Samuel Johnson, the famous 18th century author, once commented, “We are inclined to believe those we do not know, because they have never deceived us.” That trust can be misplaced. Security directors need to ensure that processes are in place to verify the identities of their companies' employees and to control access to their companies' assets and data. Unfortunately, just buying the latest access control technology does not solve this problem. It is a process problem. Let's look at the issues behind identifying and authenticating employees.
The FIPS 201 Program
The federal government has a clear vision on this issue. They have issued a Federal Information Processing Standard (FIPS 201) that covers personal identity verification. The program has two overarching goals: to issue credentials based on “sound criteria for verifying an individual employee's identity”; and to use smart cards that are “strongly resistant to identity fraud, tampering, (and) counterfeiting.” In other words, it answers the questions “Who are these people?” and “What credentials will we give them to prove it?”
To solve the first half of the problem, the government now consistently performs an NACI investigation (National Agency Check and Inquiries) for all employees, in addition to requiring presentation of documents such as a driver's license or passport. The NACI investigation consists of a check of the FBI fingerprint and name databases, a check of several other government databases, and a five-year survey of past and present employers, schools, references and local law authorities. Candidates for higher-risk positions also undergo a credit check, and even more checks are involved for positions with security clearance.
The government is working on the second half of the problem by issuing to all government employees and contractors new, uniform smart card badges that allow multi-factor authentication and are highly resistant to tampering and cloning. The surfaces are printed with a standardized layout, and the printed data can be verified electronically.
The FIPS 201 program ensures that government workers are who they say they are, that they have a background suitable for their position, and that they can be readily and reliably identified before being given access to government facilities or systems.
Many companies in the commercial sector have a comparably integrated view of employee identification, but few go as far in verifying identity or providing a highly secure ID badge. Will FIPS 201 trickle down to the commercial sector? Should it? Let's take a deeper look.
Who Are Your Employees?
A 2005 survey by the Society for Human Resource Management (SHRM) found that only 68% of respondents always checked new hires for a criminal background. Fewer yet did enough research to verify that candidates were who they said they were.
But does this represent a significant risk? A quick look at the ADP 2006 Screening Index (created by ADP, a vendor of screening and selection services) suggests the risk is real. Among the criminal records checks ADP performed in 2005, five percent revealed an unreported criminal record. Forty-nine percent of employment, education and credential checks uncovered a resume discrepancy, and 46% of credit checks discovered a judgment, lien, bankruptcy or collection activity.
Worse, of the background checks that companies do commission, how many are done correctly? Federal, state, and local governments do not make it easy on the background investigator. There is no single database that lists all criminal convictions. Commercial firms, with rare exceptions, are not allowed to use the FBI database, and some question the completeness of that database in any case. That leaves the investigator to check each local county in which the applicant has ever lived.