Protective security better practice guide Identifying and managing people of security concern – integrating security, integrity, fraud control and human resources Approved January 2015 Version 1.0



© Commonwealth of Australia 2014 All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia licence (www.creativecommons.org/licenses).

For the avoidance of doubt, this means this licence only applies to material as set out in this document.

The details of the relevant licence conditions are available on the Creative Commons website as is the full legal code for the CC BY 3.0 AU licence (www.creativecommons.org/licenses).

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the It's an Honour website (www.itsanhonour.gov.au).

Contact us

Enquiries regarding the licence and any use of this document are welcome at:

Commercial and Administrative Law Branch Attorney-General’s Department 3–5 National Cct BARTON ACT 2600

Call: 02 6141 6666

Email: [email protected]

Document details

Security classification Unclassified

Dissemination limiting marking Publicly available

Date of security classification review Feb 2017

Authority Attorney-General’s Department

Author Protective Security Policy Section Attorney-General’s Department

Document status Version 1.0 – approved January 2015


Contents

1. Introduction

1.1 Purpose

1.2 Audience

1.3 Scope

1.3.1 Use of specific terms in these guidelines

2. Approach

2.1 The relationship between personnel security, anti-corruption, fraud control and personal conduct management

2.1.1 Information sharing within an agency

2.1.2 Relationship between an agency’s culture of security and information sharing

2.2 Information exchange with other agencies

2.2.1 Advising vetting agencies about concerns relating to security clearance holders

3. Identifying people of concern

3.1 Potential areas of concern

3.1.1 Personality traits

3.1.2 Lifestyle and circumstantial vulnerabilities

3.1.3 Workplace behaviours

3.2 Personnel with mental health issues

4. Managing risks to an agency from people of concern

4.1 Personnel of moderate concern

4.2 High risk personnel

4.3 Groups of concern

5. Managing personnel of security concern

5.1 Managing personnel with indicators of potential concern early

5.2 Managing personnel displaying behaviours of actual concern

5.2.1 Close supervision

5.2.2 Premise and asset access control

5.2.3 Information and ICT access control

5.2.4 Active audit of ICT access

5.2.5 External checking

5.2.6 Other agency specific controls

6. Managing personnel in high risk positions

Annex 1: Decision map – Managing people of security concern

Annex 2: Additional information about managing people of concern


Amendments

No. Location Amendment


1. Introduction

1.1 Purpose

1. The Protective Security Policy Framework (PSPF) requires agencies to manage their personnel’s ongoing suitability to access official resources. The Australian Government personnel security better practice guide—Identifying and managing people of security concern – integrating security, integrity, fraud control and human resources assists agencies to achieve a consistent approach to identifying and managing personnel of concern.

1.2 Audience

2. This guide is primarily intended for:

• Australian Government security management staff

• agency fraud control, anti-corruption and integrity management staff

• human resources personnel.

1.3 Scope

3. This guide provides better practice advice to agency security management staff. The specific controls and risk mitigation measures an agency uses should manage its personnel security risks to the Australian Government and the agency, while providing assurance that the agency meets any legislative requirements relating to:

• employment and workplace relations

• discrimination, harassment and bullying

• any specific agency enabling legislation.

4. This guide should be read in conjunction with:

• the Australian Government Personnel Security Protocol

• the Australian Government Personnel security guidelines—Agency personnel security responsibilities

• Managing the Insider Threat to your Business—A personnel security handbook.

5. Where security incidents have occurred agencies should refer to the Australian Government protective security governance guidelines—Reporting incidents and conducting security investigations.

1.3.1 Use of specific terms in these guidelines

6. In this guide the use of the term ‘should’ refers to better practice. Agencies are expected to apply better practice unless there is a reason based on their risk assessment or specific business needs to apply alternative controls.


2. Approach

7. Behavioural concerns often overlap and impact multiple areas of an agency. Therefore, agencies should integrate the identification and management of people of security concern with:

• personnel performance management, values and code of conduct policies

• fraud control measures

• integrity and anti-corruption measures.

