In the context of our Security Analytics work (in particular of HP Labs Identity Analytics) I am looking for public documentation, links and information about how personnel vetting processes are currently carried out in the industry.
Some interesting examples (discussing at high level the steps to get different degrees of security clearance), of relevance to governmental environments, are the following:
The vetting process is indeed very important in reducing organisational risks and in making informed decisions on which credentials and access rights to give to personnel. It complements other two aspects that have been previously discussed in this blog:
- Operational aspects: provisioning and deprovisioning processes
- Governance aspects: monitoring, compliance checking and audit
The idea is to use our HP Labs Identity Analytics methodology and tools to model this process and explore the involved risks as well as tension points between business managers/stakeholders (requiring personnel as fast as possible to deal with their business needs) and risk/security assessors (requiring that full due diligence is carried out before granting any access to personnel) – by identifying suitable metrics.
We believe our analytic models can be used not only to explore potential policy compromises (what happens if we relax our vetting policies on certain aspects) and their impact on risk, but also to assess how realistic some of these policies are (i.e. how likely, given the current processes, that they are going to be violated).
Any input on documentation and references is really welcome.
In addition, we are keen in identifying 1-2 potential serious candidates (medium/large organisations) that would be interested in trialling this Identity Analytics activity, in a joint case study with HP Labs.
No comments:
Post a Comment