Background Checks: Super Sleuthing for Your Security

Control of the Week #8: Background and Reference Checks

This week’s control is on background and reference checks. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why user background and reference checks can be important to your audit.

Why this control is important

“OM3.0 – Background and Reference Checks – New employees and contractors are subjected to background and reference checks prior to joining the organization.”

The dreaded background and reference checks. What seems like a tedious task during a job application process is actually an important security requirement for your organization. There may be different requirements or levels of checks depending on the institution, the role the applicant will be filling, and the customers the organization deals with.

The last thing you want to do is invite someone who’s going to be a major risk to work at your organization!

Background and reference checks are two different processes. A background check is performed to verify a candidate’s identity, legal records, and education or work history. A reference check is performed by talking to references from previous employers to find out whether the candidate is suitable for the job and has the right knowledge and skills.

How to implement this control for your audits

This control will be carried out by your HR team before hiring. If you don’t have an HR team, make sure that your team follows a consistent process and that they are aware of the requirements. The types of checks performed will depend on the organization.

Sometimes, the list of things to consider with background or reference checks can be long, and elements can be missed. Applicable regulations and compliance laws need to be considered when determining which types of background checks should be run. Similarly, the job requirements should be considered when determining the extent of reference checks.

  • Who this person will be working with (e.g. children, elderly, and disabled).
  • What they will be working with (e.g. money, financial records, and private data).
  • What information they will be handling (e.g. health records, confidential documents, credit information).
  • Whether they will be a good fit for the role (e.g. previous employers, personal and professional references, why they left their previous job).
  • Level of access that the job requires and damage that they can cause (consider damage to your organization and your customers and don’t forget fraud, trading internal secrets, etc.).

Creating a comprehensive list will help your organization determine the type of checks needed, whether it’s a criminal or financial check, or a simple reference check. For each type of check, a list of the things that check must cover is recommended as well.

Essentially it boils down to:

  • Confirming people are who they say they are.
  • Checking to see if the person has the proper certifications or qualifications.
  • Ensuring a person is not going to be a security risk to your organization.
  • Retaining evidence of these checks (though the level of detail will depend on the institution).