CRIM 2C
POWERPOINT CREATOR:
Jasmine Gutierrez
Aldrinhope Sion
HANDOUT CREATOR:
Christian Odon
Willy Bihasa
REPORTERS:
Angel Sarile
Rengelyn Senoja
James Aeron De Vera
Mark Bien Agarin
Joshua Bernardino
CHAPTER 5
PERSONNEL SECURITY
Learning Objectives and introduction
Personnel security - is a set of measures to manage the risk of an employee exploiting their
legitimate access to an organization’s facilities, assets, systems or people for illicit gain, or to cause
harm.
Major threats confronting an organization are employee crime and employee misconduct.
Internal theft surpasses the losses that can be attributed to robberies, theft, frauds and other
criminal acts committed by outsiders. At the same time, substandard job performance and
inappropriate behavior of employees can result in potentially devastating lawsuits and loss of
business.
An employer’s duty is to maintain a safe and secure working environment. Employers conduct
pre-employment background checks of job applicants in order to protect existing workers, guests,
and the public from the harmful acts of employees. Harmful acts committed by prospective
employees cover a wide range of criminal acts, such as murder, rape, assault, and drug dealing,
as well as safety violations that injure and kill.
An employee with legitimate access to corporate systems has the potential to wreck the
organization’s reputation by simply using a USB memory stick or a webmail account to steal
confidential information. Those who seek to exploit their legitimate access are termed “insiders”.
They can execute several forms of criminal activity, from minor theft to terrorism.
Employees who may exploit their legitimate access for unauthorized purposes may include
rebellious individuals, members of activist groups, journalists, competitors, those linked to organized
crime or even those involved in terrorism.
Many organizations use security solely in the recruitment process, but personnel security
should be maintained throughout the time of employment. Although it is the management and the
human resource personnel who are tasked to oversee the enforcement of proper employee
behavior, security personnel have an important role in developing the necessary policies,
standards, guidelines and procedures.
The Centre for the Protection of National Infrastructure (CPNI) - is a government agency
that protects the United Kingdom’s national security by providing protective security advice. It has
published guides on Pre-Employment Screening (CPNI, 2011) and Ongoing Personnel Security
(CPNI, 2010) to assist UK-based companies in personnel management. These guides will be used
and adapted to the Philippine setting to discuss key elements of personnel security.
PRE-EMPLOYMENT SCREENING
Apparently, companies in financial services have long been carrying out such background
checks, and only recently have other industries followed. Such an interest could be
attributed to the rising instances of applicants who lie on the job application (Condo, 2010).
Through pre-employment screening the credentials of job applicants and their preconditions
for employment are verified.
The objective is to collect information and use that information to identify individuals who
present security concerns.
Application Form
Using a standardized application form to be completed by job applicants requires them
to provide all relevant information and confirm its correctness with a signature.
The form should include a provision that pre-employment screening will be carried out. By
signing the form, the applicant provides consent for background checks to be undertaken.
It should also include a clear statement that omissions are grounds to terminate the hiring
process or employment, even if not discovered until the applicant is already hired.
Such statements in the standardized application form not only protect the organization legally;
they also serve as a deterrent to the applicant signing the document.
Interviews
The job interview portion of the application also helps in the screening process
because it provides an opportunity to discuss the candidate’s suitability for employment.
Identity Verification
To avoid detection - Individuals like crooks, terrorists or wanted criminals may wish to remain
anonymous or undetected.
For dishonest financial gain - This involves individuals who have ill intentions to commit
credit fraud or unqualified applicants who falsify education qualifications to obtain employment.
To avoid financial liability - This includes individuals who have failed to pay debts and are avoiding
financial liabilities.
To legally obtain genuine documents - such as a passport, by using false "breeder" documents.
1. Paper-based approach - involves requesting original documents such as those that
corroborate the applicant's full name, signature, date of birth, and full permanent address.
Issued by a trustworthy and reliable source
Difficult to forge
Dated and current
Contains the owner's name, photograph and signature
Requires evidence of identity before being issued
2. Electronic approach - involves checking the applicant's personal details against
external databases.
