244 ◾ Security Strategy: From Requirements to Reality
SIDEBAR: HOW I STOLE $30 MILLION
A number of years ago we read a story recounting the assessment of a computer chip manufacturer’s security controls by a penetration testing team. The engagement included “hiring” one of the consultants as a temporary clerk in the IT department. Within hours of arriving for work, he had set up a number of interviews with department heads to discuss their security concerns. Posing as a senior security analyst, he charmed his way onto three departmental servers to “assess” their security controls. He then applied (online) for remote access privileges, which he received the following day. Using this access and the credentials he had on the departmental servers, a team of penetration testers went to work compromising a slew of internal systems. Meanwhile, the “temporary clerk” remained late one evening to walk the building with the CSO and see what he could “discover.” It didn’t take long; entering the office of one of the senior design engineers, he accessed an engineering workstation that was left logged on. Using a portable storage device, he then proceeded to download an entire set of engineering plans, at which point the CSO put an end to the exercise. In a span of three days, someone hired as a temporary clerk had orchestrated the root compromise of 24 computer systems and the theft of data valued at over $33 million!
Positive identification and full disclosure are essential components of trust and should not be bypassed or compromised for a position requiring a high level of trustworthiness.
Preemployment Testing
Preemployment testing can be used to supplement or verify applicant claims and trustworthiness. Drug screening tests are common, lie detectors less so. In between, there are a number of psychological tests, including tests designed to assess reasoning abilities, personality, and moral sense (ethics). Most are designed to be administered by professionals who can accurately assess the results, but this is a pretty expensive proposition. The alternative is self-assessment tests. The results for these tests tend to be broader and less reliable. Results are mapped against information collected from thousands of other test takers, and conclusions are generally accurate but not specific. We do not oppose the use of psychological testing as a supplemental factor in your trust evaluation; we only suggest that tests not administered by professionals be weighted appropriately.
Disqualification
Multiple people can look at the same data and come to very different conclusions. This isn’t a particularly good scenario when you are trying to make hiring decisions for positions of high trust. A consistent means of evaluation is key to the success of the process. Not only do organizations need to establish good screening criteria, but they also need to define the metrics associated with those criteria. Since the process assumes trustworthiness and looks for patterns of conduct impacting that trust, these are, for all practical purposes, disqualification metrics. These metrics will be different depending on the organization and business sector. In general, candidates for positions of high trust who falsify, omit, or misrepresent facts on their application form or résumé would be disqualified. Egregious criminal or vehicular offenses or a pattern of fiscal irresponsibility are other disqualifiers. Defining your disqualification criteria assures a consistent screening result and may help guard against claims of favoritism or prejudice.
Rescreening
Rescreening, as already noted, is a periodic reaffirmation of an employee’s trustworthiness. It is usually carried out in the background; that is, it does not require the employee’s participation, but it is wise to inform the employee that rescreening is taking place. Getting notification that your company just pulled your credit history can be a little disconcerting if you weren’t expecting it. Rescreening follows the same processes used above to collect and evaluate data except