Insider risks
There are information risks associated with people joining any corporate function – information risks that deserve to be identified, assessed, evaluated and treated appropriately like any other.
If your organisation currently pays little if any attention to these risks, how about developing and trialling a suitable strategy and approach for, say, the information risk and security management function, as a pilot or demonstrator for other corporate functions and rôles that place a high reliance on the personal integrity of their people?
Think about that for a moment: which functions depend heavily on personal integrity? What are the most trusted rôles? Where are the priorities? You may feel that this is primarily a concern for senior people and specific rôles such as financial controllers, IT system/network and security administrators … but that’s a narrow perspective. What about, for instance, your security guards and cleaners? Facilities management and maintenance engineers? Relationship managers? Sales people? Procurement pros? Isn’t this, in fact, an information risk broadly applicable to virtually every worker, essentially every possible source of ‘insider risk’?
OK, OK, I know HR routinely screens and background-checks new employees, but what about pseudo-employees such as temps, interns, contractors and consultants? Don't forget those 'strategy consultants' and 'brand advisors' brought in by the CEO after a jovial round of golf. It's probably worth exploring how the extent, nature and depth of background checks varies in proportion to the assessed risks (or not!). There's more to this than glancing at the person's certificates or calling a couple of former employers for references.
Oh, and then there are the auditors and pen-testers. Their credentials may be impeccable, but are you certain about the true identities and bona fides of those people in fine suits waiting impatiently in reception?
And that's not all. What about workers changing positions within the organisation (e.g. promotions), or leaving it? If the risks vary, so should the risk treatments.
ISO/IEC 27002 talks about 'joiners, movers and leavers'. Oh oh, better get busy!
Maybe this will help: three of our security awareness modules are now on sale for just $1 each. www.secaware.com/specials