When such database checks are able to confirm that the identity does exist, it would
also be necessary to test whether the individual truly owns the identity by asking questions that
could corroborate information about the identity.
Dates of employment
Position held
Duties
Salary
Reason of leaving
Any employment gaps
Media Searches
Media searches involve the evaluation of an individual based on their online reputation. It
includes searching for what they say or what others say about them on the internet. This could be a
useful tool if the position to be filled involves access to sensitive material that the applicant might
compromise. For example, if the position requires working closely with several TV and movie
personalities, it would not be ideal to hire an individual who enjoys heavy gossiping on social media
sites.
Media searches can also help verify identity, confirm or resolve concerns about suspicious
behavior, or establish how security-aware the applicant is. An individual who posts photos of
drunkenness at parties and allows public viewing of such photos could be showing poor judgment,
especially if the position being applied for involves working for a religious foundation or a prominent
conservative politician. Potential conflicts of interest may also be identified, such as being
personally related to the owner of a competing business.
There are risks, however, in using media searches. Employers might obtain information
about someone with the same name as the applicant. It is also possible that the positive
information available online was staged by the applicant in order to appear qualified. Third-party
views or opinions about the applicant are also not completely reliable, especially if these cannot be
verified to be true.
Personnel security is a system of policies and procedures that manage the risk of staff or
contractors exploiting legitimate access to an organization's assets or premises for unauthorized
purposes. It is important to distinguish between this and personal security, which seeks to reduce
the risk to the safety or well-being of individual employees.
Insider activities are those that exploit an employee's legitimate access to an organization's
assets for unauthorized purposes. This is a potential threat for organizations that could have
possibly hired terrorists, intelligence service agents, discontented employees, or journalists and
activists seeking to damage the organization's reputation. Numerous companies already had
serious losses because of insider acts such as fraud, theft, corporate espionage and even
terrorism. But the more common insider activities include those that involve unauthorized
disclosure of information and process corruption. For example, a finance employee might be
receiving money to illegitimately alter an internal process in order to benefit certain clients.
It is difficult to clearly establish an insider's motivation. It could be a combination of factors
such as political or religious ideology, revenge, notoriety and financial gain or even fear or coercion
from an external pressure. An outsider seeking to gain access might hire insiders to get through a
company's sophisticated physical and IT security measures.
An employee might not have malicious intentions initially when hired, but attitudes change
either gradually or in response to events and circumstances. The employee who has proven to be
honest and dependable for a few years could possibly change loyalties after acquiring sensitive
information about the organization.
As with physical security, no single set of countermeasures can guarantee protection from
serious threats. Ongoing personnel security is critical to counter threats considering that the human
factor could quite possibly be the weakest link in the organization's security chain.
These are the programs that provide an opportunity for old and new employees to gain
necessary skills to perform their duties and responsibilities within the organization’s security
network.
It includes orientation for new employees or new activities for existing employees such as
the following:
Workshops
Scenario based role plays
Briefings
Intranet or Magazine Articles
Posters
Meetings
Focus Groups or Quizzes
The goal is to encourage them to accept personal responsibility for security and equip them to
make judgement calls that procedures cannot always predict.
To achieve its objective, the trainers and security personnel should consider the following
points (CPNI, 2010):
Encourage staff to see those in security as friendly and approachable. Provide a
contact number or email address for reporting security
Demonstrate unconditional support for the security policy (particularly from
management)
Explain the organization’s security policies openly. If there are some areas that are
more sensitive than others and where access is restricted this should be clearly
stated.
Give employees a realistic picture of the threats to the organization.
Encourage cultures which resolve and correct rather than focus on establishing
blame.
Avoid exaggerating the risks and threats faced by the organization to gain more
credibility.
Avoid making false claims about security to frighten employees into compliance.
Provide regular refresher trainings to incorporate new and security procedures in
order to help maintain standards and ensure that employees understand why
these are important to follow.
Managers play a key role in addressing negative behavior and ensuring that security
measures are followed.
Managers sometimes fail to act on poor performance and this could worsen the problem
because other employees might become dissatisfied at having to compensate for their
co-worker’s poor performance.
Another negative result is when employees assume that poor performance is acceptable
and follow that example.
