Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.5.1. Personnel Security Lifecycle

💡 First Principle: Insider threats are the most difficult security risk to defend against because insiders have authorized access by definition. Personnel security is the set of controls that reduce insider risk at every stage of the employment relationship — from before hiring to after departure.

Pre-employment:
| Control | Purpose | Caveats |
|---|---|---|
| Background check | Verify claimed credentials; discover criminal history | Scope must comply with local law (FCRA in US); some jurisdictions restrict what can be checked |
| Reference checks | Verify work history and character from prior employers | Legal constraints on what prior employers can disclose |
| Employment verification | Confirm education, certifications, dates | Credential fraud is common; verify directly with institutions |
| Social media screening | Assess character and alignment with organizational values | Privacy law variations; may not be permitted in some jurisdictions |

During employment:
  • Least privilege — Job roles define minimum necessary access; access accumulation over career tenure must be reviewed
  • Separation of duties — No single person controls an entire critical process (e.g., one person initiates payments, another approves them)
  • Job rotation — Moving employees through different roles detects fraud (accumulated cover-up activities are disrupted) and builds cross-training resilience
  • Mandatory vacation — Forces employees away from systems long enough that fraud or unauthorized activity may surface (financial sector requirement)
  • Dual control — Two authorized people must act simultaneously (e.g., two keys to launch nuclear weapons, two approvals for large wire transfers)
  • Two-person integrity — No one person is ever alone with critical assets (physical security analog of dual control)
Termination:

The termination sequence matters — and the CISSP exam tests it. The primary concern is preventing a terminated employee from taking retaliatory or opportunistic action before their access is revoked.

💡 Key Point: The CISSP exam's "what should you do FIRST?" termination question almost always has the correct answer as: notify IT to revoke access before or simultaneously with the employee notification meeting. The risk of a disgruntled employee destroying data or exfiltrating information in the window between notification and access revocation is significant.
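The during-employment controls above (least privilege, separation of duties) and the termination point both reduce to questions an access review can ask of an identity-store export. The following is an added example, not part of the original lesson: it runs over a constructed export and flags toxic entitlement pairs, access accumulated beyond a role's baseline, and access still active after a termination date. The entitlement names, roles and the review date are all assumptions.

```python
"""Access-review check (constructed example): separation-of-duties conflicts,
entitlement creep beyond the role baseline, and access surviving termination."""
from datetime import date

# Toxic combinations: holding both lets one person run a critical process
# end to end (initiate AND approve a payment). Names are assumed.
TOXIC_PAIRS = {
    frozenset({"payments:initiate", "payments:approve"}),
    frozenset({"vendor:create", "payments:approve"}),
}

# Minimum-necessary entitlements per job role (least privilege baseline).
ROLE_BASELINE = {
    "ap_clerk": {"payments:initiate", "erp:read"},
    "ap_manager": {"payments:approve", "erp:read"},
    "dba": {"db:prod:admin", "erp:read"},
}

# Constructed identity-store export: u1 has accumulated the approval right,
# u2 picked up DB admin, u3 was terminated but still holds access.
USERS = [
    {"id": "u1", "role": "ap_clerk", "terminated": None,
     "entitlements": {"payments:initiate", "erp:read", "payments:approve"}},
    {"id": "u2", "role": "ap_manager", "terminated": None,
     "entitlements": {"payments:approve", "erp:read", "db:prod:admin"}},
    {"id": "u3", "role": "dba", "terminated": date(2026, 1, 15),
     "entitlements": {"db:prod:admin", "erp:read"}},
]
REVIEW_DATE = date(2026, 2, 1)  # assumed date the review is run


def review_access(users, today):
    """Return (user_id, finding_type, sorted entitlements) tuples."""
    findings = []
    for u in users:
        ents = set(u["entitlements"])
        # Termination: any access still active after the end date is a finding.
        if u["terminated"] and u["terminated"] <= today and ents:
            findings.append((u["id"], "stale_access_after_termination", sorted(ents)))
            continue
        # Separation of duties: a toxic pair held entirely by one person.
        for pair in TOXIC_PAIRS:
            if pair <= ents:
                findings.append((u["id"], "sod_conflict", sorted(pair)))
        # Least privilege: anything beyond the role baseline is accumulated access.
        extra = ents - ROLE_BASELINE.get(u["role"], set())
        if extra:
            findings.append((u["id"], "beyond_role_baseline", sorted(extra)))
    return findings


def sample_findings():
    return review_access(USERS, REVIEW_DATE)
```

In a real program the export would come from the IAM system and the baseline from the role catalogue; the review itself is the periodic control the lesson describes.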

Vendor, consultant, and contractor agreements must define: scope of access (minimum necessary), duration, security requirements (compliance with organizational policies), right to audit, breach notification obligations, and specific termination of access procedures.

⚠️ Exam Trap: Background checks verify history — they do not predict future behavior. An employee with a clean background who becomes disgruntled or faces financial pressure can become an insider threat at any point. Ongoing monitoring (behavior analytics, access reviews) is the continuous control; background checks are only a pre-employment snapshot.

Reflection Question: A system administrator with privileged access to all production databases gives two weeks' notice. During their notice period, they continue to have full admin access. What specific risks does this create, and what controls would a mature personnel security program have in place during the notice period?

Written by Alvin Varughese, Founder, 15 professional certifications