Insider Risk Body of Knowledge™

Insider Risk Procedures Hub

Access repeatable operating guidance for program governance, exposure assessment, alert triage, evidence preservation, and leaver risk management workflows.

Repeatable Workflows Support Capability Maturity

Insider risk programs need more than policies, tools, and alerts. They need repeatable procedures that help teams make consistent decisions, protect employee trust, preserve evidence, reduce exposure, and coordinate across security, HR, legal, privacy, compliance, data owners, and business leaders. The Procedures Hub provides high-level operating guidance for the core procedures that support insider risk management and insider threat response.

IRCF™ Alignment:The Procedures Hub aligns each procedure to the relevant Insider Risk Capability Framework™ components. The procedure content explains how the procedure is applied, while the IRCF™ remains the authoritative source for capability definitions and maturity expectations.

What This Hub Helps You Achieve

  • Understand the procedures an insider risk program needs to maintain.
  • Clarify roles, triggers, decision points, inputs, outputs, and evidence expectations.
  • Connect procedures to the Insider Risk Capability Framework™ without duplicating framework pages.
  • Use the Insider Threat Matrix as a behavioral and investigative reference for procedure design.
  • Identify when standard guidelines are not enough and a structured assessment, platform, or advisory engagement is needed.
Insider Threat Matrix Alignment:The Insider Threat Matrix™ helps frame motive, means, preparation, infringement, and anti-forensics. Each procedure aligns with this behavioral taxonomy to provide standard context, ensuring analytical clarity without substituting for professional investigative judgment.

Explore Core Procedure Categories

4 Procedures

Program Governance Procedures

Governance procedures explain how insider risk programs establish authority, accountability, decision rights, legal/privacy review, and executive oversight.

Explore Category
2 Procedures

Assessment and Reporting Procedures

Assessment and reporting procedures help teams understand exposure, document risks, assign owners, prioritize action, and communicate progress.

Explore Category
2 Procedures

Monitoring and Analysis Procedures

Monitoring and analysis procedures govern when monitoring is approved, how signals are routed, how alerts are triaged, and how findings are reviewed.

Explore Category
4 Procedures

Investigation and Evidence Procedures

Investigation and evidence procedures support consistent intake, preservation, legal hold, access lockdown, escalation, and case closeout.

Explore Category
2 Procedures

Workforce Lifecycle Procedures

Workforce lifecycle procedures address insider risk during onboarding, transfers, contractor engagement, termination, reduction-in-force, and elevated-risk events.

Explore Category
1 Procedure

Data, Access, and AI Procedures

Data, access, and AI procedures help organizations review sensitive-data exposure, privileged access, AI tool use, and emerging digital collaboration risks.

Explore Category

Procedures Hub FAQ

Need a Defensible Insider Risk Procedure Roadmap?

While these guidelines orient your program, building defensible, peer-reviewed operating playbooks requires tailored assessment methodologies, specialized scoring matrices, and tool configuration expertise.