I was having lunch last week with the senior executive for one of the large agencies in the government organization where I work, when I asked about the agency's information security officer. I'd heard that the ISO had left his job rather quietly and quickly a few weeks earlier, but I hadn't been able to get a clear answer or reasonable explanation as to why. This isn't as strange as it may sound. Our government organization is very decentralized, and the agency ISOs don't work directly for me. I don't have any real authority over them other than to ensure they institute the enterprise security policies within their agencies (but that's a whole different story).
The senior executive told me that he'd been meaning to bring me up to speed on the situation but that it was very complicated, and after the ISO left, he didn't feel a sense of urgency to close the loop. Because the senior executive was relatively new in the position, he'd spent some time trying to get to the bottom of the whole situation himself. My antennas were now wagging in anticipation.
Here's the rest of the story. This employee had been quickly hired about a year ago to fill a critical vacancy. The agency was preparing for a couple of fairly extensive federal audits and also needed a security manager to mitigate some critical vulnerabilities from a recent vulnerability assessment and other new enterprise security requirements that I had recently initiated. This particular ISO quickly became one of the more proactive and effective security officers in the more than 20 agencies in our government organization. In fact, he was one of the leaders whom I held up as an example to others because he took the initiative to stay in front of his agency's security problems.
Then one day, about eight weeks ago, the HR director of this particular agency received a call from a county probation officer, who said that one of his probationers was employed there and had been lying to him. He was angry and told the HR director that he suspected this person had been lying to the agency as well.
Guess who the employee was.
Oops, We "Forgot"
This revelation was a bit of a shock to both the HR director and the senior executive, because they weren't even aware that the employee had legal problems—let alone that he was on probation. He was, after all, just the information security officer! After some investigation and discussion with the probation officer, they discovered that after being convicted of felony embezzlement, this employee had been released from prison mere weeks before being hired as a public servant in this public agency. OK, fellow CSOs and CISOs, can you see where this is headed? Are you beginning to perspire?
While my first thought was, "Are you kidding me?" my first question to the senior executive was, "Do you have a policy for conducting background investigations, and do you follow it?" The answers were "Yes" and "Usually." In the haste to get someone hired, a former HR staffer had simply forgotten the background check portion of the hiring process. There was obviously no checklist to make sure that all components of the process were completed.
One of the most important things an organization can do during the hiring process is to conduct a background check. This is especially critical for those in positions that require a high degree of integrity and ethics. It does all of us a great deal of harm to have someone in our midst who causes our credibility to be questioned. I also believe that we should raise that bar for employees who hold a position of trust or have access to critical systems and information—employees such as information security officers. Background checks won't necessarily eliminate fraud or ethically challenged employees, but the process might lead us to ask some hard questions before actually hiring a person, or at least give us some insight into his or her prior work or personal history.
We've all heard the statistics that somewhere around 50 percent of all information security incidents are caused by the insider threat. These aren't all malicious in nature, of course, but a substantial number of them are. A number of recent cases make the hair on the back of my neck stand up, including:
- The woman who thought she was going to be fired from her job at an architectural firm, so she deleted seven years' worth of architectural blueprints and drawings estimated to be worth $2.5 million.
- The guy who planted a logic bomb on the St. Cloud (Minnesota) Hospital computer system that activated several months after his departure, disabling the program he had created.
- The Georgia state agency worker who was charged in 2005 with computer intrusion and theft after accessing Georgia drivers' license files outside of work hours and without authorization.
- The former DuPont scientist who pled guilty to theft of trade secrets. After discovering that the scientist was the second most active user of the company's database, DuPont found that he had accessed thousands of documents with the intent of giving them to a competitor.
Would a background check have turned up something to make any of the employers question the morals or ethics of these employees? Maybe or maybe not, but at least the companies could have answered with a straight face questions about how well they vetted the employees.
Even more troubling are the incidents involving those in law enforcement who are entrusted to protect, but instead violate that trust. Just in the past few months:
- A Virginia police sergeant was charged with accessing the FBI's National Crime Information Center database for personal reasons.
- Two Collier County (Florida) Sheriff's Office employees were charged with inappropriately accessing the office's computer system to find out information about other people.
- A veteran of the Hartford, Conn., police force looked up information from the National Crime Information Center and gave it to a friend.
Surely these trained law enforcement personnel knew this kind of activity was wrong. These violations do a significant amount of damage to public trust. Although background investigations obviously can't deter or stop everything, they might provide an indicator of future behavior.
The recent case, in January, of the futures trader at the French bank Société Générale—the one who allegedly bypassed established computer-control systems to generate fictitious financial transactions that caused over $7.2 billion in losses for the bank—is another situation that might have been deterred. That amount of money is going to have a lot of people asking a lot of questions. A recurring background check may have turned up some information to indicate that this guy was a potential threat to the organization.
What Not to Forget
So what does a background check consist of, and how do you do one? While background checks were traditionally done by the police, today there are many local and national private companies that offer background check services. Like most things, you get what you pay for. A simple online background check will provide quick, basic information, while a more comprehensive investigation can cost hundreds of dollars and take considerably more time. Either way, the purpose is to give some insight into a person's character based on past actions and records. Depending on the extent of background check desired, it can provide information about a person's financial, criminal and even personal history, including bankruptcies, motor vehicle tickets and employment records. I recommend a personnel security policy that includes, at a minimum, the following components:
- A requirement for all new employees, including contractors, interns or other temporary employees, to pass a basic background check.
- A definition of "positions of trust" that require a higher level of scrutiny for background checks. This might include anyone who has access to large sums of money or financial accounts, citizen or customer personal information, proprietary information or intellectual property, and intelligence- or law-enforcement-related information.
- A requirement that all new employees working in a position of trust, or who routinely have access to any kind of personally identifiable information or other sensitive information, complete a comprehensive background check that includes criminal records, education records, credit history, employment records, driving records and drug testing where applicable.
- A policy defining the specific criteria for what would disqualify a potential employee from working in the organization.
- A requirement that an "update" background check be done at least once every three years on existing employees and contractors in positions of trust.
- A policy that establishes specific passing criteria as a condition of employment.
The ancient Roman poet Juvenal asked, "Quis custodiet ipsos custodes?" which translates to "Who watches the watchmen?" For those of us responsible for protecting the sensitive and critical personal information of our citizens and customers, the answer had better be, "We do!"
This column is written anonymously by a real CSO. Send your comments via e-mail to firstname.lastname@example.org.