Joint Security Awareness Council Dallas April 15, 2009. New Developments in Personnel Security Lynn F. Fischer Defense Personnel Security Research Center. PERSEREC Monterey California. Defense Personnel Security Research Center DoD research center
Joint Security Awareness Council, Dallas, April 15, 2009 • New Developments in Personnel Security • Lynn F. Fischer, Defense Personnel Security Research Center
PERSEREC, Monterey, California • Defense Personnel Security Research Center • DoD research center • To improve the effectiveness, efficiency, and fairness of the personnel security system • http://www.dhra.mil/perserec
Joint Suitability and Security Reform • Automating and streamlining the process for making suitability and clearance determinations • Lead agencies: DNI, USD(I), OPM • Impact on contractor community
Key features of the reform: • eApplication • eAdjudication for clean cases • Automated Record Checks • Expanded Focus Investigation • Enhanced Subject Interview • Replacement of Periodic Reinvestigation with Continuous Evaluation
Joint Reform Timelines • Phased implementation • eAdjudication of clean cases underway • eApplication, new generation of e-QIP • Automated Records Checks mid-2009 • Many reforms in place by end of 2010
Insider Threat Studies: A Continuing Focus by PERSEREC • Espionage trends and patterns • Changes in Espionage by Americans 1947-2007 • Allegiance in a Time of Globalization • Workplace Violence • Guidelines for Employers and Law Enforcement • The Threat to Critical Information Systems • Ten Tales of Betrayal
Observations from IT Insider Case Studies: Increased risk where… • personal stress and adverse social climate are present in the workplace • management does not respond to disgruntlement in a timely fashion • system administrators are permitted exclusive control without oversight • remote access privileges are not carefully controlled
Insider Risk Audit and Evaluation Tool • Sneak Preview of a new product • Adverse Insider Behavior • Common causes of adverse behavior • Common safeguards to mitigate risk • Management intervention and proactive policies to address risk • To be posted on the PERSEREC website
Functional Areas of Action to Mitigate Insider Risk • Recruitment • Pre-employment Screening • Policies and Regulations • Training and Education • Monitoring and Enforcement • Employee Intervention Planning
Insider Risk Multipliers • Cultural Factors • Political Factors • Economic Factors • Sector-Specific Forces • Organizational-Specific Forces
Pre-employment Screening • Verification of information on employment applications • Criminal background checks; online behavior • Credit reports and civil records • Testing for substance abuse • Psychological testing/honesty testing
Training and Education • Initial indoctrination: policies and practices of the organization • Clear information about what needs protection and about employee obligation • Non-disclosure agreements • Adversary awareness training • Reporting requirements
Monitoring and Enforcement • Track and record at-risk behaviors • Timely response to employee disgruntlement • Consistent enforcement of policies • Keeping reporting channels open and receptive
Employee Intervention Planning • Policies and practices for dealing with at-risk employees • Evaluation teams for employees facing negative personnel actions • Termination procedures to minimize the risk of recrimination and adverse behavior • Intensified monitoring of at-risk employees
Uses of this Tool • Evaluation and Audit • Development of Strategic Risk Mitigation Plan • Vulnerability Assessment • Training and Awareness