Conduct background checks of individuals being considered for sensitive positions. Do so with the permission of the applicants. Repeat them periodically to look for changes.
If the position is extremely sensitive, and if it is legally allowable, consider performing a polygraph examination of the candidate.
Have applicants and contractors in sensitive positions obtain bonding.
Provide comprehensive and appropriate training for all new personnel and for personnel taking on new assignments. Document acceptance of security policies in writing.
Provide refresher training on a regular basis.
Make sure that staff have adequate time and resources to pursue continuing educational opportunities.
Institute an ongoing user security-awareness program.
Have regular performance reviews and monitoring. Try to resolve potential problems before they become real problems.
Make sure that users in sensitive positions are not overloaded with work, responsibility, or stress on a frequent basis, even if they are compensated for the overload. In particular, users should be required to take holidays and vacation leave regularly.
Monitor users in sensitive positions (without intruding on their privacy) for signs of excess stress or personal problems.
Audit access to equipment and critical data.
Apply policies of least privilege and separation of duties where applicable.
When any user leaves the organization, make sure that access is properly terminated and duties transferred.
Make sure that no user becomes irreplaceable.