8. Agencies should also refer to their anti-discrimination, harassment and bullying policies when developing their managing people of security concern policy.

2.1 The relationship between personnel security, anti-corruption, fraud control and personal conduct management

9. There are multiple approaches to managing risk from personnel, and the specific areas within an agency may vary. Generally each area focuses on a particular form of risk, for example:

• Security areas focus on the application of security measures to prevent the loss of information and other assets from the organisation; security measures often focus on protection of the National Interest.

• Integrity areas focus on the corruption of legislative, regulatory and policy functions, that is, the abuse of public office for private purposes. Integrity concerns span a continuum from minor misconduct to serious corruption, and integrity work often emphasises cultural and environmental factors.

• Fraud control areas focus on loss to the organisation as a result of dishonesty. Fraud control measures often focus on financial processes, and on reducing opportunities for fraud to occur in a particular system.

• Human Resource (HR) areas seek to manage and prevent counter-productive behaviours in the workplace by promoting employee well-being and capability. HR areas are also responsible for the investigation and management of misconduct.

10. Each of these areas has a responsibility for managing personnel risk. They should collaborate, by:

• sharing insight from each perspective

• sharing information to support better decision-making in each area

• where common ground is identified, reducing duplication and strengthening underlying policies and processes—including information sharing—across the agency, benefiting all areas.

11. Additionally, HR areas are also responsible for recruitment of personnel and can take preventative measures through robust selection processes to mitigate the risks of people of security concern gaining employment in government agencies.

2.1.1 Information sharing within an agency

12. Management of the risks to and from personnel can be improved through increased information sharing between relevant areas. In the absence of a shared picture, each area is making decisions viewed through their own professional ‘lens’ without the advantage of additional information available from other areas of the agency. For example, not taking leave, working extended hours, being protective of work, or not sharing information, can be viewed simply as a performance management issue by one area within an agency, but when viewed in the context of a known associate or unexplained wealth, may be understood as an indicator of corrupt behaviour.

13. Information sharing about individuals of concern can also identify sensitive investigations underway in one area which may be compromised by interventions from another area.

14. Additionally, it is important to recognise the integrity-capability link. The design of policies and processes and the governance structures that frame them can provide organisational controls through risk management, professional standards, and accountability mechanisms, to limit opportunities for unacceptable behaviour.

15. A key outcome for agencies should be the increased sharing of information between security, integrity and anti-corruption, fraud control, and HR areas within the agency.

16. Agencies should consider implementing formal information sharing arrangements between the relevant areas within their organisation—eg, through a management review board.

17. It is not just information that should be shared, decisions relating to the information should also be shared. The ability of each area to do its job can be improved through the sharing of insight, knowledge of risk, skills and mindsets.

18. Figure 1: Joining up the domains, below, compares the current siloed and the better interactive approach to information sharing. The current siloed approach results in duplicated effort by multiple areas where a risk is shared. The failure to share information also impacts on the overall effectiveness of the agency’s response to a concern as all the facts may not be available to each area.

Figure 1: Joining up the domains

Specific measures matched to specific risks, but supported by improved information sharing.

Current siloed state: pursuing objectives independently. The figure shows four separate domains, each pursuing its own focus:

• Security (National Interest)

• Anti-corruption (Rule of law/criminal)

• Fraud Control (Theft through dishonesty)

• Human Resources (performance and people)

Proposed integrated state: pursuing shared objectives together. The figure shows Security, Anti-corruption, Fraud and HR arranged around a shared central area of common risks and measures.

Common risks and measures: areas identify common concerns, risks and measures that are best handled collaboratively. Each area contributes knowledge, skills and insight to address areas of common concern.


2.1.2 Relationship between an agency’s culture of security and information sharing

19. A well-developed culture of security encourages information sharing by agency personnel about the risks to themselves and their colleagues. This sharing is dependent on a clear agency aim to help manage the concerns with their personnel before they escalate into an incident, rather than a punitive regime.

20. While the focus should be on prevention an agency still needs to have a clear, publicised and consistently enforced regime to investigate and penalise inappropriate conduct.

