- Conduct background checks of individuals being considered for sensitive positions. Do so with the permission of the applicants. Repeat them periodically to look for changes.
- If the position is extremely sensitive, and if it is legally allowable, consider performing a polygraph examination of the candidate.
- Have applicants and contractors in sensitive positions obtain bonding.
- Provide comprehensive and appropriate training for all new personnel and for personnel taking on new assignments. Document acceptance of security policies in writing.
- Provide refresher training on a regular basis.
- Make sure that staff have adequate time and resources to pursue continuing educational opportunities.
- Institute an ongoing user security-awareness program.
- Have regular performance reviews and monitoring. Try to resolve potential problems before they become real problems.
- Make sure that users in sensitive positions are not overloaded with work, responsibility, or stress on a frequent basis, even if they are compensated for the overload. In particular, users should be required to take holidays and vacation leave regularly.
- Monitor users in sensitive positions (without intruding on their privacy) for signs of excess stress or personal problems.
- Audit access to equipment and critical data.
- Apply policies of least privilege and separation of duties where applicable.
- When any user leaves the organization, make sure that access is properly terminated and duties transferred.
- Make sure that no user becomes irreplaceable.