Managing insider risk

Advice and guidance on reducing the risks from people within your organisation by applying good personnel security practices

Recruiting the right person

PER007

Pre-employment checks are the foundation of good personnel security. They reduce the risk of a trusted person harming your organisation or business.

Pre-employment checks allow you to:

  • confirm the identity, eligibility, suitability, and capability of a person you’re recruiting
  • find out if an applicant has concealed important information or misrepresented themselves.

Carry out pre-employment checks on everyone you’re considering employing, including existing employees changing roles, contractors, short-term staff, and secondees. Don’t skip pre-employment checks because of a person’s work experience or seniority.

 

PERSEC1
Carry out the right pre-employment checks

The three main types of pre-employment checks are:

  • baseline checks you need to do for all roles
  • optional checks to use when you identify an increased security risk
  • mandatory checks for national security clearance holders.

Some organisations may have extra baseline checks because of the nature of their work. For example, Police vetting is mandatory for roles in organisations that provide services for children.

 

Do baseline checks for all roles

You must carry out the following pre-employment checks for each person.

  • Confirm their identity
  • Confirm their nationality
  • Confirm their right to work in New Zealand
  • Check their references with their former employer
  • Conduct a criminal record check.

You can do your own pre-employment checks or get a third party, such as a recruitment agency, to do all or some of them for you.

Remember to get the applicant’s consent first. Under the Privacy Act, you should get consent in writing before you or a third party gather information from referees or other sources. You should also tell the applicant how you will use the information that is gathered.

If you use a third party, make sure you’re clear about what checks they’ll do and to what standard. It’s good practice to ask for:

  • confirmation they’ve done the checks you requested
  • copies of reference checks.

Confirm their identity

You need to check that people are who they say they are. To confirm someone’s identity, ask to see an original document, such as their passport or birth certificate.

Be mindful that:

  • some people may have an alias (for example, a previous family name)
  • some people may be known by other first names
  • naming conventions differ between cultures.

If you find unexplained discrepancies in someone’s identity documentation, ask your HR team for advice.

Meet the evidence of identity standard

When you’re doing identity checks, you must meet the standard for evidence set by the Department of Internal Affairs (DIA).

Evidence of Identity Standard(external link)

The DIA provides helpful advice on checking and confirming identity documents, such as birth certificates and passports.

View DIA factsheets on checking evidence of identity documents(external link)

Confirm their nationality

It’s important to confirm a person’s nationality as it may affect which information, assets, and work locations they can access.

Confirm their right to work in New Zealand

If you’re recruiting someone to work for your organisation in New Zealand, make sure they’re either a New Zealand citizen or have the right kind of visa to work in New Zealand.

View information about types of citizenship on govt.nz(external link)

For people who aren’t New Zealand citizens, check which visa they hold and whether the visa conditions allow them to do the job they’re applying for.

Check your applicant's visa using Immigration NZ’s VisaView(external link)

If you’re recruiting for an overseas posting

If you’re recruiting someone to work for your organisation in an overseas location, check they have the right to work in that country. For example, if your organisation has an office in China and you need to recruit someone to work there, confirm the person is eligible to work in China.

For advice to help you confirm work eligibility, contact the relevant embassy.

Check their references with their former employer

How a person has performed and behaved in the past is a good indicator of their future performance and behaviour. Checking references thoroughly gives you an opportunity to:

  • check the person can do what they say they can
  • get an insight into the person’s character.

Check that any referees are:

  • recent (from their last employer)
  • appropriate for the role (remember to also verify the person worked for the organisation, as evidenced in their CV)
  • from a legitimate source (ask your HR team for help with this if needed)
  • free from any conflicts of interest (such as being in a close personal relationship with the applicant).

It's good practice to take detailed notes from any verbal checks, such as phone conversations. File your notes for future reference.

If you have any concerns after checking references, consider doing some of the optional pre-employment checks as well.

Checking references from overseas

Overseas references can be harder to check but you should still check them as thoroughly as you can.

Conduct a criminal record check

A criminal record check helps you to identify any:

  • criminal convictions that may make a person unsuitable for the role
  • measures you might need in place to manage risk if you decide to recruit the person.

