
GROUP 2

CRIM 2C

POWERPOINT CREATOR:
Jasmine Gutierrez
Aldrinhope Sion

HANDOUT CREATOR:
Christian Odon
Willy Bihasa

REPORTERS:
Angel Sarile
Rengelyn Senoja
James Aeron De Vera
Mark Bien Agarin
Joshua Bernardino
CHAPTER 5

PERSONNEL SECURITY
Learning Objectives and introduction

At the end of this chapter, the student will be able to:

 Explain personnel security
 Enumerate the checks included in pre-employment screening
 Enumerate pre-employment screening measures
 Enumerate the purpose and explain the importance of ongoing personnel security
 Enumerate ongoing personnel security measures
 Explain exit procedures.

PURPOSE OF PERSONNEL SECURITY:

Personnel security is a set of measures to manage the risk of an employee exploiting their
legitimate access to an organization’s facilities, assets, systems or people for illicit gain, or to cause
harm.

Major threats confronting an organization are employee crime and employee misconduct.
Internal theft surpasses the losses that can be attributed to robberies, theft, frauds and other
criminal acts committed by outsiders. At the same time, substandard job performance and
inappropriate behavior of employees can result in potentially devastating lawsuits and loss of
business.

An employer’s duty is to maintain a safe and secure working environment. Employers conduct
pre-employment background checks of job applicants in order to protect existing workers, guests,
and the public from the harmful acts of employees. Harmful acts committed by prospective
employees cover a wide range of criminal acts, such as murder, rape, assault, and drug dealing,
as well as safety violations that injure and kill.

An employee with legitimate access to corporate systems has the potential to wreck the
organization’s reputation by simply using a USB memory stick or a webmail account to steal
confidential information. Those who seek to exploit their legitimate access are termed “insiders”.
They can execute several forms of criminal activity, from minor theft to terrorism.

Employees who may exploit their legitimate access for unauthorized purposes may include
rebellious individuals, members of activist groups, journalists, competitors, those linked to organized
crime or even those involved in terrorism.

Many organizations use security solely in the recruitment process, but personnel security
should be maintained throughout the time of employment. Although it is the management and the
human resource personnel who are tasked to oversee the enforcement of proper employee
behavior, security personnel have an important role in developing the necessary policies,
standards, guidelines and procedures.

The Centre for the Protection of National Infrastructure (CPNI) is a government agency
that protects the United Kingdom’s national security by providing protective security advice. It has
published guides on Pre-Employment Screening (CPNI, 2011) and Ongoing Personnel Security
(CPNI, 2010) to assist UK-based companies in personnel management. These guides will be used
and adapted to the Philippine setting to discuss key elements of personnel security.

PURPOSE OF PERSONNEL SECURITY:

 To identify security measures in proportion to the risk.
 To reduce the risk of employing personnel likely to present a security concern.
 To establish that applicants and contractors are who they claim to be.
 To close down opportunities for abuse of the organization’s assets.

PRE-EMPLOYMENT SCREENING

 Personnel security measures are usually undertaken during the recruitment process.
 It is better to spot dangerous or dishonest individuals before they are hired.
 A proper background employment screening on job applicants must be carried out.
 Apparently, companies in financial services have long been carrying out such background
checks, and only recently have other industries followed. Such an interest could be
attributed to the rising instances of applicants who lie on the job application (Condo, 2010).
 Through pre-employment screening, the credentials of job applicants and their preconditions
for employment are verified.
 The objective is to collect information and use that information to identify individuals who
present security concerns.

The pre-employment screening should include checks on the following:

 Proof of identity or address
 Details of education and employment
 Criminal records
 Financial check
 Checking of at least two character references

Pre-Employment Screening Policy Checklists (CPNI, 2011)

1. Make pre-employment screening an integral part of the recruitment process.
2. Ensure that the applicants are informed in writing that any offer of employment will be
subject to the satisfactory completion of pre-employment screening checks, whether or
not the individual has already been granted access to the site.
3. Ensure that the screening processes are legally compliant at all stages (including the
wording of application forms).
4. Involve all the relevant departments in the organization, and ensure they communicate
and share data effectively.
5. Identify the specific office responsible for the pre-employment screening process.
6. Incorporate specialist businesses into your strategy if appropriate.
7. Ensure that the application form requests all relevant information, including consent for
further checks, and outlines your screening policies.
8. Establish decision-making guidelines for consistent and transparent judgments about
information.
9. Have a clear understanding of the thresholds for denying someone employment.
10. Be clear about how fake or forged documents will be dealt with.
11. Collect data and results of the pre-employment screening process (e.g. incidence of
false qualifications or criminal records).

