Secure Controls Framework
Download The SCF

Human Resources Security (HRS)

Domain Principle

Execute security-informed personnel management practices that address screening, onboarding, acceptable behavior, role-based risk, competence and offboarding requirements.

Domain Intent

Organizations cultivate a security, compliance and resilience-minded workforce by defining personnel security expectations, validating role-based competence, supporting appropriate culture and collaboration, and managing personnel risk throughout the employment lifecycle.

Domain Guide

Security controls fail when the people operating them don't understand their obligations or when personnel risk isn't managed through the employment lifecycle. The HRS domain covers the full arc from pre-employment screening through offboarding, including background verification, role-based security expectations, acceptable use requirements and the revocation of access when employment ends.

 

The SCF's intent for HRS emphasizes cultivating a security-minded workforce. That is not just awareness training; it includes validating role-based competence, defining what security behaviors are expected and managing the cultural dimensions of security. An organization that treats security awareness as an annual checkbox exercise and HRS as an HR function rather than a security control will find that human factors contribute to most of its significant incidents.

 

Offboarding is consistently under-controlled. Privileged access that survives the departure of the account holder, credentials shared with former employees and service accounts tied to individuals who have left are all real findings that HRS controls are designed to prevent.