CISSP · Security and Risk Management · 9 min read · 15 May 2026
Personnel Security: Hiring, Onboarding, Separation, and Insider Threat
People are simultaneously an organisation's greatest asset and its most significant security risk. The CISSP exam treats personnel security as a governance and process discipline: establishing the right policies, controls, and procedures to manage human risk throughout the employment lifecycle. From the hiring decision through separation, every phase carries distinct security considerations that the exam tests in scenario form.
Background Checks and Candidate Screening
The hiring process is the first opportunity to manage personnel security risk. Background checks serve to verify that candidates are who they claim to be, identify disqualifying history, and ensure that the candidate's access to sensitive information or systems is appropriate given their background.
Typical background check components include identity verification (confirming the candidate's identity using government-issued documents), criminal history checks (identifying relevant convictions that may pose a risk given the role's access), employment history verification (confirming previous employers and role descriptions to detect resume fraud), education verification (confirming claimed degrees and certifications), credit history checks (relevant for roles with financial authority or access to sensitive financial data), and reference checks (speaking with previous managers or colleagues).
For higher-sensitivity roles — positions with access to classified data, financial systems, or critical infrastructure — more extensive checks may be required: drug testing, security clearance investigations, and psychological evaluations.
For the exam: the organisation should conduct background checks appropriate to the sensitivity of the position. The exam may ask what check is most appropriate for a given role — the answer scales with the sensitivity of the access the role requires.
Onboarding Security Obligations and NDAs
Onboarding is the process of integrating a new employee into the organisation's systems and culture. From a security perspective, onboarding establishes the security relationship between the employee and the organisation.
Key security onboarding activities include: executing a Non-Disclosure Agreement (NDA) before the employee is given access to any sensitive information, completing security awareness training before access is provisioned (or at minimum, before the employee works independently with sensitive data), provisioning access according to the principle of least privilege (granting only the access required for the current role), and documenting the employee's security responsibilities and acceptable use policies through a signed Acceptable Use Policy (AUP).
NDAs are legally binding agreements that prohibit employees from disclosing confidential information to unauthorised parties. They remain in effect even after the employment relationship ends — an important point for the exam. An employee who leaves and takes customer data to a competitor has violated the NDA regardless of their employment status at the time of disclosure.
Separation of Duties as an Insider Threat Control
Separation of duties (SoD) is a control that requires two or more individuals to complete a sensitive task or transaction. By dividing critical functions between multiple parties, no single individual has the ability to commit fraud, error, or sabotage without another party's involvement.
Classic examples of separation of duties include: requiring both a financial controller and a CFO to authorise large fund transfers (preventing a single employee from conducting unauthorised transfers), requiring a developer and a separate release manager to deploy code to production (preventing a developer from deploying malicious code independently), and requiring separate individuals to create a user account and assign permissions to it (preventing unauthorised privilege grants).
Separation of duties addresses both malicious insider threats (an employee intentionally abusing their access) and non-malicious insider threats (an employee making an error that causes significant harm). In both cases, requiring a second party to complete the action provides a check on the first party.
A related control is dual control, which requires two individuals to be physically present simultaneously to perform an action — such as accessing a safe or launching a missile. Dual control is a stronger form of separation of duties.
Job rotation is a complementary control that requires employees to periodically change roles. It serves two purposes: it detects fraud that may have been concealed (a successor reviewing past work may notice anomalies), and it reduces dependence on a single person for critical functions; because nobody holds a position long enough to build entrenched working relationships, sustained collusion also becomes harder.
For the exam: separation of duties is the primary control for insider threat. It is not a detection control — it is a preventive control. It prevents a single individual from having unchecked authority over a sensitive function.
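The controls in this section can be expressed as a policy check: each sensitive action names the distinct roles that must sign off, the requester cannot approve their own request, one person cannot fill two required roles, and dual control additionally requires all approvers to be present together. This is an added example, not code from the article; the roles, names and the "session" field that stands in for physical co-presence are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Approval:
    user: str     # person who signed off
    role: str     # role they signed off in
    session: str  # constructed: identifies where/when the sign-off happened

@dataclass(frozen=True)
class Policy:
    required_roles: tuple       # each role must be filled by a different person
    dual_control: bool = False  # True: all sign-offs must share one session

def check_sod(requester, approvals, policy):
    """Return the list of violations; an empty list means the action may proceed."""
    violations = []
    role_of = {}  # approver -> role they acted in
    for a in approvals:
        if a.user == requester:
            violations.append(f"self-approval by {a.user} as {a.role}")
            continue  # the requester's own sign-off counts for nothing
        if a.user in role_of and role_of[a.user] != a.role:
            violations.append(f"{a.user} acts as both {role_of[a.user]} and {a.role}")
        role_of.setdefault(a.user, a.role)  # a person holds at most one role
    for role in policy.required_roles:
        if role not in role_of.values():
            violations.append(f"no approval from role {role}")
    if policy.dual_control and len({a.session for a in approvals}) > 1:
        violations.append("dual control: approvers were not present together")
    return violations

# Constructed policies mirroring the article's examples
WIRE_TRANSFER = Policy(required_roles=("controller", "cfo"))
SAFE_ACCESS = Policy(required_roles=("custodian_a", "custodian_b"), dual_control=True)

if __name__ == "__main__":
    ok = check_sod("alice", [Approval("bob", "controller", "s1"),
                             Approval("carol", "cfo", "s2")], WIRE_TRANSFER)
    print("transfer:", ok or "allowed")
    bad = check_sod("alice", [Approval("bob", "controller", "s1"),
                              Approval("bob", "cfo", "s1")], WIRE_TRANSFER)
    print("transfer:", bad)
```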
Termination Procedures: The Exam's Favourite Topic
Employee termination — whether voluntary or involuntary — is a high-risk event. The departing employee may become hostile, may attempt to exfiltrate data before leaving, or may retain access to systems through forgotten accounts or shared credentials.
The exam tests the correct sequence and priority of termination activities extensively. The single most important action upon employee termination is immediate revocation of access. This means disabling all accounts, revoking VPN credentials, removing from email distribution lists, and revoking physical access badges — before the employee is notified of termination if the termination is involuntary.
Why before notification? An employee who learns they are being terminated has motivation to access, copy, or damage data before their access is cut off. For involuntary terminations, best practice is to revoke access simultaneously with or immediately before the notification conversation.
Other termination activities in the correct sequence: recovering organisation-owned equipment (laptops, mobile devices, access tokens), conducting an exit interview (voluntary terminations) to gather information about security concerns, ensuring the return of all physical access devices, reminding the departing employee of ongoing NDA obligations, and notifying IT and security teams of the departure.
The exam frequently presents the question: "An employee is being terminated for cause. What is the FIRST action security should take?" The correct answer is always to revoke access — not HR paperwork, not the exit interview, not equipment collection.
Vendor and Contractor Security Agreements
Personnel security extends beyond direct employees. Contractors, consultants, and vendors who have access to the organisation's systems or data must be subject to equivalent security controls.
Key contractual elements for third-party personnel include: background check requirements (the organisation should specify that contractors must pass background checks equivalent to those of employees with similar access levels), NDA and confidentiality agreements, acceptable use policies, right-to-audit provisions, breach notification requirements, and liability clauses for security incidents caused by the contractor.
Access for contractors should be provisioned with the same least-privilege principles as employee access, and should be time-limited where possible. Contractor accounts that are no longer needed should be disabled or deleted promptly — orphaned contractor accounts are a frequent source of unauthorised access in post-breach investigations.
Insider Threat Programme
An insider threat programme is an organisational initiative that combines people, processes, and technology to detect, deter, and respond to insider threats. The CISSP exam recognises that technical controls alone are insufficient — managing insider threats requires a programme-level approach.
Key components of an insider threat programme include: a cross-functional team (security, HR, legal, and management), clearly defined indicators of concern (anomalous access patterns, large data downloads, access to systems outside normal work hours), user and entity behaviour analytics (UEBA) tools that detect deviations from baseline behaviour, clearly communicated reporting mechanisms for employees to report suspicious behaviour, and a defined response process that balances security response with employee privacy rights and legal obligations.
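The "indicators of concern" above are what a UEBA tool scores against a per-user baseline. The following added example (not from the article or any product) builds that baseline from constructed historical log lines and flags the three indicators named in the text: off-hours access, unusually large downloads, and access to systems outside the user's normal set. The log format, working-hours window and 10x threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed historical access log: timestamp,user,system,bytes_downloaded
HISTORY = """\
2026-03-02T09:15:00,dana,crm,1200000
2026-03-03T10:40:00,dana,crm,900000
2026-03-04T14:05:00,dana,hr-portal,300000
2026-03-02T08:50:00,eli,build-server,50000
2026-03-03T17:30:00,eli,build-server,70000
"""
# Constructed new events to score against that baseline
RECENT = """\
2026-03-10T02:10:00,dana,crm,1100000
2026-03-10T11:00:00,dana,crm,40000000
2026-03-11T12:00:00,eli,crm,60000
2026-03-11T13:00:00,eli,build-server,65000
"""
WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 is normal working time
LARGE_FACTOR = 10          # assumption: over 10x the user's median is "large"

def parse(text):  # CSV lines -> (datetime, user, system, bytes) tuples
    rows = []
    for line in text.strip().splitlines():
        ts, user, system, size = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, system, int(size)))
    return rows

def build_baseline(rows):  # per user: systems normally used, median download size
    systems, sizes = defaultdict(set), defaultdict(list)
    for _, user, system, size in rows:
        systems[user].add(system)
        sizes[user].append(size)
    return {u: (systems[u], median(sizes[u])) for u in systems}

def score(rows, baseline):
    """Return (timestamp, user, reasons) for each event that trips an indicator."""
    findings = []
    for ts, user, system, size in rows:
        known_systems, typical = baseline.get(user, (set(), 0))
        reasons = []
        if ts.hour not in WORK_HOURS:
            reasons.append("off-hours access")
        if typical and size > LARGE_FACTOR * typical:
            reasons.append(f"download {size} vs median {int(typical)}")
        if system not in known_systems:
            reasons.append(f"new system {system}")
        if reasons:
            findings.append((ts.isoformat(), user, reasons))
    return findings
```

Running `score(parse(RECENT), build_baseline(parse(HISTORY)))` flags dana's 02:10 login, dana's 40 MB pull and eli's first visit to crm, while eli's ordinary build-server session passes; in practice each finding goes to the cross-functional team rather than triggering automatic action.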
Exam Tip
The exam loves the question: 'What is the FIRST action upon employee termination?' The answer is always revoking access — not HR paperwork, not the exit interview. For involuntary terminations, access should be revoked before or simultaneously with the notification conversation to prevent a potentially hostile employee from abusing their access in the moments after being told they are terminated.