You must have the person’s consent in writing before you go ahead with a criminal record check. You also need to understand your obligations as an employer.

Learn about your obligations with criminal record checks from Employment NZ(external link)

If you’re concerned about the results of a criminal record check, some of the optional pre-employment checks might help you to get a clearer picture of the person’s trustworthiness and suitability.

Getting a New Zealand criminal record check

In New Zealand, the Ministry of Justice does criminal record checks. This is the minimum requirement for criminal record checks. More detailed information is available through police vetting. Your organisation’s policies and procedures should determine what check you request.

Ministry of Justice criminal record check versus Police vetting

A Ministry of Justice criminal record check only covers convictions. Police vetting can also include information on any contact that a person has had with the police including:

  • active charges and warrants to arrest
  • any interaction a person has had with the NZ Police, including family violence incidents and investigations that did not result in a conviction
  • information subject to name suppression where the information is necessary for vetting purposes.

A Ministry of Justice criminal record check is currently free if you request one directly from them. Police vetting currently costs $8.50 plus GST.

Getting an overseas criminal record check

When you’re doing pre-employment checks for people who are overseas residents or recent migrants, consider whether you need to do an overseas criminal record check.

Be aware that rules for requesting criminal records differ by country, and sometimes by state or territory too.

View the following guide from the United Kingdom’s Centre for the Protection of National Infrastructure for helpful advice.

How to Obtain an Overseas Criminal Records Check: Quick Reference Guide(external link)

In some places, only the person the criminal record belongs to can apply for their record. In this situation, you could ask the person to apply for their record and give you an authenticated copy of it.

Be alert to warning signs

Factors that on their own, or together, may raise concerns about a person’s integrity and suitability to work in your organisation, include:

  • any current involvement with criminal activity
  • withholding information about criminal convictions not covered by the Criminal Records (Clean Slate) Act 2004
  • false statements in a CV or job application form
  • false claims about qualifications or achievements
  • unexplained gaps in the applicant’s employment or residential history
  • adverse character references
  • conflicts of interest
  • evasive behaviour when asked to verify information they have provided
  • evasive behaviour or a refusal when asked to supply references or give consent for criminal record checks or credit checks.
  • social media presence.

Use optional checks to reduce risks you’ve identified

When you identify an increased security risk with a role or the nature of your organisation’s work, additional checks could be necessary. For example, for an IT administrator who has broad access to your organisation’s information, you may wish to take greater steps to ensure they’re trustworthy.

The additional checks you apply will depend on various factors including your organisation’s security context and culture, and operating environment.

Psychometric testing

You can use psychometric testing to test for various abilities and personality traits. This type of testing can be useful in the following situations:

  • you’re concerned about the results from baseline pre-employment checks
  • it’s difficult to assess whether someone has the abilities and traits required for the role.

Qualification check

Use a qualification check to help your organisation find out if educational qualifications, professional body memberships, or practising certificates listed in a CV are legitimate.

If a qualification is critical to the role, consider making this check mandatory to avoid serious harm to your organisation.

Make sure you sight original documents rather than copies. If you’re not sure whether the documents are genuine, consider contacting the educational institute or professional body to verify the qualification.

Checking occupational registrations

Immigration NZ’s website lists occupations that require registration in New Zealand and the contact details for authorities that can verify whether a person is registered.

Check occupational registration requirements on Immigration NZ’s website(external link)

Checking university qualifications

Some universities make their graduate databases available online so you can search a person’s name and check what qualifications they’ve achieved and when. 

Checking overseas qualifications

You can ask the New Zealand Qualifications Authority (NZQA) to check whether a qualification from overseas is recognised in New Zealand or comparable to a New Zealand qualification. This service has a fee and takes about 25 working days.

Learn more about NZQA’s service for recognition of overseas qualifications(external link)

Credit check

A credit check is a commercial check of public records associated with the applicant’s financial history and any associations with businesses.

You should do a credit check if the role carries a significant financial risk or the person will have a financial delegation. Get the person’s consent first.

