
# Insider Threat Program Policy

- Document ID: AUL-POL-14
- Version: 1.0
- Classification: Internal
- Owner: Chief Technology Officer / ISSM
- Effective: TBD-YYYY-MM-DD
- Next Review: TBD-YYYY-MM-DD
## 1. Purpose
This policy establishes the Insider Threat Program (InTP) for Aulendur Labs, Inc. The program detects, deters, and mitigates risks posed by personnel who may use their authorized access to harm Aulendur's information, systems, personnel, or mission — whether through espionage, sabotage, unauthorized disclosure, or negligence. As a defense contractor with CUI access and TS/SCI-cleared personnel, Aulendur is required by DFARS and CMMC to implement insider threat capabilities. This policy completes coverage of NIST SP 800-171 Rev. 3 control 03.02.03 (Insider Threat Awareness).
## 2. Scope
This policy applies to:
- Personnel: All employees, contractors, interns, and advisors with access to Aulendur information systems or data.
- Threats addressed: Espionage, unauthorized disclosure of CUI or ITAR data, sabotage of systems or data, theft of intellectual property, fraud, and negligent insider behavior.
- Systems: All information systems within the Aulendur security boundary.
## 3. Roles &amp; Responsibilities
| Role | Responsibility |
|---|---|
| Chief Executive Officer (CEO) | Approves this policy; receives insider threat briefings; authorizes investigations involving co-founders. |
| Chief Technology Officer (CTO) / ISSM / Insider Threat Program Senior Official (ITPSO) | Owns this policy; leads the Insider Threat Program; conducts or oversees investigations; coordinates with legal counsel. |
| All Personnel | Report insider threat indicators; cooperate with inquiries; complete insider threat awareness training. |
> [!NOTE]
> DECISION POINT: At ~5 personnel, the CTO/ISSM serves as the ITPSO. A formal multi-member Insider Threat Working Group is not feasible at this scale. Compensating control: the CEO provides independent oversight of insider threat matters and would lead any investigation involving the CTO/ISSM. When headcount exceeds 15 or a facility clearance (NISPOM) is pursued, a formal working group shall be established per 32 CFR Part 117.
## 4. Policy Statements

### 4.1 Program Establishment
4.1.1 Aulendur Labs shall maintain an Insider Threat Program proportionate to its size and risk profile. The program shall integrate personnel security, information security, and cybersecurity data to identify and respond to insider threats.
4.1.2 The ITPSO (CTO/ISSM) shall document the Insider Threat Program in the Insider Threat Program Plan (forthcoming), including program scope, authorities, data sources, inquiry procedures, and civil liberties protections.
4.1.3 The ITPSO shall brief the CEO on insider threat program status and any active concerns at least quarterly.
### 4.2 Insider Threat Indicators
4.2.1 The following categories of behavior may constitute insider threat indicators. Personnel shall report observed indicators to the ITPSO:
- (a) Data exfiltration indicators: Unusual download volumes, copying large amounts of data to removable media, emailing sensitive files to personal accounts, accessing data outside job scope.
- (b) Access anomalies: Accessing systems at unusual hours without business justification, repeated failed access attempts, accessing systems after notice of termination.
- (c) Behavioral indicators: Expressing intent to harm the organization, unexplained affluence, unreported foreign contacts or travel, disgruntlement combined with access to sensitive data.
- (d) Policy violations: Repeated security policy violations, circumventing security controls, refusing to comply with security procedures.
- (e) Technical indicators: Installation of unauthorized software (keyloggers, tunneling tools, encryption tools not sanctioned by the CTO/ISSM), modification of audit logs, disabling security tools.
4.2.2 The presence of indicators does not constitute proof of malicious intent. All inquiries shall be conducted with due regard for privacy, civil liberties, and the presumption of good faith until evidence establishes otherwise.
### 4.3 Data Sources
4.3.1 The ITPSO may correlate the following data sources to identify potential insider threats:
- (a) System access logs (Google Workspace, GitHub, Linode, AWS, 1Password admin logs).
- (b) Endpoint telemetry (if endpoint detection and response tooling is deployed).
- (c) Email and messaging metadata (not content without legal authorization).
- (d) Physical access logs.
- (e) Personnel security reports (background check results, self-disclosures).
- (f) Security incident reports.
- (g) Training completion records.
- (h) Reports from personnel.
4.3.2 Content inspection of employee communications (email body, chat messages, file contents) shall require CEO authorization and documentation of the specific concern justifying the inspection, consistent with applicable law and Aulendur's employee privacy notice.
### 4.4 Inquiry and Investigation
4.4.1 Upon receiving a credible insider threat indicator, the ITPSO shall: (a) document the indicator(s) and source(s), (b) assess the immediacy and severity of the potential threat, (c) determine whether immediate protective actions are warranted (access suspension, device collection), and (d) initiate a preliminary inquiry.