2.2 Information exchange with other agencies

21. Agencies may be required by legislation in certain circumstances to report allegations or incidents to other agencies. Agencies should have in place procedures to meet these legislative requirements.

22. However, agencies should exercise care when sharing sensitive personal information. Personal information may be shared if there is an exemption under the Australian Privacy Principles or the person has consented to the sharing of information with other agencies, either through an agreed condition of service or a signed consent form.

23. Agencies are to advise any agencies affected by an incident when the incident occurs, or as soon as possible afterwards, to allow the mitigation of the incident by the affected agency.

24. In certain circumstances there is a reasonable expectation that personal information will be shared, such as when the person’s information is crucial to remedying a security incident. Agencies should consider consulting with any external agencies that may be affected by security incidents or concerns as part of their risk management process.

25. Affected agencies who provide resources may request an agency apply additional controls to prevent people of concern having continued access to the provided resources.

2.2.1 Advising vetting agencies about concerns relating to security clearance holders

26. Agencies are to advise their vetting agency (for the majority of Australian Government agencies this is the Australian Government Security Vetting Agency, AGSVA) of any agency personnel who hold a security clearance and who have changes in circumstances or behaviour. For details see the Australian Government Personnel Security Protocol (section 9.4) and the Australian Government personnel security guidelines—Agency personnel security responsibilities (section 14).


3. Identifying people of concern

27. All people employed by an agency should meet the agency’s values. These may include, but are not limited to:

• Integrity—a quality that underpins an individual's soundness of moral principles. It is manifested in their uprightness, honesty and sincerity in their approach to themselves, others and their work.

• Commitment—characterised by dedication, application, perseverance, a belief in a personal capacity and professionalism to achieve and add value.

• Impartiality—characteristics of fairness and equity.

• Respect for others—polite consideration of other peoples’ dignity and integrity.

• Accountability—ownership of work results, personal actions and being answerable for outcomes.

28. Any failure to meet an agency’s values by its people is of concern.

3.1 Potential areas of concern

29. For a person to become a threat to an agency they need some underlying personal concerns and a trigger event. Early identification and management of the underlying concerns will help to prevent misconduct, fraud, corruption or security incidents when a trigger event occurs. Concerns can be grouped into:

• personality traits

• lifestyle and circumstantial vulnerabilities

• workplace behaviours.

3.1.1 Personality traits

30. Personality can be defined as the characteristics of the individual relating to how they respond to situations and interact with others. While a person may display one or more potentially negative personality traits they do not necessarily pose a concern, rather the traits should be considered in context and on a case-by-case basis.

31. The personality factors that may have a negative impact on work and/or colleagues are:

• Immaturity—lacks life experience, is naïve and requires excessive guidance, has difficulty making life decisions.

• Low self-esteem—lacks confidence, is extremely dependent on recognition and praise, struggles to cope well with adversity, setbacks and difficult tasks.

• Amoral and unethical—lacks moral values or personal integrity, acts in an unscrupulous manner and shows no remorse, engages in unethical behaviour.

• Superficial—lacks a sense of identity and is hard to get to know.

• Prone to fantasising—believes they are engaged in activities that have no basis in reality, likes to create the impression that they are engaged in something special.


• Restless and impulsive—requires constant stimulation and cannot tolerate boredom, needs or seeks instant gratification and does whatever feels good in the moment, shifts from one thing to another—ie, risk taking.

• Lacks commitment—does not comply with rules, neglects responsibilities and is unconcerned with duties and obligations, shows poor attention to detail and demonstrates poor judgement, shows a lack of focus.

• Manipulative—uses charm to get their own way and is very persuasive, nurtures relationships and manipulates others to serve their own self-interest, tends to adopt whatever position or attitude will result in getting their own way.

• Emotionally unstable—is prone to exaggerated mood swings, overreacts to problems, complains about unimportant or trivial things.

• Poor attitude—is often negative, argumentative, dismissive or abusive.