Be aware that the results of credit checks can be subjective. Make sure you:

  • get an appropriately experienced person to review the results
  • have policies and processes to address any questions that a check brings up.

Remember that under the Criminal Records (Clean Slate) Act 2004, some minor offences won’t show up in a credit check if the person has completed the rehabilitation period (7 years without criminal convictions).

Bankruptcy is removed from records 4 years after a person is discharged.

Police vetting

Police vetting covers more than convictions. It also checks for:

  • active charges and warrants to arrest
  • any interaction the person had with the NZ Police, including family violence incidents and investigations that didn’t result in a conviction
  • information subject to name suppression where the information is necessary for vetting purposes.

Under the Vulnerable Children’s Act 2014, applicants for certain roles must go through police vetting.

In other situations, police vetting may give you more assurance about a person’s suitability for a role.

Before you apply for police vetting, make sure you get the person’s consent in writing and follow your obligations as an employer.

Read about your obligations with criminal history checks on Employment NZ’s website(external link)

Requesting police vetting

To request police vetting, your organisation must be registered with the Police Vetting Service.

Request a Police Vetting(external link)

Requesting an Australian criminal history check

If your organisation is registered for NZ Police vetting, you can ask to use their Australian Criminal History Checking Service.

Request an Australian National Police History Check from NZ Police(external link)

Drug and alcohol check

It might be part of your organisation’s policy to do drug and alcohol testing for roles which:

  • involve working in safety-sensitive areas
  • directly affect the safety of other people.

You may also decide these checks are appropriate when your baseline checks suggest a person may have problems with drug or alcohol use.

Get legal advice before you decide to do drug and alcohol testing as privacy and employment laws apply.

View guidance on drugs, alcohol, and work from Employment NZ(external link)

Do mandatory checks for national security clearance holders 

The vetting process for people who need a national security clearance includes mandatory checks and is carried out by the New Zealand Security Intelligence Service (NZSIS).

Be cautious about employing a person before the vetting process is complete to avoid potential employment issues.

Address any concerns from pre-employment checks

If you have any concerns arising from pre-employment checks, you should:

  • assess how the risks are likely to affect the role the person may be employed for
  • work out whether you can reduce the risks to an acceptable and manageable level.

Example scenarios

A qualification can’t be verified

You can’t verify a qualification that is essential to a role, so you decide the risk is too great and rule that person out.

A credit check reveals a small debt

A credit check reveals a small debt from many years ago, but the role doesn’t include managing finances, so you decide it’s safe to hire the person (assuming you are satisfied with the outcome of your other checks).

Record what you discover

Remember to record all:

  • concerns that come up during pre-employment checks
  • risk assessments you carry out
  • decisions you make to reduce or manage risks.

Create a risk management plan if necessary

If you employ a person with identified risks, work with them to create an individual risk management plan. Use the plan to support the person in their work, treat risks, and maintain your organisation’s security.


Setting the right expectations

PER008

Set clear expectations about security. New employees, employees changing roles, and contractors, must understand your security policies and practices as soon as possible after joining your organisation.

Baseline activities to set the right expectations

Conduct an induction to your organisation, including to your values, code of conduct, health and safety procedures, and security expectations. 
Provide security awareness training tailored to your organisation’s security risks and to the risks you’ve identified for individual roles. Make sure everyone is aware of their responsibilities for security.

Optional activities to consider

Create an individual risk management plan if an individual you employ has specific security risks. Use the plan to support the employee in their work, treat risks, and maintain your organisation’s security.

Activities for national security clearance holders

For staff who are granted a national security clearance, you must provide a security briefing. Use the briefing to help them understand their responsibilities, so they can maintain their clearance and keep your information and assets safe.
If an employee is granted a clearance with conditions (qualifications), you must develop a risk management plan to address those qualifications.


PERSEC2
Ensuring their ongoing suitability

PER009

Effective pre-employment checks reduce the risk of threats to your people, information, and assets. However, people and their circumstances can change. Changes can happen over time or suddenly as a reaction to an event. Your organisation needs to make sure that people remain suitable for having access to your information and assets.

