Overview
Advocacy organizations rely heavily on fluctuating rosters of volunteers, rapid staff mobilization, and community organizers. Managing personnel access presents significant, persistent security risks. Adversarial infiltration, negligent data handling, and malicious insider threats can completely compromise operations from within.
Ethical Vetting Considerations
Standard Practice
Background checks are standard for personnel:
- Interacting directly with vulnerable populations
- Handling sensitive financial data
- Accessing legal databases
Commercial Screening Services
Typical background check components:
| Component | Purpose |
|---|---|
| Social Security trace | Identity verification |
| National sex offender registry | Safety screening |
| County criminal history | Background review |
| Reference verification | Character assessment |
Ethical Complexities
Applying criminal background checks in social justice contexts introduces profound ethical considerations:
| Issue | Impact |
|---|---|
| Systemic bias | Criminal legal system disproportionately targets communities of color and immigrants |
| Blanket bans | Contradicts diversity, equity, and inclusion principles |
| Lived experience | Denies organizations perspectives of those with direct system experience |
Ethical Screening Principles
| Principle | Implementation |
|---|---|
| Transparency | Clearly communicate screening process |
| Role-specific | Tailor screening to position risk profile |
| Holistic assessment | Consider nature of offense, time elapsed, duties |
| Legal compliance | Align with "Ban the Box" legislation |
| Trauma-informed | Avoid forcing vulnerable disclosures |
Assessment Framework
Rather than automatic disqualification, assess convictions based on:
- Nature of offense - Relevance to position responsibilities
- Time elapsed - Recency of conviction
- Position duties - Specific access and responsibilities
- Individual circumstances - Context and rehabilitation evidence
Zero Trust Architecture
Obsolete Model
The traditional perimeter-based security model is obsolete:
- Assumes anyone inside the network is trustworthy
- Highly dangerous in modern threat environments
- Does not account for insider threats or compromised credentials
Zero Trust Principles
Zero Trust operates on "never trust, always verify":
| Principle | Implementation |
|---|---|
| Continuous authentication | Verify every resource request |
| Assumed breach | Threats exist inside and outside network |
| Least privilege | Minimum access for immediate duties |
| Micro-segmentation | Divide network into security zones |
Principle of Least Privilege
Core Concept
Staff and volunteers must only receive the absolute minimum level of access required to perform immediate duties.
Implementation
| Approach | Description |
|---|---|
| Role-Based Access Control (RBAC) | Permissions based on job function |
| Network segmentation | Isolate sensitive systems |
| Graduated access | Increase permissions as trust established |
| Just-in-time access | Temporary elevation for specific tasks |
Example Segmentation
| Zone | Access Level | Example Data |
|---|---|---|
| Public | All staff | General resources, public information |
| Internal | Authenticated staff | Internal communications, policies |
| Sensitive | Case workers, attorneys | Client case files |
| Restricted | Legal team only | Privileged communications |
| Critical | Executive leadership | Financial data, donor information |
Prohibited Cross-Access
- Donor databases isolated from legal case files
- Legal case files isolated from rapid response dispatch logs
- Financial systems isolated from operational data
Onboarding and Access Management
Pre-Access Requirements
Before receiving any system credentials:
| Requirement | Purpose |
|---|---|
| Confidentiality agreement | Binding commitment to data protection |
| Non-disclosure agreement | Protection of client information |
| Security training completion | Baseline security knowledge |
| Role assignment | Defined access level |
Graduated Access Model
| Phase | Duration | Access Level |
|---|---|---|
| Probationary | First 30-90 days | Limited access, supervised |
| Standard | After evaluation | Role-appropriate access |
| Elevated | As needed | Additional systems with approval |
| Administrative | Senior staff only | System administration |
Identity Lifecycle Management
