Insider Threat Program Charter Template: twelve sections that turn an ad hoc insider threat workflow into a chartered cross-functional programme
A free, copy-ready insider threat (ITP) and insider risk management (IRM) programme charter template. Twelve structured sections:
- Charter header and version control.
- Programme mission, authority, and executive sponsorship.
- Cross-functional working group with named roles across Security, HR, Legal, Privacy, IT, Ethics, and Internal Audit.
- Scope, definitions, and insider category catalogue (negligent, malicious, compromised credential, third-party insider, hybrid).
- Lawful basis, data minimisation, and prohibited monitoring practices register.
- Indicator catalogue covering technical, behavioural, and contextual signal classes, with the explicit pairing rule that behavioural indicators contribute only once a technical pattern is present.
- Case lifecycle with nine documented states and mandatory pre-action review by HR, Legal, and Privacy before any adverse employment action.
- Data sources, monitoring controls, and access boundaries.
- Communications, transparency, and workforce notice.
- Programme metrics and quarterly governance forum with a ten-indicator metric pack.
- Independent oversight by internal audit, workforce member appeal mechanism, and records retention rules.
- Framework alignment matrix with charter revision discipline.
Aligned with ISO/IEC 27001:2022 Annex A 6.1, A 6.3, A 6.7, A 6.8, A 5.4, A 5.24 to A 5.27, A 8.16, and Clauses 5.1, 7.5, 9.1, 10.1; SOC 2 Trust Services Criteria CC1.1 through CC1.4, CC2.2, CC6.1, CC6.7, CC7.2, CC7.4, CC7.5; NIST SP 800-53 Rev. 5 PM-12, AT-2(2), IR-4, IR-5, AC-2, AC-6, AU-6, AU-12, CA-7, PS-3 through PS-8; NIST SP 800-171 Rev. 2 3.6, 3.7, 3.9, 3.14; NIST CSF 2.0 GV.RR, GV.OV, ID.RA, PR.AT, PR.AA, DE.AE, DE.CM, RS.MA, RS.AN, RS.MI; GDPR and UK GDPR Articles 5, 6, 9, 13, 14, 15, 22, 30, 32, 35; the CISA Insider Threat Mitigation Guide; and the National Insider Threat Task Force minimum standards.
Built for CISOs and security directors, internal security teams, security operations leaders, security program managers, GRC and compliance teams, AppSec and product security leads who pair into the working group, data security teams, identity security teams, security architects, detection engineering teams, incident response leads, audit committees, board risk committees, executive sponsors, HR partners, Legal partners, Privacy and DPO partners, Ethics and internal investigations partners, and internal audit partners who need a defensible cross-functional charter rather than a security policy fragment that did not survive employment-law and works-council review.
Run the chartered insider threat programme on one workspace, not across an HR system, a legal intake form, and a shared mailbox
SecPortal pairs the chartered programme to a versioned engagement record so the charter, the working group roster, the indicator catalogue, the monitoring practice register, the per-case triage record, the named HR-Legal-Privacy pre-action review chain, the metric pack, the governance forum minute book, the internal audit oversight record, and the corrective action chain all live on one workspace with named-actor activity log. Free plan available.
Twelve sections that turn an ad hoc insider threat workflow into a chartered cross-functional programme
An insider threat programme is the cross-functional function that detects, assesses, and responds to negligent insiders, malicious insiders, compromised credentials, and third-party insider-shaped risk. The chartered programme record is the named, signed, version-controlled document that establishes who chartered the programme, who runs it, what it observes, how cases are triaged, what monitoring is prohibited, how the workforce knows it operates, how the programme reports to leadership, and how the charter itself stays current. It is not the same as a published insider threat detection guide, a security policy fragment, an incident response runbook, or a single-team SOC procedure. CISA, the National Insider Threat Task Force, NIST SP 800-53 PM-12, ISO/IEC 27001 Annex A 6.1, A 6.3, A 6.7, A 6.8, A 8.16, A 5.24 to A 5.27, and SOC 2 CC1.1 to CC1.4 all expect a chartered programme with cross-functional partners.
The twelve sections below cover the durable shape of one insider threat programme charter against ISO/IEC 27001 Annex A 6.1, A 6.3, A 6.7, A 6.8, A 5.4, A 5.24 to A 5.27, A 8.16, and Clauses 5.1, 7.5, 9.1, 10.1; SOC 2 CC1.1 through CC1.4, CC2.2, CC6.1, CC6.7, CC7.2, CC7.4 and CC7.5; NIST SP 800-53 Rev. 5 PM-12, AT-2(2), IR-4, IR-5, AC-2, AC-6, AU-6, AU-12, CA-7, PS-3 through PS-8; NIST SP 800-171 3.6, 3.7, 3.9, 3.14; NIST CSF 2.0 GV.RR, GV.OV, ID.RA, PR.AT, PR.AA, DE.AE, DE.CM, RS.MA, RS.AN, RS.MI; GDPR Articles 5, 6, 9, 13, 14, 15, 22, 30, 32, 35; the CISA Insider Threat Mitigation Guide; and the National Insider Threat Task Force minimum standards. The package is not a substitute for the engineering tooling (DLP, UEBA, EDR, ITDR, CASB, IAM telemetry) that surfaces the indicators; pair it with the security programme charter template as the upstream programme authority, the acceptable use policy template as the workforce-facing rule the programme monitors compliance with, the tabletop exercise template for the insider-misuse exercise lane, the incident response runbook that takes the handoff when a case progresses to a confirmed event, the data classification policy template that defines the data classes in the monitoring scope, the vulnerability disclosure policy template for the external researcher referral inflow, and the audit evidence retention policy template that classifies the programme records. Copy the section that fits your stage and paste the rest as you go.