Because people and their circumstances can change over time, you must monitor changes and events that can affect people.

Ongoing security education helps to keep your people, information, and assets safe from harm.

Do minimum checks to ensure ongoing suitability

At a minimum, your organisation must:

  • have a process for people to report security incidents and near misses
  • investigate security incidents
  • provide ongoing security awareness updates and training.

Report and respond to security incidents

You must have a system in place for reporting and responding to potential and actual security incidents. Managing incidents well helps your organisation to:

  • contain the effects
  • manage the consequences
  • recover as quickly as possible
  • learn from what happens.

At a minimum you must:

  • establish a formal security incident reporting and response procedure
  • report all personnel security incidents to the appropriate people in your organisation
  • make everyone aware of their responsibilities and the procedure for reporting security incidents.

Good communication between managers and employees, along with clear security expectations and procedures makes it easy for people to raise concerns, and report changes and incidents.

Managers and co-workers are in the best position to notice changes in a person’s behaviour or attitude. Encourage your people to report what they notice and make it easy for them to do so confidentially.

Provide ongoing security awareness updates and training

Ongoing security education helps to keep your people, information, and assets safe and secure. It also enhances your security culture. When you increase your people’s understanding of security practices and processes, you increase their ‘care factor’, and their ‘do factor’ — security becomes everyone’s responsibility.

Carry out additional ongoing checks for higher risk roles

When you identify an increased security risk related to a role or the nature of your organisation’s work, additional ongoing checks could be necessary. The checks you apply will depend on a range of factors including your organisation’s security context and culture, and operating environment.

Checks to consider

Additional checks you can consider to ensure ongoing suitability include:

  • requiring people to report any significant change in personal circumstances (for example, a divorce, new partner, bankruptcy, foreign citizenship, or new and significant debt)
  • requiring people to report any suspicious contacts
  • encouraging people to report any suspicion of ‘insider threat’
  • carrying out an engagement survey to understand how satisfied and engaged your people are
  • briefing people on the risks related to international travel
  • requiring regular police vetting
  • carrying out regular financial or credit checks
  • requiring drug and alcohol testing
  • checking regularly for conflicts of interest
  • obtaining copies of annual practising certificates.

Report significant changes in personal circumstances

Significant changes in personal circumstances can arise from many different areas: relationships, finances, health, work issues, substance abuse, or new interests and contacts.

These changes can put people under pressure. They could act irrationally or inappropriately, or be vulnerable to exploitation by others.

Reporting significant changes in circumstances helps you to manage the risk of someone:

  • breaching your security intentionally or unintentionally
  • being coerced into breaching your security by an external party.

Your people should know which changes of circumstances they need to report and who they should report them to. If you’re unsure which significant changes need to be reported, consult with your HR and security teams.

Report suspicious contacts or behaviour

Foreign officials, foreign intelligence services, and commercial, political, or issue-motivated groups can devote considerable energy to accessing information (for example, political, economic, scientific, technological, and military information).

Small pieces of information can all contribute to a valuable picture. Make sure your people understand that a seemingly innocent conversation or contact, such as an email, may be part of a wider intelligence gathering exercise. Contacts can be official (as part of a person’s role) social, or incidental and can take place in a wide variety of contexts.

Your people should complete a contact report when an official or social contact appears suspicious, ongoing, unusual, or persistent (SOUP) in any respect. This contact could be with:

  • embassy or foreign government officials within New Zealand
  • foreign officials or nationals outside New Zealand, including trade or business representatives
  • any individual or group, regardless of nationality, that seeks to obtain official or commercially sensitive information that they do not have a valid ‘need to know’.

Attempts to get information may involve techniques such as phishing or tailgating.

Brief people on the risks related to international travel

When your people travel overseas, they could be targeted by foreign intelligence services aiming to get access to classified material.

To protect your organisation and New Zealand’s interests, consider providing advice or briefing your people on the risks and the security measures they need to take. When they return, consider debriefing them to check for any contact that appears suspicious, ongoing, unusual, or persistent (SOUP).

