Personnel Security Maturity Model - CPNI


Personnel Security Maturity Model
Guidance Booklet

The purpose

The Personnel Security Maturity Model is issued by the UK’s Centre for the Protection of National Infrastructure (CPNI) with the aim of providing a framework for organisations to assess their maturity in dealing with personnel security risks.

CPNI produces a wide range of tools and guidance covering various elements of personnel security (PerSec) practices and processes. These have grown organically as we have increased our understanding of insider acts and motivations over the last 10 years. Our PerSec Maturity Model provides a structured framework for the systematic, and therefore more effective, implementation of PerSec mitigations.

Our aim is to use the PerSec Maturity Model to assess and baseline an organisation’s current level of PerSec maturity from the information provided by the organisation (the maturity questionnaire), together with any additional evidence collected by the CPNI PerSec adviser in the course of their interaction with the organisation. The assessment will be compared with the maturity level that the organisation wishes to achieve, which may be directed by the lead government department or regulator.

Why use it?

Maturity Models are used in a number of industries to allow an organisation to assess their methods and processes according to best practice.

The CPNI PerSec Maturity Model has been designed to specifically assess an organisation’s personnel security maturity. This is a key factor, in addition to physical and cyber security measures, in strengthening an organisation’s resilience to insider and wider external security threats.

The model is based on comprehensive and robust research into insider acts[1], as well as extensive CPNI experience in PerSec mitigations (research and development programmes and close working with the CNI and overseas partners to test, refine and embed PerSec initiatives).

The benefits of using the CPNI model are:
1. A starting point for developing a measurable PerSec improvement programme using the CPNI tools and guidance which are appropriate to the organisation’s current level of PerSec maturity.
2. A common and consistent benchmark for PerSec performance across the Critical National Infrastructure (CNI), which will enable individual organisations to compare themselves with the rest of their sector, and the wider CNI community.

The assessment will be used by CPNI to:
1. Target the use of existing PerSec advice, tools and guidance more effectively across the CNI.
2. Inform the development of PerSec improvement plans with organisations and CNI sectors.
3. Prioritise the development of new guidance and tools.
4. Track improvements in CNI sector-wide PerSec management practices.

[1] See CPNI Insider Data Collection Study – report of main findings, available at www.cpni.gov.uk/personnel-and-people-security

How does it work?

The CPNI PerSec Maturity Model is based on seven core elements of effective PerSec processes, as identified through our insider data study and Research & Development programme:
- Governance and Leadership
- Insider Risk Assessment
- Pre-Employment Screening
- Ongoing Personnel Security
- Monitoring and Assessment of Workers
- Investigation and Disciplinary Practices (Response)
- Security Culture and Behaviour Change

Annex A offers a detailed overview of these core elements.

How we assess your security

The core elements are evaluated against the six levels of PerSec maturity: Innocent, Aware, Developing, Competent, Effective and Excellent. Annex B offers a detailed overview of these levels.

Key areas

The maturity questionnaire seeks evidence across four key areas and will be marked with the following icons to help you recognise what area of PerSec is being assessed, in order to better focus your response on these areas:
- EXISTENCE of PerSec policies, processes and procedures
- IMPLEMENTATION of the PerSec mitigations
- CONSISTENCY of the PerSec measures in place
- EFFECTIVENESS of the PerSec policies and processes that are in place

Using the questionnaire

When you are at the stage to participate in the maturity assessment it may be helpful to consider the following:
- The questionnaire is the primary evidence for assessing the level of maturity.
- Identify a main point of contact within the organisation to work with CPNI.
- CPNI Advisers may require follow up discussions to clarify, or seek additional information, to ensure a full and accurate assessment is made. The CPNI assessment will be internally quality assured to ensure commonality of benchmarking within and across CNI sectors.
- Where applicable, provide examples or evidence in support of the responses.
- The assessment is based on the responses provided by the organisation. It is important to ensure that answers are as comprehensive as possible.

The results of the assessment can then be used to:
- Have an informed discussion about the level of maturity the organisation wants to achieve (or maintain); and
- Develop (in conjunction with their CPNI adviser) a PerSec improvement plan, which could involve attendance on CPNI run courses, briefing and awareness raising sessions, bespoke training and implementation of specific CPNI tools.

Access to the questionnaire

For access to the PerSec maturity questionnaire please contact your CPNI Adviser or email enquiries@cpni.gov.uk.