If there is reason to be concerned about an employee’s performance or behavior, the
manager may resort to an informal interview to clarify or address issues to prevent the
problem from getting worse.
An informal interview can be initiated by asking open questions such as the following:
“How have you been finding your job lately?”
“How is the project going so far?”
If there are serious concerns, the manager could uncover innocent explanations such as:
Personal issues like marital problems, bereavement or illness
Work difficulties which may be causing tension, such as friction between colleagues,
disillusionment, boredom or dissent
Possible conflicts of interest which may affect the employee’s engagement with their
work, such as ethical concerns
If there is a clear breach of security policy or if further evidence of wrongdoing emerges,
those responsible for personnel security should be informed so that they can conduct
further investigation.
Organizations usually use access controls as physical security measures against outsiders.
Similar consideration should be used to prevent or minimize the risk of individuals with legitimate
access engaging in insider activities.
One measure is to require employees to wear security passes. There should be no
exceptions, even for senior management, security staff or visitors. When an individual gains access
to sensitive areas without an appropriate pass, employees are encouraged to challenge this individual
for suspicion of security breach. In addition, the security system should be periodically tested to
ensure that personnel without the appropriate pass will not easily gain access.
Insider attacks can cause significant damage to an organization. Big organizations might
rarely encounter threats of insider activity, but they should nevertheless be prepared by
establishing an effective screening regime. There is no clear pattern that can help detect
insider threat because the personality, motivation and behavior of insiders can be extremely
varied.
The insider could be the administrative assistant who decided to exploit his access to
expensive equipment once in post, even though he had no prior intention of doing so. He
could be the public relations staff member who was recruited by an investigative journalist to take
advantage of his access to sensitive information that could destroy the organization’s
reputation. He could even be the elevator maintenance crew member who is secretly connected to a
terrorist group and deliberately applied for the job with the intention to gain access to highly
secured areas in the office.
Screening employees to determine their vulnerability to, or active involvement in, insider
activity involves identifying those people who give cause for concern by demonstrating
suspicious behaviors or possessing individual vulnerabilities. After identifying individuals
who may give cause for concern, it is important to find a way to resolve or manage those
concerns. It is important not to overreact but to take swift, proportionate action in order to
avoid any escalation. It is equally important not to diagnose insider activity where none
exists, so organizational procedures should always be followed to ensure that the correct steps
are taken in each instance (CPNI, 2010).
Exit Procedure
As soon as managers become aware that an employee is leaving the company, they
should assess and manage the risk that this individual may pose. The manager should consider
the following:
After assessing the risks, the following are the manager’s options depending on the
employee’s contract:
Allow the employee to carry on working during their contractual notice period and
retain their usual access to the organization’s assets. This option could provide the
employee with an opportunity to abuse his access and damage the organization
and should therefore be used only if there is no risk.
Allow the employee to work their contractual notice period but with reduced access
to assets (for example, using additional supervision or by allocating lower-level IT
access). This is generally considered the best course of action. If an employee is
leaving to work for a competitor, it may be appropriate to remove his access to
commercially valuable information.
Ask the employee to leave immediately - possibly under supervision to prevent any
unauthorized act while still on the premises – and not to return for the duration of
their notice period. This could apply to employees who had extremely sensitive
positions. This is likely to cause ill feelings with the employee and should therefore
be handled with caution.
Exit procedures should also include the return of all assets, access tools and identifiers that
belong to the organization. These may include:
Uniforms
Security passes and/or identification cards
Mobile phones
Company credit cards
Any unused personal business cards
Keys to secure/ storage areas
Tokens for access to electronic systems
Any books, papers, or commercially sensitive documentation
Laptops and other remote working equipment such as flash drives
Security containers such as security briefcases
The following additional steps should also be considered to reduce the employee’s access
to assets:
By and large, the exit interview is done with the employees about to leave the company in
order to help identify problems contributing to employee turnover. The employee’s experiences and
reasons for leaving may suggest needed changes and open the eyes of the management to adopt
a course of action that will improve the morale, improve the working conditions and increase
efficiency. Expanding the questions by including security questions can be an effective source of
information about loss.