Application Form

 Using a standardized application form to be completed by job applicants requires them
to provide all relevant information and confirm its correctness with a signature.
 The form should include a provision that pre-employment screening will be carried out; by
signing the form, the applicant provides consent for background checks to be undertaken.
 It should also include a clear statement that omissions are grounds to terminate the hiring
process or employment, even if not discovered until the applicant is already hired.
 Such statements in the standardized application form not only protect the organization legally;
they also serve as a deterrent to the applicant signing the document.

Interviews
The job interview portion of the application also helps in the screening process
because it provides an opportunity to discuss the candidate’s suitability for employment.
This interview is important because:

 Face-to-face discussion encourages applicants to be honest.
 It allows employers to clarify information in the application form, ask for other information
not covered in the application form and probe candidates about their responses.
 It also provides a good opportunity to add to the overall assessment of the applicant’s
reliability and integrity.

Identity Verification

Verifying the applicant's identity is a critical measure in the screening process.

Four reasons why individuals use false identities:

 To avoid detection - Individuals like crooks, terrorists or wanted criminals may wish to remain
anonymous or undetected.
 For dishonest financial gain - This involves individuals who have ill intentions to commit
credit fraud or unqualified applicants who falsify educational qualifications to obtain employment.
 To avoid financial liability - This includes individuals who have failed to pay debts and are avoiding
financial liabilities.
 To legally obtain genuine documents - such as a passport, by using false "breeder" documents.

The purpose of verifying identity is to ascertain the correctness of
all the information applicants have given about themselves by:

 Determining that the identity is genuine and related to a real person.
 Establishing that the individual owns and is rightfully using that identity.

Methods of Verifying Identity

1. Paper-based approach - involves requesting original documents such as those that
corroborate the applicant's full name, signature, date of birth, and full permanent address.
   Issued by a trustworthy and reliable source
   Difficult to forge
   Dated and current
   Contains the owner's name, photograph and signature
   Requires evidence of identity before being issued
2. Electronic approach - involves checking the applicant's personal details against
external databases.
When such database checks are able to confirm that the identity does exist, it would
also be necessary to test whether the individual truly owns the identity by asking questions that
could corroborate information about the identity.

Qualification and Employment Checks

A qualification check involves the verification of information regarding educational or professional
qualifications, while an employment check involves the verification of the applicant’s
employment history in terms of dates of employment and position. The purpose of such
confirmation of the applicant’s qualifications and previous employment is to help the employer in
evaluating the candidate’s reliability and integrity, and also to help discover whether applicants are
hiding negative information such as a criminal record from previous employment for suspicious
reasons.

The qualification check should confirm the following information:

 The establishment attended
 Course dates
 The title of the course
 Grades/marks awarded

The employment checks should verify the following information:

 Dates of employment
 Position held
 Duties
 Salary
 Reason for leaving
 Any employment gaps

Media Searches

Media searches involve the evaluation of an individual based on their online reputation. It
includes searching for what they say or what others say about them on the internet. This could be a
useful tool if the position to be filled involves access to sensitive material that the applicant might
compromise. For example, if the position requires working closely with several TV and movie
personalities, it would not be ideal to hire an individual who enjoys heavy gossiping on social media
sites.

Media searches can also help verify identity, confirm or resolve concerns about suspicious
behavior, or establish how security-aware the applicant is. An individual who posts photos of
drunkenness at parties and allows public viewing of such photos could indicate poor judgment,
especially if the position being applied for involves working in a religious foundation or for a prominent
conservative politician. Potential conflicts of interest may also be identified, such as being
personally related to the owner of a competing business.

There are risks, however, in using media searches. Employers might obtain information
about someone with the same name as the applicant. It is also possible that the positive
information available online was staged by the applicant in order to appear qualified. Third-party
views or opinions about the applicant are also not completely reliable, especially if these cannot be
verified to be true.

ONGOING PERSONNEL SECURITY DURING EMPLOYMENT

Personnel security is a system of policies and procedures that manage the risk of staff or
contractors exploiting legitimate access to an organization's assets or premises for unauthorized purposes. It
is important to distinguish between this and personal security, which seeks to reduce the risk to
the safety or well-being of individual employees.

Purpose of Ongoing Personnel Security (CPNI, 2010):

 To minimize the likelihood of employees becoming a security concern.
 To implement security measures in a way that is proportionate to the risk.
 To reduce the risk of insider activity, protect the organization's assets and, where necessary,
carry out investigations to resolve suspicion or provide evidence for disciplinary procedures.

