Background Screening Policy and Procedures

[Applicable to all actors]
1. AI-Focused Screening: Verify AI expertise, data governance experience, and relevant 
certifications for anyone involved in AI development, orchestration, deployment, or management.

2. Compliance and Ethical Requirements: Ensure all candidates understand and agree to 
comply with legal, regulatory, and ethical standards related to data privacy and responsible AI.

3. Controlled Access: Grant access to critical AI systems (e.g., model endpoints, training data, 
admin consoles) only after successful completion of background checks. Maintain secure, 
confidential records of the verification process.

4. Periodic Updates: Review and update screening policies annually—or more frequently if AI 
risk profiles change—to align with evolving technologies and regulations.

5. Automated Verification & Human Oversight: When AI-enabled background-screening tools are used, a qualified reviewer must validate AI-generated results before onboarding or any adverse employment decision. Audit the accuracy and bias of the tools on a defined schedule.

1. Policy Documentation and Approval: Verify that the CSP has a documented, approved background verification policy covering employees, contractors, and third parties who have physical or logical access to cloud infrastructure and data centers.

2. Defined Criteria: Verify that the policy defines consistent screening criteria: criminal history, employment history, education, professional licenses, and (if relevant) credit checks.

3. Transparency and Consent: Verify the policy is clearly communicated to applicants and written consent is obtained, respecting fairness and applicable laws.

4. Use of Providers: Verify that the CSP uses reputable, legally compliant background check providers.

5. Handling Adverse Findings: Verify that the CSP defines fair processes for addressing adverse findings, allowing candidates to respond or appeal.

6. Data Privacy and Security: Verify that personal data collected through background checks is securely handled in compliance with privacy regulations.

7. Review and Update: Verify that the policy is reviewed and updated at least annually or after significant changes to legal/regulatory or operational context.

8. Evidence of Compliance: Review a representative sample of hiring records to ensure background checks were completed before granting access to infrastructure or sensitive data.

9. Customer Assurance: Review third‑party audit reports (e.g., SOC 2, ISO 27001) that include background verification controls, and confirm they are up to date and communicated to customers as evidence of compliance.

10. KPI Monitoring: Verify whether the CSP tracks metrics (e.g., turnaround time, discrepancies, compliance incidents) to improve the program.

From CCM:
1. Examine policy for adequacy, currency, communication, and effectiveness.
2. Examine the process for selection of local laws, regulations, ethics, and contractual constraints, and for review of its output.
3. Verify that the background verification required is mapped to the risks and data classification.
4. Examine the policy and procedures for evidence of review at least annually.
5. Examine Human Resources tickets upon hire which trigger background review and final confirmation from third party conducting background reviews showing it has been completed and how exceptions or failed checks have been addressed.