Preventing Identity Theft in Your Business
(i) Who is covered?
The Uniform Guidelines cover … all private employers, state and local governments, and education institutions that employ 15 or more individuals. These laws also cover private and public employment agencies, labor organizations, and joint labor management committees controlling apprenticeship and training.
Review these requirements at www.eeoc.gov/policy/vii.html
(ii) What employment practices are covered?
The Uniform Guidelines on Employee Selection Procedures (1978) apply to tests and other selection procedures which are used as a basis for any employment decision [emphasis added]. Employment decisions include but are not limited to hiring, promotion, demotion, membership (for example, in a labor organization), referral, retention, and licensing and certification, to the extent that licensing and certification may be covered by Federal equal employment opportunity law. Other selection decisions, such as selection for training or transfer, may also be considered employment decisions if they lead to any of the decisions listed above.
Review these requirements under “Scope. Sec. 1607.2 (B)” at www.access.gpo.gov/nara/cfr/waisidx_03/29cfr1607_03.html
(iii) How the law defines job analysis
Under the Uniform Guidelines, a job analysis should describe all important work behaviors, their relative importance, and their difficulty level. [A] job analysis [should include] an analysis of the important work behavior(s) required for successful performance and their relative importance and, if the behavior results in work product(s), an analysis of the work product(s). Any job analysis should focus on the work behavior(s) and the tasks associated with them. If work behavior(s) are not observable, the job analysis should identify and analyze those aspects of the behavior(s) that can be observed and the observed work products. The work behavior(s) selected for measurement should be critical work behavior(s) and/or important work behavior(s) constituting most of the job.
Review Technical Standards for validity studies, Section 1607.4 at www.access.gpo.gov/nara/cfr/waisidx_03/29cfr1607_03.html
Step 2. Create unique subteams. The job analysis requires a unique team composition: For a department with more than one job “set” (defined in step 3), the job analysis is to be conducted by team “pairs.” Unlike other exercises where the team works together, a security job analysis is conducted most effectively by dividing the team into smaller groups, each of which will analyze one or more job sets. For example, for most departments and with a team of five employees and one manager, three pairs can analyze all departmental jobs quickly and efficiently. All team pairs use the same exercises and step-by-step instructions. Select the team pairs now.
Step 3. Know the terms. Carefully review and be able to distinguish the following terms:
The term “job set” is used interchangeably with “job family” to define groups of jobs that consist of the same or similar job tasks. Examples are secretarial jobs where the primary tasks are answering phones, scheduling appointments, and performing word processing tasks; and the job of data processor where the data being processed may be different for different jobs but the actual task of processing is the same or similar.
A job “task” is a specific job “behavior” or job “action.” When broadly defined, “general” or “technical” job tasks are sometimes called “competencies.”
A “general” competency can be “generalized” across jobs. For example, “general” competencies such as timeliness (a behavior), accuracy (an action), and honesty (a characteristic) are required of most job tasks and most jobs, regardless of rank or description. (A specific job task for the general competency term “timeliness” might be to “write and submit a report on or before the last day of each month.”)
A “technical” competency refers to a special set of requirements for performing a certain job. Technical competencies also may be the same or similar across jobs, but to a lesser extent than for general competencies. Examples of technical competencies are “using word processing programs” or “creating programs using a variety of database languages.” (A specific job task for the technical competency “using various word processing programs” might simply be “prepare a report on the annual meeting using the MSWord software program.”)
Knowledge, Skills, and Abilities (KSAs) are three words sometimes used in the context of job analysis. Knowledge is passive information about some subject; skills are learned; and abilities are the innate aptitudes to learn the skills. These terms are used later to help describe job tasks.
Job “characteristics” describe the nature of the job: Examples are exactness, accuracy, timeliness, and consistency. Take the time to review the comprehensive list of job characteristics online at the Occupational Information Network (O*NET) located at http://online.onetcenter.org.
“Security-sensitive” is the single term that is used to describe general and technical job competencies that directly or indirectly involve personal or business identifying information.
Most jobs require both technical and general competencies. For example, the job tasks for finance and accounting jobs may require competencies to “perform mathematical and accounting operations,” “conduct specialized fraud audits,” or “secure proprietary documents.” These competencies are very specific. In contrast, the same job tasks might require the general competencies to “attend to detail” and “perform the job tasks with accuracy.” Readers will be able to distinguish these terms easily after they are introduced in successive exercises, following orientation step 4.
Step 4. Determine job sets. This step, preliminary to the job analysis, requires all members of the team to work together. Determine job sets within the department using current job descriptions, if available, and if based on the traditional form of job analysis that meets EEOC and Title VII requirements. Review the job descriptions for jobs that share the same or similar job tasks. Using the job titles, group these jobs together to form the job set. The job analysis will be conducted on job sets, if identified, and also on individual jobs not amenable to grouping. If the grouping of a job is in question, discuss and agree by consensus whether that job should be considered a member of the set. Upon completion of step 4, begin the job analysis.
