CPNI - Centre for the Protection of National Infrastructure

Ongoing measures

Quick links

Ongoing personnel security: a good practice guide (PDF - 472KB)

There is a tendency to focus exclusively on personnel security measures at the employment stage and to neglect ongoing personnel security. There are important measures to put in place with regard to existing staff. They include:

  • Identifying change
  • Access controls
  • Security passes and access privileges
  • Management practices
  • Manipulation
  • Protective monitoring
  • Investigation

Identifying change

All staff are potentially vulnerable to circumstances in which risk-related attitudes or behaviours change significantly. These circumstances range from stressful personal crises to deliberate targeting and recruitment by malicious third parties. Circumstances leading to vulnerability might be subtle and difficult to recognise but could include financial difficulty, pressure from peers and family, or perceptions of unfairness at work.

Human Resources departments and line managers should continue to assess their staff after appointment. This is to identify any changing or suspicious behaviour patterns that might indicate a potential insider. Possible warning signs include:

  • drug or alcohol misuse
  • expressions of support for extremist views, actions or incidents, particularly when violence is advocated
  • sudden or marked change of religious, political or social affiliation or practice that has an adverse impact on the individual's performance of their job or attitude to security
  • major unexplained changes in lifestyle
  • sudden changes in expenditure
  • sudden loss of interest in work, or overreaction to career changes or disappointments
  • signs of stress such as excessively emotional behaviour
  • changes in working patterns, for instance working alone or at unusual hours, and reluctance to take holidays
  • unusual interest in security measures or areas of work outside the normal remit
  • frequent unexplained absences
  • repeated failure to follow recognised security procedures.

This is not a comprehensive list. Individual cases will have unique features and it may take a combination of behaviours and attitudes to cause further concern. It is important to note that some of these signs may be the result of ill-health and you should allow for this in your consideration of them.

For particular roles it may be appropriate to conduct regular security appraisals, perhaps annually. These may be informed by repeating assessments such as personality tests or reviewing credit reports but are most likely to involve an interview in which the risk factors identified above would be covered.

If you have concerns about existing staff, you might want to undertake additional checks. As part of your employment terms and conditions, you could also require your employees to disclose any criminal convictions they incur while employed by you. Checks will be less relevant for longstanding employees if there are regular security reviews (e.g. annual security appraisals), but you should consider checking individuals when they are promoted or when they change roles - particularly if it involves a significant increase in their access to sensitive information, systems or sites.

Access controls

It is important that organisations clearly set out their policies regarding access control. One effect of these policies should be to limit access to the organisation's assets according to the requirements of employees' roles. In this way, staff are only given access to the information or systems that they require to do their jobs.

Security passes and access privileges

The wearing of security passes by all staff, however senior, makes it clear who should be in the building and who should not. Ideally passes should include the holder's full-face photograph, but should not indicate the company or the building to which the pass gives access. Anyone not displaying a security pass should either be challenged or reported immediately to security or management.

Access to sensitive locations, assets or information should be limited to those who genuinely need it. Different colours or styles of pass can be issued to those with access to different areas, so that anyone who has strayed into an area to which they do not have legitimate access can be recognised. Physical controls may be used to restrict access to particularly sensitive areas.

It is also important to record the issuing of passes, to monitor and review their use and to retrieve passes from staff when they cease employment or no longer require access to a particular location.
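As an added illustration of the two preceding sections (not CPNI's code, and not part of the guidance itself), the following script models a pass and access register in which each pass is entitled only to the zones its role requires, a mover's entitlements are reset rather than accumulated, and a periodic review reports passes that were never retrieved from leavers, that carry access beyond the holder's role, or whose use has not been reviewed within the interval. The roles, zones, names, dates and the annual review interval are all constructed assumptions for the example.

```python
# Added example (not CPNI's code): a minimal pass and access register that
# gives each pass only the zones its role requires and reports passes that
# should have been retrieved, trimmed or reviewed. Roles, zones, names and
# the review interval are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed role-to-zone map: each role lists only the areas its duties need.
ROLE_ZONES = {
    "reception": {"lobby"},
    "engineer": {"lobby", "plant-room"},
    "it-admin": {"lobby", "server-room"},
}


@dataclass
class PassRecord:
    holder: str
    role: str
    issued: date
    last_reviewed: date
    zones: set = field(default_factory=set)
    employed: bool = True
    returned: bool = False


def zones_for_role(role):
    """Least privilege: a pass is entitled to exactly the zones its role requires."""
    return set(ROLE_ZONES.get(role, set()))


def issue_pass(register, holder, role, today):
    """Record the issue of a pass; entitlements derive from the role, not from a free-text grant."""
    rec = PassRecord(holder, role, today, today, zones_for_role(role))
    register.append(rec)
    return rec


def change_role(rec, new_role, today):
    """On promotion or a move, entitlements are reset to the new role rather than accumulated."""
    rec.role = new_role
    rec.zones = zones_for_role(new_role)
    rec.last_reviewed = today


def review_register(register, today, review_interval_days=365):
    """Return (holder, finding) pairs that a pass administrator should act on."""
    findings = []
    for r in register:
        if not r.employed and not r.returned:
            findings.append((r.holder, "pass not retrieved from leaver"))
        excess = r.zones - zones_for_role(r.role)
        if excess:
            findings.append((r.holder, f"access beyond role: {sorted(excess)}"))
        if r.employed and today - r.last_reviewed > timedelta(days=review_interval_days):
            findings.append((r.holder, "pass use not reviewed within interval"))
    return findings


def demo(today=date(2009, 10, 27)):
    """Constructed register exercising each of the three findings."""
    register = []
    issue_pass(register, "A. Example", "reception", today - timedelta(days=400))
    b = issue_pass(register, "B. Example", "engineer", today - timedelta(days=30))
    c = issue_pass(register, "C. Example", "it-admin", today - timedelta(days=10))
    change_role(b, "reception", today)   # mover: loses plant-room access
    b.zones.add("server-room")           # an ad hoc grant outside the role (the error to catch)
    c.employed = False                   # leaver whose pass has not been handed back
    return sorted(review_register(register, today))


if __name__ == "__main__":
    for holder, finding in demo():
        print(f"{holder}: {finding}")
```

The review deliberately compares a pass's actual zones against what its current role justifies, so that entitlements granted by hand outside the role map, or carried over from a previous role, surface at the next review rather than persisting indefinitely.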

Management practices

If staff understand that personnel security procedures are there to protect them against criminal activity, including terrorism, they are less likely to be regarded as unwelcome or intrusive. The aim should be to establish an effective security culture in which the risks are understood, the countermeasures are demonstrably proportionate to those risks, and staff play an active role in supporting the measures. Achieving this requires the adoption of a range of strategies for communicating security matters to staff and for engaging them in good security practice.

The handling of disaffection in the workplace should be seen by everyone as an important aspect of personnel security, although this is usually dealt with by line management or Human Resources. All staff should know how and to whom they can report concerns or grievances in a sympathetic and supportive environment.

It should also be possible for staff to raise specific security concerns they may have about colleagues, for instance by setting up confidential reporting lines.

Manipulation

Protecting an organisation's information is the responsibility of all staff, and to be fully effective it requires regular security training to help staff guard against attacks on information.

Sometimes deliberate attempts are made to acquire information or access by manipulating staff with a range of influencing techniques.

This is sometimes described as 'social engineering': creating situations in which someone will willingly provide access to information, sites or systems to someone unauthorised to receive it. Customer-facing personnel who have been trained to be helpful and informative (for example receptionists and IT helpdesk staff) can be particularly vulnerable to such attacks.

The techniques are often very simple, exploiting basic human tendencies such as the desire to return a favour or to help a colleague in need, but they can be used with damaging effect. Attackers may try to gain information piecemeal over a period of time, asking for small favours or gaining information through seemingly innocent conversation. Determined attackers prepare well, learning about a company's structure and language in advance. They might pretend to be a co-worker, a new employee or a delivery person. They might send emails with attachments containing malicious code or pretend to have lost their computer password.

Methods of defending against this sort of attack include the following:

  • provide specific training in detecting manipulative attempts to frontline and customer facing staff
  • warn all staff to be alert to anyone asking for sensitive or restricted information
  • be alert to an unknown enquirer who tries to extract information in a rush, with intimidation, emphasising authority or refusing to give contact details

Protective monitoring

IT systems should be protected with monitoring arrangements that alert an administrator to unauthorised access. Protective monitoring can range from the appointment of team supervisors to a technically sophisticated protective monitoring system. For instance, commercially available systems will automatically detect unusual patterns of information retrieval or the inclusion of proprietary information in external email messages.
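The two automated checks mentioned above, as an added example (not CPNI's code and not taken from any commercial product), run over constructed logs: the first flags a user whose document retrievals on one day far exceed their own baseline, the second flags outbound mail that carries a proprietary marker and has an external recipient. The log format, the internal domain, the thresholds and the marker strings are assumptions for the example; a real deployment would take them from the organisation's own systems and labelling scheme.

```python
# Added example (not CPNI's code, nor any commercial product's): two of the
# protective-monitoring checks the text mentions, run over constructed logs.
# The log format, internal domain, thresholds and markers are assumptions.
from collections import defaultdict
from statistics import median

# Constructed document-retrieval log: "YYYY-MM-DD user ACTION doc-id".
RETRIEVAL_LOG = """\
2009-10-19 alice GET DOC-001
2009-10-19 alice GET DOC-002
2009-10-20 alice GET DOC-003
2009-10-21 alice GET DOC-004
2009-10-21 alice GET DOC-005
2009-10-22 alice GET DOC-006
2009-10-23 alice GET DOC-007
2009-10-23 alice GET DOC-008
2009-10-23 alice GET DOC-009
2009-10-23 alice GET DOC-010
2009-10-23 alice GET DOC-011
2009-10-23 alice GET DOC-012
2009-10-23 alice GET DOC-013
2009-10-23 alice GET DOC-014
2009-10-23 alice GET DOC-015
2009-10-23 alice GET DOC-016
2009-10-20 bob GET DOC-020
2009-10-21 bob GET DOC-021
2009-10-22 bob GET DOC-022
2009-10-23 bob GET DOC-023
"""


def unusual_retrievals(log_text, factor=4, min_count=5):
    """Flag a user-day whose retrieval count exceeds both an absolute floor and
    a multiple of that user's own baseline (the median of their other days).
    The alert carries only who, when, how many and the baseline, nothing else."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        day, user, action, _doc = line.split()
        if action == "GET":
            per_user_day[user][day] += 1
    alerts = []
    for user, days in per_user_day.items():
        for day, count in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            baseline = median(others) if others else 0
            if count > max(min_count, factor * baseline):
                alerts.append((user, day, count, baseline))
    return alerts


# Constructed outbound mail records, as a hypothetical mail gateway might expose them.
INTERNAL_DOMAIN = "example.org"
MARKERS = ("PROPRIETARY", "COMMERCIAL IN CONFIDENCE")
OUTBOUND_MAIL = [
    {"from": "alice@example.org", "to": ["partner@example.net"],
     "body": "Agenda for Tuesday's meeting attached."},
    {"from": "bob@example.org", "to": ["bob.home@example.com"],
     "body": "PROPRIETARY - Q3 project costings, do not circulate."},
    {"from": "carol@example.org", "to": ["dave@example.org"],
     "body": "PROPRIETARY internal draft for review."},
]


def external_recipients(msg):
    """Recipients outside the organisation's own mail domain."""
    return [r for r in msg["to"] if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def marked_mail_leaving(messages):
    """Flag messages carrying a proprietary marker that have any external recipient."""
    alerts = []
    for m in messages:
        ext = external_recipients(m)
        if ext and any(marker in m["body"].upper() for marker in MARKERS):
            alerts.append((m["from"], ext))
    return alerts


if __name__ == "__main__":
    for user, day, count, baseline in unusual_retrievals(RETRIEVAL_LOG):
        print(f"{day}: {user} retrieved {count} documents (baseline {baseline})")
    for sender, ext in marked_mail_leaving(OUTBOUND_MAIL):
        print(f"marked mail from {sender} to external recipients {ext}")
```

Both checks record only the facts needed to act (user, date, count, sender and external recipients) rather than message contents or browsing detail, which keeps the monitoring focused on the concern it exists to address.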

Monitoring techniques that systematically record information about employees must be undertaken in accordance with the Data Protection Act Code of Practice: Monitoring Workers' Activities. While the Act does not generally prohibit monitoring, it does require employers to be able to justify the intrusion in terms of benefits to the employer or others. The Act also requires openness. Workers should be aware of the nature, extent and reasons for any monitoring unless, exceptionally, covert monitoring is justified.

The Information Commissioner's Office provides valuable guidance on the Act as it relates to monitoring. The following points are particularly important:

  • Be clear about the purpose of the protective monitoring and ensure that any monitoring solution actually achieves this purpose
  • Ensure that monitoring is focussed specifically on the people and concerns that you are trying to address
  • Consider which forms of monitoring would be most acceptable to your employees
  • If monitoring is used to enforce rules and standards, make sure that employees know what these are
  • The information collected through monitoring must be kept secure; poor handling of such information can seriously damage trust and the psychological contract between employers and employees
  • Communicate clearly to employees; make sure they understand the need for monitoring, the proportionate nature of the monitoring solution, and the fact that information collected is held securely.

Protective monitoring in the workplace is also governed by The Human Rights Act (1998), Regulation of Investigatory Powers Act (2000) and Lawful Business Practices Regulations.

Investigation

If cases of non-compliance with security rules are suspected, then these should be investigated. This can be a challenging task with the potential to cause frustration and distress within an organisation. How investigations are conducted will vary depending on whether the identity of the person committing the security breach is known. If the identity is not known then the investigation will need to encourage witnesses to come forward.

Investigations involve the collection of information and in some cases evidence (e.g. through interviews and computer forensics) and the subsequent analysis of that evidence. Important principles to consider when conducting an investigation are:

  • Many, if not most, apparent breaches have simple explanations. Where possible the employee should be given the opportunity to explain their actions
  • The matter should be dealt with promptly
  • Any evidence of a criminal offence should be reported to the police at the earliest opportunity
  • Where prosecution is a possibility, the collection of evidence should be governed by the legal requirements regarding the admissibility of information in court.
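As an added example of the last principle (not CPNI's code), the script below records the integrity and custody of a collected item of digital evidence: a cryptographic hash is taken at collection, every handover is logged with the hash recomputed at that moment, and the item can be shown to be unaltered, or not, at any later point. Hashing plus a custody log is one common forensic practice rather than anything the guidance prescribes; the item contents, names and timestamps are constructed.

```python
# Added example (not CPNI's code): recording the integrity and custody of a
# collected item of digital evidence so that it can later be shown to be
# unaltered. A cryptographic hash plus a custody log is one common practice;
# the item contents, names and times are constructed.
import hashlib
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    """A working copy of a collected artefact with its original hash and a
    custody log of every person who has handled it."""

    def __init__(self, label, content, collected_by, when):
        self.label = label
        self.content = content            # a forensic copy; the original is left untouched
        self.original_hash = sha256_hex(content)
        self.custody = [(when, collected_by, "collected", self.original_hash)]

    def handover(self, to_person, when):
        """Log a transfer, recomputing the hash at the moment of receipt.
        Returns True if the item still matches what was collected."""
        current = sha256_hex(self.content)
        self.custody.append((when, to_person, "received", current))
        return current == self.original_hash

    def verify(self):
        """True if the content still hashes to the value recorded at collection."""
        return sha256_hex(self.content) == self.original_hash

    def custody_report(self):
        """One line per custody event, suitable for attaching to the investigation file."""
        return [f"{when:%Y-%m-%d %H:%M} {who} {event} sha256={digest}"
                for when, who, event, digest in self.custody]


def demo():
    """Constructed walk-through: a clean handover, then a simulated alteration."""
    item = EvidenceItem("mailbox-export", b"constructed mailbox export bytes",
                        "investigator", datetime(2009, 10, 27, 9, 0))
    intact = item.handover("analyst", datetime(2009, 10, 27, 14, 30))
    item.content = b"constructed mailbox export bytes (edited)"   # simulated alteration
    broken = item.handover("auditor", datetime(2009, 10, 28, 10, 0))
    return intact, broken, item.custody_report()


if __name__ == "__main__":
    intact, broken, report = demo()
    print("first handover intact:", intact)
    print("second handover intact:", broken)
    print("\n".join(report))
```

Because each custody entry carries the hash observed at that moment, a later discrepancy can be narrowed to the interval in which it arose, which is the kind of record an investigator needs when the admissibility of the material is later examined.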

27/10/2009