[unisog] background checks on IT employees
Mike Carter
mike.carter at colorado.edu
Tue Mar 3 04:33:50 GMT 2009
Good to know ;-)
Hey, did you see some snow? Did you go driving just to show the dolts how
it works...
Brad Judy writes:
>
> At U Colorado - Boulder there were two background check options when posting
> a position: criminal and financial. Anyone putting up a position could
> choose what options they wanted to include as a requirement for the
> position. I know the criminal check was becoming standard for central IT
> positions with elevated rights to important systems or access to sensitive
> data.
>
> The checks were outsourced to this company - http://www.hireright.com/
>
> There were a couple stumbles when the outsourcing began when hiring managers
> didn't warn applicants that there was a third party requesting private
> information to conduct the background check (the hiring managers may not
> have been aware of how the process worked). We were contacted in the IT
> security office a couple times by concerned applicants, but things seem to
> smooth out quickly.
>
> Brad Judy
>
>
> ----- Original Message -----
> From: "Bryan Zimmer" <bzimmer at ucsc.edu>
> To: "UNIversity Security Operations Group" <unisog at lists.dshield.org>
> Sent: Thursday, February 26, 2009 1:19 AM
> Subject: Re: [unisog] background checks on IT employees
>
>
> > Michael, I worked for the Department of Defense a few years ago and
> > had one of their more detailed background checks run on me. Checking
> > an employee's credit is especially important when classified data is
> > involved, as there have been cases where people in desperate need of
> > money sold secrets to pay off debt. It also shows if the person you're
> > dealing with is responsible and has been able to keep a good credit
> > rating (not easy for everyone), what their past has been like, and can
> > reveal if they have assets they haven't told you about, like a
> > multimillion dollar yacht funded by selling secrets. Of course, these
> > concerns are more applicable to high security environments where you
> > *really* need to know if you can trust your employees, and are only
> > part of a more thorough background check.
> >
> > However, your credit history can be interesting to any future
> > employer, and for any position in the company, not just finance. It
> > can tell (though not necessarily accurately) whether or not you're
> > responsible, if you've been able to keep a steady source of income,
> > and if you're free of major debts. It's all information they can use
> > to make assumptions about your future performance as an employee.
> > Sure, there are problems with making those kinds of assumptions without
> > more detailed information, but it's cheaper for them than doing a more
> > thorough, accurate, and intrusive investigation.
> >
> > I hope this info helped.
> > -Bryan
> >
> >
> > On Feb 24, 2009, at 12:22 PM, McDonnell, Michael wrote:
> >
> >>
> >> In my jurisdiction, an employer cannot go to the police to have a check
> >> done. The employee must make the request and then the police provide a
> >> document to the employee, who then decides if he/she wants to provide it to
> >> the employer. For jobs where there are "persons at risk involved" (i.e.
> >> children), an employer can request that all staff be checked by the police.
> >> The police do not give the employer any details, just a summary of which
> >> employees are "clean" and which are not. The employees then have to decide
> >> if they want to provide detailed background checks to the employer (or get
> >> fired potentially for not disclosing why they were not "clean").
> >>
> >> The University I work for did not request a criminal records check from me
> >> when I joined. I thought that was weird, because other employers have done
> >> it.
> >>
> >> There is more to background checks than just police records checks though.
> >> Many employers will also perform a credit check on employees. I think the
> >> logic is that if someone is heavily in debt, you wouldn't want them to work
> >> in your finance department. I'm not sure what other justification they
> >> would have. I have known a few companies (previous clients of mine, not my
> >> employers) who performed credit checks on all labourers and sales staff (but
> >> not management). I could never understand their logic.
> >>
> >> I've never heard of a University doing a credit check. I wouldn't consent
> >> to one unless I worked in a position with substantial unsupervised purchasing
> >> authority.
> >>
> >> --
> >> Michael McDonnell, GCIA
> >> Network Security Analyst
> >> University of Alberta Libraries
> >> Information Technology Services
> >> michael.mcdonnell at ualberta.ca
> >>
> >>> -----Original Message-----
> >>> From: unisog-bounces at lists.dshield.org
> >>> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Peter Bonitatibus
> >>> Sent: Tuesday, February 24, 2009 12:18 PM
> >>> To: UNIversity Security Operations Group
> >>> Subject: Re: [unisog] background checks on IT employees
> >>>
> >>> Kirsten, reach out to the University Police, they do backgrounds for
> >>> police officers and have experience in doing them. I am sure they could
> >>> guide you...
> >>>
> >>> Peter Bonitatibus
> >>> UMass Boston Police
> >>> System Administrator
> >>>
> >>> -----Original Message-----
> >>> From: unisog-bounces at lists.dshield.org
> >>> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Petersen, Kirsten J - NET
> >>> Sent: Tuesday, February 24, 2009 4:53 AM
> >>> To: UNIversity Security Operations Group
> >>> Subject: [unisog] background checks on IT employees
> >>>
> >>> What kind of background checks are other universities conducting for IT
> >>> positions, if any? OSU is looking at how to implement new state
> >>> regulations, and would like to follow industry standards if any are
> >>> available. If anyone knows of any good resources to refer me to, I'd
> >>> appreciate it.
> >>>
> >>>
> >>> ________________
> >>> Kirsten Petersen
> >>> Network Services * Oregon State University
> >>> http://oregonstate.edu/net * irc.oregonstate.edu #osu-is
> >>> "You can't separate peace from freedom because no one
> >>> can be at peace unless he has his freedom". - Malcolm X
> >>>
> >>> _______________________________________________
> >>> unisog mailing list
> >>> unisog at lists.dshield.org
> >>> https://lists.sans.org/mailman/listinfo/unisog
> >>
> >
>
--
- Mike