Maturity assessment questionnaire

The questionnaire is made up of the following seven sections:

1. Governance and Leadership
This set of questions assesses the level of corporate governance relating to PerSec, the level of engagement and commitment from the Board to PerSec, the reporting mechanisms up to the Board on PerSec, and resourcing for PerSec from the Board outwards across the organisation.

Example Questions:
- EXISTENCE: Who has responsibility for managing your organisation’s people risk?
- IMPLEMENTATION: Is PerSec a standing agenda item at board level meetings?
- CONSISTENCY: How are your PerSec policies integrated into your wider business?
- EFFECTIVENESS: How do you review your PerSec policies (e.g. after an incident, as part of an annual risk review)?

2. Insider Risk Assessment and Management
This set of questions assesses your insider risk process, the way in which insider risk is integrated into other organisational processes, and the process for recording and reviewing insider risk decisions.

3. Pre-Employment Screening (PES)
This set of questions considers the policies and processes relating to Pre-Employment Screening within the organisation (employees and contractors), the competency of the people involved in the screening process, and the central recording of screening decisions and the ability to review them as necessary.

4. Ongoing Personnel Security
This set of questions considers the policies, processes and procedures relating to PerSec and how consistently they are applied across the organisation, the competency of line management to apply the policies, the understanding and commitment of workers to the policies, and the process for reviewing personnel policy including exit procedures.

5. Monitoring and Assessment of Workers
This set of questions explores the effectiveness of monitoring processes, awareness of security procedures, reporting lines for workplace behaviours of concern, and auditing arrangements and review of processes. This section considers all workers, whether they are contractors, consultants, part time, full time or temporary.

6. Investigation and Disciplinary Practices (Response)
This set of questions assesses the policies and procedures relating to investigating workplace behaviours of concern and the arrangements relating to security incident response, reporting mechanisms and analysis of incidents.

7. Security Culture and Behaviour Change
This set of questions considers the level of defined security culture across the organisation, workers’ awareness, understanding of and engagement in PerSec, and the ability of an organisation to respond and initiate change where required.

Annex A
CPNI definition of the Maturity Model core elements

Governance and Leadership

Positive and visible Board level support for protective security is vital to demonstrate to workers the value placed on personnel and people security policies and procedures.

As part of an overarching protective security strategy, strong security leadership, at all levels across your organisation, will:
- Ensure consistency and clear lines of responsibility for the management of security risk.
- Foster a multi-disciplinary approach to countering the insider threat.
- Ensure proportionate and cost effective use of resources.
- Provide essential management information for the purposes of security planning and people management.
- Provide a strong example that both develops and underpins an effective security culture.

CPNI research has identified that a single accountable Board level owner of security risk and a top-down implementation of security policies and expected behaviours are likely to promote a more compliant and consistent security regime in your organisation.

Inadequate corporate governance structures and a lack of awareness of insider threat at a senior level can undermine effective security strategies and make it harder to detect, investigate and prevent insider activity.

Insider Risk Assessment

Understanding what security risks your organisation faces is essential for developing appropriate and proportionate security mitigation measures.

There are a range of risk assessment models available, which all follow the same principles:
1. Identify critical assets and systems in your organisation.
2. Categorise and classify assets in relation to their level of criticality in supporting your business.
3. Identify threats (based on the intent and capability of those who could carry out the threat).
4. Assess the likelihood of the threat occurring and the impact should the threat transpire.
5. Build a risk register to ensure all data gathered is recorded.
6. The strategy of mitigating risks and reviewing the existing countermeasures.
7. Development and implementation of new proportionate measures to reduce security risks.
8. An iterative process of regularly reviewing risks.

If you are carrying out a security risk assessment it is important that the results are factored into your wider corporate risk register.

Next steps

The risks that have been identified are then used to inform the security mitigations you implement.

Carrying out a security risk assessment is crucial in helping security managers audit, and communicate to the executive Board, the security risks to which the organisation is exposed.

CPNI has developed a risk assessment model to help organisations centre on the insider threat. The process focuses on workers (their job roles), their access to their organisation’s critical assets, the risks that the job role poses to the organisation, and the sufficiency of the existing countermeasures.

Working through the CPNI insider risk assessment model will help organisations to:
- Conduct security risk assessments in a robust and transparent way.
- Prioritise the insider risk to an organisation.
- Evaluate the existing countermeasures and identify appropriate new measures to mitigate the risks.
- Allocate security resources (personnel, physical or cyber) in a way which is cost effective and proportionate to the risk posed.

Pre-Employment Screening

Pre-Employment Screening comprises the procedures involved in deciding an individual’s suitability to hold employment in a given job role.

