Joint Security Awareness Council Dallas April 15, 2009

1. Joint Security Awareness CouncilDallasApril 15, 2009 New Developments in Personnel Security Lynn F. Fischer Defense Personnel Security Research Center

2. PERSERECMonterey California • Defense Personnel Security Research Center • DoD research center • To improve the effectiveness, efficiency, and fairness of the personnel security system http://www.dhra.mil/perserec

3. Joint Suitability and Security Reform • Automating and streamlining the process for making suitability and clearance determinations • Lead agencies: DNI, USD(I), OPM • Impact on contractor community

4. Key features of the reform: • eApplication • eAdjudication for clean cases • Automated Record Checks • Expanded Focus Investigation • Enhanced Subject Interview • Replacement of Periodic Reinvestigation with Continuous Evaluation

5. Joint Reform Timelines • Phased implementation • eAdjudication of clean cases underway • eApplication, new generation of e-QIP • Automated Records Checks mid-2009 • Many reforms in place by end of 2010

6. Insider Threat Studies A Continuing focus by PERSEREC • Espionage trends and patterns • Changes in Espionage by Americans 1947-2007 • Allegiance in a Time of Globalization • Workplace Violence • Guidelines for Employers and Law Enforcement • The Threat to Critical Information Systems • Ten Tales of Betrayal

7. Observations from IT Insider Case Studies: Increased risk where… • personal stress and adverse social climate are present in the workplace • management does not respond to disgruntlement in a timely fashion • system administrators are permitted exclusive control without oversight • Remote access privileges are not carefully controlled

8. Insider Risk Audit and Evaluation Tool • Sneak Preview of a new product • Adverse Insider Behavior • Common causes of adverse behavior • Common safeguards to mitigate risk • Management intervention and proactive policies to address risk • To be posted on the PERSEREC website

9. Functional Areas of Action to Mitigate Insider Risk • Recruitment • Pre-employment Screening • Policies and Regulations • Training and Education • Monitoring and Enforcement • Employee Intervention Planning

10. Insider Risk Multipliers • Cultural Factors • Political Factors • Economic Factors • Sector-Specific Forces • Organizational-Specific Forces

11. Pre-employment Screening • Verification of information on employment applications • Criminal background checks; online behavior • Credit reports and civil records • Testing for substance abuse • Psychological testing/honesty testing

12. Training and Education • Initial indoctrination: policies and practices of the organization • Clear information about what needs protection of employee obligation • Non-disclosure agreements • Adversary awareness training • Reporting requirements

13. Monitoring and Enforcement • Track and record at-risk behaviors • Timely response to employee disgruntlement • Consistent enforcement of policies • Keeping reporting channels open and receptive

14. Employee Intervention Planning • Policies and practices for dealing with at-risk employees • Evaluation teams for employees facing negative personnel actions • Termination procedures to minimize the risk of recrimination and adverse behavior • Intensified monitoring of at-risk employees

15. Uses of this Tool • Evaluation and Audit • Development of Strategic Risk Mitigation Plan • Vulnerability Assessment • Training and Awareness

16. Questions and comments?