Personnel Security: Risk Identification and Mitigation to Improve Workplace SecurityA postal industry case study |
Abstract
A leading national shipping and mailing company needed guidance in updating and enhancing its Personnel Security (PERSEC) Policy to align itself with standards and business practices widely accepted across the Federal Government. With a national IT infrastructure, thousands of facilities across the country and nearly 600,000 employees, the company could suffer significant damage from employee misconduct. The company needed help to create a personnel security policy that established a framework for the identification and classification of risk associated with employee positions. With such risk designations in place, the company can implement business processes that align employee background investigations and security clearances with the commensurate position risk. Conducting the appropriate level of background investigation will help to mitigate internal threats by employees, provide a greater degree of confidence in personnel who are responsible for critical assets or are in positions of authority, and bolster external customer relationships by enhancing trust in the company brand.
The Challenge
Over time, the company’s personnel security policy and job code management business processes were not refreshed to reflect the most current accepted standards, making them obsolete - standards had evolved but the company’s personnel security policy and procedures had not evolved with it. This left the company in the position of not having a current and comprehensive list of low, medium, and high risk job codes. Management needed help to re-baseline and assess the risk of every occupation code to determine the appropriate level of background investigation for each position.
Some of the main challenges included:
- Identifying a cost effective platform to consolidate job information on a national level
- Identifying and eliminating unused and obsolete job codes in the company’s human resource (HR) system
- Coordinating activities and clarifying business processes between the personnel security office and HR – prior lack of coordination has resulted in the creation of new job codes without an associated risk designation and investigation requirement.
- Promoting a paradigm shift from minimal investigation activities to a risk-based personnel security program
How We Helped
Deloitte helped the Personnel Security Project Management Office (PMO) develop a plan to effectively survey 1,800 occupation codes across multiple functional areas nationwide. Using an existing company SharePoint Platform and a survey questionnaire modified from an Office of Personnel Management (OPM) publication, the PMO team designed an automatic scoring tool to calculate the required background investigation, consolidated survey results data, and facilitated working groups to resolve discrepancies.
Solution
The PERSEC initiative established a baseline list of risk by occupation codes. Once the positions were designated as low-, medium-, or high-risk, company leadership understood which positions should receive higher level background investigations in order to mitigate position risk. Programs and policies were suggested to integrate and connect the personnel security office and human resources so that they work together going forward as internal business partners. The company was presented with several solution alternatives on how to maintain these position risk designations moving forward as a standard part of its PERSEC and HR programs.