Exercise 1. Identify Job Tasks
Estimated Time: Three–Four Hours
This three-step exercise develops lists of job tasks.
List the specific job tasks for the job sets and for each job not grouped into a job set, using the above job descriptions, if available.
Interview the current job incumbent or, for job sets, the incumbents. Job incumbents are the job’s subject matter experts—these employees know best what tasks are performed on their jobs. Simply ask the incumbent to tell you about the job; that is, on a day-to-day basis: What are the job tasks you perform? What knowledge or special skills are required? What types of equipment are used? What are the characteristics of this job—do the tasks require exactness, accuracy, timeliness, consistency, or some other “job” characteristics? Make notes and use a recorder. Immediately after the interview or soon thereafter, transcribe the notes into a list of the job tasks for that job.
On a separate occasion, observe as unobtrusively as possible the job incumbent(s) while they perform their job(s). Arrange a one-hour block of observation time and explain in advance your purpose. While observing, simply write down your observations in a notebook. Do not ask questions or interact with an incumbent at this time. Focus on the job task being performed and jot down in simple terms what you observe being done (word processing, analyzing, climbing a ladder, leading); why it is being done, if apparent (to prepare a document, reconcile an accounting statement, change a light fixture, show other employees some technique); how it is being done (standing, sitting, stooping, reaching); and the equipment used (computer, software, calculator, ladder). If it is a “shift” job, different tasks may be performed on different shifts; in this case, it is necessary to interview and also observe incumbents for each shift. As soon as possible after the observation, review and compile from your notes a list of the tasks you observed being performed.
You now have three lists of job tasks with details about how those tasks are performed: one list from the job description, a second from the incumbent interview, and a third from your own observation. Now consolidate these three lists: For each job or job set, sort the job tasks into one of two categories: technical or general. Completing this step forms the base of the job analysis for the remaining, relatively shorter exercises. Exercise 2, in compliance with EEOC Guidelines, determines how essential the job tasks are for each job or job set. Begin exercise 2 now.
Exercise 2. Create a Checklist of Job Tasks
Estimated Time: Three Hours
The Uniform Guidelines pertain to job tasks that are essential to the job, and essentialness is determined by the extent to which the job tasks are important for the job and how frequently those tasks are performed. In addition, a third component essential for the security standards is the extent to which each task is security-sensitive. This exercise creates a single checklist composed of these three major sections—importance, frequency, and security-sensitivity. In exercise 3, this checklist is administered to the subject matter experts—the job incumbents. Exhibit 9.1 shows an example of such a checklist, sometimes called a “job competency checklist.” Use Exhibit 9.1 as a model: For each job (or job set), list the job title, then create two subheadings in the left column—one titled “technical” and the other titled “general.” Now use the list from exercise 1 to itemize each job task accordingly as either a technical or general job task. Although the exhibit shows only a few job tasks, most jobs have many more. In the right column, for each major section (technical and general), note the rating scale of 1 (low) to 5 (high). The job incumbent will use this scale later to rate each job task according to its relative importance, frequency, and job sensitivity. Continuing with exercise 2, in the right-hand column and after each task, create the 1-to-5 rating scale as in Exhibit 9.1. Be sure to include the rating keys at the bottom of the scale:
For importance: 1 = not important, 2 = somewhat important, 3 = important, 4 = very important, and 5 = critically important
For frequency: 1 = never, 2 = sometimes, 3 = occasionally, 4 = often, 5 = most frequently
For security-sensitivity: 1 = does not use or have access to personal or business identifying information; 2 = uses or has access to personal or business identifying information
EXHIBIT 9.1 Job Competency Checklist for Job of Computer Forensic Analyst
Competencies Importance to Job
Circle Only One Response
Technical
1. Computer hardware certification 1 2 3 4 5
2. Skills to secure computer databases 1 2 3 4 5
3. Ability to detect security intrusions 1 2 3 4 5
4. Knowledge of information risk assessments 1 2 3 4 5
5. Ability to maintain security standards 1 2 3 4 5
6. Knowledge of identity theft and crimes 1 2 3 4 5
7. Job tasks involving employee identities 1 2 3 4 5
8. Job tasks involving customer identities 1 2 3 4 5
9. Job tasks involving business identities 1 2 3 4 5
General
10. Honesty 1 2 3 4 5
11. Consistency 1 2 3 4 5
12. Integrity 1 2 3 4 5
13. Interpersonal skills 1 2 3 4 5
14. Accuracy 1 2 3 4 5
15. Timeliness 1 2 3 4 5
Key: 1 = not important, 2 = somewhat important, 3 = important, 4 = very important, 5 = critically important
Competencies Frequency of Job Performance
Circle Only One Response
Technical
1. Computer hardware and software certification 1 2 3 4 5
2. Skills to secure computer databases 1 2 3 4 5
3. Ability to detect security intrusions 1 2 3 4 5
