Chapter 6

Human Resources Security

Is it possible that people are simultaneously an organization’s most valuable asset and their most dangerous threat? Study after study cites people as the weakest link in cybersecurity. Because cybersecurity is primarily a people-driven process, it is imperative that the cybersecurity program be faithfully supported by information owners, custodians, and users.

For an organization to function, employees need access to information and information systems. Because we are exposing valuable assets, we must know our employees’ backgrounds, education, and weaknesses. Employees must also know what is expected of them; from the very first contact, the organization needs to deliver the message that security is taken seriously. Conversely, candidates and employees provide employers with a great deal of personal information. It is the organization’s responsibility to protect employee-related data in accordance with regulatory and contractual obligations.

Before employees are given access to information and information systems, they must understand organizational expectations, policies, handling standards, and consequences of noncompliance. This information is generally codified into two agreements: a confidentiality agreement and an acceptable use agreement. Acceptable use agreements should be reviewed and updated annually and redistributed to employees for signature. An orientation and training program should be designed to explain and expand upon the concepts presented in the agreements. Even long-standing employees continually need to be reeducated about security issues. NIST has invested significant resources in developing a role-based Security Education, Training, and Awareness (SETA) model. Although designed for government, the model is on target for the private sector.

We begin this chapter with examining the security issues associated with employee recruitment, onboarding, user provisioning, career development, and termination. We then discuss the importance of confidentiality and acceptable use agreements. Last, we focus on the SETA training methodology. Throughout the chapter, we codify best practices into human resources security policy.

• Recruitment: This stage includes all the processes leading up to and including the hiring of a new employee.

• Onboarding: In this stage, the employee is added to the organization’s payroll and benefits systems.

• User provisioning: In this stage, the employee is assigned equipment as well as physical and technical access permissions. The user provisioning process is also invoked whenever there is a change in the employee’s position, level of access required, or termination.

• Orientation: In this stage, the employee settles into the job, integrates with the corporate culture, familiarizes himself with co-workers and management, and establishes his role within the organization.

• Career development: In this stage, the employee matures in his role in the organization. Professional development frequently means a change in roles and responsibilities.

• Termination: In this stage, the employee leaves the organization. The specific processes are somewhat dependent on whether the departure is the result of resignation, firing, or retirement. Tasks include removing the employee from the payroll and benefits system, recovering information assets such as his smartphone, and deleting or disabling user accounts and access permissions.

• Off-boarding: The process for transitioning employees out of an organization. This includes documenting the separation or termination details, tasks and responsibilities prior to departure, knowledge transfer, an exit interview (if applicable), the deletion of all user credentials and any other access the user had.

  

  FIGURE 6-1 The Employee Life Cycle

With the exception of career development, we are going to examine each of these stages in relation to cybersecurity concepts, safeguards, and policies.

• It conveys the mission of the organization.

• It describes the position in general terms.

• It outlines the responsibilities of the position.

• It details the necessary skill set.

• It states the organization’s expectations regarding confidentiality, safety, and security. The goal of this characteristic is to deliver the message that the organization has a commitment to security and that all employees are required to honor that commitment.

What should not be in either version of the job description is information regarding specific systems, software versions, security configurations, or access controls.

You are the Chief Executive Officer (CEO) of a Fortune 1000 financial services company. You are responsible to the stockholders and accountable to the government for the actions of your business. How much do you need to know about your new Chief Financial Officer (CFO)?

You are the Head of Medicine at your local hospital. You are responsible for maintaining the health of your patients and for guaranteeing their right to privacy. How much do you need to know about the new emergency room intake nurse?

In all three cases, the information owner wants assurance that the user will treat the information appropriately in accordance with its classification. One of the standards in determining who should have access is defining the user criteria. These criteria extend to their background: education, experience, certification/license, criminal record, and financial status. In addition, we must consider the amount of power or influence the employee will have in the organization.

