NERC Personnel Risk Assessment

(UPDATE of EXISTING Employment Background Screening Guideline)

Version 1: 2.0 Effective Date: June 14, 2002 TBD

Purpose:

Pre-employment background investigations

Preamble:

It is in the public interest for NERC to develop guidelines that are useful for improving the reliability of the bulk electric system. Guidelines provide suggested guidance on a particular topic for use by bulk electric system entities according to each entity’s facts and circumstances and not to provide binding norms, establish mandatory reliability standards, or be used to monitor or enforce compliance.

Introduction:

This Guideline addresses potential risks that can apply to Electricity Sector Organizations and provides practices that can help mitigate the risks. Each organization decides the risk it can accept and the practices it deems appropriate to manage its risk.

Personnel Risk Assessments (PRA) mitigate the “insider” threat by assuring only trustworthy and reliable personnel have unescorted access to critical an organization’s facilities, function, or information. Effective pre-employment screening PRAs may prevent or deter negligent hiring, theft, and drug use at critical job locations an organization’s facilities.

Each company organization must assess the need for employment background screening a PRA within the context of its operating environment and subject to its own evaluation of its vulnerability and risk to its perceived spectrum of threats.

Applicability Scope of Application:

This guideline applies to facilities and functions that are considered critical to the support of the electricity infrastructure and the overall operation of the individual company.

Each company is free to define and identify those facilities and functions it believes to be critical, keeping in mind that the ability to mitigate the loss of a facility through redundancies may make that facility less critical than others. A critical facility may be defined as any facility or combination of facilities, if severely damaged or destroyed, would have a significant impact on the ability to serve large quantities of customers for an extended period of time, would have a detrimental impact to the reliability or operability of the energy grid, or would cause significant risk to public health and safety.

Guideline Statement:

This guideline recommends “best practices” for the electricity sector in the area of “Employment Background Screening” for facilities or functions identified as critical.

Table of Contents:

This Guideline applies to all essential infrastructure owners and operators and describes common practices utilized by organizations that conduct personnel risk assessments on their employees; particularly those that have access to essential bulk electric system facilities and/or information.

Guideline Details:

Depending on job classification or expected duties of the prospective employee, the background screening investigation PRA process may consist of all or some of the following elements:

  1. Verification of social security number,
  2. Local- or state-level criminal history check,
  3. National Criminal Database Search,
  4. Residence/employment checks,
  5. Motor vehicle check or driver's license history,
  6. Drug screening,
  7. Credit report, and
  8. Verification of highest level of education or professional certifications, i.e., CPA, PE, etc.

It is the company’s Each organization maintains discretion as to the extent and breadth of the screening process PRA; e.g. number of criminal checks, the historical periods time frame covered, the number of former employers contacted, the number of personal references verified, etc. Consider .; however, a seven year assessment is typically the minimum time frame for a PRA.

Each organization may also consider developing several levels of background checks PRAs based upon different time periods frames and the amount of information to be verified.

Background screening programs PRAs typically fall into the following classifications:

  • Full Employment Backgrounds PRA – May consist of a comprehensive investigation assessment including most of the aforementioned elements. This type of background screening should be considered assessment is typically utilized for full time personnel working at or in direct support of critical essential facilities and/or information.
  • Limited Employment Backgrounds PRA – A less extensive investigation than a Full Employment Background PRA, this type of screening includes elements such as criminal history and social security check. Limited background checks PRAs may be appropriate for summer and intern students, co-op employees, and independent contractors who work at or in direct support of identified critical essential facilities and/or information on a brief or intermittent basis.
  • Leased / Contract Employment Backgrounds PRA – Depending on specific duties, this type of screening PRA may be less extensive than the Limited Employment Background. PRA. Lease / Contract backgrounds, however, Employee PRAs may be required contractually with the vendor company.

For applicants who are non-citizens or who have lived outside the country within the last five to seven years PRA time frame, full or limited background investigations may require international inquiries including education, criminal, and previous employer checks.

When conducting background investigations PRAs, all applicable federal and state laws, such as the Fair Credit Reporting Act, should be reviewed, understood, and complied with. Consideration

As mentioned above, consideration should be given to conducting pre-employment screening for contractors and vendors a PRA for contractor and vendor employees who either work at or work in direct support of critical essential facilities. Alternatively, the company may require that employment agencies contractor and vendor companies conduct background investigations PRAs for contract personnel using the same criteria the company uses for prospective employees. An audit of the employment agency contractor or vending company’s screening processes may be included as part of the company’s an organization’s normal contract compliance program.

A key component of a good background investigation is a comprehensive employment application form. Willful omission, misrepresentation, or falsification of information on the employment application may be considered appropriate grounds for denying employment (or denying access to company facilities and/or information to contractors).

Each company should An organization may publish specific “disqualification criteria.” Job” and job applicants should be fully knowledgeable informed of the criteria that will be used to deny employment.

The questions on the employment application form as well as the disqualification criteria should be reviewed and approved by the Human Resources and Legal departments to assure that state and federal laws are properly complied with. (Consideration should be given to developing an audit process as a means of documenting compliance.)

Each company should Typically, an organization will designate the department or function responsible for pre-employment screening. Activities are typically conducted by or coordinated with through the company’s organization’s Human Resources or Security Department.

Background checks PRAs are usually are not repeated once personnel are hired. ; however, standards (CIP-004 – Personnel and Training) and government regulations may require updated PRAs for certain employees within specified time frames.

Effective supervisor training, however, may be useful in detecting behavioral changes that may trigger a company to update an individual’s background check. In addition further PRA. Additionally, credible information could be received by an organization that might may trigger an additional background investigation. updated PRA. Organizations may consider an on-going programs PRA program to evaluate and ensure the trustworthiness and reliability of personnel.

Certified Products/Tools:

Related Documents:

Fair Credit Reporting Act as amended September 30, 1997 June 14, 2008.

Security Guidelines for the Electricity Sector: Guideline Overview, NERC

- Security Guidelines for the Electricity Sector:
  o Vulnerability and Threat Assessment
  o Threat Response
  o Emergency Plans
  o Continuity of Business Processes
  o Communications
  o Physical Security
  o Cyber Security
  o Protecting Potentially Sensitive Information

- Threat Alert Levels and Physical Response Guidelines, NERC, November 2001,

Threat Alert Levels and Cyber Response Guidelines, NERC, March 2002,

NERC Critical Infrastructure Protection Standard CIP-004 Personnel and Training, June 2006

ASIS International Background Screening Guideline

Revision History:

Date / Version Number / Reason/Comments