What are the two common data classification schemes?

person in the position. Thus, the thoroughness of the screening process should reflect the security of the position to be filled. Background checks and security clearances are essential elements in proving that a candidate is adequate, qualified, and trustworthy for a secured position. Background checks include obtaining a candidate’s work and educational history; checking references; interviewing colleagues, neighbors, and friends; checking police and government records for arrests or illegal activities; verifying identity through fingerprints, driver’s license, and birth certificate; and holding a personal interview. This process could also include a polygraph test, drug testing, and personality testing/evaluation.

Creating Employment Agreements

When a new employee is hired, they should sign an employment agreement. Such a document outlines the rules and restrictions of the organization, the security policy, the acceptable use and activities policies, details of the job description, violations and consequences, and the length of time the position is to be filled by the employee. Many of these items may be separate documents. In such a case, the employment agreement is used to verify that the employment candidate has read and understood the associated documentation for their prospective job position.

In addition to employment agreements, there may be other security-related documentation that must be addressed. One common document is a nondisclosure agreement (NDA). An NDA is used to protect the confidential information within an organization from being disclosed by a former employee. When a person signs an NDA, they agree not to disclose any information that is defined as confidential to anyone outside of the organization. Violations of an NDA are often met with strict penalties.

Throughout the employment lifetime of personnel, managers should regularly audit the job descriptions, work tasks, privileges, and so on for every staff member.
It is common for work tasks and privileges to drift over time. This can cause some tasks to be overlooked and others to be performed multiple times. Drifting can also result in security violations. Regularly reviewing the boundaries defined by each job description in relation to what is actually occurring aids in keeping security violations to a minimum.

A key part of this review process is mandatory vacations. In many secured environments, mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. This removes the employee from the work environment and places a different worker in their position. This often results in easy detection of abuse, fraud, or negligence.

Employee Termination

When an employee must be terminated, there are numerous issues that must be addressed. A termination procedure policy is essential to maintaining a secure environment even in the face of a disgruntled employee who must be removed from the organization. The reactions of terminated employees can range from understanding acceptance to violent, destructive rage. A sensible procedure for handling terminations must be designed and implemented to reduce incidents.

The termination of an employee should be handled in a private and respectful manner. However, this does not mean that precautions should not be taken. Terminations should take place with at least one witness, preferably a higher-level manager and/or a security guard. Once the employee has been informed of their release, they should be escorted off the premises immediately. Before the employee is released, all organization-specific identification, access, or security badges as well as cards, keys, and access tokens should be collected.

When possible, an exit interview should be performed. However, this typically depends upon the mental state of the employee upon release and numerous other factors.
If an exit interview is unfeasible immediately upon termination, it should be conducted as soon as possible. The primary purpose of the exit interview is to review the liabilities and restrictions placed on the former employee based on the employment agreement, nondisclosure agreement, and any other security-related documentation.

The following list includes some other issues that should be handled as soon as possible:

- Make sure the employee returns any organizational equipment or supplies from their vehicle or home.
- Remove or disable the employee’s network user account.
- Notify human resources to issue a final paycheck, pay any unused vacation time, and terminate benefit coverage.
- Arrange for a member of the security department to accompany the released employee while they gather their personal belongings from the work area.

In most cases, you should disable or remove an employee’s system access at the same time or just before they are notified of being terminated. This is especially true if that employee is capable of accessing confidential data or has the expertise or access to alter or damage data or services. Failing to restrict released employees’ activities can leave your organization open to a wide range of vulnerabilities, including theft and destruction of both physical property and logical data.

Security Roles

A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization. Security roles are not necessarily prescribed in job descriptions because they are not always distinct or static. Familiarity with security roles will help in establishing a communications and support structure within an organization. This structure will enable the deployment and enforcement of the security policy. The following six roles are presented in the logical order in which they appear in a secured environment.
Senior manager

The organizational owner (senior manager) role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. The senior manager must sign off on all policy issues. In fact, all activities must be approved by and signed off on by the senior manager before they can be carried out. There is no effective security policy if the senior manager does not authorize and support it. The senior manager’s endorsement of the security policy indicates the accepted ownership of the implemented security within the organization. The senior manager is the person who will be held liable for the overall success or failure of a security solution and