For example, we expect that a CFO will have access to confidential financial records and sensitive corporate strategy documents. In addition, the CFO has the power to potentially manipulate the data. In this case, we need to be concerned about both the confidentiality and the integrity of the information. It seems obvious that the CFO needs to be held to a high standard. He should have a spotless criminal record and not be under any financial pressure that may lead to inappropriate activities such as embezzlement. Unfortunately, as corporate scandals such as Enron, Adelphia, HealthSouth, and Tyco have shown us, those in power do not always act in the best interest of the organization. The organization needs to proactively protect itself by conducting background and reference checks on potential employees and directors. The same holds true for positions of less prominence, such as a salesperson or intake nurse. Although these positions may have less power, the potential for misuse still exists.

Not all potential employees need to undergo the same level of scrutiny. It is the responsibility of the information owner to set standards based on level of information access and position.

The various types of background checks are as follows:

• Educational: Verification that all educational credentials listed on the application, resume, or cover letter are valid and have been awarded.

• Employment: Verification of all relevant previous employment as listed on the application, resume, or cover letter.

• License/certification: Verification of all relevant licenses, certifications, or credentials.

• Credit history: Checking the credit history of the selected applicant or employee. Federal laws prohibit discrimination against an applicant or employee because of bankruptcy. Federal law also requires that applicants be notified if their credit history influences the employment decision.

• Criminal history: Verification that the selected applicant or employee does not have any undisclosed criminal history.

It is important to have a policy that sets the minimum standards for the organization yet affords information owners the latitude to require additional or more in-depth background checks or investigations. This is an example of a policy that in the development stage may need to involve outsiders, such as legal counsel or employee representatives. Many organizations have union labor. The union contract may forbid the background checks. This policy would need to be incorporated into the next round of negotiations. The following are rules you should be aware of:

• Employee’s right to privacy: There are legal limits on the information you can gather and use when making employment decisions. Workers have a right to privacy in certain personal matters, a right they can enforce by suing you if you pry too deeply. Make sure your inquiries are related to the job. Stick to information that is relevant to the job for which you are considering the worker. Different regulatory bodies such as Article 88 of the European Union General Data Protection Regulation (GDPR) include strict rules around the processing of data and privacy in the context of employment.

• Getting consent: Although not universally required by law, conventional wisdom recommends asking candidates to agree to a background check. Most organizations include this request on their application forms and require the applicant to agree in writing. By law, if a candidate refuses to agree to a reasonable request for information, you may decide not to hire the worker on that basis.

• Using social media: Social media sites are increasingly being used to “learn more” about a candidate. They are also used as recruiting platforms. According to HireRight’s 2017 Benchmark Report, several organizations use social media to conduct pre-hire background checks. However, according to the same report, “in the transportation sector, only nine percent of companies surveyed turn to social media when conducting pre-hire background checks. The decline in the practice is becoming widespread throughout other industries as well.” Social media profiles include information such as gender, race, and religious affiliation. The law prohibits the use of this information for hiring. Access to this info could have the organization subject to discrimination charges. Legal experts recommend that organizations have a non-decision maker conduct the search and provide to the decision maker(s) only relevant job-related information.

• Educational records: Under the Family Educational Rights and Privacy Act (FERPA), schools must have written permission to release any information from a student’s education record. For more information on obtaining records under FERPA, go to www.ed.gov.

• Motor vehicle records: Under the federal Drivers Privacy Protection Act (DPPA), the release or use by any state DMV (or any officer, employee, or contractor thereof) of personal information about an individual obtained by the department in connection with a motor vehicle record is prohibited. The latest amendment to the DPPA requires states to get permission from individuals before their personal motor vehicle record may be sold or released to third-party marketers.

• Financial history: According to the Federal Trade Commission (FTC), you may use credit reports when you hire new employees and when you evaluate employees for promotion, reassignment, and retention, as long as you comply with the Fair Credit Reporting Act (FCRA). Sections 604, 606, and 615 of the FCRA spell out employer responsibilities when using credit reports for employment purposes. These responsibilities include the requirement of notification if the information obtained may result in a negative employment decision. The Fair and Accurate Credit Transaction Act of 2003 (FACTA) added new sections to the federal FCRA, intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA. For more information on using credit reports and the FCRA, go to www.ftc.gov.

