Vendor Management / Procurement] shall verify third-party screening compliance during onboarding and periodically through the contract term.
The required screening standards for third-party personnel are the same as those for equivalent [ORGANIZATION] roles as defined in the Screening Tier Requirements.
3.4 Adverse Findings
Adverse screening findings shall be evaluated by [CUSTOMIZE: HR / Security] on a case-by-case basis considering the nature and severity of the finding, its relevance to the role, the time elapsed since the event, and any mitigating circumstances.
Decisions to hire, retain, or deny access based on adverse findings shall be documented with rationale and approved by [CUSTOMIZE: HR Director / CISO].
Adverse findings that present a clear and immediate security risk shall result in denial or immediate suspension of access pending review.
Personnel who become aware of changes to their own screening status (e.g., arrest, conviction) shall be required to report such changes to [CUSTOMIZE: HR / Security] within [CUSTOMIZE: 5 business days].
3.5 Records and Privacy
All screening records shall be maintained securely by [CUSTOMIZE: HR Department] with access limited to authorized personnel on a need-to-know basis.
Screening activities shall comply with all applicable privacy laws and regulations in the jurisdictions of operation, including [CUSTOMIZE: applicable privacy regulations].
Individuals shall be informed of screening requirements and provide consent prior to screening being conducted.
Screening records shall be retained for the duration of the individual's engagement plus [CUSTOMIZE: 7 years] per the records retention schedule.
4. Compliance
Compliance with this policy is mandatory for all personnel and functions within its scope. Compliance will be monitored through periodic audits, management review, and second line of defence oversight.
Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Executive Risk Committee], and reviewed at least annually.
5. Review and Revision
This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Document Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, organizational structure, or risk appetite.
All revisions shall be documented with version number, date, author, and description of changes.
Document Approval
| Approved By | Title | Date |
|---|---|---|
| | | |
Document Control