Re: Background Checks Revisited

["Hudson, Edward" <ewhudson () CSUCHICO EDU>]

Mike, That is correct that state law supersedes however the annual requirement (as stated in your note) applies only if 
the person in question was a QSA. As a former QSA I am not aware of any higher edu. that operates as an assessing 
entity and offers PCI assessment services for hire and thus would have active QSA's on their staff.
PCI DSS (12.7) Requires screening of potential employees who are going to come in contact with cardholder data prior to 
hiring but the scope is pretty broad:

"Inquire with Human Resources dept. management and verify that back ground checks are conducted (within the constraints 
of local laws) on employees who prior to hire who will have access to cardholder data or the cardholder data 
environment. (Examples of background check include previous history, criminal record, credit history and records 
checks.)

No person can get an offer of employment on our campus without having the hiring manager check references and some 
roles require actual criminal history checks. 

Ed Hudson, CISM
Information Security Office 
California State University, Chico 
www.csuchico.edu/ires/security 
Office: (530) 898-6307
Cell: 707-799-3250
ewhudson () csuchico edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael 
Johnson
Sent: Thursday, October 29, 2009 12:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Background Checks Revisited

It is a requirement of the PCI Security Standards Council that any
employee engaged in qualified assessor work must have their background
check revalidated for criminal activity every year.

State law will supersede.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
Sent: Thursday, October 29, 2009 2:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Background Checks Revisited

In Iowa, it seems to be against state law to run a criminal background
check on a current state employee.

- ken

Volz, Donald D wrote:
> Apologies to those of you who see this question on multiple lists.
>
> I checked several EDUCAUSE discussion list archives and found a few
earlier threads on the topic of employee background checks.  It appeared
that MOST respondents performed checks on prospective IT employees, and
quite a few indicated that ALL new hires were subject to such tests,
regardless of department or job position.  
> However, I did not get any insight about the use of background checks
on existing employees, i.e., those hired before background checks became
a requirement for employment.  Obviously there are non-trivial legal and
policy considerations surrounding the institutional response to the
results of those checks, but I'd like to set those aside for the moment
and focus on who is subject to background checks. 
> My questions are simple:
>
> 1) Does anyone perform background checks on existing employees hired
prior to the implementation of such checks for new hires?  
> 2) If yes, are they performed only to address individual employee
situations or circumstances? If so, please explain.
> 3) Are you planning to complete such checks on ALL or some key
subset(s) of your existing employees (e.g., all IT employees, staff
only, all cashiers, all faculty and staff, ...)?    
> Regards,
> Don
> ______________________________________________
>  
> Don Volz
> Special Assistant to the VP for Information Technology
> Texas State University-San Marcos
> Email: don.volz () txstate edu
> Voice: 512-245-9650
> FAX: 512-245-1226
>  
>   

-- 
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373