• Bankruptcies: Under Title 11 of the U.S. Bankruptcy Code, employers are prohibited from discriminating against someone who has filed for bankruptcy. Although employers can use a negative credit history as a reason not to hire, employers cannot use bankruptcy as a sole reason.

• Criminal record: The law on how this information can be used varies extensively from state to state.

• Workers’ Compensation history: In most states, when an employee’s claim goes through Workers’ Compensation, the case becomes public record. An employer may use this information only if an injury might interfere with one’s ability to perform required duties. Under the federal Americans with Disabilities Act, employers cannot use medical information or the fact an applicant filed a Workers’ Compensation claim to discriminate against applicants.

Obtaining a U.S. government security clearance involves a four-phase process:

1. Application phase: This phase includes verification of U.S. citizenship, fingerprinting, and completion of the Personnel Security Questionnaire (SF-86).

2. Investigative phase: This phase includes a comprehensive background check.

3. Adjudication phase: During this phase, the findings from the investigation are reviewed and evaluated based on 13 factors determined by the Department of Defense. Examples of these factors include criminal and personal conduct, substance abuse, and any mental disorders.

4. Granting (or denial) of clearance at a specific level: To obtain access to data, clearance and classification must match. For example, to view Top Secret information, the person must hold Top Secret clearance. However, merely having a certain level of security clearance does not mean one is authorized to access the information. To have access to the information, one must possess two elements: a level of security clearance at least equal to the classification of the information and an appropriate “need to know” the information in order to perform one’s duties.

The purpose of Form I-9 is to prove that each new employee (both citizen and noncitizen) is authorized to work in the United States. Employees are required to provide documentation that (a) establishes both identity and employment authorization or (b) documents and establishes identity and (c) documents and establishes employment authorization. Employees provide original documentation to the employer, who then copies the documents, retains a copy, and returns the original to the employee. Employers who hire undocumented workers are subject to civil and criminal penalties per the Immigration Reform and Control Act of 1986. For an example of an I-9 form, visit https://www.uscis.gov/i-9. As shown on page 9 of this document, the required documents may contain NPPI and must be safeguarded by the employer.

Completion of Form W-4 is required in order for employers to withhold the correct amount of income tax from employee pay. Information on this form includes complete address, marital status, social security number, and number of exemptions. Additionally, according to the W-4 Privacy Act Notice, routine uses of this information include giving it to the Department of Justice for civil and criminal litigation; to cities, states, the District of Columbia, and U.S. commonwealths and possessions for use in administering their tax laws; and to the Department of Health and Human Services for use in the National Directory of New Hires. They may also disclose this information to other countries under a tax treaty, to federal and state agencies to enforce federal nontax criminal laws, or to federal law enforcement and intelligence agencies to combat terrorism. The confidentiality of information provided on Form W-4 is legally protected under 26 USC § 6103: Confidentiality and Disclosure of Returns and Return Information.

One important step toward securing your infrastructure and effective identity management practices is to ensure that you can manage user accounts from one single location regardless of where these accounts were created. Although the majority of organizations will have their primary account directory on-premise, hybrid cloud deployments are on the rise, and it is important that you understand how to integrate on-premise and cloud directories and provide a seamless experience to the end user, and to also manage onboarding of new employees and deleting accounts for departing employees. To accomplish this hybrid identity scenario, it is recommended that you synchronize and federate your on-premise directory with your cloud directory. A practical example of this is using Active Directory Federation Services (ADFS). We discuss role-based access controls and other identity management topics later in the book.

• Electronic monitoring includes phone, computer, email, mobile, text, Internet access, and location (GPS-enabled devices).

• Camera monitoring includes on-premise locations, with the exception of cameras in restrooms or locker rooms where employees change clothes, which is prohibited by law.

• Personal searches extend to searching an employee, an employee’s workspace, or an employee’s property, including a car, if it is on company property. Personal searches must be conducted in accordance with state regulations.

