Positive and visible Board level support for protective security is vital to demonstrate to staff the value placed on personnel and people security policies and procedures. As part of an overarching protective security strategy, strong security governance will:
- Deter employees who may wish to harm your organisation by creating an open and transparent organisational framework where security is actively promoted as the responsibility of all staff whilst providing appropriate resource and support in implementing a proportionate, multi-disciplinary approach to countering insider threats.
Strong security leadership, at all levels across your organisation will:
- Ensure consistency and clear lines of responsibility for the management of security risk
- Foster a multi-disciplinary approach to countering the insider threat
- Ensure proportionate and cost effective use of resources
- Provide essential management information for the purposes of security planning and people management
- Provide a strong example that both develops and underpins an effective security culture.
NPSA research has identified that a single accountable board level owner of security risk and a top-down implementation of security policies and expected behaviours is likely to promote a more compliant and consistent approach across your organisation.
Inadequate corporate governance structures and a lack of awareness of insider threat at a senior level can undermine effective security strategies and make it harder to detect, investigate and prevent insider activity.
Holistic Management of Employee Risk (HoMER)
Holistic Management of Employee Risk (HoMER) guidance is to help you manage the risk of employees' behaviour damaging your business.
The holistic use of targeted security measures and interventions (eg information, personnel and physical) will help you spot high-risk workplace behaviour and reduce the potential of employees carrying out malicious attacks.
This guidance is for board members and the managers of risk in your organisations. A Holistic Management of Employee Risk (HoMER) Executive Summary is also available.
Personnel Security Animations
NPSAs Personnel Security films are one-to-two minute, light-hearted animations, for people new to personnel security. The first three are aimed at managers, the next two are for all staff; and the last is for anyone making strategic decisions based on people-risk, such as HR, IT and security managers. Upload the films to your intranet or internal message boards or show them on management, security or induction training courses.
Communicating personnel security messages further explanations is also available.
Fly In The Ointment
Management responsibility for employee risk
This film illustrates how personnel security issues can damage an organization, its operations, reputation and profit. It gives the message that managers are responsible for dealing with staff security issues, should lead by example and take any necessary action to deal with such issues.
This film focusses on the link between insider activity and disgruntled employees, lifestyle vulnerabilities and poor organizational factors. Good managers are more likely to intervene before an insider act occurs.
One Small Step
Security measures needn't cost the Earth
Also focussing on the insider threat, this film shows managers that small, inexpensive changes to organizational culture can significantly improve the effectiveness of existing security measures.
Your Company Needs You
Who's responsible for security?
This film shows that everyone is responsible for security. It highlights some common physical, IT and personnel security weaknesses, and suggests seeking more information from your own security team.
People, People, People
You are your company's greatest asset
This film, also for all staff, tells the true story of a diamond thief, who used social engineering to undermine physical security measures. An employee's behaviour can strengthen or weaken security.
Proportionate response to risk
This film illustrates the importance of making proportionate risk management decisions by undertaking personnel security risk assessments.