In today's business environment, few organizations are able to operate without contractors, subcontractors, temporary employees, contract employees, or other trusted business partners. Understanding how they fit into your insider threat program (InTP) and how to manage your organization's relationships with trusted business partners is critical to protecting your organization's data, assets, and reputation.

Hi, this is Ian McIntyre of the CERT Insider Threat Center. In this 10th installment of our blog series on establishing an insider threat program, I'll explore three considerations for dealing with trusted business partners.

Background, Training, and Preparation

Typically, trusted business partners need the same levels of access to an organization's systems as its regular employees to do their work. Just like employees, before they are given system access, trusted business partners should go through a similar vetting process, including completion of background investigations, sign appropriate non-disclosure agreements, and require the participation in annual security awareness training. Trusted business partners should be fully trained on the rules, regulations, and policies of the organization they will be working for. In addition, access privileges and work responsibilities should be clearly defined, and when the trusted business partner relationship is no longer needed, they should follow the same off-boarding process as employees.

Contracts

Signed contracts between trusted business partners and the hiring organization should include terms and conditions that allow for

• security logging and auditing of trusted business partner activity
• an obligation to notify the organization if breaches occur
• the return of intellectual and physical assets when the engagement ends

The organization's security requirements should be clearly defined, communicated, and included in the contracting agreements.

Communication

Beyond the communication involved at the beginning of an engagement with a trusted business partner, it is important to communicate employment changes or terminations before they occur. This communication must occur both within your organization and between your organization and the contracted organization. Within your organization, physical security and IT departments must be notified if a contractor is terminated so his or her access to organizational systems and premises can be revoked. If the contracted organization terminates its employee, your organization should be informed so you can react accordingly.

If you want more information on managing trusted business partners or other components of an Insider Threat Program, look into our Insider Threat Program Manager Certification. If you have any questions or comments please feel free to contact us!