A company should disclose its monitoring activities to employees and get written acknowledgment of the policy. According to the American Bar Association, “an employer that fails to adopt policies or warnings or acts inconsistently with its policies or warnings may find that the employee still has a reasonable expectation of privacy.” The lesson is that companies must have clear policies and be consistent in their application. Privacy expectations should be defined in the cybersecurity policy, acknowledged in the signed acceptable use agreement, and included in login banners and warnings.

How termination is handled depends on the specific circumstances and transition arrangements that have been made with the employee. However, in situations where there is any concern that an employee may react negatively to being terminated or laid off, access to the network, internal, and web-based application, email, and company owned social media should be disabled prior to informing the employee. Similarly, if there is any cause for concern associated with a resignation or retirement, all access should be disabled. If the employee is leaving to work for a competitor, the best bet is to escort them off the property immediately. In all cases, make sure not to forget about remote access capabilities.

Confidentiality agreements perform several functions. First and most obviously, they protect confidential, technical, or commercial information from disclosure to others. Second, they can prevent the forfeiture of valuable patent rights. Under U.S. law and in other countries as well, the public disclosure of an invention can be deemed as a forfeiture of patent rights in that invention. Third, confidentiality agreements define exactly what information can and cannot be disclosed. This is usually accomplished by specifically classifying the information as such and then labeling it appropriately (and clearly). Fourth, confidentiality agreements define how the information is to be handled and for what length of time. Last, they state what is to happen to the information when employment is terminated or, in the case of a third party, when a contract or project ends.

• The introduction sets the tone for the agreement and emphasizes the commitment of the leadership of the organization.

• Data classifications define (and include examples of) the classification schema adopted by the organization.

• Applicable policy statements include Authentications & Password Controls, Application Security, Messaging Security (including email, instant message, text, and video conferencing), Internet Access Security, Remote Access Security, Mobile Device Security, Physical Access Security, Social Media, Incident Use of Information Resources, Expectation of Privacy, and Termination.

• Handling standards dictate by classification level how information must be stored, transmitted, communicated, accessed, retained, and destroyed.

• Contacts should include to whom to address questions, report suspected security incidents, and report security violations.

• The Sanctions for Violations section details the internal process for violation as well as applicable civil and criminal penalties for which the employee could be liable.

• The Acknowledgment states that the user has read the agreement, understands the agreement and the consequences of violation, and agrees to abide by the policies presented. The agreement should be dated, signed, and included in the employee permanent record.

“Federal agencies and organizations cannot protect the confidentiality, integrity, and availability of information in today’s highly networked systems environment without ensuring that all people involved in using and managing IT:

• Understand their roles and responsibilities related to the organizational mission;

• Understand the organization’s IT security policy, procedures, and practices;

• Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.

“The ‘people factor’—not technology—is key to providing an adequate and appropriate level of security. If people are the key, but are also a weak link, more and better attention must be paid to this ‘asset.’

“A strong IT security program cannot be put in place without significant attention given to training agency IT users on security policy, procedures, and techniques, as well as the various management, operational, and technical controls necessary and available to secure IT resources. In addition, those in the agency who manage the IT infrastructure need to have the necessary skills to carry out their assigned duties effectively. Failure to give attention to the area of security training puts an enterprise at great risk because security of agency resources is as much a human issue as it is a technology issue.

“Everyone has a role to play in the success of a security awareness and training program, but agency heads, Chief Information Officers (CIOs), program officials, and IT security program managers have key responsibilities to ensure that an effective program is established agency wide. The scope and content of the program must be tied to existing security program directives and established agency security policy. Within agency IT security program policy, there must exist clear requirements for the awareness and training program.”

In addition, NIST created the National Initiative for Cybersecurity Education (NICE) and defined it NIST Special Publication 800-181. The NICE Cybersecurity Workforce Framework (NICE Framework) is designed to provide guidance on how to identify, recruit, develop, and retain cybersecurity talent. According to NIST, “it is a resource from which organizations or sectors can develop additional publications or tools that meet their needs to define or provide guidance on different aspects of workforce development, planning, training, and education.”