3.1.2 Lifestyle and circumstantial vulnerabilities

32. An individual’s lifestyle, personal circumstances and individual vulnerabilities are of particular interest and could be predictive of future behaviour. There may be a cause for concern when there are frequent or clear signs of:

• Poor workplace conformance—does not follow established procedures, does not read or follow announcements and instructions issued by the organisation

• Poor resilience to stress—loses their temper, is apathetic, shows an increase in nervous habits, has memory problems, difficulty making decisions, an inability to concentrate and/or confusion

• Exploitable or vulnerable lifestyle—has an exploitable weakness such as a serious financial, alcohol, drug or medical problem, gambling, or a reportable association; may have turned down offers of organisational support or ignored recommendations for treatment; has a strong desire for financial gain

• Exploitable or vulnerable work profile—has access to sensitive information or assets which are highly sought after, has an ability to facilitate criminal activity through unauthorised access, or

• Recent negative life events—problems at work resulting in a loss of status, significant personal injury, death of a family member or close friend, relationship break-up, financial difficulty.

3.1.3 Workplace behaviours

33. Some workplace behaviours are of particular interest and may be predictive of future behaviour when observed on a regular basis without reasonable explanation—for example:

• Engaging in unusual copying/printing activity—makes extensive use of computer equipment to reproduce sensitive materials which may exceed job requirements, covers or removes protective markings on documents when copying them, copies sensitive or classified information in other offices, despite a copier being available in their own area

• Engaging in unusual IT activity—conducts searches in databases which the individual has no need to know, shows an unusual pattern of computer usage shortly prior to foreign travel


• Unauthorised handling of sensitive material—stores and carries sensitive material inappropriately and without approval, provides sensitive information outside approved channels to any person without authorisation or need to know, asks others to obtain access to material on their behalf which they are not authorised to see

• Unusual work patterns—work patterns do not match the requirement of the role or agency expectations

• Committing security violations—betrays positions of trust, commits security violations

34. Specific behaviours of concern will vary from agency to agency dependent on their risk tolerances and operating environment.

3.2 Personnel with mental health issues

35. Personnel suffering from mental health issues are not automatically of concern if the condition is being effectively managed.

36. Each person should be assessed based on their condition and the effect it has on their ability to perform their role, and any increase in personal susceptibility or vulnerability—eg, some drugs used to treat mental illness may influence a person’s decision making capacity.

37. Any control measures should be based on the agency’s level of tolerance to specific areas of concern based on the agency’s risk assessment.

38. Agencies should seek advice from a qualified mental health practitioner before imposing controls based on mental health issues.


4. Managing risks to an agency from people of concern

39. Agencies should determine their level of tolerance to specific areas of concern based on their risk assessment.

4.1 Personnel of moderate concern

40. Agencies may from time to time engage personnel who may raise concerns, but these concerns do not warrant the withdrawal of an offer of engagement. This could include:

• foreign nationals from countries not of concern

• people with convictions for minor unrelated offences

• people with dated significant criminal history who have demonstrated their rehabilitation

• people with financial concerns who are attempting to address the concerns

• people with previous minor security breaches or infringements.

41. Existing personnel who experience changes in circumstances may also raise concerns, but are not automatically going to commit unacceptable behaviour. Existing personnel may also display poor behaviour that does not warrant termination. These personnel need to be managed to prevent escalation of concerns.

4.2 High risk personnel

42. What constitutes a high risk person for an agency is dependent on the agency’s risk tolerance. What is a significant concern to one agency may not be significant to another—eg, significant concerns within intelligence community agencies may not be significant in agencies not involved in national security.

43. Agencies may need to engage high risk personnel with specialist skills who may not otherwise be suitable for employment. This could include:

• foreign nationals of countries of concern, or people with significant links to a country of concern

• people with:

- ideological values that are not supported or accepted in Australia

- recent significant or repeated minor criminal offences

- links to criminal elements

- significant financial concerns who are not attempting to address the concerns

• people whose current or previous associations or employment indicate a real or perceived conflict of interest

• people who have been terminated from employment for misconduct, fraud, corruption or security breaches.


44. An agency should only engage high risk people when the risks posed can be mitigated, managed appropriately and there is no viable alternative which will still allow the agency to achieve its outcomes.