Importance of Ongoing Personnel Security

Insider activities are those that exploit an employee's legitimate access to an organization's
assets for unauthorized purposes. This is a potential threat for organizations that could have
possibly hired terrorists, intelligence service agents, discontented employees, or journalists and
activists seeking to damage the organization's reputation. Numerous companies have already suffered
serious losses because of insider acts such as fraud, theft, corporate espionage and even
terrorism. But the more common insider activities include those that involve unauthorized
disclosure of information and process corruption. For example, a finance employee might be
receiving money to illegitimately alter an internal process in order to benefit certain clients.

It is difficult to clearly establish an insider's motivation. It could be a combination of factors
such as political or religious ideology, revenge, notoriety and financial gain, or even fear or coercion
from external pressure. An outsider seeking to gain access might hire insiders to get through a
company's sophisticated physical and IT security measures.

An employee might not have malicious intentions initially when hired, but attitudes change
either gradually or in response to events and circumstances. The employee who has proven to be
honest and dependable for a few years could possibly change loyalties after acquiring sensitive
information about the organization.

As with physical security, no single set of countermeasures can guarantee protection from
serious threats. Ongoing personnel security is critical to counter threats considering that the human
factor could quite possibly be the weakest link in the organization's security chain.

SECURITY TRAINING AND AWARENESS

 These are the programs that provide an opportunity for old and new employees to gain
necessary skills to perform their duties and responsibilities within the organization’s security
network.
 It includes orientation for new employees or new activities for existing employees such as
the following:
   Workshops
   Scenario-based role plays
   Briefings
   Intranet or Magazine Articles
   Posters
   Meetings
   Focus Groups or Quizzes
 The goal is to encourage them to accept personal responsibility for security and equip them to
make judgement calls that procedures cannot always predict.
 To achieve its objective, the trainers and security personnel should consider the following
points (CPNI, 2010):
   Encourage staff to see those in security as friendly and approachable. Provide a
  contact number or email address for reporting security
   Demonstrate unconditional support for the security policy (particularly from
  management).
   Explain the organization’s security policies openly. If there are some areas that are
  more sensitive than others and where access is restricted, this should be clearly
  stated.
   Give employees a realistic picture of the threats to the organization.
   Encourage cultures which resolve and correct rather than focus on establishing
  blame.
   Avoid exaggerating the risks and threats faced by the organization to gain more
  credibility.
   Avoid making false claims about security to frighten employees into compliance.
   Provide regular refresher trainings to incorporate new and security procedures in
  order to help maintain standards and ensure that employees understand why
  these are important to follow.

ADDRESSING BEHAVIOR CONCERNS

 Managers play a key role in addressing negative behavior and ensuring that security
measures are followed.
 Managers sometimes fail to act on poor performance and this could worsen the problem
because other employees might become dissatisfied at having to compensate for their co-worker’s
poor performance.
 Another negative result is when employees assume that poor performance is acceptable
and follow that example.
 If there is reason to be concerned about an employee’s performance or behavior, the
manager may resort to an informal interview to clarify or address issues to prevent the
problem from getting worse.
 An informal interview can be initiated by asking open questions such as the following:
   “How have you been finding your job lately?”
   “How is the project going so far?”
 If there are serious concerns, the manager could uncover innocent explanations such as:
   Personal issues like marital problems, bereavement or illness
   Work difficulties which may be causing tension, such as friction between colleagues,
  disillusionment, boredom or dissent
   Possible conflicts of interest which may affect the employee’s engagement with their
  work, such as ethical concerns
 If there is a clear breach of security policy or if further evidence of wrongdoing emerges,
those responsible for personnel security should be informed so that they can conduct
further investigation.

Controlling Employee Access

Organizations usually use access controls as physical security measures against outsiders.
Similar consideration should be used to prevent or minimize the risk of individuals with legitimate
access engaging in insider activities.

One measure is to require employees to wear security passes. There should be no
exceptions, even for senior management, security staff or visitors. When an individual gains access
to sensitive areas without an appropriate pass, employees are encouraged to challenge this individual
for suspicion of security breach. In addition, the security system should be periodically tested to
ensure that personnel without the appropriate pass will not easily gain access.

