Personnel Security Policies
Contribute to and enforce personnel security policies and procedures
People are the biggest risk vector. Personnel security covers the entire employment lifecycle: screening/hiring, onboarding, transfers, and termination. Four key controls define this domain:
- Separation of Duties — prevent fraud (no single person controls an entire transaction)
- Job Rotation — detect fraud (rotating people into different roles exposes irregularities)
- Mandatory Vacation — detect fraud (forced absence reveals schemes that require daily attention)
- Least Privilege — limit blast radius (access proportional to job requirements, nothing more)
The critical exam point: for hostile terminations, the first step is always to disable access. Not confront, not collect the laptop, not schedule an exit interview. Disable access first, then everything else.
At a mature organization, personnel security covers every stage of the employment lifecycle:
- Hiring / Screening — Background checks proportional to role sensitivity. A help desk analyst gets a basic criminal check. A sysadmin with root access to financial systems gets a full background investigation including credit history, employment verification, and reference checks.
- Onboarding — Security awareness training before access is granted. Acceptable Use Policy (AUP) signed and acknowledged. Access provisioned based on least privilege — only what the role requires, nothing inherited from a previous employee in the same position.
- Transfers — Access is reviewed and adjusted. When an employee moves from Finance to Marketing, their Finance access is revoked — not just added to Marketing’s group. Access creep (accumulating permissions across roles) is a major risk that transfers expose.
- Termination (friendly) — Exit interview, return of assets, access revocation, knowledge transfer. Conducted in an orderly, respectful process.
- Termination (hostile) — Immediate access revocation first. Then escort from premises, asset collection, and legal documentation. The sequence matters: if the employee reaches their desk before access is disabled, they can destroy evidence or exfiltrate data.
The common thread: access is the primary control. Every lifecycle stage involves granting, adjusting, or revoking access based on the current role and risk level.
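The transfer and termination stages above, and the separation-of-duties control from the list at the top, are what identity governance tooling automates as joiner/mover/leaver reconciliation. The following is an added example written for this page, not code from any product or from the original text: a small role-based model in which a transfer re-derives access from the new role set (revoking what the old role granted) instead of adding to it, a separation-of-duties check catches the access creep that the additive approach produces, and a hostile termination disables the account before killing sessions and stripping entitlements. The role names, entitlement names, conflict pair and sample users are constructed for illustration.

```python
"""Joiner/mover/leaver entitlement reconciliation (added example).

Role names, entitlement names, the SoD conflict pair and the sample users
below are constructed for illustration and do not come from any real system.
"""
from dataclasses import dataclass, field

# Hypothetical role model: each role maps to the entitlements it requires.
ROLE_ENTITLEMENTS = {
    "finance-analyst":   {"erp-gl-read", "wire-initiate", "vpn"},
    "finance-manager":   {"erp-gl-read", "wire-approve", "vpn"},
    "marketing-analyst": {"crm-read", "cms-edit", "vpn"},
}

# Separation-of-duties rule: no single identity may hold both sides of a pair.
SOD_CONFLICTS = [("wire-initiate", "wire-approve")]


@dataclass
class User:
    name: str
    roles: set
    entitlements: set
    sessions: list = field(default_factory=list)  # active session / token ids
    disabled: bool = False


def required_for(roles):
    """Union of the entitlements the given roles require (the least-privilege target)."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))


def reconcile(current, roles):
    """Return (to_grant, to_revoke) so that current becomes exactly required_for(roles)."""
    required = required_for(roles)
    return required - current, current - required


def transfer(user, new_roles):
    """Mover: re-derive access from the new role set, revoking what the old roles granted."""
    grant, revoke = reconcile(user.entitlements, new_roles)
    user.entitlements = (user.entitlements | grant) - revoke
    user.roles = set(new_roles)
    return grant, revoke


def transfer_additive(user, new_roles):
    """The anti-pattern: add the new role's access and keep everything else (access creep)."""
    user.entitlements |= required_for(new_roles)
    user.roles |= set(new_roles)


def sod_violations(entitlements):
    """Conflict pairs from SOD_CONFLICTS that one identity holds simultaneously."""
    return [pair for pair in SOD_CONFLICTS if set(pair) <= entitlements]


def terminate_hostile(user):
    """Leaver (hostile): disable first, then end live sessions, then strip standing access."""
    actions = []
    user.disabled = True                     # step 1: no new authentication succeeds
    actions.append("disable-account")
    for s in user.sessions:                  # step 2: disabling does not end open sessions
        actions.append(f"kill-session:{s}")
    user.sessions = []
    for e in sorted(user.entitlements):      # step 3: remove standing entitlements
        actions.append(f"revoke:{e}")
    user.entitlements = set()
    user.roles = set()
    return actions


def demo():
    # Constructed sample: one analyst moves to marketing, another is additively
    # given the manager role and ends up able to both initiate and approve wires.
    mover = User("jdoe", {"finance-analyst"}, required_for({"finance-analyst"}), ["sess-1", "vpn-7"])
    grant, revoke = transfer(mover, {"marketing-analyst"})
    creep = User("asmith", {"finance-analyst"}, required_for({"finance-analyst"}))
    transfer_additive(creep, {"finance-manager"})
    return {
        "grant": grant,
        "revoke": revoke,
        "after_transfer": mover.entitlements,
        "creep_entitlements": creep.entitlements,
        "creep_sod": sod_violations(creep.entitlements),
        "termination": terminate_hostile(mover),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `transfer` keeps `vpn` because both roles require it, revokes `wire-initiate` because the new role does not, and the additive path leaves `asmith` holding both halves of the wire-transfer conflict pair, which is exactly the condition an access review after a transfer is meant to catch.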
| Control | Purpose | Prevents / Detects | Example |
|---|---|---|---|
| Separation of Duties | Prevent fraud | Prevents — no single person completes a sensitive transaction | Payment approver ≠ payment issuer |
| Job Rotation | Detect fraud + reduce key-person risk | Detects — new person in role discovers irregularities | Rotate financial analysts quarterly |
| Mandatory Vacation | Detect fraud | Detects — forced 2-week absence exposes schemes requiring daily attention | All finance staff take consecutive 2-week leave |
| Least Privilege | Limit blast radius | Prevents — limits damage from compromised or malicious accounts | Help desk doesn’t need domain admin |
Termination first step for a hostile employee: DISABLE ACCESS. Not confront. Not collect the laptop. Not schedule an exit interview. Disable all network and system access immediately; everything else happens after access is revoked. This is the single most tested point in personnel security. In practice “disable access” is broader than deactivating the directory account: deactivation stops new logins but does not end sessions that are already open, so also terminate active sessions and VPN tunnels, revoke tokens, API keys and SSH keys, remove MFA registrations, and rotate any shared or service credentials the person knew.
The Indispensable Employee
Mid-size company · Finance dept · $2M monthly wire transfers
A long-term finance manager, 12 years at the company and consistently rated a top performer, hasn’t taken vacation in three years. They handle all wire transfers personally and become defensive when asked to cross-train a backup.
The “indispensable employee” is a risk, not an asset. If one person is the only one who can perform a critical function, you have a single point of failure AND a fraud risk. Mandatory vacation and job rotation solve both problems simultaneously. Mandatory vacation is only a detective control if the backup actually performs the duties during the absence and the absent employee cannot log in remotely to keep the process (or the scheme) running.
In practice, pushing back on a trusted long-term employee is politically difficult. The CFO sees a loyal performer. You see a control gap. Frame it as business continuity (“what if they get hit by a bus?”) rather than accusation (“they might be stealing”). Same outcome, better reception.
On the exam: “Trust” is never a valid reason to skip controls. If the answer says “this employee is trusted, so we don’t need X” — that answer is wrong. Controls are proportional to access level, not trust level.
Your most trusted sysadmin — 15 years at the company, built most of your infrastructure — is being investigated for potential data theft. They have root access to every production system. The investigation is preliminary and may clear them.
- A Wait for the investigation to conclude. Avoid false accusation. 15 years of trust deserves the benefit of the doubt. Revoking access prematurely could damage the relationship if they’re innocent.
- B Immediately revoke elevated privileges and assign monitoring controls. This isn’t an accusation — it’s risk management. Root access to every production system is too much exposure during an active investigation.
Option B is correct — managing risk is not the same as presuming guilt
Option B: Revoking elevated privileges during an investigation is a standard security control, not a presumption of guilt. The employee retains their position and base access — only the elevated (root) access is temporarily removed. If the investigation clears them, access is restored. Meanwhile, the organization is protected from the worst-case scenario: a guilty party with root access who knows they’re being investigated.
Option A’s kernel of truth: Due process matters, and false accusations destroy morale. But Option B isn’t an accusation — it’s a temporary, proportional response to a risk. If a pilot is being investigated for substance abuse, they’re grounded during the investigation. That’s not punishment — it’s risk management.
On the exam: controls are applied based on risk level and access, never based on trust or tenure. “Wait and see” is almost always wrong when elevated privileges are involved.
When you see a hostile termination or insider threat question: “disable access” is almost always the first step. Not “confront,” not “investigate,” not “contact law enforcement.” Disable access first to prevent further damage or evidence destruction. Everything else follows. Also remember: separation of duties PREVENTS, job rotation and mandatory vacation DETECT.
- A Escort the employee from the building
- B Disable all network and system access
- C Begin a forensic investigation
- D Contact law enforcement
Correct: B. Disable all network and system access immediately to prevent further damage, data destruction, or evidence tampering. The employee is already hostile — every second with active access is a risk. Escorting (A) is important but happens after access is disabled. Forensic investigation (C) requires preserved evidence, which means access must be disabled first. Law enforcement (D) is appropriate but not the security team’s first priority — containment comes before notification.