Financial institutions should mitigate the risks posed by IT staff by performing appropriate background checks and screening of new employees. In addition to employees, the controls in this section apply to vendor personnel, consultants, and temporary staff who support the IT function. Typically, the minimum verification considerations include:
Financial institutions should use job descriptions, employment agreements (usually for higher-level positions), training, and awareness programs to promote understanding and increase individual accountability. Management should routinely update the institution's written job descriptions. The job descriptions should confirm and promote appropriate user access rights. Employment agreements set both the expectations and the limits associated with the employee's functions. Information security awareness and training programs help support these and other management policies.
Financial institutions should establish a timely process to remove or change access rights associated with any party when appropriate. The lack of such a process may result in unauthorized or inappropriate activity. The failure to remove access rights, particularly for those individuals with high levels of privilege, represents significant risk.