45. On occasion, existing personnel may over time become high risk personnel through major changes in circumstances or behaviours. It may not always be possible to terminate the person’s engagement, or the person may be vital to achieving agency outcomes. In such cases agencies should mitigate the risks posed by the person.

46. Agencies should undertake a formal risk assessment of all high risk personnel to identify the risk and document the mitigation strategy.

4.3 Groups of concern

47. Malicious insiders may target other members of their work group. This can lead to unacceptable or corrupt behaviours that can be entrenched in workgroups.

48. Entrenched behavioural issues are often hard to identify from outside of a workgroup. Strategies that may be effective to minimise the possibility of entrenched behavioural issues are:

• targeted induction training for all new starters in high risk work areas

• reporting capability for all staff independent of direct management and colleagues

• rotation of staff in high risk work areas

• independent workplace audits, such as:

- active ICT audits

- spending audits

- security inspections

- leave history and work pattern audits


5. Managing personnel of security concern

49. All people’s circumstances will change over time. Negative changes could lead to unacceptable behaviour or vulnerability to coercion.

50. The impact of changes in personal circumstances or behaviours will vary from person to person. Controls agencies put in place to manage concerns should:

• be proportionate

• reflect the individual circumstances of the matter based on an assessment of the impact to the person from the changes

• reflect the agency’s level of tolerance to specific areas of concern

51. Prior to committing deliberate security breaches, fraud, corruption or misconduct, most people:

• need the intent to do the wrong thing

• need the opportunity and capability

• rely on the expectation they will get away with their actions

52. Managing people of concern should address all three elements concurrently.

53. The management of personnel with changes in circumstances or behaviours will depend on the level of concern. People can be broadly divided into two groups:

• personnel displaying indicators of potential concern

• personnel displaying changes in behaviours of actual concern

Figure 2: Stages leading to a security incident by a person of concern

The figure shows the following progression:

• Person of no concern

• Changes of circumstances that are indicators of potential concern

• Trigger event: major change in circumstances for person of concern

• Displays behaviours of concern

• Person has the intent to do wrong. Is there the opportunity, capability and expectation that the person will get away with doing wrong?

• Security incident

54. See Annex 1: Decision map – Managing people of security concern for further detail on managing people of concern.


5.1 Managing personnel with indicators of potential concern early

55. Agencies have established frameworks and processes to manage security risks. Individuals should be encouraged to rely on their agency’s capacity to manage these risks, and to seek advice from and/or report to appropriate managers about their changes in circumstances, conflicts of interest, or approaches from other persons of concern. Individuals should not self-manage risk.

56. Likewise, managers should be encouraged to raise concerns about their staff as they occur, including changes in their employees’ circumstances.

57. Agency security, fraud control and anti-corruption areas should work closely with HR once changes in circumstances or behaviours are identified in personnel.

58. HR is often best placed to identify when a person’s circumstances are potentially of concern and put in place measures to mitigate the concerns through early personal intervention using existing agency personal support and counselling programs. Importantly the management of personal issues should never be seen as anything other than trying to help a person so they remain a productive member of the team.

59. Minor changes in circumstances may be followed by a ‘trigger event’—ie, another higher risk change in circumstance that triggers behavioural change. By managing the initial changes in circumstances the trigger event, when it occurs, is unlikely to have the underlying unresolved personal circumstances needed for the event to cause behavioural change.

60. Without appropriate support, individuals may be susceptible to manipulation or may attempt to abuse their access within the agency.

61. However, this information not only needs to be actioned by HR but also provided to the prevention and control areas of an agency so they can increase monitoring of people considered to be at risk. Security, fraud control and anti-corruption areas can:

• increase watchfulness to identify if indicators escalate to actions

• if necessary, intervene to prevent escalation of a problem

5.2 Managing personnel displaying behaviours of actual concern

62. Any high risk personnel should be treated as people displaying behaviours of concern. Where possible, controls should be implemented before the person is employed. Agencies should include any specific control measures for high risk personnel as:

• conditions of employment for employees

• contract provisions for service providers

(See Section 4.2 High risk personnel.)

