
SecAware materials


~2-page information security policy template concerning insider threats.


Information risks involving insider threats (i.e. workers who threaten to harm the organisation by exploiting or using information, IT systems etc.) should be managed in the usual manner, i.e. identified, evaluated and treated appropriately.


'Risk treatment' for insider threats involves addressing joiners, movers and leavers, plus management oversight and vigilance to pick up on issues at the earliest opportunity.


This is a sensitive policy matter since most insiders are valuable assets and may naturally resent any implication that some constitute threats.  However, ignoring the issue or pretending it is not a problem won't make it go away.  This is a blind spot for many organisations, at least those who have yet to experience a serious insider incident (such as fraud or theft of intellectual property) and the shockwaves that follow.


The policy is brief and matter-of-fact, firing a warning shot across the bow of any disaffected, unethical workers contemplating "getting back at" or "taking advantage of" the organisation.


The template specifically defines and uses the term "worker" to include those on the organisation's payroll (staff and management, remember) plus others who work for and are to some extent under the control of the organisation but are employed and paid by third parties (e.g. contractors) or self-employed (e.g. lone consultants). Their internal knowledge and access present opportunities for wrongdoing that outsiders lack.


The policy on outsider threats naturally complements this one.


Supplied as an MS Word document, readily customised for your organisation's specific situation.

Insider threats (HR) policy
