How agencies can tighten personnel security
- By Aarti Smith
- Mar 23, 2015
Personnel security is fairly intuitive; it’s the system of policies and procedures that manage the risk of staff exploiting, or intending to exploit, their access to assets or premises for unauthorized purposes.
However, when we look at this topic from a government perspective, we discover that it is so much more than that. A personnel security system should not only be designed to ensure that employees are safe, but also to protect the organization from the actions of its employees. While it is arguably the most critical aspect of information security, few agencies are asking if their personnel security systems are designed to prevent a future tragedy or a leak of confidential or classified information.
Personnel security systems certainly collect data on potential job candidates to weed out anyone who shouldn’t be offered employment or a contractor position. But what happens post-employment? Are these systems designed to watch over the health of an agency’s personnel? Is the system smart enough to detect an employee or contractor about to go “rogue”? Does it include the intelligence to foresee or prevent the next Navy Yard incident, the next Fort Meade tragedy, or the next Snowden? That is the question that all federal agencies should be asking themselves. If the answer to that question is “no,” then there is much work to be done.
Today, personnel security systems collect all kinds of information on a candidate: home addresses, education, past employment, marital status, children, friends, foreign travel, financial stability, police records and much more going back 10 years. But what happens once a candidate is cleared for access to an agency’s premises or IT systems? Personnel security systems need to ensure the continued stability of their personnel. One way to do that is by integrating agency personnel security systems with other data systems, such as local law enforcement, mental health databases or FBI data systems. Also, personnel managers need a way to watch activity between security clearance reinvestigations that only come up every five or 10 years. So many vulnerabilities exist that many personnel security systems are not capturing – or perhaps don’t even know to capture – relevant data.
Despite decades of paper case files and manual implementation of business processes, government agencies now have many options to help improve and strengthen their personnel security. Not only can agencies take advantage of the latest technologies, but these technologies can be leveraged and tailored to the unique business processes of each agency.
Agencies can use the latest business process management (BPM) tools to design and build sophisticated electronic systems that capture, maintain and track personnel information, customized to their unique environments. Moving away from paper-based processes can allow agencies to retrieve personnel information on demand, keep it current and share that information expeditiously when necessary. With the help of these tools, agencies can facilitate swift data capture, improve adjudication timeliness, implement logic to look for patterns and trends in behavior and encourage information sharing.
Many BPM solutions can also be integrated with other data systems, such as the Office of Personnel Management’s Personnel Investigation Processing System, expediting the sharing of candidate information and receipt of investigation results. BPM solutions can also be designed to integrate with human resource systems that capture annual or monthly data on personnel assessments, job satisfaction, foreign travel or other life-changing events that may lead to more serious concerns. Agencies can also integrate personnel security systems with the FBI and local law enforcement to check for inappropriate activity. Finally, agencies can host collaborative forums and blogs to promote information sharing within personnel security teams. Such collaboration may capture more intimate and revealing discussions among staff, which can be monitored for key words or topics of interest.
With integration and automation across so many data sources, and the transition from paper-based processes to integrated electronic systems, agencies are empowered and more in control of their personnel security. Agencies that have made these investments in technology and streamlined their business processes are indeed smarter and more vigilant. Although no one can predict if personnel security systems can prevent another tragedy at a government facility or a classified information leak, they can certainly be built to look beyond the obvious, beyond just past history, and identify future risks and vulnerabilities and ultimately help prevent them.
Aarti Smith is founder and CEO of Chainbridge Solutions Inc. and a strategic consultant to Array Information Technology.