In 2002, the U.S. Congress passed a new set of rules concerning corporate ethics. The far-reaching new law, the Sarbanes-Oxley Act of 2002 (SOX), mandated changes in corporate governance, controls, audits and financial disclosures. In many—perhaps most—corporations, these controls had been inadequate or absent.
SOX requires publicly held corporations to show an ongoing effort to institute and document corporate controls to ensure honesty and ethical actions. Additionally, international security templates, such as ISO 17799, Section 6, emphasize the importance of background investigations for all employees. Performing background investigations on corporate officers, key personnel, new hires and even business partners has thus become the order of the day.
SOX is not the only driver behind the increasing pressure to conduct more comprehensive background investigations. The Department of Homeland Security strongly encourages employers to develop better controls. But the federal government is not without its own problems in this area.
Homeland Security Presidential Directive 12 mandates that agencies provide employees and contractors with secure identity badges beginning Oct. 27, 2006. The agencies must complete extensive background checks on each individual before issuing a badge. Requiring background checks and government-issued IDs for federal contract employees may overwhelm the Office of Personnel Management, which already has a backlog of security clearance investigations.
Failures in the Corporate World
Recent studies have shown that as many as half of corporate security officers believe their corporations have inadequate background checks, and that they are less involved in the vetting process than they should be. The ISO 17799 reviews we have conducted within the financial industry support similar conclusions. One could argue that 20 to 25 percent of critical employees do not receive adequate background investigations.
Nearly all organizations follow a common process for vetting potential employees. They begin by asking potential employees to fill out applications, submit resumes, and provide references. Then they either review the data with internal resources or hire a third party to produce a background check. In either case, these checks usually involve merely collecting information found in commonly available criminal and/or credit databases.
It is easy to tell when an organization cuts corners during the vetting process. When an unrelated investigation uncovers an employee’s dubious history, it’s often found that red flags were reported in the background check prior to hiring, but no one spent enough time to connect the dots. Unfortunately, organizations with these problems are simply going through the motions of collecting data, filing it under “background check,” and rushing to extend the candidate an offer without putting all the pieces together.
Words to Live By
Adjudication means just what it sounds like: judging. All too often, organizations collect substantial amounts of information on potential employees during their background investigations, only to make a half-hearted attempt at adjudicating that information.
Two additional words come into play if an organization is going to be serious about vetting potential employees: veracity and validation. The definition of veracity is truthfulness or accuracy. Validation is the act of confirming or corroborating that an applicant is in fact who he says he is.
Many organizations consider veracity the cornerstone of their vetting process. In other words, as long as the candidate is truthful on the application and the resume, he or she qualifies as a “good” candidate. But consider this: Given the monumental rise in identity theft over the last several years, couldn’t a candidate present documentation and references that paint a perfect picture of the wrong person?
For example, the candidate presents material that can be proven true—there is a record of a person by his professed name graduating from the schools disclosed in the application, or there was a person by that name employed as described on the resume. By the policy of many companies, if those hurdles have been met, then the candidate has passed the veracity test. But how do you know the candidate on paper is actually the person who will physically come to work every day? Validation.
Only after a candidate is validated can his application’s veracity be considered and an adjudication process begun. A typical, but weak, validation technique is to ask the applicant to present his or her driver’s license for review. (If you’ve ever wondered how easy it is to obtain a fake driver’s license, simply take a walk down Canal Street in Manhattan.) Instead, ask for original documents, such as a birth certificate and current utility bill. Don’t forget to contact personal references.
What Can You Do?
In November 2003, PricewaterhouseCoopers (PWC) released a white paper entitled “Key Elements of Antifraud Programs and Controls” that specifies the nature and types of positions that should be subject to a background investigation as well as the areas that should be screened. The paper also calls for better documentation of the entire process. You can download this document from the Publications section of www.pwcglobal.com.
Expect push-back from the bean-counters who will say that proper vetting is expensive and unnecessary. This is simply not true. American companies are the targets of terrorists and spies as well as common criminals. You should be able to feel confident that none of them are working for you.
Bob Wynn is the former director and CISO for the state of Georgia. For six years, he has been an instructor at the FBI National Academy in Quantico, VA.
Steve Akridge, CISSP, CISM, consults on information risk compliance issues. He has served as a state CISO and a technical director with the Defense Security Service.