Personnel Security – Adjudication of the Human Resource and the “Whole Person” rule.

October 3, 2016 | Views: 3265


Personnel Security is, of course, concerned with the people who have access, or whom management is considering for access, to the resources of a company, government or other institution. It is therefore important that, like any other security consideration, a risk-based approach be taken to the determination of hiring or retaining employees, contractors, vendors or others (including visitors) who will have access to our assets. It is not my purpose here to review how a Personnel Security policy is created, or to review the reasons for such a policy, but rather to discuss the decision process for adjudicating a background or other similar investigation of an individual.

The first and most important consideration of a Personnel Background Investigation is the reason for the investigation, which is usually to determine the trustworthiness of a person in order to authorize access to assets. So how do we do that? Oftentimes we ask the individual for information about themselves in the form of a resume, application, or form completed for the purpose of background information gathering. We then ensure we have that person’s signed permission to investigate prior to ordering or beginning the investigation process.

While there are various methods for gathering data on an individual (not discussed here) and multiple issues to consider when selecting source material (again, not our focus here), eventually the data gathered needs to be adjudicated. Hard and fast rules of what is acceptable and what is not do indeed exist. For example, if an individual has a felony conviction in their background, this often results in an adverse finding or a “red flag”, and access to assets is normally denied. While such findings are generally understandable and, because of policy, often easy to determine, in the real world of humans hardly anything is as cut and dried when it comes to adjudication.

Here is where the “whole person” or “whole man” rule comes into play. Basically, the rule states that in the presence of “red flags”, consideration should be given to the entirety of the individual’s background in order to make a determination.

Let’s take a few examples:

Person A is a fifty-year-old with twenty years of verified work history as a senior system administrator for a large corporation. The person was responsible for handling enterprise-level assets and was a highly trusted employee according to prior supervisors’ references. The company that this person worked for was bought out and the person was laid off, collecting unemployment for over eight months. Thereafter no employment records were found for three years until the most current job was documented and verified. All education documentation matches and shows that this person was in school during the three-year interval where employment was verified and the person received a degree in Computer Science. The person indicated that they were self-employed during the time that no employment records were located, but no supporting documentation was verified. When queried, the individual indicated that work was found infrequently and was under the documentation reporting limits for tax purposes after expenses. Drug test clean. Pending job as Security Operations Analyst in Cyber Security at credit card company.

Finding: “red flag” on three years of unverifiable self-employment.

Person B is a twenty-nine-year-old with a recently earned degree in business administration and two years of verified employment as a shift supervisor at a big chain retail outlet. Prior to this employment, this individual held one job in a retirement home as an aide since graduation from high school. The person is currently not working and documented that the reason for unemployment is “Let go for low sales.” However, investigation sources indicated that the person was terminated for cause with no further explanation. This individual’s background also indicates that they are carrying a heavy debt load of student loans, and several outstanding credit card and household bills are 90 days or more overdue. This individual’s degree is verified and GPA shown to be 3.85. This person has listed multiple addresses in the past seven years. Drug test clean. Pending job as New Sales Associate at credit card company.

Findings: “red flags” on the termination for cause, heavy debt and unpaid bills, and multiple addresses.

Person C is a forty-year-old accountant with a history of job hopping every three years or so until this person’s current employment at a Fortune 500 corporation, which has lasted eight years. The person has two convictions for DUI: one at age 19 and another the following year. There is nothing remarkable on this person’s credit check except an unpaid medical bill from six years ago. This person’s education is verified and their certification as a CPA is also on record. Drug test clean. Pending job as Lead Billing and Accounts Receivable at credit card company.

Findings: “red flags” on the DUI convictions and early career job hopping.

Now, of these three people, none is going after the same job posting your company has advertised. It is your responsibility as the Personnel Security Specialist to make determinations as to the trustworthiness of each individual before they are officially hired and can begin work. They have each interviewed with the hiring manager and HR recruiter, and a conditional offer has been extended to each pending the background investigation findings. How do you find?

For the sake of this example, we will stipulate that there are no specific policy directives regarding any of these “red flag” issues, or that if there are, they permit a “grey area” determination to be made by the Personnel Security Specialist.

Using the “whole man/person” rule, you take all factors, i.e., all of the information, into consideration, as opposed to weighing each item individually or focusing on only the “red flags”. Understanding that no one is perfect, do any of these backgrounds indicate the likelihood of future security risks to the company based on the past? Consider how long ago the events were and how serious they were, as well as the approximate age of the person when the negative event occurred. Consideration should also be given to the intent, if any can be determined, as well as to how the event relates to the business risk exposure. When queried about any specifics, how forthcoming was the individual and how reasonable was the response?

 

    There are of course multiple areas not covered here that a Personnel Security person needs to be aware of legally when asking questions and seeking information since there are protections under the law regarding discrimination issues and legal status issues. Those topics are well covered in most Human Resources material. My intent here is to broaden security considerations and open a discussion for the purpose of learning together. To that end, you are invited to have an open dialog and explain why you would or would not approve one of these persons as a new hire using the “Whole man/person” rule.

6 Comments
  1. GREAT WORK

  2. Love this article! very interesting.

  3. What Watsonce said. Person A seems to have a very credible reason for his period of unemployment, which can be very readily understood in the circumstances; not a red flag in my view at all. Person B’s reason given for ‘being let go’ may or may not fit with the ‘no further explanation’, however coupled with the person’s financial indiscretions may well add up to a negative risk factor, therefore declined job offer. I would consider Person C carefully and maybe try to ascertain courses or actions taken following his DUI offences, which agreed were potentially at a less mature age. However, pending finding of more in depth investigations as to any further possible offences, combined with the ‘Job-hopping’ may swing the balance for this individual from a ‘possible’ to a ‘no’. Interesting scenarios, do we have a DS forthcoming?

    • Thank you for your thoughtful response. Here is how I find for each of these people:

      Person A – I would accept as a new hire with little reservation. There is really nothing outstandingly unusual in this person’s background that would indicate anything more than moderate risk in hiring the person for a post requiring trust.

      Person B – I would not have a favorable background risk finding. Those of you who indicated that this person poses a greater than acceptable risk as indicated in past behavior are correct. My recommendation would be to revoke the offer.

      Person C – This is the easiest example of the “whole man/person” rule being applied. Recall that the idea is to look not only at what, but when a negative indicator occurred. I would approve an offer for this person as long as the job did not involve operations of company vehicles or dangerous equipment. There has been twenty years since the DUIs and unless there were indications otherwise, I would document the file regarding driving and approve the hire.

  4. Nice article.

  5. Given Person B’s questionable level of financial responsibility, the lack of direct (progressive) experience for the advertised job, and not being forthcoming with the conditions of unemployment/termination from previous job; this applicant would not meet my requirements for trustworthiness.
