Step 2 of 5 to Quantifying Insider Risk

by Mike Tierney | Feb 05, 2017

Adjust your Hiring Process to Address Insider Risk

Insider risk begins the moment you grant access.

On an employee’s first day, present them with a Confidentiality & Intellectual Property Agreement (CIPA). The agreement is designed to put a number of insider risk controls in place:

  1. Define Confidential Information – The new employee should understand which categories of information constitute confidential data and the organization’s intellectual property. By stating what it considers confidential, the organization ensures the new employee begins work aware of its intent to protect that information. The definition should be specific; IT and Security staff should help define which kinds of information are sensitive.
  2. Convey Confidentiality Requirements – Detail which actions are and are not appropriate when handling confidential information. Describing how the organization expects an employee to conduct themselves when working with, or coming into contact with, confidential information further conveys its strong stance on protecting that information. Legal and Security staff can advise on which actions are inappropriate so that employees understand the limits on their use of the data.
  3. Communicate Expected Behavior – Emphasize that the employee should err on the side of confidentiality. By establishing expected behavior, the organization makes certain the employee has a clear picture of how it expects confidential data to be treated.
  4. Inform of Need to Return or Destroy – The employee should understand that all data subject to the CIPA, or otherwise owned by the organization, must be returned or destroyed when their employment ends.

This CIPA should be presented to every employee regardless of position, title, or level of perceived access to sensitive information. The goal of the CIPA is to level-set every employee on how the organization seeks to safeguard its confidential information and on the employee’s role in helping maintain that protection. This is commonly, but not universally, done. If you were asked to sign one when you started, you can feel good that your organization has addressed one of the most basic building blocks of an effective insider threat program.

Making the CIPA Understandable

Because the CIPA is a legally binding document given to people whose only experience with contracts is often a mortgage, a rental lease, or a car loan agreement, it is important to write it in language as close to plain English as possible. Clear, everyday language makes the document more effective as a deterrent, spelling out exactly what the organization defines as confidential and what it expects of an employee.

It’s equally important to spell out those expectations in full rather than defaulting to brevity. For example, if the CIPA states that “all company data and assets must be returned”, does that mean an employee can forward a copy of an email they have and keep the original? Of course not. So in this instance the CIPA needs language such as “return and destroy”, spelling out that an employee (or contractor) is to retain no physical or digital copies of any company data, email, or other information.