4. Conducting information process risk assessments 1 2 3 4 5
5. Assessing compliance with Security Standards 1 2 3 4 5
6. Knowledge of identity theft and crimes 1 2 3 4 5
7. Job tasks involving employee identities 1 2 3 4 5
8. Job tasks involving customer identities 1 2 3 4 5
9. Job tasks involving business identities 1 2 3 4 5
General
10. Honesty 1 2 3 4 5
11. Consistency 1 2 3 4 5
12. Integrity 1 2 3 4 5
13. Interpersonal skills 1 2 3 4 5
14. Accuracy 1 2 3 4 5
15. Timeliness 1 2 3 4 5
Key: 1 = never, 2 = sometimes, 3 = occasionally, 4 = often, 5 = most frequently
Competencies The Job Task Is Security Sensitive
Circle Only One Response
Technical
1. Computer hardware and software 1 2
2. Securing computer databases 1 2
3. Detecting security intrusions 1 2
4. Conducting information process risk assessments 1 2
5. Analyzing Security Standards for compliance 1 2
6. Recognizing identity thefts and identity crimes 1 2
7. Performing tasks involving employee identities 1 2
8. Performing tasks involving customer identities 1 2
9. Performing tasks involving business identities 1 2
Key: 1 = does not use or have access to personal or business identifying information
2 = occasionally or frequently uses or has access to personal or business identifying information
Exercise 3. Administer Checklist to Incumbent Expert(s)
Estimated Time: Two Hours
Employees are the job experts and, as in the other BISP exercises, they must play a major role in the job analysis. More than anyone else, job incumbents know which of their tasks are the most important and the most frequently performed. Solicit the employee-experts to rate their jobs using the checklist prepared in exercise 2.
Exercise 4. Score Checklist
Estimated Time: Two Hours
Now score the checklist; that is, simply rank-order the job tasks according to their rated importance (5 = most important), frequency (5 = most frequent), and sensitivity (1 = not sensitive; 2 = sensitive). The job tasks rated higher in importance and most frequently performed are essential for that job, and a sensitive rating for one or more job tasks requires that the job be secured as a position of security and authority. (Regarding job task frequency, even though a frequently performed job task is rated as lesser in importance relative to some others, the job task may nonetheless be essential. For example, a job may require frequent monitoring of e-mail messages, of which only a few may be for product orders. Because for high-priced items even one missed order would be a substantial loss, frequent monitoring is an essential task.)
The job analysis is now complete. What remains is to use the job analysis results to create the job description, in exercise 5.
Exercise 5. The Security Job Description
Estimated Time: Two Hours
Use the model in Appendix F to write a job description for each job or job set. Use the results from Exercise 4 to indicate whether or not the job is security-sensitive, and list the essential functions—those tasks that are fundamental (as opposed to marginal) to the job position. List also job tasks of lesser importance and also those that are less frequently performed.
Notice in Appendix F that some of the job tasks are written using the terms “knowledge” (performance of the task requires some passive knowledge about the subject), “skills” (the task requires certain skills, such as those that have been or can be learned), and “abilities” (the task requires certain aptitudes, such as mathematical, analytical, or others). One job task, however, simply requires a “certification,” a learned skill (see the first item under the section “List the knowledge, skills, and abilities identified in the job analysis…”). The point is that there are many ways to write job task statements; however, the knowledge/skills/abilities examples shown in Appendix F, because they are broader than simply stating a specific task, are generally more descriptive.
Notice also the “Work Context” section, which describes the physical abilities required to perform the job tasks—sitting, standing, reaching, the use of hands. This section is required to identify jobs that require accommodations. You may also include a section describing the work environment, as this information may be useful for recruiting announcements.
Information contained in the job analysis and the job description, completed in the exercises in this chapter, will be used in the subsequent chapters, beginning with Chapter 10, the recruitment of job applicants.
CHAPTER 10
THE PEOPLE FRONT: RECRUITMENT FOR SECURITY
Businesses set the standards of integrity and performance for their own workforce, either intentionally or not. Beginning with recruitment, a company can purposely use scientifically developed procedures to assemble a capable and collegial group of coworkers or can, by default, leave things to chance. The standard for “recruitment for security” eliminates chance. This method develops an applicant pool sufficiently large to increase the probability of attracting applicants who can both perform the job well and secure it.
STANDARD 4. RECRUITMENT FOR SECURITY
Goals: Develop a large applicant pool qualified to (1) perform both general and technical job tasks for a security-related job position (or job set) as well as to (2) secure the personal or business identifying information accessible to the requisite job tasks.
Objectives: Use the team approach, the information contained in the security job description, and a method called “snowballing” to attract a large number of job applicants for a given job set.