This is not limited to ‘new joiners’, but also individuals who are moving between job roles within an organisation. A suitable level of screening should be applied to all individuals who are provided with access to organisational assets, including permanent, temporary and contract workers.

Robust Pre-Employment Screening policies and procedures are essential in organisations meeting their legal obligations and setting a foundation for a safe and secure workplace.

Appropriate screening measures help to provide cost effective and legally compliant assurance that only the right people, in the right job roles, are working within your organisation.

The application of screening measures will vary across organisations and across job roles. Basing screening decisions on thorough security risk assessments will ensure that any measures adopted will be proportionate to the risks and make best use of valuable resources.

As part of an overarching protective security strategy the appropriate application of PES will:
- Deter applicants who may wish to harm your organisation from applying for employment.
- Detect individuals with intent to harm your organisation at the recruitment or application phase.
- Deny employment to individuals intending to harm your organisation, and deny employment in roles for which the applicant is unsuitable.

Ongoing Personnel Security

While Pre-Employment Screening helps ensure that an organisation recruits trustworthy individuals, people and their circumstances and attitudes change, either gradually or in response to events.

CPNI’s Insider Data Collection Study identified:
- 75% of the insider acts were carried out by workers who had no malicious intent when joining the organisation, but whose loyalties changed after recruitment.
- In many circumstances the worker undertaking the insider act had been in their organisation for some years prior to undertaking the activity and exploited their access opportunistically.

CPNI’s collection of ongoing PerSec guidance and tools can be used to help an organisation develop and plan effective practices for countering the insider threat and maintaining a motivated, engaged and productive workforce.

The application of good ongoing PerSec principles adds huge value to physical and technical security measures in a cost effective manner, promoting good leadership and management and maximising people as part of the security solution.

Monitoring and Assessment

CPNI’s Insider Data Collection Study indicated that some organisations had not made regular or systematic use of their own technical or financial auditing functions to spot irregularities or unusual workplace behaviours.

In other organisations, counterproductive workplace behaviours were known in one part of the organisation, but this was not shared with other sections, resulting in delays in the organisation taking mitigating actions to reduce the risk and allowing insiders to act in the first place or, for some, to continue their activity without detection for longer than necessary.

CPNI advocates a holistic approach to protective monitoring where information about workers’ risks (physical, electronic audit and personnel data) is brought together under a single point of accountability and governance, to ensure a transparent, legal, ethical and proportionate protective monitoring capability.

Targeting security measures (information, personnel and physical) and interventions will help you spot high-risk workplace behaviours.

Investigation and Disciplinary

Many organisations will at some point need to carry out some kind of internal investigation into a member of staff.

The primary duty for an investigator is to establish the true facts, whilst adhering to appropriate HR policy and employment laws. Organisations can react disproportionately to accusations, which can lead to costly employment tribunals or an unhappy and disaffected workforce. Conversely, organisations which fail to take any appropriate investigative and subsequent disciplinary action can create a culture where staff actively disregard security policies and processes.

With correct procedures in place, workers who understand policies and regulations, and competently trained investigative staff, your organisation is better equipped to avoid these pitfalls and maintain trust.

In addition to investigating an insider act your organisation needs to have a risk management process in place which manages the consequences of the act, and a process in place that helps you:
1. Identify and analyse the root cause of the incident.
2. Identify the appropriate disciplinary actions or interventions that need to be undertaken.
3. Assess the effectiveness of current control measures in place.
4. Identify gaps in practice and develop more effective control measures.

These processes help your organisation learn from the incident and put in place measures to prevent the incident from occurring again.

Security Culture and Behaviour Change

A good security culture in your organisation is an essential component of a protective security regime and helps to mitigate against insider threats and external people threats (such as hostile reconnaissance).

Security culture is the set of values, shared by everyone in an organisation, which determine how people are expected to think about and approach security, and is essential to the protective security regime as a whole.

The benefits of an effective security culture include:
- Workers are engaged with, and take responsibility for, security issues.
- Levels of compliance with all protective security measures increase, achieving best value in personnel, physical and technical security measures.
- The risk of security incidents and breaches is reduced by encouraging workers to think and act in more security conscious ways.
- Workers are more likely to report behaviours/activities of concern.

Annex B
CPNI PerSec Maturity Model overview

Level 0: Innocent
Current behaviours: Organisation is functioning at the most basic level. There are no formal PerSec policies, training or procedures. Senior Managers are unconcerned of the risks posed by people and have made no attempt to engage with CPNI. The organisation is at very high risk from operational, financial and reputational damage due to PerSec threats.

