5.1 Background Screening & Vetting

Back to: Data Center Physical Security Professional

Lesson 5.1: Background Screening & Vetting

1. Learning Objectives

By the end of this lesson, you will be able to:

Identify the components of a comprehensive background check (Identity, Criminal, Financial, Employment).
Explain the significance of BS 7858 (Security Screening Standard) and the “Gap Period” rule.
Differentiate between “Pre-Employment Screening” and “Continuous Vetting.”
Assess the risk of Financial Vulnerability as a vector for bribery or coercion.

2. The Insider Threat Reality

We often focus on external hackers, but an Insider has:

Authorized Access: They don’t need to break the door; they have a badge.
Knowledge: They know where the cameras have blind spots and where the backups are stored.
Trust: They are often ignored by security guards who “know them.”

Vetting is the process of validating that Trust. It is not just about finding criminals; it is about finding people who are vulnerable or dishonest.

3. The Vetting Components (The “Deep” Check)

For critical infrastructure like a Data Center, a simple “police check” is insufficient. We look for patterns of behavior.

A. Identity & Right to Work

Goal: Prove they are who they say they are.
Check: Verify Passport/ID against government databases. Check work visa status (illegal workers are susceptible to blackmail).

B. Criminal Record Check

Goal: Identify past behavior that indicates risk.
Nuance: Not all crimes disqualify a candidate. A speeding ticket is fine; fraud, theft, or arson is a hard stop.

C. Financial & Credit Check

Goal: Identify Financial Vulnerability.
The Risk: An employee with massive gambling debt or impending bankruptcy is a prime target for a competitor or criminal gang offering cash for access ($10,000 to plug in a USB drive).
Standard: We check for County Court Judgments (CCJs), bankruptcies, and high unsecured debt ratios.

D. Employment History (The 5-Year Rule)

Goal: Verify honesty and continuity.
The Standard (BS 7858): You must verify the last 5 to 10 years of employment history.
The “Gap” Rule: Any gap in employment longer than 31 days must be explained and verified (e.g., “I was traveling” $\rightarrow$ Show us the plane tickets/passport stamps).
- Why? A 6-month unexplained gap could be prison time or working for a competitor.

4. Risk Tiers: Not Everyone Needs Top Secret

Screening should be proportional to the risk.

Tier	Role Example	Screening Level
Tier 1 (Critical)	System Admins, Security Managers, Master Key Holders.	Maximum: Criminal + Financial + 10-Year History + Polygraph (in some sectors).
Tier 2 (Standard)	Marketing, HR (Non-Operational).	Standard: Criminal + 5-Year History.
Tier 3 (Vendor)	Cleaners, Caterers.	Contractual: The vendor company must certify they have vetted their staff, but you must audit their process.

Warning: Cleaners are often Tier 1 risks. They enter every room, work at night, and are often unescorted. Never underestimate the access of the janitorial staff.

5. Continuous Vetting (Re-Screening)

A background check is a snapshot in time.

Scenario: You hire “Bob” in 2020. He is clean.
Event: In 2022, Bob gets divorced and develops a gambling addiction.
The Risk: In 2023, Bob is a high-risk insider, but his 2020 background check says he is safe.

The Solution:

Periodic Re-checks: Re-run criminal and financial checks every 2–3 years for critical staff.
“Clean Slate” Policy: Encourage employees to self-report arrests or financial trouble in exchange for support rather than firing.

6. Practical Application: Resume Red Flags

Scenario: You are reviewing a CV for a Senior Network Engineer.

The CV states:

2018–2020: Worked at Google.
2020–2021: “Freelance Consultant / Sabbatical.”
2021–Present: Current Job.

The Action:

The “Freelance” period is a Red Flag.
Investigate: Ask for tax returns, client invoices, or bank statements from that period. If they cannot prove they were working, this is an unverified gap. In a high-security environment, No Proof = No Hire.