| π Back to Exam Syllabus | πΊ RooCloud on YouTube | π RooCloud Practice Exams |
CISSP 2.1 - Personnel Security Policies & Procedures (Part 1 of 2)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series turns to the human side of security in Domain 1. Part 1 of 2 follows a hire from the written job description through screening, interviews, and onboarding, and closes with the agreements that set the rules before a new employee touches a single system.
What this episode covers
- People as weakest link and strongest asset β humans can defeat any control, yet trained staff become security partners.
- Job descriptions β defining tasks and security-sensitive duties before anyone applies, and guiding access rights.
- Keeping descriptions alive β auditing privilege on a schedule so access stays aligned with real duties.
- Screening and interviews β background check depth tracks position sensitivity; interviews stay standardized and defensible.
- Onboarding β policy-driven integration, from signing agreements to account provisioning by the IAM system.
- Least privilege β granting only the minimum permissions the job needs, at hire and at every role change.
- Employment agreement and acceptable use policy β confirming the rules, expectations, and penalties in writing.
- NDAs and non-competes β unilateral, bilateral, and multilateral nondisclosure, plus jurisdiction-dependent non-competes.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
Why are people both the weakest link and the strongest asset?
Humans can dodge, disable, or trick their way past any control you build β no lock survives a person determined to prop the door open. But the same people, once trained and motivated, become partners who watch out for the organization. Treat staff as allies you are equipping rather than a problem to contain, because every stage of a security program passes through human hands.
How does a job description shape who you hire?
It defines the role before anyone applies, spelling out the work tasks and flagging security-sensitive duties like handling classified material. Job roles map to a level of privilege, while the description maps to specific responsibilities, and those listed responsibilities become the guide for exactly which access rights you grant. Kept current after hiring, the description is the yardstick managers use to audit privilege assignments and spot access someone no longer needs.
How thorough should candidate screening be?
As thorough as the sensitivity of the position demands β a high-trust role earns a deeper background check than a routine one. Screening can include verifying work and education history, checking references, confirming identity, and reviewing criminal records, and depending on the job may add drug testing, credit checks, skills challenges, or a review of public social media. Laws on background checks and discrimination vary widely by region, so always clear your approach with legal counsel.
What happens during onboarding?
A qualified new hire gets integrated into the organization through a policy-driven process: reviewing and signing agreements, meeting managers and coworkers, learning how the work gets done, and orientation into the culture. Done well, it lifts satisfaction, speeds productivity, and reduces early turnover. This is also where the identity and access management system provisions the new account, granting only the minimum permissions the job needs under the principle of least privilege.
Which agreements should a new hire sign before touching a system?
The employment agreement lays out the organizationβs rules, the security policy, the job details, and the consequences for violations, often pointing to a separate acceptable use policy for company equipment and resources. A nondisclosure agreement stops a current or former employee from leaking confidential information β unilateral covers one-way sharing, bilateral protects both sides, and multilateral covers three or more parties. A non-compete agreement restricts joining a rival within a set region and time window, though enforceability varies hard by jurisdiction.
π Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 2.1 - Personnel Security Policies & Procedures (Part 1 of 2).