Level 1: Aware
Current behaviours: PerSec is defined in basic terms of technical or procedural solutions to meet UK employment legislation or regulation. No standardised threat mitigation processes, training or policy. No senior, board level, member of staff has been given responsibility for PerSec. The organisation is at high risk from operational, financial and reputational damage due to PerSec threats.

Level 2: Developing
Current behaviours: PerSec is seen as a business risk, given management time and effort put into reducing security incidents. Security is still defined in terms of adherence to rules, procedures and technical controls; however, there is an acknowledged approach using standardised templates. Security performance is measured in terms of lagging indicators (number of breaches, alarms). The organisation is at medium high risk from operational, financial and reputational damage due to PerSec threats.

Level 3: Competent
Current behaviours: There is an organisation wide, consistent approach to security with defined processes in place. The organisation recognises that the involvement of front line workers in security is critical. Managers recognise that a wide range of factors influence security and that root causes can originate from management decisions. Significant numbers of front line workers are willing to work with management to improve security. The organisation is at medium risk from operational, financial and reputational damage from PerSec threats.

Level 4: Effective
Current behaviours: The Executive board recognises that security is important from a moral and economic point of view, and can provide business advantage. Governance arrangements are as concerned with monitoring and influencing precursor indicators as with lagging indicators. The majority of workers accept the need for personal responsibility towards security. The importance of all workers feeling valued and treated fairly is recognised. The organisation puts significant effort into proactive measures to prevent security incidents. Security performance is actively monitored, and statistics collected and analysed. The organisation is at medium low risk from operational, financial or reputational damage from PerSec threats.

Level 5: Excellent
Current behaviours: The prevention of PerSec incidents is a core company value, and a board level member of staff has overall responsibility for PerSec. Security is part of “business as usual”. The organisation recognises that the next threat is just around the corner and the PerSec risk assessment is reviewed at least once a year. It uses a range of indicators to monitor performance, not just those which are performance driven. The organisation has confidence in its security processes and is constantly striving to find better and innovative ways of improving security control. All workers accept personal responsibility for security. The organisation is at low risk from operational, financial and reputational damage due to PerSec threats.

Annex C
THRC PerSec definitions

Levels of Vulnerability

For Lead Government Departments and the relevant CNI, the Threats, Hazards, Resilience and Contingencies (THRC)[1] definitions of PerSec vulnerability are aligned to the CPNI maturity levels.

The following scale shows the level of vulnerability, the THRC sector-wide definition and the related maturity level. It is important to bear in mind that these definitions relate to the general state of the CNI sector rather than individual organisations.

HIGH (Levels 0 & 1: Innocent, Aware)
A lack of appropriate processes, arrangements or awareness and concern about people risk; operating only at the minimum required level for compliance.

MEDIUM HIGH (Level 2: Developing)
People risk seen as a business risk and resources allocated to reducing security incidents; security defined by adherence to rules and technical controls.

MEDIUM (Level 3: Competent)
Consistent approach within the sector to security, recognition of the variety of factors that influence security, solutions that involve managers and workers as part of the delivery mechanism.

MEDIUM LOW (Level 4: Effective)
Significant effort put into proactive measures to prevent security incidents, security performance actively monitored; workers accept the need for personal responsibility towards security.

LOW (Level 5: Excellent)
Prevention of PerSec incidents seen as a core value within the sector; has confidence in its security processes and is constantly striving to find better and innovative ways of improving security control.

[1] For more information on the National Resilience Capabilities Programme that THRC sits under please see mergencies-the-capabilities-programme.

CPNI produces a wide range of tools and guidance covering various elements of recommended PerSec practices and processes. These have grown organically as our understanding of insider acts, motivations and potential mitigations has developed over the last 10 years. The Maturity Model provides a structured framework for the systematic, and therefore more effective, implementation of an insider risk mitigation programme.

Disclaimer

The information contained in this document is accurate as at the date it was created. It is intended as general guidance only and you should not rely on it. This information should be adapted for use in the specific circumstances required and you should seek specialist independent professional advice where appropriate before taking any action based on it. To the fullest extent permitted by law, CPNI accept no liability whatsoever for any loss or damage incurred or arising as a result of any error or omission in the guidance or arising from any person acting, relying upon or otherwise using the guidance. Full terms and conditions governing the use of this guidance are available on our website at www.cpni.gov.uk.

Freedom of Information Act (FOIA)

This information is supplied in confidence to the named reader and may not be disclosed further without prior approval from CPNI. This information is exempt from disclosure under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.

Crown Copyright
