[unisog] background checks on IT employees

Brad Judy win-hied at bradjudy.com
Sat Feb 28 15:06:07 GMT 2009


At U Colorado - Boulder there were two background check options when posting 
a position: criminal and financial.  Anyone putting up a position could 
choose what options they wanted to include as a requirement for the 
position.  I know the criminal check was becoming standard for central IT 
positions with elevated rights to important systems or access to sensitive 
data.

The checks were outsourced to this company - http://www.hireright.com/

There were a couple stumbles when the outsourcing began when hiring managers 
didn't warn applicants that there was a third party requesting private 
information to conduct the background check (the hiring managers may not 
have been aware of how the process worked).  We were contacted in the IT 
security office a couple times by concerned applicants, but things seem to 
smooth out quickly.

Brad Judy


----- Original Message ----- 
From: "Bryan Zimmer" <bzimmer at ucsc.edu>
To: "UNIversity Security Operations Group" <unisog at lists.dshield.org>
Sent: Thursday, February 26, 2009 1:19 AM
Subject: Re: [unisog] background checks on IT employees


> Michael, I worked for the Department of Defense a few years ago and
> had one of their more detailed background checks run on me. Checking
> an employee's credit is especially important when classified data is
> involved, as there have been cases where people in desperate need of
> money sold secrets to pay off debt. It also shows if the person you're
> dealing with is responsible and has been able to keep a good credit
> rating (not easy for everyone), what their past has been like, and can
> reveal if they have assets they haven't told you about, like a
> multimillion dollar yacht funded by selling secrets. Of course, these
> concerns are more applicable to high security environments where you
> *really* need to know if you can trust your employees, and are only
> part of a more thorough background check.
>
> However, your credit history can be interesting to any future
> employer, and for any position in the company, not just finance. It
> can tell (though not necessarily accurately) whether or not you're
> responsible, if you've been able to keep a steady source of income,
> and if you're free of major debts.. It's all information they can use
> to make assumptions about your future performance as an employee.
> Sure, there are problems with making those kind of assumptions without
> more detailed information, but it's cheaper for them than doing a more
> thorough, accurate, and intrusive investigation.
>
> I hope this info helped.
> -Bryan
>
>
> On Feb 24, 2009, at 12:22 PM, McDonnell, Michael wrote:
>
>>
>> In my jurisdiction, an employer cannot go to the police to have a
>> check
>> done. The employee must make the request and then the police provide a
>> document to the employee, who then decides if he/she wants to
>> provide it to
>> the employer.  For jobs where there are "persons at risk
>> involved" (i.e.
>> children), an employer can request that all staff be checked by the
>> police.
>> The police do not give the employer any details just a summary of
>> which
>> employees are "clean" and which are not.  The employees then have to
>> decide
>> if they want to provide detailed background checks to the employer
>> (or get
>> fired potentially for not disclosing why they were not "clean").
>>
>> The University I work for did not request a criminal records check
>> from me
>> when I joined.  I thought that was weird, because other employers
>> have done
>> it.
>>
>> There is more to background checks than just police records checks
>> though.
>> Many employers will also perform a credit check on employees.  I
>> think the
>> logic is that if someone is heavily in debt, you wouldn't want them
>> to work
>> in your finance department.  I'm not sure what other justification
>> they
>> would have.  I have known a few companies (previous clients of mine,
>> not my
>> employers) who performed credit checks on all labourers and sales
>> staff (but
>> not management).  I could never understand their logic.
>>
>> I've never heard of a University doing a credit check.  I wouldn't
>> consent
>> to one unless I worked in position with substantial unsupervised
>> purchasing
>> authority.
>>
>> --
>> Michael McDonnell, GCIA
>> Network Security Analyst
>> University of Alberta Libraries
>> Information Technology Services
>> michael.mcdonnell at ualberta.ca
>>
>>> -----Original Message-----
>>> From: unisog-bounces at lists.dshield.org [mailto:unisog-
>>> bounces at lists.dshield.org] On Behalf Of Peter Bonitatibus
>>> Sent: Tuesday, February 24, 2009 12:18 PM
>>> To: UNIversity Security Operations Group
>>> Subject: Re: [unisog] background checks on IT employees
>>>
>>> Kirsten, reach out to the University Police, they do backgrounds for
>>> police officers and have experience in doing them.  I am sure they
>>> could
>>> guide you...
>>>
>>> Peter Bonitatibus
>>> UMass Boston Police
>>> System Administrator
>>>
>>> -----Original Message-----
>>> From: unisog-bounces at lists.dshield.org
>>> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Petersen,
>>> Kirsten
>>> J - NET
>>> Sent: Tuesday, February 24, 2009 4:53 AM
>>> To: UNIversity Security Operations Group
>>> Subject: [unisog] background checks on IT employees
>>>
>>> What kind of background checks are other universities conducting
>>> for IT
>>> positions, if any?  OSU is looking at how to implement new state
>>> regulations, and would like to follow industry standards if any are
>>> available.  If anyone knows of any good resources to refer me to, I'd
>>> appreciate it.
>>>
>>>
>>> ________________
>>> Kirsten Petersen
>>> Network Services * Oregon State University
>>> http://oregonstate.edu/net * irc.oregonstate.edu #osu-is
>>> "You can't separate peace from freedom because no one
>>> can be at peace unless he has his freedom". - Malcolm X
>>>
>>> _______________________________________________
>>> unisog mailing list
>>> unisog at lists.dshield.org
>>> https://lists.sans.org/mailman/listinfo/unisog
>>>
>>> _______________________________________________
>>> unisog mailing list
>>> unisog at lists.dshield.org
>>> https://lists.sans.org/mailman/listinfo/unisog
>>
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog
>
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
> 



More information about the unisog mailing list