Domain 1: Security and Risk Management Module 8 of 84

Personnel Security Policies

CISSP Domain 1 — Security and Risk Management B — Risk and Continuity 9–11 minutes

What the Exam Is Really Testing

The most dangerous insider threat is often someone who was never properly offboarded. Their account still works. Their badge still opens doors. Their VPN credentials are active three months after their last day.

Personnel security is not about trusting people less — it is about building processes that do not depend on trust alone.

CISSP expects you to understand the full lifecycle of personnel security: from the moment a candidate applies to the day they leave. Every phase introduces risk, and every phase has controls designed to address that risk.

The exam is not testing whether you can recite HR procedures. It is testing whether you understand why each control exists, what category it falls into, and when it applies.


Hiring and Onboarding — Where Security Starts

Personnel security begins before someone is hired. Candidate screening is the first line of defense, and its depth should be proportional to the sensitivity of the role.

Candidate screening may include:

  • Background checks (criminal history, credit history for financial roles)
  • Employment verification
  • Reference checks
  • Education verification
  • Security clearance validation for government roles

The level of screening matches the risk. An entry-level role with no access to sensitive data warrants less scrutiny than a database administrator with access to customer financial records.

Employment agreements formalize security expectations before access is granted:

  • Non-Disclosure Agreement (NDA) — protects confidential information during and after employment
  • Non-compete agreement — restricts competitive employment (enforceability varies by jurisdiction)
  • Acceptable Use Policy (AUP) — defines permitted use of organizational resources
  • Code of conduct — establishes behavioral expectations

Onboarding security procedures should include:

  • Provisioning access based on least privilege
  • Security awareness training before system access
  • Acknowledgment of security policies
  • Assignment of assets with documented custody

The principle is straightforward: define expectations, document agreements, provision minimally.


Operational Controls — During Employment

Two controls dominate the exam in this area, and both are frequently miscategorized.

Separation of duties divides critical tasks so that no single person can complete a high-risk process alone. The classic example: the person who approves a payment should not be the same person who initiates it.

Mandatory vacations require employees in sensitive positions to take consecutive time off, during which another employee performs their duties.

Here is what the exam tests most:

Mandatory vacations are a detective control. Separation of duties is primarily a preventive control. The exam expects you to keep the two apart.

Separation of duties stops a single person from completing a high-risk process alone, so fraud requires collusion. That is prevention: the control acts before the fraudulent transaction can complete. Dividing the work also has a detective side effect, because the second person sees the first person's work and discrepancies surface, but the classification the exam wants is preventive.

Mandatory vacations work differently. They do not block anything; they surface what is already happening. When someone else steps into the role, irregularities the absent employee was maintaining become visible. Embezzlement schemes that require daily attention unravel when the perpetrator is out for two weeks. That is detection after the fact.

Job rotation is a related control, and it serves both purposes: preventive through cross-training, detective because each successor reviews the predecessor's work. By rotating employees through different positions, the organization:

  • Reduces single points of failure (cross-training)
  • Increases the chance of detecting irregularities
  • Reduces the opportunity for long-running fraud
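
The preventive/detective distinction is easier to see in code. The following Python example is added here and is not part of the original module; the entitlement names, the toxic-pair matrix and the payment log are all constructed for illustration. `approve_payment` is the preventive side (the approval is refused before it happens), while `static_conflicts` and `runtime_violations` are the detective side, run after the fact by an access review. The third payment shows why both are needed: the entitlement data says alice cannot approve, yet the log shows she did, so a static check alone would miss it.

```python
from collections import defaultdict

# Toxic combinations: pairs of entitlements one person must never hold together.
# Constructed for this example; a real matrix comes from the control owners.
TOXIC_PAIRS = {
    frozenset({"payment.initiate", "payment.approve"}),
    frozenset({"vendor.create", "payment.initiate"}),
    frozenset({"journal.post", "account.reconcile"}),
}

# Constructed entitlement assignments: user -> set of entitlements.
ENTITLEMENTS = {
    "alice": {"payment.initiate"},
    "bob": {"payment.approve"},
    "carol": {"payment.initiate", "payment.approve", "account.reconcile"},
    "dave": {"vendor.create", "payment.initiate"},
}

# Constructed payment workflow log: (payment_id, action, actor).
PAYMENT_LOG = [
    ("P-1001", "initiate", "alice"),
    ("P-1001", "approve", "bob"),
    ("P-1002", "initiate", "carol"),
    ("P-1002", "approve", "carol"),
    ("P-1003", "initiate", "alice"),
    ("P-1003", "approve", "alice"),   # not permitted by ENTITLEMENTS, yet it happened
]


def approve_payment(log, payment_id, approver):
    """Preventive control: refuse approval by whoever initiated the payment."""
    initiator = next((actor for pid, action, actor in log
                      if pid == payment_id and action == "initiate"), None)
    if initiator is None:
        raise ValueError(f"{payment_id}: nothing to approve")
    if initiator == approver:
        raise PermissionError(f"{payment_id}: {approver} initiated it and cannot approve it")
    log.append((payment_id, "approve", approver))
    return True


def static_conflicts(entitlements):
    """Detective control: users whose entitlements contain a toxic combination."""
    findings = {}
    for user, held in entitlements.items():
        hits = [tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= held]
        if hits:
            findings[user] = sorted(hits)
    return findings


def runtime_violations(log):
    """Detective control: payments that one actor both initiated and approved."""
    actors = defaultdict(dict)
    for pid, action, actor in log:
        actors[pid][action] = actor
    return sorted(pid for pid, acts in actors.items()
                  if "initiate" in acts and acts["initiate"] == acts.get("approve"))


if __name__ == "__main__":
    print("toxic entitlement combinations:", static_conflicts(ENTITLEMENTS))
    print("same actor initiated and approved:", runtime_violations(PAYMENT_LOG))
```

Run the two detective functions over the constructed data and carol and dave are flagged by entitlement, while P-1002 and P-1003 are flagged from the log; the enforcement function would have blocked both approvals had it been in the workflow.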

Termination — Friendly and Hostile

Termination procedures differ based on the circumstances, and the exam expects you to know why.

Friendly termination (voluntary resignation, retirement):

  • Exit interview conducted
  • Knowledge transfer completed
  • Access revoked on or before the last day
  • Assets returned (laptop, badge, mobile devices)
  • NDA obligations reinforced

Hostile termination (involuntary dismissal, layoff, for-cause termination):

  • Access revoked immediately — ideally before or during the notification meeting
  • Escort from premises
  • All assets collected on the spot
  • Remote access disabled simultaneously
  • Email forwarded or monitored for business continuity

The key difference is timing. In a friendly termination, you have days or weeks to manage the transition. In a hostile termination, you have minutes. The risk of retaliation, data theft, or sabotage is highest in the moments after an employee learns they are being let go.


Vendor and Contractor Personnel

Third-party personnel introduce unique risks. They operate inside your environment but answer to a different organization.

  • Contracts must define security requirements, background check standards, and acceptable access
  • Access should be time-limited and scoped to the specific engagement
  • NDAs are required before access is granted
  • Contractor access should be reviewed regularly and revoked promptly at engagement end
  • Escort policies may apply for physical access

The exam tests whether you recognize that contractor personnel require the same rigor as employees — and sometimes more, because you have less visibility into their behavior.
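
The check behind this section, and behind the opening line of the module about accounts that keep working after the last day, is a periodic access review that compares every enabled account against the owner's termination or contract end date. The Python below is an added example, not part of the original module; the roster, dates and severity scale are constructed. It flags three conditions: a credential used after the end date (critical), an account still enabled past the end date (high), and contractor access with no end date recorded at all (medium), which violates the time-limited rule above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    username: str
    kind: str                   # "employee" or "contractor"
    enabled: bool
    end_date: Optional[date]    # termination date or contract end date; None if not recorded
    last_login: Optional[date]


@dataclass
class Finding:
    username: str
    severity: str
    reason: str


def review_access(accounts, today, grace_days=0):
    """Flag enabled accounts that should have been revoked or should have an end date.

    grace_days allows a same-day or next-day revocation window for friendly
    terminations; for hostile terminations it should be 0.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled, nothing to do
        if acct.end_date is None:
            if acct.kind == "contractor":
                findings.append(Finding(acct.username, "medium",
                                        "contractor access is not time-limited"))
            continue
        days_past = (today - acct.end_date).days
        if days_past <= grace_days:
            continue  # end date not reached, or inside the agreed grace window
        if acct.last_login is not None and acct.last_login > acct.end_date:
            used = (acct.last_login - acct.end_date).days
            findings.append(Finding(acct.username, "critical",
                                    f"logged in {used} day(s) after end date; "
                                    f"still enabled {days_past} day(s) later"))
        else:
            findings.append(Finding(acct.username, "high",
                                    f"still enabled {days_past} day(s) after end date"))
    rank = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (rank[f.severity], f.username))


# Constructed roster: two employees, one resignation, three contractors.
ROSTER = [
    Account("jsmith",    "employee",   True,  None,              date(2024, 6, 13)),
    Account("mlee",      "employee",   False, date(2024, 6, 1),  date(2024, 5, 31)),
    Account("rdoe",      "employee",   True,  date(2024, 6, 13), date(2024, 6, 13)),
    Account("con-ahmed", "contractor", True,  date(2024, 5, 31), date(2024, 6, 10)),
    Account("con-bea",   "contractor", True,  date(2024, 5, 31), date(2024, 5, 28)),
    Account("con-chen",  "contractor", True,  None,              date(2024, 6, 1)),
]
TODAY = date(2024, 6, 14)

if __name__ == "__main__":
    for f in review_access(ROSTER, TODAY):
        print(f"{f.severity:8} {f.username:10} {f.reason}")
```

In the constructed data, con-ahmed is the scenario from Question 3 below with the worst outcome: the contract ended two weeks ago and the credential was used ten days later. Where the directory or IdP exports account state, this is the query to run on a schedule rather than waiting for an exit checklist.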


Personnel Safety

CISSP also covers personnel safety concerns that go beyond standard HR policies:

  • Duress — systems and procedures that allow employees to signal coercion (duress codes, silent alarms)
  • Travel security — protecting personnel and data during business travel (encrypted devices, VPN requirements, awareness of local laws)
  • Emergency procedures — ensuring personnel safety takes priority over asset protection

The exam principle: people come first. No asset, no system, and no data is worth more than human safety.


Pattern Recognition

When you see personnel security questions, look for these patterns:

  • Lifecycle thinking — security applies at every phase: hiring, onboarding, employment, termination
  • Control classification — mandatory vacations are detective, separation of duties is preventive, job rotation serves both
  • Proportional screening — background check depth matches role sensitivity
  • Timing on termination — hostile terminations require immediate access revocation
  • Third-party equivalence — contractors need the same controls as employees, sometimes stricter

Trap Patterns

The exam will tempt you with these wrong directions:

  • Swapping the classifications — separation of duties is preventive because it blocks a single actor from completing the process; mandatory vacations are detective because they surface fraud already under way rather than stopping it
  • Delaying access revocation — any answer that suggests waiting until after a hostile termination to disable access is wrong
  • Skipping the NDA — answers that grant access before agreements are signed violate basic personnel security
  • Treating contractors as lower risk — the exam considers third-party access at least as risky as employee access
  • Prioritizing assets over people — in any safety scenario, the answer that protects people wins

Scenario Practice


Question 1

A financial analyst has been with the company for eight years and has never taken more than three consecutive days off. She manages wire transfers and reconciles accounts independently.

What control should the security manager recommend FIRST?

A. Deploy additional monitoring on her workstation
B. Require a mandatory vacation of at least one consecutive week
C. Terminate the employee and investigate
D. Implement two-factor authentication for wire transfers

Answer & reasoning

Correct: B

Mandatory vacation is the appropriate detective control here. When someone else performs her duties during an extended absence, any irregularities in wire transfers or reconciliation will surface. Termination without evidence is premature, additional monitoring does not address the root issue of unchecked single-person control, and two-factor authentication only strengthens the login of the same person who still does everything.


Question 2

An employee in the IT department has been terminated for cause after a disciplinary investigation. The HR director wants to allow the employee to return to their desk to collect personal items and say goodbye to colleagues.

What should the security manager advise?

A. Allow the employee to return with an escort after access has been revoked
B. Allow the employee to return unescorted as a professional courtesy
C. Ship personal items to the employee and do not allow return access
D. Allow return access but monitor all network activity during the visit

Answer & reasoning

Correct: A

In a hostile termination, all system access must be revoked immediately. However, allowing the employee to collect personal items with an escort is a reasonable accommodation. The escort ensures the terminated employee cannot access systems, remove company assets, or cause damage. Unescorted access is unacceptable, and refusing personal item retrieval entirely may create legal issues.


Question 3

A consulting firm has embedded three contractors within the IT security team for a six-month project. The project ended two weeks ago, but the contractors still have active VPN credentials and access to the SIEM platform.

What is the MOST significant security concern?

A. The consulting firm may bill for additional hours
B. Unauthorized access persists beyond the engagement period
C. The contractors may not have signed updated NDAs
D. The SIEM platform license costs may increase

Answer & reasoning

Correct: B

Contractor access should be revoked promptly at the end of an engagement. Active credentials two weeks after project completion represent unauthorized access to security-sensitive systems. This is a failure of the offboarding process for third-party personnel, and it creates exposure to data exfiltration or unauthorized monitoring.


Key Takeaway

Personnel security on the CISSP is about process, not personality. You do not secure an organization by hiring trustworthy people and hoping for the best. You secure it by building controls into every phase of the employment lifecycle:

  • Screen before you hire
  • Document agreements before you grant access
  • Separate duties so fraud requires collusion
  • Enforce vacations so irregularities surface
  • Revoke access the moment employment ends — or sooner for hostile terminations

Trust but verify is not the CISSP approach. The CISSP approach is: build processes that work regardless of who fills the role.