Details about the NICE Cybersecurity Workforce Framework can be obtained at the NIST Special Publication 800-181, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf, and at the NICE Framework website: https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework.

Education is management-oriented. In the field of cybersecurity, education is generally targeted to those who are involved in the decision-making process: classifying information, choosing controls, and evaluating and reevaluating security strategies. The person charged with these responsibilities is often the information owner.

Prior to hire, candidates should be subject to background checks, which may include criminal record, credit record, and licensure verification. Employers should request consent prior to conducting background checks. There are legal limits on the information that can be used to make employment decisions. Rules to be aware of include worker’s right to privacy, social media restrictions, and regulatory restraints related to credit, bankruptcy, workers compensation, and medical information.

Many U.S. government jobs require that the prospective employee have the requisite security clearance and, in addition to the standard screening, the employer will investigate an individual’s loyalty, character, trustworthiness, and reliability to ensure that he or she is eligible for access to national security–related information.

Confidentiality and acceptable use agreements should be a condition of employment. A confidentiality agreement is a legally binding obligation that defines what information can be disclosed, to whom, and within what time frame.

An acceptable use agreement is an acknowledgment of organization policy and expectations. An acceptable use agreement should include information classifications, categorized policy statements, data-handling standards, sanctions for violations, and contact information for questions. The agreement should disclose and clearly explain the organization’s privacy policy and the extent of monitoring the employee should expect. Training and written acknowledgment of rights and responsibilities should occur prior to being granted access to information and information systems. Organizations will reap significant benefits from training users throughout their tenure. Security awareness programs, security training, and security education all serve to reinforce the message that security is important. Security awareness programs are designed to remind the user of appropriate behaviors. Security training teaches specific skills. Security education is the basis of decision making.

From a security perspective, termination is fraught with danger. How termination is handled depends on the specific circumstances and transition arrangements that have been made with the employee. Regardless of the circumstance, organizations should err on the side of caution and disable or remove network, internal, web-based application, email, and company-owned social media rights as soon as possible.

Human Resources policies include job recruitment, personnel screening, employee agreements, user provisioning, electronic monitoring, cybersecurity training, and employee termination.

A. The employee life cycle spans recruitment to career development.

B. The employee life cycle spans onboarding to orientation.

C. The employee life cycle spans user provision to termination.

D. The employee life cycle spans recruitment to termination.

2. At which of the following phases of the hiring process should personnel security practices begin?

A. Interview

B. Offer

C. Recruitment

D. Orientation

3. A published job description for a web designer should not include which of the following?

A. Job title

B. Salary range

C. Specifics about the web development tool the company is using

D. Company location

4. Data submitted by potential candidates must be ____________.

A. protected as required by applicable law and organizational policy

B. not protected unless the candidate is hired

C. stored only in paper form

D. publicly accessible

5. During the course of an interview, a job candidate should be given a tour of which of the following locations?

A. The entire facility

B. Public areas only (unless otherwise authorized)

C. The server room

D. The wiring closet

6. Which of the following facts is an interviewer permitted to reveal to a job candidate?

A. A detailed client list

B. The home phone numbers of senior management

C. The organization’s security weaknesses

D. The duties and responsibilities of the position

7. Which of the following statements best describes the reason for conducting background checks?

A. To verify the truthfulness, reliability, and trustworthiness of the applicant

B. To find out if the applicant ever got in trouble in high school

C. To find out if the applicant has a significant other

D. To verify the applicant’s hobbies, number of children, and type of house

8. Which of the following is not a background check type?

A. Credit history

B. Criminal history

C. Education

D. Religious or Political

9. Social media profiles often include gender, race, and religious affiliation. Which of the following statements best describes how this information should be used in the hiring process?

A. Gender, race, and religious affiliation can legally be used in making hiring decisions.

B. Gender, race, and religious affiliation cannot legally be used in making hiring decisions.

C. Gender, race, and religious affiliation are useful in making hiring decisions.

D. Gender, race, and religious affiliation listed in social media profiles should not be relied upon because they may be false.

