Taking a risk-based approach to personnel security

Your security measures must be considered in light of your organisation’s security context, potential threats and risk appetite

PER003

Implementing personnel security measures can be costly or disruptive. Your security measures must be considered in light of your organisation’s security context, potential threats and risk appetite.

A risk-based approach to protective security ensures your personnel security policies, practices, and investments are right for the risks your organisation faces.

Personnel security risk management cycle

The personnel security risk management cycle [PDF, 115 KB] shows how your organisation should identify and manage personnel security risks at an organisational level.

The ongoing cycle comprises three key activities:

  • Assess your personnel security risks
  • Manage your personnel security risks
  • Evaluate how effectively you are managing your personnel security risks.

Assess your personnel security risks

You should identify the potential sources of personnel security risk facing your organisation, how these might present, and the types of threat they pose. Your risk assessment should identify roles, or groups of people, who have greater potential to cause harm because of their access to sensitive, valuable or classified information or assets.

Examples of risks your organisation could face are unintentional leaks, theft of intellectual property, fraud, or criminal gain.

Manage your personnel security risks

Each stage of the personnel lifecycle presents distinct challenges. You should consider personnel security from the time you begin recruitment or procurement, when you hire or engage someone, through to the moment they leave, and possibly even after they leave. Implement appropriate measures to treat personnel security risk at each of these stages.

To manage personnel security risks, you must continually and consistently apply the security measures you have identified to all people working for your organisation.

Go to Managing Insider Risk for more information.

Evaluate how effectively you are managing your risks

Threats faced by an organisation change over time. This means that you must consider whether your understanding of the sources of personnel security risk is accurate and up to date.

You must also consider whether your security arrangements and practices are still effective and suitable. Identify what works well and what doesn’t and adjust your arrangements accordingly.

Go to Evaluating your personnel security for more information.

Risk assessment for personnel security

PER004

Carry out a risk assessment for personnel security so your organisation can make good decisions about the security measures you need to manage your risks.

Implementing the right personnel security measures can help you prevent or deter a wide variety of activities, from staff fraud through to acts of violence or espionage.

A risk assessment helps security managers communicate to senior leadership about the personnel security risks your organisation is exposed to.

Carrying out an effective risk assessment

Your risk assessment process should enable you to identify the risks associated with each role in your organisation, and the security controls you should use at each stage of the personnel lifecycle.

To carry out a risk assessment for personnel security:

  1. Identify what critical information and assets your organisation holds.
  2. Identify the threats to your information and assets (based on the role, intent, and capability of those who could carry out the threats).
  3. Assess the likelihood of the threats happening in your organisation.
  4. Assess the impact to your organisation if the threats happened.
  5. Review your existing security countermeasures for the threats — are they likely to be effective?
  6. Propose new measures to reduce your security risks (if necessary).

Factor the results into your risk assessment.

Carry out a risk assessment for personnel security every two years, in line with the following standards available from Standards New Zealand.