On Fri, 21 Jun 1996, Alex Filacchione wrote:
> 1) As long as it does not interfere with their work, is drug testing really
> necessary? Furthermore, should a company make its decision on whether
> to outsource or not (or make a final decision between two firms) based
> on whether the consulting firm employs drug testing (screening, invasion
> of privacy, etc.)? Let's say that John Doe at Fred's Security
> Consulting really knows his stuff well, has a good reputation, etc., and
> has also smoked pot. Is this *REALLY* going to make a difference? As
> long as he does not smoke on the job. Are you going to ask people if
> they drink alcohol on a recreational basis as well? If someone wants to
> make this into an example of a "law abiding citizen" vs a "delinquent,"
> saying that the "delinquent" has no regard for the law and should not be
> trusted, I ask you this... Are you going to request the consultant's
> driving records as well? Driving above the speed limit shows an EQUAL
> contempt, disrespect, whathaveyou for the law as smoking pot. Is this
> *REALLY* a smart criteria to base the security of your company on?
> Would you really go with an inferior proposal just because the architect
> of the better proposal has smoked pot?
It's illegal, therefore it has the potential to interfere with their work.
Do I want to have the head of my incident response team absent because
he/she/it got busted at his supplier's house the same night that I got
hit, and there was so much stuff there that the magistrate refused to set
Do I want them to be vulnerable to blackmail? Do I know that it's "just
pot" that they use, or could they be doing other drugs too?
It has nothing to do with philosophy, it's got everything to do with
vulnerability. In general, due to privacy laws, you can't normally get
deep into alcohol, or other potential vulnerabilities. You can however
drug test. The willingness for a key employee to disregard current law is
for some people an issue. Every company should make its own mind up on
how much of a concern this is, if it is. Those of us with classic gov/mil
sec backgrounds tend to stick with this in the higher risk category, and
that's worth questioning, but I doubt you'd change my mind on it.
> 2) Polygraph? Do you really believe that these things are accurate? I
> personally have beaten one as a "proof of concept" with no problem at
> all. Yes, it was administered by a qualified professional. Do you want
> to base the decision upon which your corporate secrets may rely on
> something as flimsy as a polygraph?
Does it have to be 100% accurate for it to be useful? Used to weed out
bad guys, they're more useful than used to weed in good guys. In general,
things like this, like background checks, polygraphs, credit checks, and
the like won't stop a determined opponent with good resources and/or
skills. They can also weed out perfectly good candidates who would have
been 100% trustworthy. Everything you use to evaluate if you should
extend trust has a risk/vulnerability/effectiveness/reward value. A lot
of the effectiveness versus false positives threshold depends on what
you're trying to protect, and how many other vulnerabilities there are
that make a certain level of vulnerability the default.
It certainly doesn't make sense to make your security folks go through
harsh background checks if you get your operations staff from the local
community college work study program, and they've access to your backups,
a tape duplicator, and administrative passwords.
On the whole, I'm glad my employer didn't do driving record checks :)
Paul D. Robertson
"My statements in this message are personal opinions
which may have no basis whatsoever in fact."