ISO/IEC 27001 Control 6.1: Screening

Control

Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

Implementation Overview

MidPoint's capabilities to manage the identity lifecycle and clearances, and to enforce policy rules, are instrumental in enforcing the effects of personnel screening.

Implementation Details

Identity lifecycle capabilities can be used to make sure privileges are not assigned to users before all initial screening procedures are completed. E.g. the lifecycle status "proposed" can be used to represent a person who has an active contract but has not passed the necessary screening yet. MidPoint clearances (part of the information classification features) can be used to represent results of additional personnel screening. Policy rules can be used to enforce policies with respect to screening, e.g. enforcing that only users who have passed the screening can get access to applications containing sensitive information. Role-based access control structures can be set up to require screening for certain roles or jobs, especially for security-related tasks. Certification campaigns can be used to repeat or update screening as necessary. Micro-certifications can be used to initiate ad-hoc screening when a person is reassigned in the organizational structure or acquires a role with elevated privileges. Reporting capabilities can provide visibility, e.g. reporting personnel who have passed screening, or personnel whose screening has not been updated in a long time.

Rationale

MidPoint has supporting functionality to represent results of screenings and apply that information in policies.

Documentation

Version      Title                                       Description
4.9          Information Classification and Clearances   Using clearances to represent personnel screening
Development  Information Classification and Clearances   Using clearances to represent personnel screening
4.8          Information Classification and Clearances   Using clearances to represent personnel screening