October 3, 2016
Personnel Security – Adjudication of the Human Resource and the “Whole Person” rule.
October 3, 2016
Personnel Security is of course concerned with the people that have access or management is considering for access to the company, government or other institutions resources. It is therefore important that, like any other security consideration, a risk based approach be taken to the determination of hiring or retaining employees, contractors, vendors or others (including visitors) that will have access to our assets. It is not my purpose here to review how a Personnel Security policy is created, or review the reasons for such a policy specifically, etc., but rather to discuss the determination decision process for adjudicating a background or other similar investigation of an individual.
The first and most important consideration of a Personnel Background Investigation is the reason for the investigation, which is usually to determine the trustworthiness of a person in order to authorize access to assets. So how do we do that? Often times we ask the individual for information about themselves in the form of a resume, application, or form completed for the purpose of background information gathering. We then ensure we have that person’s signed permission to investigate prior to ordering or beginning the investigation process.
While there are various methods for gathering data on an individual (not discussed here) and multiple issues to consider when selecting source material (again, not our focus here), eventually the data gathered needs to be adjudicated. Hard and fast rules of what is acceptable and what is not do indeed exist. For example, often if an individual has a felony conviction in their background this results in an adverse finding or a “red flag” and access to assets is normally denied. While such findings are generally understandable and often due to policy easy to determine, in the real world of humans, hardly anything is as cut and dry when it comes to adjudication.
Here is where the “whole person” or “whole man” rule comes into play. Basically what the rule states is that in the presence of “red flags” consideration should be made to the entirety of the individual’s background in order to make a determination.
Let’s take a few examples;
Person A is a fifty year old with twenty years verified work history as a senior system administrator for a large corporation. The person was responsible for handling enterprise level assets and was a highly trusted employee according to prior supervisors’ references. The company that this person worked for was bought out and the person was laid off, collecting unemployment for over eight months. Thereafter no employment records were found for three years until the most current job was documented and verified. All education documentation matches and shows that this person was in school during the three year interval where employment was verified and the person received a degree in Computer Science. The person indicated that they were self-employed during the time that no employment records were located but no supporting documentation was verified. When queried, the individual indicated that work was found infrequently and was under the documentation reporting limits for the taxable purposes after expenses. Drug test clean. Pending job as Security Operations Analyst in Cyber Security at credit card company.
Finding, “red flag” on three years unverifiable self-employment.
Person B is a twenty nine year old with a degree in business administration gained recently and two years verified employment as a shift supervisor at a big chain retail outlet. Prior to this employment this individual held one job in a retirement home as an aid since graduation from high school. The person is currently not working and documented that the reason for unemployment is “Let go for low sales.” However, investigation sources indicated that the person was terminated for cause with no further explanation. This individuals background also indicates that they are carrying a heavy debt load of student loans and several outstanding credit card and house hold bills have 90 days or greater overdue. This individuals degree is verified and GPA shown to be 3.85. This person has listed multiple addresses in the past seven years. Drug test clean. Pending job New Sales Associate at credit card company.
Findings, “red flags” on the termination for cause, heavy debt and unpaid bills and multiple addresses.
Person C is a forty year old accountant with a history of job hopping every three years or so until this person’s current employment at a fortune 500 corporation which has lasted eight years. The person has two convictions for DUI; one at age 19 and another the following year. There is nothing remarkable on this persons credit check except an unpaid medical bill from six years ago. This person’s education is verified and their certification as a CPA is also on record. Drug test clean. Pending job as Lead Billing and Accounts Receivable at credit card company.
Findings, “red flags” on the DUI convictions and early career job hopping.
Now given that of these three people, none are obviously going after the same job posting your company has advertised. It is your responsibility as the Personnel Security Specialist to make determinations as to the trustworthiness of each individual before they are officially hired and can begin work. They have each interviewed with the hiring manager and HR recruiter and a conditional offer has been extended to each pending the background investigation findings. How do you find?
For the sake of this example, we will stipulate that there is no specific policy directives regarding any of these “red flag issues” or that if there is, they permit for a “grey area” determination to be made by the Personnel Security Specialist.
Using the “whole man/person” rule, you take all factors, i.e., all of the information into consideration as opposed to weighing each item individually or focusing on only the “red flags”. Understanding that no one is perfect, do any of these backgrounds indicate the likelihood of future security risks to the company based on the past? Consider how long in the past events were and how serious they were, as well as the approximate age of the person when the negative event occurred. Also, consideration should be towards the intent if any can be determined as well as the relative nature of the event to the business risk exposure. When queried about any specifics, how forthcoming was the individual and how reasonable was the response?
There are of course multiple areas not covered here that a Personnel Security person needs to be aware of legally when asking questions and seeking information since there are protections under the law regarding discrimination issues and legal status issues. Those topics are well covered in most Human Resources material. My intent here is to broaden security considerations and open a discussion for the purpose of learning together. To that end, you are invited to have an open dialog and explain why you would or would not approve one of these persons as a new hire using the “Whole man/person” rule.