Behind the Screen Part 2 - The 9 Questions to Ask Your Screener About Information Security
The handling and storage of data might sound like a dry IT topic, but in an era of rampant identity theft, job applicants depend on employers to protect their information.
This is no simple task.
Every day, background screeners process thousands of pieces of data. Most of it is extremely sensitive information like candidates’ names, addresses, social security numbers, dates of birth, employment history, education, motor vehicle records, credit and criminal history, and even drug testing results. Employers need to be sure that their screening partner does everything in its power to protect candidate data.
Finding a background screening partner that understands this grave responsibility can take a lot of pressure off of employers. But how do you find a partner you can trust?
Going “behind the screen,” here are the 9 essential questions that we as professional screeners would ask to evaluate a provider’s focus on information security. (For an even deeper dive, download the extended list here.)
1. Which information security standards do they adhere to?
First, find out which of the information security standards they adhere to… if any.
There are many different levels of managing information security risk among background screeners. A company's level of focus on information security is typically driven by senior management, a prior security event or client requirements. The size, scope and complexity of the screening firm also drive that level of care: larger firms with bigger risks and tighter client security requirements tend to understand the need to mitigate information security risk. Risk management should never be taken lightly, and the amount of time and money a screening provider spends on information security is usually a direct reflection of its risk tolerance.
The pyramid below shows the different levels of information security management, from basic risk management methodologies all the way up to what is considered the "Gold Standard" for information security: ISO/IEC 27001.
If your provider is serious about information security, it will have, at a minimum, an accreditation under the Background Screening Agency Accreditation Program (BSAAP) of the National Association of Professional Background Screeners (NAPBS). Ideally, it will have achieved an even higher level of certification, indicating a much greater devotion to keeping data safe. ISO/IEC 27001 certification is the Gold Standard in this arena. It takes a lot of time, money and dedication to maintain, but it is invaluable in protecting your candidates' sensitive data. One check worth making: ask for the certificate itself and confirm that its stated scope actually covers the systems, facilities and staff that will handle your candidates' data, since an ISO 27001 certificate only attests to the scope written on it.
2. Do they have clear security policy and practices?
Does your screening partner have an Information Security Policy with clear objectives that is communicated to staff through initial and ongoing training? Both are critical, and corporate roles and responsibilities should be clearly defined and audited.
The high-level objectives should cover, at a minimum: risk reduction; employee and management responsibilities; compliance with regulatory and contractual commitments; the importance of confidentiality and securing data; incident management; acceptable and unacceptable use of corporate assets; and the resources available to employees to comply with the policy.
The entire policy should also be reviewed on an annual basis or when significant changes are made to information systems, workflows or facilities.
3. What’s the screening policy for their own employees?
Does your screening provider practice what they preach? Ask your screening provider what level of background screening and drug testing is being conducted on the people who have access to sensitive information, and ask about ongoing background checks. Employees should also be bound by confidentiality agreements and understand the role they play in information security, privacy and ethics. A strong disciplinary policy should be in place to deal with offenders.
Information security must be part of a company’s culture and values. Senior management must have buy-in and be actively involved in oversight and play an active role in monitoring, measuring and improving the entire process.
4. How do they control and monitor information assets?
It is essential that your screening partner's information assets be tightly controlled and monitored to minimize the threat of information leakage. Tight policies need to be created around the storage of personally identifiable information (PII). PII must never be stored on a laptop or mobile device that the firm does not manage, and any managed device that may hold PII should have full-disk encryption and a remote-wipe capability, because a stolen unencrypted device containing PII is, by itself, a reportable breach. A background screening firm with a solid information security program has tight control over its assets and its information storage protocols.
Monitoring access to information and information systems is just as important as tracking assets. Employee access to candidate information should only be granted when it is required to do the job, and only to the records the employee is actually working on. Controlling and monitoring access in this way helps prevent an insider scenario like Edward Snowden's. There should be a formal policy on registering a user, granting access rights, and terminating access rights promptly when they are no longer needed. A formal access policy should cover all users: not just staff members, but also contractors, third parties and even clients. Conducting a periodic audit of user access rights (reconciling what each account can do against what the person's role and current employment status justify) is critical to keeping tight control over access to information.
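The periodic access-rights audit and need-to-know monitoring described above, as an added example that is not code from the original article or from any screening vendor. It assumes a hypothetical role-to-permission matrix, an HR feed of user status, an entitlement export from the screening platform, a table of which analyst is assigned to each candidate file, and an audit trail in a made-up key=value line format; all of the sample data is constructed for the example. The first review flags terminated or unknown accounts that still hold access and permissions that exceed the user's role; the second walks the audit trail and flags reads of candidate records by anyone other than the assigned analyst or an administrator.

```python
import re

# Hypothetical role-to-permission matrix (assumed for this example).
ROLE_ENTITLEMENTS = {
    "verifier": {"read_candidate", "read_education"},
    "court_researcher": {"read_candidate", "read_criminal"},
    "billing": {"read_invoice"},
    "admin": {"read_candidate", "read_education", "read_criminal",
              "read_invoice", "manage_users"},
}

# Constructed HR feed: each user's role and whether they are still employed.
USERS = {
    "alice": {"role": "verifier", "status": "active"},
    "bob": {"role": "court_researcher", "status": "terminated"},
    "carol": {"role": "billing", "status": "active"},
    "dave": {"role": "admin", "status": "active"},
    "eve": {"role": "verifier", "status": "active"},
}

# Constructed entitlement export from the screening platform.
ENTITLEMENTS = {
    "alice": {"read_candidate", "read_education"},
    "bob": {"read_candidate", "read_criminal"},          # terminated, still has access
    "carol": {"read_invoice", "read_candidate"},         # billing should not read candidates
    "dave": {"read_candidate", "read_education", "read_criminal",
             "read_invoice", "manage_users"},
    "eve": {"read_candidate", "read_education"},
    "mallory": {"read_candidate"},                       # no HR record at all
}

# Constructed case assignments: the analyst working each candidate file.
ASSIGNMENTS = {"C-1001": "alice", "C-1002": "eve"}

# Constructed audit-trail lines in a hypothetical key=value format.
ACCESS_LOG = """\
2024-03-01T09:12:03Z user=alice action=read_candidate candidate=C-1001
2024-03-01T09:14:41Z user=eve action=read_candidate candidate=C-1001
2024-03-01T10:02:17Z user=dave action=read_candidate candidate=C-1002
2024-03-01T10:30:55Z user=bob action=read_criminal candidate=C-1002
2024-03-01T11:45:09Z user=alice action=read_education candidate=C-1002
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) candidate=(?P<candidate>\S+)$"
)


def review_entitlements(users, entitlements):
    """Periodic access-rights review: compare granted permissions with what the
    HR record (role + status) justifies. Returns one finding per problem account."""
    findings = []
    for user, perms in sorted(entitlements.items()):
        record = users.get(user)
        if record is None:
            findings.append({"user": user, "finding": "unknown_user", "detail": sorted(perms)})
        elif record["status"] != "active":
            findings.append({"user": user, "finding": "stale_account", "detail": sorted(perms)})
        else:
            excess = perms - ROLE_ENTITLEMENTS.get(record["role"], set())
            if excess:
                findings.append({"user": user, "finding": "excess_privilege", "detail": sorted(excess)})
    return findings


def parse_log_line(line):
    """Parse one audit-trail line; unparseable lines are an error, not silently skipped."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def review_access_log(lines, assignments, users):
    """Need-to-know check over the audit trail: a candidate file may be read only by
    its assigned analyst or an admin, and only by an account that is still active."""
    findings = []
    for line in lines:
        ev = parse_log_line(line)
        record = users.get(ev["user"])
        if record is None or record["status"] != "active":
            findings.append({**ev, "finding": "inactive_or_unknown_user"})
        elif record["role"] != "admin" and assignments.get(ev["candidate"]) != ev["user"]:
            findings.append({**ev, "finding": "not_assigned"})
    return findings


if __name__ == "__main__":
    for f in review_entitlements(USERS, ENTITLEMENTS) + review_access_log(ACCESS_LOG, ASSIGNMENTS, USERS):
        print(f)
```

Run as written, the entitlement review reports bob (terminated but still entitled), carol (billing role holding read_candidate) and mallory (no HR record), and the log review reports eve and alice reading files they are not assigned to plus a read by bob's terminated account. Note the admin exemption in the log review: it keeps the example simple, but in practice administrative reads of candidate files should be rare and reviewed separately rather than waved through.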
5. How do they manage the risk caused by their vendors?
Third-party contractors pose some of the highest risk in just about any business process, because companies simply do not have the same level of supervision or security over third-party workers that they have over their own staff.
Target learned this the hard way. In its 2013 breach, attackers obtained network credentials belonging to a third-party HVAC contractor (reportedly through a phishing email) and used that foothold to get into Target's systems.
Both the background screening and drug testing processes require the use of several outsourced or third-party vendors. Outsourced contractors such as court or public records researchers and third-party specimen collection sites or clinics used for drug testing are just a few.
A screening provider with a solid foundation for controlling risk should properly vet and evaluate each contractor. Each should be assessed on experience and on its handling and storage of PII. Contractors should have established training protocols, security breach procedures and tight protocols for transferring and storing PII. Ongoing audits and periodic evaluations should be conducted to assess each contractor's compliance with the provider's security policies and practices.
6. How do they protect their office facility?
Weak physical building security can be a huge risk to information security. A tight policy on physical access controls for secured or sensitive areas is a must. Badge access entry and a formal policy on visitor and contractor access must be applied and followed. Policies on logging out of unattended systems, shredding sensitive documents and keeping a clear desk reduce the chance of sensitive data being read by onlookers. Monitoring systems such as badge access logs, security cameras and perimeter security should also be in place and actively monitored to reduce the risk of theft.
Companies also forget about the less obvious risks of maintenance workers and janitorial staff that are not monitored or even screened at all.
7. Are they protected from cyber-attacks?
Proper software and systems maintenance is a big part of reducing information security risk. Attackers work tirelessly to break into systems and are quick to exploit newly disclosed vulnerabilities, and cybercriminals would love to get their hands on a few thousand Social Security numbers and candidate records to sell on the black market. Enterprise-wide anti-malware protection and prompt patching of known vulnerabilities are a must to stay ahead of them.
Penetration testing and vulnerability scanning should be standard practice for reducing information security risk. Be sure that your background screening provider conducts both on a regular basis. Engaging a third-party security assessment firm further strengthens risk management by providing an unbiased outside assessment. Be sure that your provider classifies security vulnerabilities by type of risk, has procedures to remediate them on a timeline tied to their criticality, and can show you that those timelines are actually being met.
8. How do they manage an information security incident?
Security incidents and events are sure to occur, and must be managed based on severity. Be sure that your provider has a clear policy on dealing with such matters. Procedures should include containment, a root cause analysis and corrective action based on each situation. Staff members should be fully aware and trained on how to identify a potential security event and the process for reporting to management. You should have a complete understanding of your provider’s policies and your expectations for reporting incidents when it affects your candidates’ or company’s data. Notification timelines, methods of communication and a process for escalation should be established.
9. Can they stay up and running in an emergency?
Business continuity should always be a focus when selecting a provider. The hiring process typically grinds to a halt if a background check or drug test result has not been completed on your new hire, which can affect hiring, training, production and certainly profitability. Be sure your provider understands the need for redundant systems, secured colocation facilities, and secure backup and restore procedures.
Disasters happen, systems go down, and we all need to prepare for the unexpected. Your screening provider should have a solid business continuity plan, along with regular outage testing and rehearsed restore procedures to bring systems back online efficiently. Be sure you understand communication channels and resumption timelines when addressing business continuity with your partner.
At the end of the day…
Your screening provider should always be considered as a trusted partner within your hiring process. The information they provide is a critical component of the hiring, assessment and risk management process. Processing and storing sensitive and confidential information such as personally identifiable information (PII) should never be taken lightly. Have a clear understanding of information security and risk management policies before formalizing any relationship with your new or current provider. Ask the right questions and protect your candidates’ information like it was your own.
For an in-depth checklist that expands on the aforementioned categories, download these 39 questions you can use to assess your screening partner: