HRS-01: Background Screening Policy and Procedures

Control Family: Human Resources

CSF v1.1 References:

PF v1.0 References:

This control is new to this version of the control set and incorporates the following items from the previous version: GRM-06 (Policy), GRM-09 (Policy Reviews), and HRS-02 (Background Screening).

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually.

Implementation Guidance

Personnel working under organizational control (including full-time employees, part-time employees, consultants, and temporary staff) should undergo a screening process appropriate to their role and responsibilities before they are granted access to the corporate network or systems. Where applicable legislation requires it, inform candidates beforehand about the screening activities. Personnel screening should take account of all relevant privacy, PII protection, and employment legislation and should (where permitted) include the following:

  1. Availability of satisfactory references.
  2. Verification of the applicant’s curriculum vitae, including claimed academic and professional qualifications.
  3. Independent identity verification (passports or similar documents).
  4. Additional role-specific verifications, such as a credit review if the person will have fiscal responsibilities.

The organization should consider rescreening individuals at regular intervals. Rescreening may also be warranted if the employee's responsibilities or access to confidential data have increased since the last screening. The organization should have policies that define who may screen personnel; how, when, and why screening is required; where the resulting data is stored; and what the retention period is. All screening data about personnel should be treated as PII and managed accordingly. If the screening is performed by an external entity or by another department of the organization, sensitive information that is irrelevant to the screening process (for example, historic remuneration details) should be redacted before it is shared.

Auditing Guidance

  1. Examine policy for adequacy, currency, communication, and effectiveness.
  2. Examine the process for identifying the applicable local laws, regulations, ethical requirements, and contractual constraints, and for reviewing its output.
  3. Verify that the background verification required is mapped to the risks and data classification.
  4. Examine the policy and procedures for evidence of review at least annually.
  5. Examine the Human Resources tickets raised on hire that trigger the background review, the final confirmation from the third party conducting the review that it has been completed, and evidence of how any exceptions or failed checks were addressed.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.