What are High Risk Roles?
Understanding the concept of High Risk Roles begins with the concept of assets. There are generally agreed to be two categories of asset – tangible (e.g. physical things) and intangible (e.g. knowledge). Examples of tangible assets include property (facilities), information (including intellectual property and trade secrets), reputation, people (workforce), systems and infrastructure, and stock or merchandise.
Whilst loss, degradation or compromise of an asset may cause a financial loss or inconvenience, not all assets are critical to an organisation’s survival: those assets which are critical are often referred to as ‘critical assets’.
Critical assets typically comprise only a small fraction of all assets held by any organisation, but their loss causes a disproportionately high business impact. In security risk management, we never have enough resources to treat every risk, nor does it make sense to do so. By extension, an organisation’s critical assets are those assets which it must use disproportionately more resources to protect. This may range from restricting access to the asset to prevent loss or damage through to providing multiple layers of redundancy and increasing organisational resilience in the event of unanticipated shocks or events.
High Risk Roles: What are they and why are they important?
High Risk Roles are those which confer privileged access to an organisation’s critical assets, as well as other types of access privileges, user privileges, or delegations of authority.
The concept of privileged access to assets, including information, is very much situational within the organisation concerned. If an organisation has no controls to protect its critical assets from loss, damage or interference, then every role is effectively high risk.
In contrast, if some roles are subject to fewer controls, less supervision or less oversight; if senior staff are easily able to bypass or compromise internal controls by virtue of their position (or coerce junior employees or subordinates into doing so); or if some roles are more readily able to access critical assets (such as in organisations where critical assets are closely guarded or ‘locked down’), then a higher degree of trust is inherently placed in those individuals. This degree of trust is reflected in their ‘privileged access’ to these assets – some organisations have historically used the term ‘positions of trust’ to refer to such roles.
What are some examples of privileged access which make a position ‘high risk’?
An organisation’s workforce must have access to its critical assets to perform its core functions. Members of the workforce with access to its critical assets may not just comprise trusted employees, but also contractors, suppliers and other third parties, making it essential to have a mechanism to track who has access to what as part of good governance, let alone risk management and assurance. Examples of positions which an employer may deem ‘high risk roles’ based on a risk assessment process include:
- Positions with unchecked access to the organisation’s critical assets (i.e. the organisation’s ‘crown jewels’)
- Positions conferring higher Delegations of Authority (e.g. financial delegations)
- Positions conferring access to customer or employee Personally Identifiable Information (PII)
- Those with access to Trade Secrets, sensitive research or other Confidential Information
- Persons with access to sensitive business information
- Roles involving system administrator privileges
- Roles conferring access to valuable stock, merchandise or assets (particularly those which are of high value and easily moved)
- Roles conferring other privileged access or decision making rights
Unless defined by legislation, what constitutes a High Risk Role will differ between organisations. Some organisations use the Personnel Security Risk Assessment as a tool for identifying these roles (refer below).
Five suggested tools to manage High Risk Roles
As outlined in the preceding paragraphs, the purpose of defining High Risk Roles is to identify the subset of your overall workforce which has privileged access to critical assets. In most organisations, perhaps with the exception of smaller organisations such as startups, those in High Risk Roles will comprise a very small percentage of the overall workforce. There are five main steps in managing high risk roles, as follows:
1. Personnel Security Risk Assessment (PSRA)
The PSRA is a structured approach to identifying those groups of roles, or even specific positions, in the organisation which may be defined as high risk. The PSRA helps inform the development of a number of risk treatments and internal controls, including the design of Employee Vetting and Supplier Vetting Standards (also known as Employment Screening, Workforce Screening, Employee Due Diligence, Supplier Due Diligence or Supplier Integrity standards) and Continuous Monitoring Programs.
This alignment helps ensure that the vetting (background check) programs reconcile to the organisation’s inherent risks where the risk driver is a trusted insider with an adverse background, and that Continuous Monitoring Programs are risk-based and justifiable. The relationships between these high level concepts are illustrated in the following figure:
See my article here for more detail on the Personnel Security Risk Assessment process.
2. Identify your High Risk Roles
This involves an exercise to determine which position numbers (or groups / types of roles) have privileged access to your critical assets. The activity manually assigns a risk rating to each position, group or type of role listed in the company’s HR Position Control or HR Position Management registers, which are extracted from the organisation’s Human Resources Information System; the resulting rating might then be stored in a system such as Active Directory.
In some cases, the identification of High Risk Roles is undertaken as part of the Personnel Security Risk Assessment, whilst other organisations choose to do this as a discrete exercise.
3. Apply enhanced vetting to individuals occupying High Risk Roles
Many organisations run multiple levels of workforce screening (employment screening) for prospective and ongoing employees. Importantly, vetting looks at the employees’ overall background but does not consider their activity, behaviours or conduct within the organisation or on its networks (this is the role of Continuous Monitoring, below).
To manage cost and minimise unnecessary privacy intrusions, low risk roles will typically be subject to minimal screening processes – perhaps Identity Verification, Right to Work Entitlement (e.g. Working Visa or Citizenship), and Criminal Record Check. Vetting programs for High Risk Roles should be treatments for some of the risks identified through the Personnel Security Risk Assessment.
4. Conduct periodic ICT User Access Reviews
This should be undertaken on an ongoing basis as part of your cybersecurity hygiene, but users who have higher access privileges, administrator access, or access to critical assets should be periodically re-evaluated by line management to ensure this access is still required in the course of their work. It is common to find people who have been promoted or moved laterally to new roles who inherit access privileges from previous roles which are no longer required in their subsequent roles.
5. Apply continuous monitoring for users in high risk roles
Continuous Monitoring through the correlation of data points obtained through User Activity Monitoring and/or other advanced analytics or behavioural analytics-based insider risk detection solutions (such as DTEX Intercept, Microsoft Insider Risk or Exabeam) should be disproportionately focused towards those in High Risk Roles (see Albrethsen, 2017).
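As an added example (not code from the original article or from any product named in it), the following Python reconciles an HR position register with a directory group export in the way steps 2, 4 and 5 describe. Every value in it is constructed for the illustration: the position ids, role names, risk ratings, the baseline of groups each role is expected to hold, and the accounts are all hypothetical. It flags accounts whose current position is rated high risk, accounts holding groups outside their role’s baseline (the inherited access described in step 4), accounts whose position is missing from the register, and then orders the result so that continuous monitoring effort can be weighted towards the highest effective risk rather than the job title alone.

```python
"""Reconcile an HR Position Control register with a directory group export.

Added illustration for the High Risk Roles steps above; not the article's
own tooling. All registers, groups and accounts below are constructed.
"""
from dataclasses import dataclass

RISK_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed HR Position Control register (step 2): position id -> role and
# the risk rating assigned manually during the identification exercise.
POSITION_REGISTER = {
    "P1001": {"role": "Payroll Manager", "risk": "HIGH"},
    "P1002": {"role": "Payroll Officer", "risk": "MEDIUM"},
    "P2001": {"role": "Domain Administrator", "risk": "HIGH"},
    "P3001": {"role": "Marketing Coordinator", "risk": "LOW"},
}

# Constructed baseline: the directory groups each role is expected to hold.
ROLE_BASELINE = {
    "Payroll Manager": {"GG-Payroll-Approve", "GG-HR-PII-Read"},
    "Payroll Officer": {"GG-Payroll-Enter"},
    "Domain Administrator": {"Domain Admins"},
    "Marketing Coordinator": {"GG-Marketing"},
}

# Constructed directory export: account -> current position id and groups.
DIRECTORY_EXPORT = [
    {"account": "asmith", "position": "P1001", "groups": {"GG-Payroll-Approve", "GG-HR-PII-Read"}},
    # Officer who kept an approval right from an earlier acting-manager role.
    {"account": "bjones", "position": "P1002", "groups": {"GG-Payroll-Enter", "GG-Payroll-Approve"}},
    {"account": "clee", "position": "P2001", "groups": {"Domain Admins"}},
    # Lateral mover who retained PII access from a previous HR position.
    {"account": "dkim", "position": "P3001", "groups": {"GG-Marketing", "GG-HR-PII-Read"}},
    # Account whose position id is not in the HR register at all.
    {"account": "eng-svc", "position": "P9999", "groups": {"Domain Admins"}},
    {"account": "fwong", "position": "P3001", "groups": {"GG-Marketing"}},
]


@dataclass
class Finding:
    account: str
    position: str
    role: str               # "UNKNOWN" when the position is not in the register
    position_risk: str      # rating of the position itself, or "UNKNOWN"
    effective_risk: str     # highest of the position risk and any group held
    excess_groups: frozenset  # groups outside the current role's baseline
    review_required: bool


def group_risk_map(register, baseline):
    """Rate each group by the highest-risk role whose baseline grants it."""
    rating = {}
    for pos in register.values():
        for group in baseline.get(pos["role"], ()):
            if RISK_ORDER[pos["risk"]] > RISK_ORDER.get(rating.get(group), -1):
                rating[group] = pos["risk"]
    return rating


def access_review(directory, register, baseline):
    """Steps 2 and 4: join accounts to positions and flag excess or unrated access."""
    group_risk = group_risk_map(register, baseline)
    findings = []
    for rec in directory:
        pos = register.get(rec["position"])
        role = pos["role"] if pos else "UNKNOWN"
        position_risk = pos["risk"] if pos else "UNKNOWN"
        expected = baseline.get(role, set())
        excess = frozenset(rec["groups"] - expected)
        # Privileged access drives risk even when the job title does not:
        # a group that belongs to a HIGH role's baseline lifts the holder to HIGH.
        held = [group_risk[g] for g in rec["groups"] if g in group_risk]
        if pos:
            held.append(pos["risk"])
        effective = max(held, key=RISK_ORDER.__getitem__, default="UNKNOWN")
        review = effective == "HIGH" or bool(excess) or pos is None
        findings.append(Finding(rec["account"], rec["position"], role,
                                position_risk, effective, excess, review))
    return findings


def monitoring_priority(findings):
    """Step 5: order accounts for monitoring attention, highest effective risk
    first, then the most excess access, then by name for a stable report."""
    def key(f):
        return (-RISK_ORDER.get(f.effective_risk, 3), -len(f.excess_groups), f.account)
    return [f.account for f in sorted(findings, key=key)]


if __name__ == "__main__":
    results = access_review(DIRECTORY_EXPORT, POSITION_REGISTER, ROLE_BASELINE)
    for f in results:
        flag = "REVIEW" if f.review_required else "ok"
        print(f"{f.account:8} {f.role:22} {f.effective_risk:7} excess={sorted(f.excess_groups)} {flag}")
    print("monitoring priority:", monitoring_priority(results))
```

In practice the two inputs would be the HR Position Control extract and a group-membership export from the directory; the point of the join is that line managers review the excess list, while the position register, not the directory, remains the source of truth for which roles are high risk.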
In summary, the identification and management of High Risk Roles should be a feature of any Insider Risk Management, Supply Chain Risk Management, or Research Security Program. Increasingly, various legislative frameworks – such as Anti-Money Laundering / Counter-Terrorist Financing (AML/CTF) regime – also consider the concept of High Risk Roles in their compliance programs as a way to manage personnel related risks. Don’t forget, given that High Risk Roles change periodically as the organisation changes, regular updates to related artefacts form part of a mature capability.
- Albrethsen, M.J. (2017). Data Management and Event Correlation (Part 12 of 20: CERT Best Practices to Mitigate Insider Threats Series), SEI Blog, Software Engineering Institute, Carnegie Mellon University, https://insights.sei.cmu.edu/blog/data-management-and-event-correlation-part-12-of-20-cert-best-practices-to-mitigate-insider-threats-series/
- Australian Cyber Security Centre (2021). Essential Eight Maturity Model, October 2021, Australian Government, https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model
- Australian Cyber Security Centre (2021). Restricting Administrative Privileges, October 2021, Australian Government, https://www.cyber.gov.au/acsc/view-all-content/publications/restricting-administrative-privileges
- Center for the Development of Security Excellence (2015). Continuous Monitoring Student Guide, CS200.16, https://www.cdse.edu/Training/eLearning/CS200-resources/
- Centre for the Protection of National Infrastructure (2013). Personnel Security Risk Assessment: A Guide, 4th Edition, June 2013, HM Government, United Kingdom, https://www.cpni.gov.uk/resources/personnel-security-risk-assessment-guide-4th-edition
- Curwell, P. (2021). In business, confidential information is a critical asset
- Curwell, P. (2022). Building your Supplier Integrity Framework
- Curwell, P. (2022). Business Espionage – The Sale of Intellectual Property on the Dark Web
- Curwell, P. (2022). Los Angeles rail hijackings – a form of cargo theft
- Curwell, P. (2022). What is a Personnel Security Risk Assessment?
- May, O. and Curwell, P. (2021). Chapter 8: Due Diligence, in Terrorist Diversion: A Guide to Prevention and Detection for NGOs, Routledge, London.
- Microsoft (2014). How the Active Directory Schema Works, Active Directory Schema Technical Reference, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773309(v=ws.10)
- Office of the Australian Information Commissioner (2017). What is Personal Information?, https://www.oaic.gov.au/privacy/guidance-and-advice/what-is-personal-information
- Spooner, D., Silowash, G., Costa, D., Albrethsen, M. (2018). Navigating the Insider Threat Tool Landscape: Low Cost Technical Solutions to Jump-Start an Insider Threat Program, June 2018, Software Engineering Institute, Carnegie Mellon University, https://resources.sei.cmu.edu/
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.