Screening for Insider Threat

 Insider attacks can cause significant damage to an organization. Big organizations might
rarely encounter threats of insider activity, but they should nevertheless be prepared by
establishing an effective screening regime. There is no clear pattern that can help detect
insider threat because the personality, motivation and behavior of insiders can be extremely
varied.
 The insider could be the administrative assistant who decided to exploit his access to
expensive equipment once in post, even though he had no prior intention of doing so. He
could be the public relations staff member who was recruited by an investigative journalist to take
advantage of his access to sensitive information that could destroy the organization’s
reputation. He could even be the elevator maintenance crew member who is secretly connected to a
terrorist group and deliberately applied for the job with the intention to gain access to highly
secured areas in the office.
 Screening employees to determine their vulnerability to, or active involvement in, insider
activity involves identifying those people who give cause for concern by demonstrating
suspicious behaviors or possessing individual vulnerabilities. After identifying individuals
who may give cause for concern, it is important to find a way to resolve or manage those
concerns. It is important not to overreact but to take swift, proportionate action in order to
avoid any escalation. It is equally important not to diagnose insider activity where none
exists, so organizational procedures should always be followed to ensure that the correct steps
are taken in each instance (CPNI, 2010).

Exit Procedure

An employee who leaves an organization could possibly have considerable knowledge
about its assets, operations and security vulnerabilities. If the reason for the employee’s departure
is not amicable, he might maliciously give sensitive information to the organization’s competitor. A
thorough procedure for personnel departures is therefore critical to ensure that appropriate
actions are taken to protect the organization without unnecessarily disrupting the relationship with
the departing employee. Standard procedures could include changes in the combinations for
secure cabinets, termination of IT accounts, or changes in generic passwords and remote access
codes so that an employee will no longer have access when he leaves the organization.

When an employee leaves, the organization cannot guarantee his loyalty, especially if he
left feeling badly treated, ignored or unappreciated. He would possibly not feel guilty about
damaging the organization or giving away sensitive company information. Exit procedures can be the
appropriate measures to limit this employee’s propensity to be disloyal.

As soon as managers become aware that an employee is leaving the company, they
should assess and manage the risk that this individual may pose. The manager should consider
the following:

 Is the employee leaving voluntarily or as the result of a disciplinary process or
redundancy?
 If the employee is not leaving voluntarily, what is the reason for the dismissal?
 Where are they going to work next? Would they be working for the competitor?
 How sensitive is their role and their access to organizational assets?

After assessing the risks, the following are the manager’s options depending on the
employee’s contract:

 Allow the employee to carry on working during their contractual notice period and
retain their usual access to the organization’s assets. This option could provide the
employee with an opportunity to abuse his access and damage the organization
and should therefore be used only if there is no risk.
 Allow the employee to work their contractual notice period but with reduced access
to assets (for example, using additional supervision or by allocating lower-level IT
access). This is generally considered the best course of action. If an employee is
leaving to work for a competitor, it may be appropriate to remove his access to
commercially valuable information.
 Ask the employee to leave immediately - possibly under supervision to prevent any
unauthorized act while still on the premises - and not to return for the duration of
their notice period. This could apply to employees who had extremely sensitive
positions. This is likely to cause ill feelings with the employee and should therefore
be handled with caution.

Exit procedures should also include the return of all assets, access tools and identifiers that
belong to the organization. These may include:

 Uniforms
 Security passes and/or identification cards
 Mobile phones
 Company credit cards
 Any unused personal business cards
 Keys to secure/storage areas
 Tokens for access to electronic systems
 Any books, papers, or commercially sensitive documentation
 Laptops and other remote working equipment such as flash drives
 Security containers such as security briefcases

The following additional steps should also be considered to reduce the employee’s access
to assets:

 Selectively or completely blocking the employee’s user-IDs to prevent system
access
 Changing passwords to common systems
 Making sure that measures are in place to protect the organization’s electronic
systems from malware or hacking
 Selectively or completely blocking the employee’s security pass to prevent physical
access
 Changing door codes to common areas
 Changing combinations to storage areas, where the value of assets merits it
 Cancelling the employee’s signature authority, credit card and expense accounts
and ensuring that all relevant parties are notified
 Where necessary, issuing instructions to security guards regarding the employee’s
future access to the premises

The Exit Interview

By and large, the exit interview is done with the employees about to leave the company in
order to help identify problems contributing to employee turnover. The employee’s experiences and
reasons for leaving may suggest needed changes and open the eyes of the management to adopt
a course of action that will improve the morale, improve the working conditions and increase
efficiency. Expanding the questions by including security questions can be an effective source of
information about loss.

As a security measure, the exit interview is an opportunity to:

 Remind the employee of his obligations and organizational codes of conduct
concerning access to assets like intellectual property.
 Obtain all passwords or encryption keys for files the employee has been working on
so that they can be changed accordingly.
 Recover as many of the organizational assets, access tools and identifiers as is
reasonable at the time.
 Ask the employee if they have any comments/observations about the strength (or
weakness) of the security culture, measures and procedures in place within the
organization.
