Show me Evidence of your Insider Threat Program (ITP).
That is a question an aspiring Defence Industry Security Program (DISP) company will be asked. Then a Big 4 consulting firm will more than likely audit this element on your first or second anniversary.
Do you know that your Insider Threat Program will need to have on average 10-12 touchpoints with your AGSVA security cleared workforce every year? You should reasonably set aside at least 1 to 2 hours of administration per touchpoint.
Your Insider Threat Program will need to have 5 components: induction, Training, Awareness, Briefings and reporting (we have coined the term ‘iTABr’).
Those touchpoints could be as subtle as chasing up annual SPPs, or getting them access to a Learning Management System or bugging them to complete training. It could be producing or delivering training or briefing content. Maybe it is something as urgent and important as handling a security incident and reporting it to Defence within 24 hours. Then there are overseas briefings & debriefings, cyber briefings, ACSC briefings, ASIO Outreach briefings, separation briefings. Then there is the change of circumstances reporting, contact reporting and so on. Then there are the governance and DISP reporting activities relating to personnel security and ensuring it is up to date in your Security Register (SR). And then there is the liaising back-and-forth with the DS&VS and the AGSVA about security clearance holders and managing people risk with your Chief Security Officer.
That is a plateful. That is why weak security management is called out as a vulnerability in the Protective Security Policy Framework (PSPF): a poorly delivered program can put Australia, Australian Business and Australians in grave danger.
One option is to do it in-house. But what often happens is the Security Officer (SO) may be trained (5 hours vs 5 days of yesteryear) but not necessarily equipped. The role for that person may be a small one and quickly becomes a low priority as urgent tasks and demands bombard their desk. That is where weak security clearance management happens. When something does flare up, the expertise is not necessarily there, the responsiveness is not there, the right information at the right time for the CSO and/or SO to make informed decisions is not there. Everything becomes reactive. The workforce is rushed and pushed into knee-jerk actions. Annual Security Reporting (ASR) comes around too quickly and the DISP ASR is rushed, or worse. Compliance could be called into question. DISP membership is now in jeopardy. Your important Defence-related contract is vulnerable. Stress is everywhere. Even the CSO risks jail time.
From a benchmarking perspective, we see large enterprises with 600+ staff have a dedicated Chief Security Officer (CSO), Security Officer (SO) and at least one or two Assistant Security Officers (ASO). 600 people x 12 touchpoints x 1 hour = 7,200 hours = 4 FTE.
If you have fewer than 150 in your workforce, then working with a dedicated personnel security managed service partner and outsourcing many of the day-to-day frontline duties could make sense. You get instant access to personnel vetting capability via a DISP Member’s Insider Threat Management Centre. As you grow you don’t need to grow your internal security unit team considerably. Your existing CSO and SO get the information they need, as they need it and are never out of the loop. Reporting obligations for clearance subjects are taken care of and the organisation’s reporting needs are sorted.
Enter: the Cleard Plus Insider Threat Management Centre.
We are the first dedicated managed personnel security service provider in Australia. We have delivered PSPF-compliant security vetting services to the Commonwealth since 2010 and, due to DISP changes and being a DISP Member, we can now offer you a full personnel security life cycle to complement and/or enhance your Insider Threat Program.
As a DISP Member or aspiring DISP applicant, talk to us about your personnel security, security clearance or Trusted Insider Program needs. Ask about how our Cleard Plus program can work for you.
When you fill out your DISP Application form, the AE250, you will be asked about your personnel security business case:
How do you justify an Insider Threat Program?
Contact us today.
Email us on: firstname.lastname@example.org or call 02-6171-4171