Does your organization conduct background checks for personnel in sensitive roles both during initial onboarding and periodically throughout their employment?
Explanation
Background checks help identify potential security risks by verifying an individual's identity, criminal history, education, employment history, and other relevant information before granting access to sensitive systems or data. Periodic re-screening is important as people's circumstances change over time, potentially introducing new risks that weren't present during initial hiring.
Evidence of compliance could include a documented background check policy specifying which roles require screening, the scope and frequency of checks, and a sample of redacted background check reports or a summary report from your HR department showing completion dates for initial and periodic checks (with personal information removed).
Implementation Example
Conduct background checks prior to onboarding new personnel for sensitive roles, and periodically repeat background checks for personnel in such roles.
ID: GV.RR-04.047
Context
- Function: GV: GOVERN
- Category: GV.RR: Roles, Responsibilities, and Authorities
- Sub-Category: Cybersecurity is included in human resources practices
Related questions
- Have organizational leaders formally documented and agreed upon their specific roles and responsibilities for cybersecurity strategy development, implementation, and assessment?
- Does leadership actively communicate expectations for a secure and ethical culture, particularly leveraging current events as teaching opportunities?
- Does your organization have a comprehensive cybersecurity risk strategy that is reviewed and updated at least annually and after significant security events?
- Does your organization conduct regular reviews to verify that individuals responsible for managing cybersecurity risk have appropriate authority and coordination mechanisms?
- Has your organization documented risk management roles and responsibilities in a formal policy?
- Has your organization formally documented the roles and responsibilities for cybersecurity risk management, including RACI (Responsible, Accountable, Consulted, Informed) designations?