People are an organisation’s biggest asset; however, in some cases they can also pose an insider risk. As organisations implement increasingly sophisticated physical and cyber security measures to protect their assets from external threats, the recruitment of insiders becomes a more attractive option for those attempting to gain access.
CPNI defines an insider as a person who exploits, or has the intention to exploit, their legitimate access to an organisation’s assets for unauthorised purposes.
An insider could be a full-time or part-time employee, a contractor or even a business partner.
An insider could deliberately seek to join your organisation to conduct an insider act, or may be triggered to act at some point during their employment.
What is Personnel Security?
Personnel security is a system of policies and procedures which seeks to:
- Reduce the risk of recruiting staff who are likely to present a security concern
- Minimise the likelihood of existing employees becoming a security concern
- Reduce the risk of insider activity, protect the organisation’s assets and, where necessary, carry out investigations to resolve suspicions or provide evidence for disciplinary procedures
- Implement security measures in a way that is proportionate to the risk
Employees may also trigger security breaches inadvertently, through ignorance of the rules, or through deliberate non-compliance (for example, due to pressure of work). Our guidance is also relevant to mitigating these threats.
CPNI has developed a wide range of guidance and products across seven key areas to help organisations make informed decisions about the level of personnel security risk they manage. More information on these key areas is provided below.
Insider Risk Mitigation Framework
The Insider Risk Mitigation Framework is CPNI's recommendation for developing an Insider Threat programme which aims to reduce insider risk.
Implementing the framework will facilitate an objective review of security posture and allow measures to be updated or deployed in a risk-based manner.
This will ensure proportionate spending on any measures proposed and make the cost-benefit argument to support recommendations for security. It will also support organisational security development through the best use of insider risk mitigation methods to further mature a protective security stance.
Insider Data Collection Study
CPNI has reviewed and analysed cases of insider acts from the UK and overseas to understand how and why these events occurred, and what could have been done to prevent them. The Insider Data Collection Study report provides CPNI's main findings.
CPNI has used this data, and our relationship with the CNI, to test, refine and embed personnel security within protective security measures. The output from that learning has helped us develop effective strategies to assist you in reducing insider risk.
Personnel Security Maturity Model
We have developed a Personnel Security Maturity Model based on seven core elements of effective personnel security processes, as identified through our Insider Data Collection Study and our research and development programme. These are listed below, with links to more information for each element:
- A. Leadership and Governance
- B. Insider Risk Assessment
- C. Employment Screening
- D. Ongoing Personnel Security
- E. Monitoring and Assessment of Employees
- F. Investigation and Disciplinary Practices (Response)
- G. Security Culture and Behaviour Change
There is also an infographic on personnel security measures your organisation should consider.