It turns out that in the US, one of the few exemptions
to the non-allowed use of Employee Polygraph testing
in private companies is for security service companies -
armoured cars, guards, ....
Normally, one can neither require a test, nor discriminate
against those who refuse. Except if you are the US
govt, of course, to whom these rules don't apply. Obviously,
they don't apply to those who may need security clearances,
though such clearances count for nothing beyond their
access privileges.
In an attempt to gain legitimacy for CA companies as
Trusted Third Parties, it proved necessary for
some of our employees acting as issuing authorities to have various
felony background checks. This was the first
step; the list of actions and further
requirements keeps growing.
Would anyone consider it right/wrong/prudent, etc,
socially, commercially, etc,
to institute a lie detector program, if only to
gain data, and the question set, used when
a breach involving an internal threat to CA operations
is to be investigated?
Such a programme would constitute good audit evidence
of maintaining proper countermeasures for certain
classes of internal threat, the lack of which could
be damaging to any commercial entity involved
in this business which suffers any loss
impacting others.
While no commercial entity will ever be perfect,
and the law rarely requires it, one does have
to show due care when offering trust services. Where
trust and security intersect, it's even worse.
Having said all this, I personally find it
a distasteful concept. "To be in a position of
issuing authority for a CA, one would need
to be periodically polygraphed."
Any comments on the issue, in general?