Preventions
- ID: PV013
- Created: 01st June 2024
- Updated: 21st July 2024
- Contributor: The ITM Team
Pre-Employment Background Checks
Background checks should be conducted to ensure whether the information provided by the candidate during the interview process is truthful. This could include employment and educational reference checks, and a criminal background check. Background checks can highlight specific risks, such as a potential for extortion.
Sections
| ID | Name | Description |
|---|---|---|
| MT001 | Joiner | A subject joins the organisation with the pre-formed intent to gain access to sensitive data or otherwise contravene internal policies. |
| IF012 | Public Statements Resulting in Brand Damage | A subject makes comments either in-person or online that can damage the organization's brand through association. |
| IF011 | Providing Access to a Unauthorized Third Party | A subject intentionally provides system or data access to a third party that is not authorized to access it. |
| MT012 | Coercion | A subject is persuaded against their will to access and exfiltrate or destroy sensitive data, or conduct some other act that harms or undermines the target organization. |
| MT004 | Political or Philosophical Beliefs | A subject is motivated by their political or philosophical beliefs to access and destroy or exfiltrate sensitive data or otherwise contravene internal policies. |
| MT010 | Self Sabotage | A subject accesses and exfiltrates or destroys sensitive data or otherwise contravenes internal policies with the aim to be caught and penalised. |
| MT005 | Personal Gain | A subject seeks personal gain from another by accessing and exfiltrating or destroying sensitive data or otherwise contravening internal policies. |
| MT011 | Hubris | A subject accesses and exfiltrates or destroys sensitive data or otherwise contravenes internal policies with the aim to successfully defeat controls in order to demonstrate ability and/or skill. |
| MT017 | Espionage | A subject carries out covert actions, such as the collection of confidential or classified information, for the strategic advantage of a nation-state. |
| MT018 | Curiosity | A subject, motivated solely by personal curiosity, may take actions that unintentionally cause or risk harm to an organization. For example, they might install unauthorized software to experiment with its features or explore a network-attached storage (NAS) device without proper authorization. |
| MT005.002 | Corporate Espionage | A third party private organization deploys an individual to a target organization to covertly steal confidential or classified information or gain strategic access for its own benefit. |
| MT005.001 | Speculative Corporate Espionage | A subject covertly collects confidential or classified information, or gains access, with the intent to sell it to a third party private organization. |
| MT012.002 | Extortion | A third party uses threats or intimidation to demand that a subject divulge information, grant access to devices or systems, or otherwise cause harm or undermine a target organization. |
| MT005.003 | Financial Desperation | A subject facing financial difficulties attempts to resolve their situation by exploiting their access to or knowledge of the organization. This may involve selling access or information to a third party or conspiring with others to cause harm to the organization for financial gain. |
| MT012.004 | Emotional Vulnerability | A subject’s emotional state is exploited by a malicious third party, particularly during periods of heightened stress, grief, or personal hardship. The third party leverages this vulnerability to manipulate the subject into revealing sensitive information or performing actions that could compromise the organization. |