The institution should mitigate risks posed by IT staff by performing appropriate background checks and screening of new staff. The controls in this section also are relevant for third-party provider staff, consultants, and temporary personnel who support the IT function. Typically, the minimum verification considerations should include the following:
- Background checks, including confirmations of prior experience, academic credentials, professional qualifications, or criminal records. Section 19 of the Federal Deposit Insurance Act prohibits, without the prior written consent of the Federal Deposit Insurance Corporation (FDIC), a person convicted of any criminal offense involving dishonesty or breach of trust or money laundering (covered offenses), or who has agreed to enter into a pretrial diversion or similar program in connection with a prosecution for such offense, from becoming or continuing as an institution-affiliated party, owning or controlling, directly or indirectly an insured depository institution (insured institution), or otherwise participating, directly or indirectly, in the conduct of the affairs of the insured institution, See 12 U.S.C. 1829.
- Confirmation of identity from government-issued identification.
- Character references.
The institution should use job descriptions, employment agreements (usually for higher-level or higher-sensitivity positions), training, and awareness programs to promote understanding and increase individual accountability. The job descriptions should detail duties and responsibilities and be routinely updated by managers responsible for the positions with assistance from HR. Management should document and confirm access privileges for each staff member based on his or her job description. Additionally, management should establish a timely process to review, update, and remove access privileges associated with any party when appropriate. The lack of such a process may result in unauthorized or inappropriate activity. Failure to remove access privileges when appropriate, particularly for those individuals with high levels of privilege, represents significant risk.
The institution should protect the confidentiality of information about its customers and organization by having new hires sign agreements covering confidentiality, nondisclosure, and authorized use as a condition of their employment. Employment agreements set both the expectations and limits associated with the staff member's functions. Management should obtain signed confidentiality and nondisclosure agreements before granting new staff members, contractors, and temporary staff access to IT systems. In addition, management should require periodic acknowledgement of acceptable use policies for the network, software applications, Internet, e-mail, confidential data, and social media. Information security awareness and training programs help support information security and other management policies.
III.C.1 Policies, Standards, and Procedures
III.C.3 Information Security