63. Ideally the person displaying behaviour of significant concern should have access to agency resources restricted as appropriate until the behaviour is investigated and appropriate mitigations are put in place.


64. When a serious intentional incident has occurred, the person should be removed immediately and under escort, to minimise the possibility of additional harm.

65. See the Australian Government protective security governance guidelines—Reporting incidents and conducting security investigations for guidance on undertaking investigations.

66. If removal of the person is not possible then increased vigilance is required by the person’s manager and the security, fraud control or anti-corruption areas to limit the impact of the behaviour. These controls could include:

• close supervision

• regular reporting/ debriefing

• premises and asset access control

• information and ICT access control

• active audit of ICT access

• other agency specific controls

67. Where circumstances permit, an agency should make the person aware of the concerns as well as any controls before or as they are implemented (provided that this will not jeopardise any ongoing investigations or the national interest).

5.2.1 Close supervision

68. Close supervision by managers of people of concern can provide immediate feedback to mitigate the risks to the agency.

69. Managers should be given clear reporting guidance to ensure that any additional or repeated behaviours of concern are reported immediately to the appropriate area of the agency.

70. Failure by managers to implement controls identified by the agency may itself be misconduct.

5.2.2 Regular reporting/ debriefing

71. As part of the close supervision the person should be required to regularly report on work to their manager.

72. The manager should provide regular feedback to the person on their performance and any continued concerns.

73. The manager should also regularly report to HR and security, fraud control or anti-corruption as appropriate on the person’s actions. Any new concerns should be reported immediately.

5.2.3 Premises and asset access control

74. Any access by the person of concern to agency resources should be strictly limited to that required to achieve agency outcomes.

75. Access to agency premises should be limited to business hours. Access to specific work areas should be limited to when access is required and when the person of concern can be supervised/ observed by other personnel in the area.


76. Agencies that use Electronic Access Control Systems (EACS) should be able to readily modify access when the concern is first identified. Agencies with manual access control systems will need to ensure that the person of concern’s manager is aware of the restrictions and that the restrictions are enforced.

77. Any keys should be withdrawn and known combinations changed unless there is no way to supervise access and continued unsupervised access is vital to achieving agency outcomes.

78. The return of portable assets should also be sought.

5.2.4 Information and ICT access control

79. Access to information should be limited to information that is actually needed to continue to perform the tasks required. This includes where possible limiting access on agency ICT systems.

80. All remote access to agency information should be withdrawn. Where remote access cannot be fully withdrawn then it should be limited to only information that is absolutely necessary for the immediate task being performed by the person of concern.

81. All privileged user access to any system should be withdrawn. This includes but is not limited to ICT administrator access and financial system approver rights.

5.2.5 Active audit of ICT access

82. Agencies should have in place systems that allow for the active audit of any ICT system or electronic information accessed by any system user. When a person of significant concern is identified, increased audit checking should be implemented.

83. Email traffic should also be monitored to ensure agency information or assets are not being exported to personal accounts.

84. An agency should monitor the quantity and type of information printed by a person of concern and any unexplained increases in printing or printing of information that is not required for the person’s role should be investigated.

85. Agencies should have measures in place to restrict the exporting of information by all personnel to portable devices. If an agency does not have effective controls they should monitor the copying of information by people of significant concern.

5.2.6 Other agency specific checks

86. Agencies may require personnel to undergo additional internal or external checks or management procedures to ensure that the concerns are not repeated or are being managed. These could include:

• police records checks

• drug or alcohol screening

• financial assessments

• counselling.


5.2.7 Other agency specific controls

87. Agencies should determine any additional controls based on their enabling legislation and operating environment. This could include more regular re-screening of existing periodic agency employment screening.


6. Managing personnel in high risk positions

88. Some positions within an agency can be of higher risk to the agency due to the level of access to agency assets required to perform the role. Personnel in high risk positions have an increased opportunity to harm an agency’s reputation. These positions include:

• ICT system administrators

• ICT system privileged users

• positions requiring access to very sensitive or highly classified information

• finance and payroll system managers/ payment approvers

• senior management positions

• compliance or enforcement roles

• law enforcement roles

89. It is important to note that these individuals may be susceptible to influence, compromise, grooming, reach-back (external contact from former colleagues), blackmail or opportunities as they arise, and sometimes these instances may be hard to detect. Concealment, for example, is a key element of corruption.