10. Under the Fair Credit Reporting Act (FCRA), which of the following statements is true?

A. Employers cannot request a copy of an employee’s credit report under any circumstances.

B. Employers must get the candidate’s consent to request a credit report.

C. Employers cannot use credit information to deny a job.

D. Employers are required to conduct credit checks on all applicants.

11. Candidate and employee NPPI must be protected. NPPI does not include which of the following?

A. Social security number

B. Credit card number

C. Published telephone number

D. Driver’s license number

12. Which of the following statements best describes the purpose of completing Department of Homeland Security/U.S. Citizenship and Immigration Services Form I-9 and providing supporting documentation?

A. The purpose is to establish identity and employment authorization.

B. The purpose is to determine tax identification and withholding.

C. The purpose is to document educational achievements.

D. The purpose is to verify criminal records.

13. The permissions and access rights a user is granted should match the user’s role and responsibilities. Who is responsible for defining to whom access should be granted?

A. The data user

B. The data owner

C. The data custodian

D. The data author

14. Network administrators and help desk personnel often have elevated privileges. They are examples of which of the following roles?

A. The data owners

B. The data custodians

C. The data authors

D. The data sellers

15. Which of the following statements is not true of confidentiality agreements?

A. Confidentiality/nondisclosure agreements are legal protection against unauthorized use of information.

B. Confidentiality/nondisclosure agreements are generally considered a condition of work.

C. Confidentiality/nondisclosure agreements are legally binding contracts.

D. Confidentiality agreements should be required only of top-level executives.

16. Which of the following elements would you expect to find in an acceptable use agreement?

A. Handling standards

B. A lunch and break schedule

C. A job description

D. An evacuation plan

17. Which of the following statements best describes when acceptable use agreements should be reviewed, updated, and distributed?

A. Acceptable use agreements should be reviewed, updated, and distributed only when there are organizational changes.

B. Acceptable use agreements should be reviewed, updated, and distributed annually.

C. Acceptable use agreements should be reviewed, updated, and distributed only during the merger and acquisition due diligence phase.

D. Acceptable use agreements should be reviewed, updated, and distributed at the discretion of senior management.

18. Which of the following is true about the NICE Cybersecurity Workforce Framework (NICE Framework)?

A. NICE is designed to provide guidance on how to implement the NIST Cybersecurity Framework.

B. NICE is designed to provide guidance on how to identify, recruit, develop, and retain cybersecurity talent.

C. NICE is designed to provide guidance on how to onboard new employees and delete accounts for departing personnel.

D. NICE is designed to provide guidance on how to create cybersecurity programs to maintain compliance with regulations.

19. Posters are placed throughout the workplace reminding users to log off when leaving their workstations unattended. This is an example of which of the following programs?

A. A security education program

B. A security training program

C. A security awareness program

D. None of the above

20. A network engineer attends a one-week hands-on course on firewall configuration and maintenance. This is an example of which of the following programs?

A. A security education program

B. A security training program

C. A security awareness program

D. None of the above

21. The Board of Directors has a presentation on the latest trends in security management. This is an example of which of the following programs?

A. A security education program

B. A security training program

C. A security awareness program

D. None of the above

22. Companies have the legal right to perform which of the following activities?

A. Monitor user Internet access from the workplace

B. Place cameras in locker rooms where employees change clothes

C. Conduct a search of an employee’s home

D. None of the above

23. Sanctions for policy violations should be included in which of the following documents?

A. The employee handbook

B. A confidentiality/nondisclosure agreement

C. An acceptable use agreement

D. All of the above

24. Studies often cite ____________ as the weakest link in cybersecurity.

A. policies

B. people

C. technology

D. regulations

25. Which of the following is not a component of an Acceptable Use Agreement?

A. Handling standards

B. Sanctions for violations

C. Acknowledgment

D. Social media monitoring

26. Which of the following is a privacy regulation that has a goal to protect citizens’ personal data and simplify the regulatory environment for international business by unifying the regulation within the European Union?