Your employees, contractors, and secondees should:

  • consult your chief security officer before travelling to check if a security briefing is necessary
  • know what methods foreign agents may use to gather information
  • understand how to protect your organisation’s information and assets
  • know what information they must protect
  • know what information they can share and trade
  • be aware of how to manage electronic equipment.

More guidance

Carry out checks for national security clearance holders

For people who hold a national security clearance, in addition to your general ongoing suitability checks, you must:

  • provide annual security awareness updates
  • conduct security briefings
  • ensure they report any change in their personal circumstances
  • ensure they report any suspicious contacts
  • manage any emergency access to classified material
  • report changes to their security clearance level
  • review their security clearances.

More guidance

Manage role changes

It’s common for people to enter an organisation in one role and then move to another role with greater responsibilities and a higher risk profile. Not completing proper checks for the new role because the person is ‘known’ to your organisation increases the risk of problems.

Before you confirm a person in a new role, make sure you complete all required pre-employment checks and/or ongoing suitability checks to the level required for the new role.


Managing contractors

PER011

Giving a contractor access to your information and assets comes with the same security risks as for permanent employees, and some extra risks.

The main risk is that a current or former contractor will accidentally or maliciously misuse their trusted access to harm your organisation’s people, customers, assets and information, or reputation. This risk is known as the ‘insider threat’.

To protect your information and assets:

  • use the same personnel security measures with contractors as you would with permanent employees
  • consider extra measures to counter the security challenges that contractors can present.

Extra security challenges with contractors

The following challenges are common with contractors.

Gaining commitment to your security measures

If you don’t induct a contractor to your security culture or make them feel a part of the team, their commitment to your security measures may not be strong.

Knowing about competing interests

A contractor may work for a competitor before, during, and after their contract with you. If you don’t ask about conflicts of interest, you can’t assess the risks or manage them.

Renewing or extending contracts

If you renew or extend a contract without re-checking or re-verifying the contractor, you can’t easily identify new risks arising from changes in the work environment or the contractor’s life.

Moving contractors from one assignment to another

If you move a contractor from one assignment to another with a higher security profile without proper checks and a security handover, you raise the risk of problems occurring.

Guidance to help you manage contractors

To address the insider threat and extra challenges with contractors, follow the process and tips in our Guide to hiring and managing contractors (available from the Supporting Documents section below).


PERSEC3
Managing their departure

PER010

Managing people’s departure well protects your organisation’s security and reputation.

When a person leaves your organisation, they retain their knowledge of your business operations, intellectual property, official information, and security vulnerabilities. Managing their departure well will reduce the risk of this knowledge being misused.

Whether a person is leaving by choice or not, a positive exit experience reduces the risk they will misuse their knowledge of your operations, intellectual property, official information, or any security weaknesses.

Minimum departure activities

Remove access rights

Before a person leaves your organisation, you must remove their access to electronic resources, physical resources, and physical sites.

Collect security passes

Make sure the departing person returns all identification cards and access passes, including any tools that allow them remote access to your information management systems.

Make sure assets are returned 

A departing person must return all property that belongs to your organisation. Take particular care with your intellectual property or official information.

Optional actions to consider

If you identify a higher risk associated with a particular role or a person’s circumstances, consider asking them to:

  • complete an exit debrief or interview
  • sign a deed of confidentiality.

Conduct exit interviews

In addition to their broader function exit interviews give you the opportunity to remind the departing person of their obligations to protect your organisation’s information.

Exit interviews are also a good opportunity to allow the affected individual to:

  • discuss their reasons for leaving, and their attitude to your organisation and people
  • surrender any passes or access cards they hold.

Use a deed of confidentiality if the risk is high

A deed of confidentiality may be necessary to protect your organisation’s proprietary information or intellectual property.

Activities for national security clearance holders

When a person who holds a national security clearance leaves your organisation, you must carry out the baseline activities and also:

  • conduct an exit interview
  • transfer or revoke their security clearance
  • debrief them from any sensitive compartmented information briefings they hold
  • notify the New Zealand Security Intelligence Service.