~2-page information security policy template concerning insider threats.
Information risks involving insider threats (i.e. workers who threaten to harm the organisation by exploiting or misusing information, IT systems etc.) should be managed in the usual manner, i.e. identified, evaluated and treated appropriately.
'Risk treatment' for insider threats involves addressing joiners, movers and leavers, plus management oversight and vigilance to pick up on issues at the earliest opportunity.
This is a sensitive policy matter since most insiders are valuable assets and may naturally resent any implication that some constitute threats. However, ignoring the issue or pretending it is not a problem won't make it go away. This is a blind spot for many organisations, at least those who have yet to experience a serious insider incident (such as fraud or theft of intellectual property) and the shockwaves that follow.
The policy is brief and matter-of-fact, firing a warning shot across the bow of any disaffected, unethical workers contemplating "getting back at" or "taking advantage of" the organisation.
The template specifically defines and uses the term "worker" to include those on the organisation's payroll (staff and management, remember) plus others who work for and are to some extent under the control of the organisation but are employed and paid by third parties (e.g. contractors) or are self-employed (e.g. lone consultants). Their internal knowledge and access present opportunities for wrongdoing that outsiders lack.
The policy on outsider threats naturally complements this one.
Supplied as an MS Word document, readily customised for your organisation's specific situation.
Insider threats (HR) policy
Information security policy template on insider threats
See also the policies on:
- Threat intelligence
- Information governance
- Information ownership
- Information risk management
- Division of responsibilities
- Social engineering
- Responsible disclosure
- Information security architecture and design
- IT systems development and acquisition
- IT systems implementation
- Identification and authentication
- Access control
- Change and configuration management
- IT auditing