A. European Union General Data Protection Regulation (GDPR)

B. European Union PCI Council

C. European Union Gramm-Leach-Bliley Act (GLBA)

D. Privacy Data Protection of the European Union (PDPEU)

27. Which of the following regulations specifically stipulates that schools must have written permission to release any information from a student’s education record?

A. FERPA

B. HIPAA

C. DPPA

D. FISMA

28. Best practices dictate that employment applications should not ask prospective employees to provide which of the following information?

A. Last grade completed

B. Current address

C. Social security number

D. Email address

29. After a new employee’s retention period has expired, completed paper employment applications should be ___________.

A. cross-cut shredded

B. recycled

C. put in the trash

D. stored indefinitely

30. Threat actors might find job posting information useful for which of the following attacks?

A. A distributed denial of service attack (DDoS) attack

B. A social engineering attack

C. A man-in-the-middle attack

D. An SQL injection attack

“Obtaining Security Clearance,” Monster.com, accessed 05/2018, http://govcentral.monster.com/security-clearance-jobs/articles/413-how-to-obtain-a-security-clearance.

Changes to employee data management under the GDPR, accessed 05/2018, https://www.taylorwessing.com/globaldatahub/article-changes-to-employee-data-management-under-the-gdpr.html.

“2017 Trends in Recruiting via Social Media,” HireRight, accessed 05/2018, http://www.hireright.com/blog/2017/05/2017-trends-in-recruiting-via-social-media/.

The CERT Insider Threat Center at Carnegie Mellon’s Software Engineering Institute (SEI), accessed 05/2018, https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=91513.

The NICE Framework, accessed 05/2018, https://www.nist.gov/itl/applied-cybersecurity/nice.

CyberSeek, NIST, accessed 05/2018, http://cyberseek.org.

“26 U.S.C. 6103: Confidentiality and Disclosure of Returns and Return Information,” accessed 05/2018, https://www.gpo.gov/fdsys/granule/USCODE-2011-title26/USCODE-2011-title26-subtitleF-chap61-subchapB-sec6103/content-detail.html.

“Americans with Disabilities Act (ADA),” official website of the United States Department of Justice, Civil Rights Division, accessed 05/2018, https://www.ada.gov/2010_regs.htm.

“Fair Credit Reporting Act (FCRA). 15 U.S.C. 1681,” accessed 05/2018, https://www.ecfr.gov/cgi-bin/text-idx?SID=2b1fab8de5438fc52f2a326fc6592874&mc=true&tpl=/ecfrbrowse/Title16/16CIsubchapF.tpl.

“Family Educational Rights and Privacy Act (FERPA),” official website of the U.S. Department of Education, accessed 05/2018, https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

“Immigration Reform and Control Act of 1986 (IRCA),” official website of the U.S. Department of Homeland Security, U.S. Citizenship and Immigration Services, accessed 05/2018, https://www.uscis.gov/.

“Public Law 108–159: Dec. 4, 2003 Fair and Accurate Credit Transactions Act of 2003,” accessed 05/2018, www.gpo.gov/fdsys/pkg/PLAW-108publ159/.../PLAW-108publ159.pdf.

“Public Law No. 91-508: The Fair Credit Reporting Act,” accessed 05/2018, https://www.ecfr.gov/cgi-bin/text-idx?SID=2b1fab8de5438fc52f2a326fc6592874&mc=true&tpl=/ecfrbrowse/Title16/16CIsubchapF.tpl.

“Sarbanes-Oxley Act—SoX,” accessed 05/2018, http://uscode.house.gov/download/pls/15C98.txt https://www.sec.gov/about/laws/soa2002.pdf.

“U.S. Department of Homeland Security and U.S. Citizenship and Immigration Services, Instructions for Employment Eligibility Verification,” accessed 05/2018, https://www.uscis.gov/i-9.

“U.S. Department of the Treasury and Internal Revenue Service, 2017 General Instructions for Forms W-2 and W-3,” accessed 05/2018, https://www.irs.gov/pub/irs-pdf/iw2w3.pdf.