90. ‘Trusted insiders’ might form collaborations with organised criminal groups, or other corrupting or criminal individuals, in a relationship that can be described as ‘the corruption handshake’.

91. Agencies should identify high risk positions as part of their risk assessment.

92. Agencies should implement monitoring and control regimes appropriate to the risks for these positions. See section 5.2 Managing personnel displaying behaviours of actual concern.

93. In addition to agency specific screening requirements, agencies may require occupants of high risk positions to hold security clearances at the level indicated by the business impact of the position.

94. The Australian Signals Directorate’s Information Security Manual provides controls for privileged ICT system users.

95. The Fraud Control Framework provides advice on managing financial system users.

96. Australian Standard 8001:2008 - Fraud and corruption control can assist agencies to identify positions susceptible to corruption and develop control measures.


Annex 1: Decision map - Managing people of security concern

[Flowchart. The map’s starting conditions, decision points, actions and outcome are listed below.]

Starting conditions

• The person experiences changes of circumstances that are indicators of potential concern

• Trigger event: major change in circumstances for person of concern

• The person demonstrates behaviours of concern

• The behaviours are reported to HR/ the ASA by the manager

Decision points (YES/ NO)

• Is the person in a high risk position?

• Is the person a high risk person?

• Is support effective?

• Are controls effective?

• Does the person demonstrate improved behaviours?

• Is the person vital to the agency’s operation?

Actions

• Implement agency support mechanisms: counselling, employee assistance program, peer support

• Implement standard agency monitoring regime

• Implement additional controls1 to limit opportunity, capability or expectation of going undiscovered: close supervision; regular reporting/ debriefing; facility and asset access control; information and ICT access control; active ICT audit; additional agency specific checks

• Continue to monitor and review

• If already employed and if warranted/ possible, start procedures to terminate employment

Outcome

• Person of no concern

1. Only act in a way that does not compromise any ongoing investigations.


Annex 2: Additional information about managing people of concern

Attorney-General’s Department publications

• Protective Security Policy Framework

• Australian Government Personnel Security Protocol

• Australian Government personnel security guidelines—Agency personnel security responsibilities

• Managing the Insider Threat to your Business—A personnel security handbook

• Fraud Control Framework

Australian Public Service Commission publications relating to performance management

• APS Values and Code of Conduct in practice: A guide to official conduct for APS employees and agency heads

• APS Values, Employment Principles and Code of Conduct resources

• Handling misconduct

• In whose interests?: Preventing and managing conflicts of interest in the APS

• Promoting an attendance culture

• Reflect: APS Values and Code of Conduct: Decision-making model

• Circular 2014/2 - Amendments to the Australian Public Service Code of Conduct

Australian Standards corporate governance

• Australian Standard 8001:2008 - Fraud and corruption control

Independent Commission Against Corruption (NSW)

• Corruption risk management

Centre for the Protection of National Infrastructure (UK)

• Personnel Security

• Holistic Management of Employee Risk (HoMER)

• Ongoing personnel security

• Investigating Employees Of Concern - A Good Practice Guide

• Insider data collection study - Report of main findings

Defense Personnel and Security Research Center (PERSEREC) (US)

• Adjudicative Desk Reference

• Insider Risk Evaluation and Audit Tool

Deakin University managing performance concerns from mental health issues (includes videos)

• Managing performance concerns (Solution focused outcomes)

• Health and wellbeing

• Information for managers - Managing mental health in the workplace: your role as a manager

ADCET (Australian Disability Clearinghouse on Education and Training)

• Dealing with Disruptive Behaviour

Alexandra Mills, May 2012

• Causes of corruption in public sector institutions and its impact on development: Turning what we know into what we do

U4 - Anticorruption Resource Centre

• The basics of anti-corruption

• Publications