| Event | Action |
|---|---|
| Onboarding | Create accounts with minimum access |
| Role change | Review and adjust permissions |
| Project completion | Revoke project-specific access |
| Departure | Immediate credential revocation |
Single Sign-On (SSO)
Implement centralized Identity and Access Management:
- Instant severance - One action revokes all access
- Audit trail - Complete access logging
- Consistency - Uniform policy enforcement
- Elimination of orphaned accounts - No forgotten access points
Insider Threat Recognition
Threat Categories
| Category | Description |
|---|---|
| Malicious | Intentional sabotage, espionage |
| Negligent | Carelessness, policy violations |
| Compromised | Credentials stolen, social engineering victim |
Identity Threat Detection and Response (ITDR)
Modern systems use machine learning to:
- Continuously monitor networks
- Detect anomalous behavior
- Identify compromised credentials
- Flag deviations from baseline activities
Behavioral Indicators
Train administrators and managers to recognize:
Unusual Access Patterns
| Indicator | Description |
|---|---|
| Off-hours access | Accessing network at unusual times |
| Restricted directories | Attempting access outside role |
| Mass downloads | Bulk file retrieval |
Data Exfiltration Attempts
| Indicator | Description |
|---|---|
| Large outbound emails | Unexplained attachments to external addresses |
| USB device usage | Unauthorized portable storage |
| Personal email forwarding | Redirecting work data |
Policy Violations
| Indicator | Description |
|---|---|
| Password sharing | Violating credential policies |
| Security training avoidance | Refusing required modules |
| Circumvention attempts | Working around security controls |
Psychosocial Stressors
| Indicator | Description |
|---|---|
| Grievances | Expressing extreme dissatisfaction |
| Ideological shifts | Sudden opposition to mission |
| Financial distress | Severe money problems |
| Unexplained affluence | Sudden wealth without explanation |
| Substance issues | Signs of substance abuse |
Reporting Mechanisms
Requirements
Organizations must establish:
| Feature | Purpose |
|---|---|
| Secure channels | Protected reporting pathways |
| Confidentiality | Reporter identity protection |
| Accessibility | Easy to use for all staff |
| Non-retaliation | Protection for good-faith reporters |
Investigation Principles
| Principle | Implementation |
|---|---|
| Discretion | Handle quietly to avoid tipping off |
| Proportionality | Response matched to severity |
| Privacy respect | Balance security with employee rights |
| Documentation | Maintain investigation records |
Departure Procedures
Immediate Actions
When personnel depart (voluntarily or involuntarily):
| Action | Timing |
|---|---|
| Disable SSO account | Immediately upon departure |
| Revoke system credentials | Same day |
| Collect company devices | Before departure |
| Change shared passwords | If applicable |
| Review access logs | Check for pre-departure anomalies |
Access Audit
| Review | Purpose |
|---|---|
| Active sessions | Terminate any open connections |
| Shared resources | Remove from groups and shares |
| Cloud accounts | Revoke third-party integrations |
| Email forwarding | Check for unauthorized rules |
Implementation Checklist
Vetting
- [ ] Develop ethical screening policy
- [ ] Create role-specific background check requirements
- [ ] Train HR on trauma-informed screening
- [ ] Document assessment criteria
Access Management
- [ ] Implement Zero Trust Architecture
- [ ] Deploy Role-Based Access Control
- [ ] Configure network segmentation
- [ ] Establish SSO/IAM system
Onboarding
- [ ] Create confidentiality agreement templates
- [ ] Develop graduated access protocols
- [ ] Design security training curriculum
- [ ] Establish probationary access limits
Insider Threat
- [ ] Deploy behavioral monitoring (with privacy safeguards)
- [ ] Train managers on indicator recognition
- [ ] Establish reporting mechanisms
- [ ] Create investigation procedures
Offboarding
- [ ] Develop immediate access revocation checklist
- [ ] Implement SSO instant severance
- [ ] Create departure audit protocol
- [ ] Document offboarding procedures
Related Resources
- Security Program Frameworks - Overall security approach
- Information Protection - Data security
- Communication Security - Secure communications