
Sunday, 20 November 2011

FBI’s Robert Mueller Reflects On The Escalation Of Insider Threats

This is a really interesting account from the Director of the FBI. It demonstrates his top priorities, details some recently publicised incidents and explains how the threats from terrorism, espionage and cyber attacks are evolving.

I think we sometimes forget the excellent work that law enforcement and intelligence agencies carryout on a daily basis to protect us all, and this applies both at home and abroad.

It's quite lengthy (but well worth a read), so I have included a link to the source document.

Wednesday, 8 June 2011

8th Annual CISO Summit Rome 2011

Day One - Cyber Crime Risk

Following the Cloud Summit, day one of the 8th Annual CISO Summit and Roundtable starts with Detective Superintendent Charlie McMurdie, Head of the Police Central e-crime Unit (PCeU), providing an overview of the national approach to the cyber crime programme ('National harm, national impact') and briefly sharing some limited details on several successful arrest operations.

Don Randall, Chairman of the 'Sister Banks' gives his opinion on some of the threats as he sees it and some opportunities to engage with all levels of staff.

Mike Maddison and Sir David Pepper from Deloitte raise the level with 'Cyber risk should be at board level'.

A very interesting and dynamic presentation by Michael Colao, Head of Information Security at Beazley on Insuring against cyber security risks.

And now for the break and espresso.

Back from the break and now it's Don Randall MBE, Master of The Worshipful Company of Security Professionals (who announced yesterday, 7th June 2011, that the first ten Registrants have been admitted to the new Register of Chartered Security Professionals), chairing the panel on 'Advanced persistent cyber threats and critical infrastructure protection'.

Amongst the panelists are Charlie McMurdie, Jim Reavis of the Cloud Security Alliance and Eddie Schwartz, newly appointed Head of Security at RSA, who got a big laugh at his introduction of his company. So far we have talked about the Olympics, 7/7, cyber crime and data loss, but obviously no public comments on the current RSA issues - too soon, methinks.

Very informative discussion from the panel, which nicely rounds off the first part of the day's proceedings. A final presentation from one of the sponsors, Courion, then it's lunch and more espresso.

Now back from lunch, which incidentally was good; I especially love the fact that wine was on the table. You've got to admire the Italians' approach to eating.

Next up is the turn of Dr Simon Singh on 'The science of secrecy' which was fascinating and inspired by that presentation I've decided to leave and concentrate on my own presentation for tomorrow on Combating and Managing Security Risk through Security Assurance.

I have been very impressed with the quality of the presenters and with MIS Training, who organised the event. Now it's off to sponsored drinks and dinner in the centre of Rome somewhere. More tomorrow, and my turn in front of this very experienced audience.

Day Two - Security Governance

The second day starts for me with a presentation on Beyond the Cloud by the very entertaining Ray Stanton of British Telecom, and there were some funny moments between him and the chair, Marcus Alldrick, CISO at Lloyds.

Next up Dr John Meakin from BP discussing BP's approach to information security.

Lunch and wine complete now back with a presentation by Nils Puhlmann co-founder and CSO of Zynga who created Mafia Wars and other similar games and apps talking about security innovation - are we keeping up.

Next the Technology challenge of identity and access intelligence by my new friends and tour guides at Whitebox Security. Shlomi Wexter discusses. Very passionate and interesting talk.

CISO 'Think Tank' up next. Time for me to prepare for my presentation on Security Risk and Assurance.

Presentation delivered, off for a quick meeting about planning the Round Table slot, drink then dinner.

Final full day for me tomorrow; it will be busy with the Round Table section of proceedings, then travelling home, so I will hopefully post a wash-up in the next couple of days.



Day Three - Round Table



This is the part of the event where more, and different, people who haven't been at the summit turn up especially for this discussion. This is the opportunity for any and all to be involved in questioning and challenging today's issues through a series of pre-prepared questions supplied by the audience. This is also the first time I have been invited to do something like this, so I am very much looking forward to assisting in facilitating the day.



Unfortunately I cannot say too much about the content as we all promised up front to be discreet ('Chatham House Rule' applies) or, more simply, the first rule of the Round Table is you do not talk about the Round Table, the second rule of the Round Table is ...... well, you can see where I am going with that, so I'll stop there. Nothing further to report, only that I have been very surprised by the fact that I've actually learnt a few new things and met some interesting people with whom I intend to keep in touch, and as conferences go that doesn't happen very often; of course the food and wine were typically Italian. Ciao per ora. Richard


Posted by Richard using BlogPress from my iPhone

Thursday, 26 May 2011

Young Staff Commit Most Fraud

A new report has revealed that most instances of staff fraud are committed by individuals under the age of 21.

CIFAS – the UK’s Fraud Prevention Service – has released the information in its ‘Staff Fraudscape’ report, which analyses insider fraud.

Insider Fraud Trends

The report also found a 63% increase in cases of staff stealing or disclosing personal data in 2010 compared to 2009. While 29% of staff fraudsters were aged under 21, just 3% were aged between 41 and 50, and none were aged over 50. It was mostly more established members of staff committing the fraud – the average duration of employment before fraud was discovered was five and a half years in 2010.


It is believed that efforts to promote awareness of fraud among employees resulted in a 12% increase in cases being reported by staff in 2010, compared with 2009.


Read some tips on how to protect your business from fraud and how anyone can spot employee fraud.

Read more about the latest CIFAS Staff Fraudscape report.

To report a fraud, call Action Fraud on 0300 123 2040 or use their online fraud reporting tool.

Monday, 2 May 2011

The Threat Within


Who is the insider?
But what exactly is the insider threat? What, or rather who, is an insider? Security professionals and government agencies all have their own definitions and all of these that I’ve read differ in their own little way, but fundamentally the meaning is the same.
  
I am not going to quote each and every definition (please use the web links opposite to visit some of the specific sites), but the important thing to remember is that an insider is a person to whom you have given legitimate access to your assets. In my opinion a former employee does not fall into this definition (and so is not an insider) as they no longer have legitimate access. In fact, their activities are likely to constitute a criminal offence in themselves.

In the counter terrorism arena we talk a lot about capability vs motivation. Terrorists have motivation in buckets but most lack the capability - for example they cannot access the materials to build an effective IED. On the flip-side the insider has the motivation but also the capability as they have the in-depth knowledge of your organisation and the way in which you go about your business.

Companies are understandably slow to come forward and admit to their insider incidents as it could demonstrate a weakness in their internal processes or systems. This weakness could lead to uncomfortable questions from shareholders and governing bodies. The majority of insider incidents are reported by co-workers who experience suspicious activity, but many still go undetected.

An Insider can be anyone in your organisation, anyone from the part time cleaner right up to a member of senior management. There is no ‘one size fits all’ profile for the insider, but there are a number of warning signs which could identify that you have a problem (we will cover these in future articles). It is important to remember though that current staff can become an insider, so 'Jim' who has been at his middle management role for 6 years and has a clean record may have a sudden change in personal circumstances (he could fall into financial difficulties) and could become a threat!

There is a massive misunderstanding and a lack of experience when it comes to the insider threat and this stems from no one department taking responsibility for it. The HR department generally deals with pre-employment screening (although in our opinion the security team should), IT systems are taken care of by the IT geeks wearing sci-fi t-shirts and musical ties, and any resulting investigation is dealt with by the security team.

There are various different types of insiders and the threat they pose will be different to each of you but in general they are:
  • Single Action Groups (animal activists or swampy students) – to cause harm, damage or media coverage
  • Terrorists - to cause large scale harm and to maximise media coverage
  • The Lone Wolf - because they want to and can! They are not part of any other group
  • Journalists – to identify a loophole and to sell more newspapers
  • Foreign Intelligence Service
  • Competitors (corporate espionage) - trying to gain trade secrets, insider trading information or just to gain the upper hand over you
  • Disaffected Staff – revenge for not giving them that promotion/pay rise, or someone who thinks they know better than the organisation itself.
  • 3rd Party Facilitation – helping somebody else to gain entry or supplying someone else with the data to commit crime, admin account login/password or giving them your building access card.
  • Unknown Pawns - exploited via various means but one way could be via social engineering or 'water cooler talk'. Normally these types of insider are unaware of the information they are supplying others with.
Why do these people do what they do?

  • Kudos
  • Reward 
  • Personal Mission
  • In the name of Public Interest
  • Identify an issue or wrong doing
  • Revenge
  • Intelligence
  • Facilitation of Crime
The effects of an insider can be far reaching but may include: 

  • Reputational Damage – poor media coverage, loss of investment opportunities
  • Financial Loss – Loss of sales or fines imposed by the ICO or regulating authorities (e.g.: Ofcom or the FSA).
  • Physical Damage
  • Unrest Internally with Staff – potentially a lack of trust between staff
  • Loss of Operational Service
  • Loss of IT Service (normally via denial of service attacks)
  • Theft
  • Fraud
  • Poor International Relations
I keep coming back to it, but the single most important factor to consider is that these people have legitimate access, but what does that mean? For me, this means they have already bypassed the majority of the physical and electronic security measures which protect you. Insiders are placed into organisations for the long term to build your trust, to gain a very in-depth understanding of your processes and of the assets they are interested in. Even law enforcement are concerned that people with clean records will join in entry level roles and rise through the ranks in order to supply serious organised criminals with information to assist them in committing crimes.

There have been numerous incidents of insiders
There are many tools in organisations to prevent these threats and most fall under the security specialism of Personnel Security, some of these are:
  • A robust pre-employment screening regime (most potential insiders can be detected at this stage - especially journalists and people that have clearly lied on application forms or CVs)
  • Having a staff exit (leavers) procedure
  • Having a positive security culture – where staff are aware of the security risks that your organisation is susceptible to
  • Good policies and procedures, which staff are aware of and read
  • Awareness of the potential warning signs (we will cover some of these in future articles)
  • Support from the board and senior management
  • A robust security audit process including auditing 3rd party providers (make sure all contracts include a 'right to audit' clause)
  • Utilising the electronic tools you have in place – system logs, forensic tools etc
Whatever approach you decide on for your business, it must be risk-based and targeted. Each organisation's risk appetite will be different, but one thing is for sure: you will experience an incident as a direct impact of insider action. It is purely a matter of when, and how significant the impact is.
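Two of the controls listed above, the staff exit (leavers) procedure and making use of the system logs you already hold, can be checked against each other. The script below is an added example written for this post, not the author's own tooling: it reconciles a constructed HR leavers extract and a constructed account directory extract against constructed login log lines, flagging any authentication by a leaver after their last working day and any leaver account that was never disabled. The log line format, the field names and the sample users are all assumptions made for the example.

```python
"""
Reconcile an HR leavers list against authentication logs and the account
directory to test whether the leavers procedure actually worked.
All data below is constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed HR leavers extract: username -> last working day (ISO date).
LEAVERS = {
    "jsmith": "2011-04-29",
    "apatel": "2011-05-13",
}

# Constructed account directory extract: username -> is the account enabled?
ACCOUNTS = {
    "jsmith": {"enabled": True},    # leaver, still enabled: a gap in the process
    "apatel": {"enabled": False},   # leaver, correctly disabled
    "bjones": {"enabled": True},    # current member of staff
}

# Constructed login log, one event per line: "<timestamp> <user> <result> <source>".
AUTH_LOG = """\
2011-04-28T17:02:11 jsmith SUCCESS vpn
2011-05-02T22:41:07 jsmith SUCCESS vpn
2011-05-03T08:15:44 bjones SUCCESS office
2011-05-14T09:30:00 apatel FAILURE vpn
2011-05-20T03:12:55 jsmith SUCCESS fileshare
"""


def parse_auth_log(text):
    """Turn the assumed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, result, source = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "source": source})
    return events


def find_post_departure_access(events, leavers, grace_days=0):
    """Return every login attempt (successful or not) by a leaver on or after
    the day following their last working day, plus an optional grace period.
    Failed attempts are kept too: a leaver still trying to log in is worth a look."""
    findings = []
    for ev in events:
        last_day = leavers.get(ev["user"])
        if last_day is None:
            continue  # not a leaver
        cutoff = datetime.fromisoformat(last_day) + timedelta(days=1 + grace_days)
        if ev["ts"] >= cutoff:
            findings.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                             "result": ev["result"], "source": ev["source"]})
    return findings


def find_undisabled_leavers(accounts, leavers, as_of):
    """Return leavers whose last working day has passed but whose account is
    still enabled in the directory as of the given datetime."""
    stale = []
    for user, last_day in leavers.items():
        acct = accounts.get(user)
        if acct is None:
            continue  # no directory account to disable
        if acct["enabled"] and datetime.fromisoformat(last_day) < as_of:
            stale.append(user)
    return sorted(stale)


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    for f in find_post_departure_access(events, LEAVERS):
        print(f"post-departure {f['result']:7} {f['user']:8} {f['ts']} via {f['source']}")
    for user in find_undisabled_leavers(ACCOUNTS, LEAVERS, datetime(2011, 5, 31)):
        print(f"account still enabled after leaving: {user}")
```

The grace period parameter exists because some organisations deliberately leave a mailbox open for a handover; setting it lets you distinguish agreed access from a missed step. The point of the exercise is that neither the HR list nor the logs alone show the gap; only reconciling the two does.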


The insider threat is a very vast subject and something that is impossible to cover in a single blog post. In my future articles I will give you some more details on this risk but until then expect the unexpected, these people are very difficult to detect but are easier to prevent.

Tuesday, 22 March 2011

Terror Plot BA Employee Gets 30 Years

Rajib Karim, 31, from Newcastle (originally from Bangladesh), a former British Airways software engineer, has been jailed for 30 years for plotting to blow up a plane.

I think this is an excellent example of the insider threat (albeit a very serious one). This is someone who joined an organisation with one thing on his mind - to obtain 'critical and urgent information' and to then pass it onto a 3rd party to assist in the planning of an act of terrorism.
Rajib Karim gets 30 years at Her Majesty's pleasure

Karim, who worked at the airline's IT centre in Newcastle (having joined BA in September 2007 as a graduate IT trainee), was committed to martyrdom and even tried unsuccessfully to apply to train as an air steward during the BA cabin crew strike - which presumably would have allowed him to get 'airside' bearing in mind the trial heard Awlaki had emailed Karim asking: 'is it possible to get a package or person with a package on board a flight heading to the US?'

Karim passed on key information about airport security and suggested a crippling attack on BA's computer system. But the terrorist leader he reported to - Yemeni preacher Anwar al-Awlaki (a key figure in al-Qaeda in the Arabian Peninsula, who is thought to have orchestrated the unsuccessful October plot to send mail bombs on planes from Yemen to the U.S., hidden in the toner cartridges of computer printers) - had plans for him to supply information to blow up a plane.

The Bangladeshi national, who studied electronic engineering at a university in Manchester between 1998 and 2002, has been described as 'mild-mannered, well-educated and respectful'. He has a British wife and child. The court heard Karim hid his hatred for the West from colleagues by joining a gym, playing football and never airing extreme views. BA colleagues had no knowledge of what he was planning or whom he was involved with; he kept his true intentions a secret. Karim 'kept a low profile' at British Airways, while at home he was making violent propaganda videos for a terrorist group in Bangladesh, police said.

Throughout the trial, the court heard Karim was under the influence of his brother Tehzeeb who had spearheaded the attempts to contact Awlaki. Police spent nine months breaking the encryption on 300 coded messages found on Karim’s computer. Officers described the task as the 'most sophisticated' of its kind the team had ever undertaken.


He was found guilty last month of four counts of preparing acts of terrorism and sentenced today (25/3/11); he also faces deportation after his sentence is completed. Sentencing him at Woolwich Crown Court, Mr Justice Calvert-Smith said he was a committed jihadist who planned offences 'about as grave as could be imagined'. He said Karim was a 'willing follower' who could have brought serious harm and death to civilians had his planning with others come to anything.


Karim was clearly a disciple of an extremist Islamist (Awlaki) but he was in a very dangerous position having access to the type of information which could have assisted in the plotting of a serious terror attack. In this example he was stopped but what measures do you have in place to detect and prevent these people who are clearly out there!

- Posted using BlogPress from my iPad

Wednesday, 16 March 2011

Insider Threat Most Costly for Organisations

This article was originally posted by 'The New New Internet - The Cyber Frontier' and can be found here. There is also a powerpoint presentation summary of the survey results.

A new cybersecurity survey found that cyber attacks perpetrated by so-called “insiders” — those with inside knowledge or authorised access — are viewed as the most costly and damaging to an organization.
 

The 2011 CyberSecurity Watch Survey conducted by CSO magazine and sponsored by Deloitte found that 33 percent viewed inside attacks as more costly, an increase of 8 percent over last year. The survey reports that while more attacks are caused by outsiders (58 percent), the insider threat is becoming increasingly sophisticated.

The use of rootkits and other hacker tools by insiders jumped from 9 percent last year to 22 percent this year.

Aside from the monetary losses, the insider threat could tar an organization’s reputation, disclose confidential or proprietary information or disrupt critical systems — all of which can be “difficult to quantify and recoup,” the survey finds.

And, even with insider threats likely only to grow, the public is often left in the dark. That’s because about 70 percent of insider attacks are handled by the organizations with no official legal action taken.

“Technical defenses against external attacks and leakage of well-formatted data like social security numbers and credit card numbers have become much more effective in recent years,” said Dawn Cappelli, technical manager of the Insider Threat Center at CERT, the federal agency tasked with monitoring cyber threats. “It is a much more challenging problem to defend against insiders stealing classified information or trade secrets to which they have authorised access or against technically sophisticated users who want to disrupt operations.”

The report also found that, overall, cyber attacks are on the rise. Twenty-eight percent of respondents said they have seen an increase in the number of events, according to the study.

But, while attacks are increasing, they are not as financially damaging as in previous years, likely because of strategic and proactive steps that organisations are taking.

Tuesday, 1 March 2011

News - The Threat Within



This is an excellent example of the threat an insider can pose to an organisation (and in this case potentially the public). Rajib KARIM deliberately sought a job in the UK that he could exploit for terrorist purposes.



KARIM was convicted on four counts of engaging in conduct in preparation of acts of terrorism, contrary to section 5 of the Terrorism Act, following a trial at Woolwich Crown Court.






Security, security assurance, counter terrorism, personnel security

Friday, 18 February 2011

The Spy Next Door, Stealing Your Life For £44

How easy can it be to steal your life? For less than 44 quid is it possible to steal your bank account username, password and bank account security questions? For less than 44 quid is it possible to harvest your credit card details, including your credit card security code and Verified by Visa or MasterCard SecureCode password? Is it possible to read your private Emails and access your Email account? Is it possible to monitor all your private web surfing habits and instant messenger conversations, and obtain your username and passwords for all your websites?
Click here to read the full article via the IT Security Expert's blog by Dave Whitelegg.

Monday, 8 November 2010

Terrorists (aka Tourists....according to the House of Commons) Banned From Big Ben!

According to the Sun newspaper all 'foreigners' have been banned from Big Ben over fears that this iconic worldwide tourist landmark could be targeted by an Al-Qaeda type attack. The reasoning behind this is that it is too costly to pre-screen foreign visitors who are looking to tour the location (which are all pre-arranged in any case), however British citizens will still be allowed (after the appropriate checks have been carried out of course).

Westminster Clock Tower
The only view of Big Ben that foreign tourists will now see!
Photo by Brandon Swartz

I cannot help but think that the House of Commons has got this one a little wrong. Isn't the insider threat one of the most significant security risks to any establishment at the moment? Also, what about the British citizens who are 'sleepers' and have never been on the authorities' radar, but with the right opportunity wouldn't think twice about causing harm to others?

Since when did British citizens pose a lower risk than most foreign citizens - apart from, of course, a number of obvious countries!?

So what is next banning tourists from St Pauls, London Eye or the Natural History museum? You heard it here first.............

Wednesday, 6 October 2010

Beer Googles!

Some of the Internet Search Engines
I recently read an article (it's here) which mentions some of the pitfalls when using the Internet to search for information (including pictures) for potential recruiters. I think this is a very interesting subject and I would recommend reading the article and the subsequent comments at the end, which offer both arguments for and against from the HR professional's perspective.

Any information posted on the internet is in the public domain, so surely I/you shouldn't put anything on here that you don't want others to potentially see (for whatever reason); however, the issue then comes when someone else puts something on the internet without your knowledge which could potentially lead to reputational damage for you! Obviously the privacy settings within social networking sites could help here, but these are only as good as the users' awareness of them, and also your friend-of-a-friend-of-a-friend's awareness of them too!!

My personal view (as is all of the content on this site) is that a Google search (or Yahoo! for that matter) is a tool which can be utilised with caution within the pre-employment screening process for certain roles. For example, in security sensitive positions an internet search may highlight information which would prompt you to ask some more probing questions during the interview stage, i.e. you may find that someone worked for company XYZ, wasn't sacked, but mentions on their social networking profile how they were able to procure £2000 fraudulently, and furthermore this role doesn't appear on their CV within the employment history section.

From a legal or DPA perspective I am not too sure what the view on this is (but I can guess that it's not particularly pro). Now, with my security hat on, surely advising a candidate at the initial stages that an internet search may take place will potentially deter the candidates who could pose a problem................in the current climate good candidates are aplenty; we all want to recruit the best, but we also don't want to recruit the candidate within the accounts department who has previous for fraud (but was never convicted), or the candidate who has links to a terrorist organisation and joins your business to gain valuable intelligence and pose an insider threat.....or the person that lacks integrity and is clearly not a team player!

Update 7/10/10: Sal Remtulla, Head of Employee Screening at Risk Advisory has recently circulated some snapshots of recent CV liars. You can read her analysis here

Saturday, 2 October 2010

Don't Put Your Life Online!


I have this available in PDF format. If required send me an email.

Thursday, 16 September 2010

Social Engineering Definitely a Massive Threat!

The thing is, with Social Engineering we all experience it on a regular basis in one shape or form and we do not even know it's happening to us; luckily the vast majority of cases don't pose a security risk.

When was the last time you spoke to a recruitment company? The consultants use a form of Social Engineering to 'tease out' information about you, the organisation you work for (or previously worked for) and also some information about your colleagues. This information is not only used by them to help you, but it's also utilised by them to make more contacts, to get a better understanding of what the job market is doing and to ultimately make more money (and why not).

Personnel Security is now a very important part of any organisation's security strategy. The potential risks from an 'insider threat' are reducing (with the appropriate processes in place), but attackers no longer need to gain legitimate employment: they can gain the trust of unsuspecting staff (normally at a junior level) to provide the sensitive information they require to penetrate your organisation (physically or electronically).
What I'm trying to say is be cautious who you are talking to, why are they asking so many questions, why are they stroking your ego and of course be careful what information you put into the public domain about you and your organisation (including the Internet).
Check out the link for the 'Help Net Security' website article.

Monday, 6 September 2010

Personnel Security is a must for any organisation.


Personnel Security is a must for any organisation to combat the insider threat and manage associated risk. Checkout http://j.mp/bivrSO for some very good advice from the experts.

Wednesday, 2 June 2010

How to Provide Security Assurance in 9 Easy Steps!

The following is proven to work across all security disciplines including Physical Security, Personnel Security and Electronic Security. I know the thought of inviting Auditors into your areas of responsibility is a little daunting but if used correctly this can really be a very effective tool and can also be utilised to provide some free consultancy advice.

In conjunction with management you should produce and deliver an Annual Programme (1) of risk based audits aimed at ensuring security risks are identified and effectively managed. It is more than useful to obtain senior executive level approval that is communicated throughout your organisation and that clearly sets out the objectives, authority and responsibilities of the Department conducting these security audits.


Once high level approval is obtained you need to develop a structure as to how these security audits should be done and who needs to be involved. Below is an idea for a structure that could be adopted once the business area or security risk owner (also known as an auditee) has been identified.

A Planning or Opening Meeting (2) should be arranged between you and the auditee to agree the areas of scope and to gain a better understanding of their business area. This meeting will include discussion of: appropriate questions to enable the level of risk maturity to be determined, confirmation of your understanding of the purpose of the area under review, the objective and scope of the audit, agreement of the key risks, any concerns the risk owner may have which need to be addressed, and agreement of key contacts and dates. This information then sets out the detail that is captured in an Engagement Letter (3), and once complete this letter is issued to the principal auditee(s) before fieldwork starts. I see the engagement letter as an essential document because it enables and drives the auditee and other key staff to have an input into the audit, clarifies the work that will be done, confirms the timing of the audit, ensures that the appropriate resource has been assigned to the audit, and establishes the responsibilities of all parties.

Once you have identified your resource, the security auditor/advisor/manager should create a security audit programme. The purpose of the Security Audit Programme (4) is to set out in more detail the actual testing and work that will be carried out to address each of the areas in the scope. The programme is used as a basis to effectively align the Fieldwork (5) with the risks to be reviewed. The audit programme is the document that will focus on testing the effectiveness of the security controls and other risk mitigations in place to manage the most significant risks.

Fieldwork consists of a range of activities undertaken by the auditor/advisor and may include the following: interviews with key staff involved in business processes, observation of key processes, carrying out tests of key controls, and reviewing relevant documentation. The purpose of fieldwork is to gather sufficient information to document the processes involved in the system under review and form an opinion on how well the key security risks or areas for review are being managed. The outcome of fieldwork will then form the content of the report, with a management action plan to address any findings highlighted.

On completion of audit fieldwork, and armed with a copy of the Draft Report (6), you should then meet up again with the management and auditee and hold a Closing Meeting (7) where the draft report, the findings and any suggested actions to rectify them are discussed; depending on this outcome, you then notify management of the next stages in the audit process.
Most audit functions apply 4-5 Conclusion (8) titles ranging from very good, very poor to must try harder (a traffic light system is also sometimes used). It doesn't matter what the conclusions are called just as long as they mean something to the business. Based on the assessment of the fieldwork and the content of the identified issues, a conclusion should be assigned, with time scales (a defined date by which the identified issues will be addressed) and named owners, as this audit will have a Follow Up (9) and be further tested at the agreed date. The report should then get an appropriate level of circulation to enable the business area, its managers and those that want and need assurance to understand its risk better. Dependent upon the audit conclusion, the report circulation might include CEOs and other senior board members.

Tuesday, 1 June 2010

Personnel Security - Something we should all be paying a lot of attention to!


Personnel security is everything involving employees: recruiting them (also known as pre-employment screening), training them, monitoring their behaviour, and sometimes handling their departure. Personnel Security relies on a system of policies and procedures to reduce the potential security risk.

In these modern times not only are organisations at risk from external threats, but we also have a very significant threat from the insider. An insider is classed by the CPNI (part of the security services) as 'someone who exploits or has the intention to exploit their access to an organisation's assets'. So this could result in a number of different scenarios, including fraud, an employee who sells your company data to a competitor, or an employee who is feeding information to a terrorist organisation.


Personnel security is an area that many 'security professionals' think they understand but, in my experience, actually don't. There are elements of personnel security which are managed by non-security departments, for instance pre-employment screening by HR, or it may even be outsourced to a 3rd party provider. If this is the case I recommend carrying out some of your own checks to see if they are doing what you think and expect they should be doing.

I am lucky enough to receive training from some world class experts in this area, but the level of understanding is very different from organisation to organisation. The strategic objectives for personnel security are the same for everyone, but in a private sector environment I believe it is a little more difficult; for example, government departments have a Security Policy Framework (SPF) which includes 70 mandatory controls (supported by various baseline standards) which must be adhered to (along with an annual declaration of adherence). The private sector has not got this level of hierarchical governance, but of course there is no reason why at a local level you can't have a similar assurance process. I would recommend any security professional obtain a copy of the SPF, which is publicly available here. It is useful and a document which I refer to regularly.

The insider threat has seen a dramatic increase in the UK in recent years and one contributing factor to this are the advances in physical and electronic security. In order to gain access to organisations, it is now considered easier to infiltrate it with the co-operation of an insider. The current financial crisis has also increased the likelihood of the insider threat as staff who would normally not be tempted into exploiting their 'privileged position' may be willing to do so (e.g. for personal gain or they maybe disgruntled for not receiving their bonus etc). It is important to note that the vast majority of employees are genuine but with a robust Personnel Security process in operation the potential insider threat is reduced and you will ensure they are detected quickly and efficiently.

My top 10 recommendations are:

1. Assess Personnel Security Risks and include these on your risk registers
2. Have a helpline in place for employees to confidentially report concerns
3. Know the source of employment references
4. Confirm employee has the Right to Work in the UK (a legal requirement)
5. Carry out qualification checks and check physical certificates where possible
6. Where possible complete the 'pre-employment screening' process prior to start date
7. Promote a positive security culture
8. Advise potential employees of the level of checks you use; this may deter potential insiders from joining the organisation
9. Transparency - have clear policies and procedures in place
10. Audit - to provide assurance that the systems are effective

In future blogs I intend providing some more details on each of the individual personnel security subjects which will hopefully help you going forward.