Tuesday, February 12, 2013

Aggressive Anti-Insider Threat Programs for The Rest of Us

Engage your company with the aggressive insider threat countermeasures that the government and its contractors apply to ensure a good security program. One of the best applications is the continuous evaluation program used by cleared contractors and their cleared employees.

Though applied to those with government security clearances, it can be adopted to benefit other enterprises as well. Of course you will have to consider legal guidance and protection of personal information.

Here’s how it works in the defense contractor community.  An employer determines an employee requires a security clearance based on a defense contract requirement. Once the contractor submits a security clearance request, the employee is subject to a rigorous background investigation and adjudication process. If results are favorable, the employee is granted a security clearance.

So, why not continue this process through the cleared employee’s employment?

Responsibilities don’t stop with granted access. These now cleared employees are given a periodic review every 5 to 15 years depending on clearance level. During the periodic review, the investigation and adjudication process is repeated.

Throughout their employment, cleared employees are required to report any information that could lead to a determination that the cleared employees involved might become a security risk. This is called adverse information reporting. Cleared employees are required to report adverse information on themselves and other cleared employees. Failure to report could be discovered during the review.

Why the drastic measures?

You might recall news articles about captured spies. Many were enterprise employees who provided unauthorized information to unauthorized persons. Experience demonstrates that these employees had displayed signs and habits related to their intent. Extra time at the copy machines, unauthorized collection of data on storage devices, taking work home, emailing sensitive information, and so on provided indicators of malicious intent. These days, it should be well understood in the National Industrial Security Program (NISP) community that employees help monitor insider threat.

The NISP has tied such reporting to job performance and future employment (think report or perish). To be successful, FSOs provide NISPOM-based programs with well-trained, knowledgeable and dedicated employees. This plan will help curb insider threat.

Continuous evaluation involves identifying reportable information. So, why not apply a degree of continuous evaluation to address any behaviors that would identify employee security risks or insider threats? If your company performs sensitive work, you are already aware of risks to product, proprietary information, trade secrets, personal information, and so on.
So, why go through the excruciating work of identifying classified, sensitive, proprietary, intellectual data or other information, only to be unable to control what employees do with it?

How does reporting help?

Reportable information involves a long list of events that may be way too involved to memorize. That’s where your NISPOM training comes in. It’s not so important to be able to recite the reportable incidents as it is to understand what is reported. In other words, the impact of adverse information matters more than the laundry list of reportable items.

The best approach is to explain the impact that spies have had. Many cleared employees had observed reportable behavior and failed to report it. The failure to report cost lives and programs and damaged national security.

What’s the best method for instituting a reporting program?

Break down the long list of events into bite-size portions or categories, and define the impact on the enterprise and national security of failing to report the adverse information.

As an example, you will not see an exhaustive list of the reportable information in this article. However, I can relay to you that continuous evaluation involves identifying reportable information. Though you might not have employees with security clearances, you’ve hopefully instituted background checks. These checks typically look into:

  • Credit
  • Education
  • Past jobs
  • References
  • Criminal records

Many sources are used to get a clear 360-degree understanding of the person that the company is hiring. So, why not apply a degree of continuous observation to address any behaviors that would identify a risky employee? If your company performs sensitive work, you are already aware of risks to product, proprietary information, trade secrets, personal information, and so on. The following is a list of events you might adopt into your continuous observation criteria:

  • Corporate espionage
  • Theft
  • Sabotage
  • Sexual harassment
  • Drug and alcohol abuse
  • Employee relations

Some reporting requires a great deal of personal integrity because subjects are co-workers, friends or personal violation issues justifying security violations.

The point is that the greatest risk to proprietary information and product comes from within the organization. Yes, trusted and vetted employees pose a significant risk. The cloak and dagger image of spies is just a small portion.
Since this is the greatest threat, why not take time to develop a program to ensure employees continue to demonstrate the ethical and legal activity that ensured their employment in the first place? Identify what needs to be protected, enforce clearance and need-to-know, and foster a healthy reporting environment. If not, an employee could volunteer, be pressured or coerced to steal data or items.

For more information on the NISPOM and related security matters, see DoD Clearances and Contracts Guidebook. Many of the lessons can be applied at non-DoD enterprises.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.
