S 3.50 Selection of employees

Initiation responsibility: Head of Personnel, IT Security Officer

Implementation responsibility: Supervisor, Personnel Department

When formulating the requirements, the qualifications and skills required should be specified exactly. Whether or not the applicants actually meet these requirements should initially be checked based on the documents provided and then examined in more detail during the interview.

People expected to perform security-relevant tasks (for example security personnel, Data Protection Officers, administrators, and employees with access to financial or confidential information) must be trustworthy and reliable (see also S 3.33 Security vetting of staff).

Special care must be taken to ensure that no conflicts of interest or dependencies are created that could endanger the employee's ability to perform the required tasks. Conflicts of interest arise in particular when an employee holds several roles at the same time that together grant the employee extensive rights or that are mutually incompatible. In addition, the tasks performed by employees should not be affected by conflicts of interest arising outside of the government agency or company, for example from previous jobs or other duties. In order to avoid conflicts of interest when someone changes positions, non-competition agreements and waiting periods can be agreed upon.

If the professional qualifications of an employee are inadequate in some areas, the employee must be given the opportunity to become more qualified. All employees should be trained regularly to gain and update the qualifications and skills required and should also be informed of the importance of information security (see also module S 1.13 Information security awareness and training).

These items should also be taken into account when selecting service providers and employees for temporary positions.

Review questions: