Part 2: Communication and documentation contribute to building a successful insider risk program.
When implementing an insider risk program, it is necessary to take foundational measures to integrate both technical and non-technical elements for a truly holistic defense.
There are eight components every organization must consider when building a successful program. Some components include why you need to use leadership advocacy and a proper governance structure to kick off your insider risk program—discussed in part one of this series.
In this post, let’s explore why you need a comprehensive communication strategy and the importance of documentation.
Before formally launching an insider risk program, you should develop a communications plan that aligns with the organization’s mission, vision, and values.
Most importantly, be transparent. Develop a strategic communications plan that explains the rationale for the program. Communication themes should help employees understand the “why,” include the holistic and preventative nature of the program focusing on employee welfare, inform employees of their roles and responsibilities associated with insider risk, and convey senior leadership’s advocacy and support of the program. When doing so, be sure the messaging is tailored to all levels of the organization.
Once messaging has been reviewed, finalized, and approved, broadcast the information in as many avenues as possible: webinars, emails, podcasts, posters, and company newsletters. This dissemination plan can also be used for the training and awareness campaign I’ll discuss later in this series.
A well-rounded communication plan should also account for the means and channels to receive insider information from internal and external sources. Although existing reporting mechanisms may suffice, you should also consider other dedicated means, such as the web or a hotline, making it as convenient as possible for people to help thwart insider incidents.
Formal documentation that outlines the mission, charter, roles and responsibilities, authorizations, etc. is imperative for a well-functioning insider risk program.
A comprehensive Concept of Operations (CONOPs) should be one of the first program documents and serve as the insider risk program foundation.
The CONOPs document should be a comprehensive “living document” and contain a mission statement—including an organizational definition of an insider, and descriptions of the insider risk program initial and full operational capabilities. Existing organizational policies should be evaluated for their applicability to the insider risk program, and a dedicated organizational policy should fully articulate the function and authority of the insider risk program.
It should also include associated appendices addressing such items as program staffing, resources, privacy, monitoring, and consequence management processes.
Part Three: What Deserves the Greatest Protection
In my next post, I’ll explain the importance of defining critical assets vital to business operations and leveraging technology—two more components in developing a successful insider risk program.
Need Help with Your Insider Risk Program
As the workplace becomes more complex and insider risks increase, organizations must ensure they can detect anomalies and prevent incidents before they happen. Leidos is your trusted partner to ensure the protection of your company’s critical assets and help you prevent an insider incident before it occurs.
Our array of insider risk solutions and team of insider risk experts are ready to assist you through all phases of assessing your current risk profile, creating and administering a comprehensive insider risk management program – including the best technology for your specific needs – and helping you to respond to insider incidents if they do occur properly.