4.4.2 Preliminary inquiries shall be confidential and limited to the ITPSO and CEO. Results shall be documented and retained securely.
4.4.3 If the preliminary inquiry establishes a reasonable basis for concern, the ITPSO shall: (a) brief the CEO, (b) recommend protective actions (access restriction, enhanced monitoring, separation), (c) engage Michael Best legal counsel if legal action or law enforcement referral may be warranted, and (d) preserve all relevant evidence.
4.4.4 If the insider threat involves the CTO/ISSM, the CEO shall assume ITPSO responsibilities for that matter and may engage external counsel or an independent security consultant.
### 4.5 Protective Actions
4.5.1 The ITPSO may recommend the following protective actions, with CEO approval for actions beyond access restriction:
| Action | Approval Authority |
|---|---|
| Enhanced monitoring of specific systems/accounts | ITPSO |
| Temporary access restriction to sensitive systems | ITPSO |
| Full access suspension | CEO |
| Device collection and forensic review | CEO |
| Termination referral | CEO |
| Law enforcement referral | CEO + legal counsel |
4.5.2 Protective actions shall be proportionate to the assessed risk and documented with rationale.
### 4.6 Training and Awareness
4.6.1 All personnel shall complete insider threat awareness training per the Security Awareness & Training Policy. Training shall cover: indicator recognition, reporting procedures, anti-retaliation protections, and civil liberties safeguards.
4.6.2 The ITPSO shall receive specialized insider threat training annually, covering behavioral analysis, digital forensics fundamentals, and legal constraints on investigations.
### 4.7 Civil Liberties and Whistleblower Protections
4.7.1 The Insider Threat Program shall not be used to investigate, retaliate against, or suppress legitimate whistleblowing, union activity, or protected speech.
4.7.2 Reports made in good faith under the Whistleblower & Reporting Policy (forthcoming) are protected regardless of whether the reporter also exhibits indicators that might otherwise trigger an inquiry.
4.7.3 All insider threat inquiries shall be conducted consistent with applicable federal and state privacy laws, employment laws, and 10 USC 4701 (contractor employee whistleblower protections).
### 4.8 Record Keeping
4.8.1 Insider threat inquiry records shall be classified Confidential, stored separately from general personnel files, and accessible only to the ITPSO and CEO.
4.8.2 Records shall be retained for 5 years after case closure, or longer if required by ongoing legal proceedings or contract requirements.
## 5. Standards &amp; Procedures Referenced
The following companion documents implement this policy:
- Security Awareness & Training Policy
- Personnel Security Policy
- Code of Conduct & Ethics Policy
- Whistleblower & Reporting Policy (forthcoming)
- Insider Threat Program Plan (forthcoming)
- Logging & Monitoring Policy (forthcoming)
## 6. Compliance &amp; Enforcement
Failure to report known insider threat indicators is a policy violation. Misuse of the insider threat program for personal vendettas, harassment, or suppression of legitimate reporting is a serious violation subject to termination and potential legal liability. Suspected violations shall be reported to the CEO.
## 7. Exceptions
This policy does not permit exceptions to reporting obligations or civil liberties protections. Procedural exceptions require CEO written approval per the Policy Exception & Waiver Policy.
## 8. Definitions
| Term | Definition |
|---|---|
| Insider Threat | The risk that a person with authorized access to organizational resources uses that access — intentionally or through negligence — to harm the organization's information, systems, or mission. |
| ITPSO | Insider Threat Program Senior Official — the individual responsible for the organization's insider threat program. |
| Indicator | An observable behavior or event that may suggest an insider threat is developing or occurring. |
| Preliminary Inquiry | An initial, limited-scope review of insider threat indicators to determine whether a full investigation is warranted. |
| Protective Action | A measure taken to reduce the risk posed by a potential insider threat, ranging from enhanced monitoring to termination. |
| CUI | Controlled Unclassified Information, per 32 CFR Part 2002. |
## 9. References
- NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
- CMMC 2.0 Level 2, Cybersecurity Maturity Model Certification
- Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
- 32 CFR Part 117, National Industrial Security Program Operating Manual (NISPOM) — Insider Threat Program requirements
- 10 USC 4701, Contractor Employees: Protection from Reprisal
- CISA, Insider Threat Mitigation Guide
## 10. Control Mappings
| Framework | Control ID | Control Title | Coverage |
|---|---|---|---|
| NIST SP 800-171 R3 | 03.02.03 | Insider Threat Awareness | Full — combined with AUL-POL-10 |
| CMMC 2.0 L2 | AT.L2-3.2.3 | Insider Threat Awareness | Full |
| NIST SP 800-53 R5 | PM-12 | Insider Threat Program | Full |
| NIST SP 800-53 R5 | AT-2(2) | Insider Threat | Full |
## 11. Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | TBD-YYYY-MM-DD | J. Gershenson | Initial issue. |
© Aulendur Labs, Inc. 2026. Internal use only unless otherwise classified.