Chapter 9: Personnel Security

  • Conduct background checks of individuals being considered for sensitive positions. Do so with the permission of the applicants. Repeat them periodically to look for changes.

  • If the position is extremely sensitive, and if it is legally allowable, consider performing a polygraph examination of the candidate.

  • Have applicants and contractors in sensitive positions obtain bonding.

  • Provide comprehensive and appropriate training for all new personnel and for personnel taking on new assignments. Document acceptance of security policies in writing.

  • Provide refresher training on a regular basis.

  • Make sure that staff have adequate time and resources to pursue continuing educational opportunities.

  • Institute an ongoing user security-awareness program.

  • Have regular performance reviews and monitoring. Try to resolve potential problems before they become real problems.

  • Make sure that users in sensitive positions are not overloaded with work, responsibility, or stress on a frequent basis, even if they are compensated for the overload. In particular, users should be required to take holidays and vacation leave regularly.

  • Monitor users in sensitive positions (without intruding on their privacy) for signs of excess stress or personal problems.

  • Audit access to equipment and critical data.

  • Apply policies of least privilege and separation of duties where applicable.

  • When any user leaves the organization, make sure that access is properly terminated and duties transferred.

  • Make sure that ...

Get Practical UNIX and Internet Security, 3rd Edition now with the O’Reilly learning platform.