
Tuesday 1 June 2010

Personnel Security - Something we should all be paying a lot of attention to!


Personnel security is everything involving employees: recruiting them (also known as pre-employment screening), training them, monitoring their behaviour, and sometimes handling their departure. Personnel security relies on a system of policies and procedures to reduce the potential security risk.

In these modern times, organisations are not only at risk from external threats; there is also a very significant threat from the insider. An insider is classed by the CPNI (part of the security services) as 'someone who exploits or has the intention to exploit their access to an organisation's assets'. This could result in a number of different scenarios, including fraud, an employee who sells your company data to a competitor, or an employee who is feeding information to a terrorist organisation.


Personnel security is an area that many 'security professionals' think they understand, but in my experience actually don't. There are elements of personnel security which are managed by non-security departments, for instance pre-employment screening by HR, or it may even be outsourced to a 3rd party provider. If this is the case, I recommend carrying out some of your own checks to see if they are doing what you think and expect they should be doing.

I am lucky enough to receive training from some world class experts in this area, but the level of understanding is very different from organisation to organisation. The strategic objectives for personnel security are the same for everyone, but in a private sector environment I believe it is a little more difficult. For example, government departments have a security policy framework (SPF) which includes 70 mandatory controls (supported by various baseline standards) which must be adhered to (along with an annual declaration of adherence). The private sector has not got this level of hierarchical governance, but of course there is no reason why at a local level you can’t have a similar assurance process. I would recommend any security professional obtain a copy of the SPF, which is publicly available here. It is a useful document which I refer to regularly.

The insider threat has seen a dramatic increase in the UK in recent years, and one contributing factor to this is the advances in physical and electronic security. In order to gain access to an organisation, it is now considered easier to infiltrate it with the co-operation of an insider. The current financial crisis has also increased the likelihood of the insider threat, as staff who would normally not be tempted into exploiting their 'privileged position' may be willing to do so (e.g. for personal gain, or they may be disgruntled for not receiving their bonus etc). It is important to note that the vast majority of employees are genuine, but with a robust personnel security process in operation the potential insider threat is reduced and you will ensure insiders are detected quickly and efficiently.

My top 10 recommendations are:

1. Assess Personnel Security Risks and include these on your risk registers
2. Have a helpline in place for employees to confidentially report concerns
3. Know the source of employment references
4. Confirm employee has the Right to Work in the UK (a legal requirement)
5. Carry out qualification checks and check physical certificates where possible
6. Where possible complete the 'pre-employment screening' process prior to start date
7. Promote a positive security culture
8. Advise potential employees of the level of checks you use; this may deter potential insiders from joining the organisation
9. Transparency - have clear policies and procedures in place
10. Audit - to provide assurance that the systems are effective

In future blogs I intend to provide some more details on each of the individual personnel security subjects, which will hopefully help you going forward.


Team Chatback