1. Charter header and version control
Open the charter with the named organisation, the version, the authority, and the next review date. A reviewer reading the first lines should know which firm chartered the programme, who signed it, when it took effect, and how the current version connects to its predecessors. ISO/IEC 27001 Clause 7.5 expects documented information for the management system with controlled identification, format, and review; the version control block is what turns insider threat work from a security side project into a traceable cross-functional programme. NIST SP 800-53 PM-12 and the CISA Insider Threat Mitigation Guide expect a chartered programme with named authority rather than an ad hoc workflow that began without a signed mandate.
Document title: Insider Threat Program Charter
Organisation: {{ORGANISATION_LEGAL_NAME}}
Programme name (the name the workforce knows the programme by; some firms use Insider Risk Management or IRM rather than Insider Threat Program): {{PROGRAMME_NAME}}
Document identifier (used for cross-references from policies, standards, and operating procedures): {{DOCUMENT_IDENTIFIER}}
Current version: {{CURRENT_VERSION}}
Effective date: {{EFFECTIVE_DATE}}
Next scheduled annual review date: {{NEXT_ANNUAL_REVIEW_DATE}}
Document classification (per the data classification policy; insider threat charters often carry a restricted classification because the indicator catalogue would aid attackers if leaked): {{DOCUMENT_CLASSIFICATION}}
Retention period (per the audit evidence retention policy): {{RETENTION_PERIOD}}
Custodian (the role that maintains the document between sign-offs):
- Role: {{CUSTODIAN_ROLE}} (typically the named insider threat programme lead, Director of Security Operations, or CISO depending on org shape)
- Named person at time of publication: {{CUSTODIAN_NAME}}
Version history (each row carries: version, effective date, summary of change, revision trigger, sign-off references):
- v1.0 {{V1_EFFECTIVE_DATE}}: Initial charter sponsored by {{V1_SPONSOR_NAME}}. Trigger: programme founding. Sign-off references: {{V1_SIGN_OFF_REFERENCES}}.
- v{{VN_VERSION}} {{VN_EFFECTIVE_DATE}}: {{VN_CHANGE_SUMMARY}}. Trigger: {{VN_TRIGGER}}. Sign-off references: {{VN_SIGN_OFF_REFERENCES}}.
Revision trigger that produced this version (one of: scheduled annual review, material workforce or estate change, sponsor change, regulatory environment change, audit or regulator finding naming the charter as root cause, works council or union consultation change, post-incident lesson, post-litigation lesson, privacy regulator complaint, ethics complaint, structural reorganisation, named monitoring practice retired or added):
- {{CURRENT_REVISION_TRIGGER}}
Related programme artefacts (the documents that derive their authority from or read against this charter):
- Information security programme charter (the parent programme charter this insider threat charter operates beneath): {{SECURITY_PROGRAMME_CHARTER_REFERENCE}}
- Acceptable use policy (the workforce-facing rule the insider threat programme monitors compliance with): {{ACCEPTABLE_USE_POLICY_REFERENCE}}
- Data classification policy (the data classes named in Section 8 monitoring scope read against): {{DATA_CLASSIFICATION_POLICY_REFERENCE}}
- Privacy and personal data handling policy (the workforce-monitoring lawful basis reads against): {{PRIVACY_POLICY_REFERENCE}}
- Incident response plan (the runbook the case escalation in Section 7 hands off to when a case progresses to a confirmed event): {{INCIDENT_RESPONSE_PLAN_REFERENCE}}
- Vulnerability disclosure policy (the external researcher inflow that delivers external-referral indicators to Section 6): {{VULNERABILITY_DISCLOSURE_POLICY_REFERENCE}}
- Whistleblower and ethics reporting policy (the internal channel that delivers internal-referral indicators to Section 6): {{WHISTLEBLOWER_POLICY_REFERENCE}}
- Records management and retention policy (the case file retention rules in Section 11 read against): {{RECORDS_MANAGEMENT_REFERENCE}}
- Compliance tracking record identifier: {{COMPLIANCE_RECORD_IDENTIFIER}}
Workspace pairing:
- The charter is held as a versioned document paired to a programme engagement record.
- The sign-off chain is recorded on the workspace activity log with named actor and timestamp.
- The custodian is identified in team management with the role gate applied to read and amend access.
2. Programme mission, authority, and executive sponsorship
State the mission in plain language. Name the authority basis: who chartered the programme, who funds it, who can stop it, and who reads its outputs. Name the executive sponsor and the named operating leader. The mission paragraph is the sentence the audit reads first; the authority block is what makes the programme defensible if the workforce, the works council, or the regulator challenges it. Without an explicit sponsorship and authority paragraph, the programme operates on assumed authority, and assumed authority does not survive a privacy or employment-law review.
Mission statement (one paragraph, plain language, business-specific):
{{ORGANISATION_LEGAL_NAME}} charters the Insider Threat Program to {{PLAIN_LANGUAGE_MISSION_PARAGRAPH}}. The programme exists to detect and respond to the risk that authorised workforce members, contractors, or holders of compromised workforce credentials cause material harm to the organisation, its customers, or its partners, whether through negligence, malicious intent, or unauthorised use of their credentials by an external actor. The programme operates within the lawful, ethical, and contractual boundaries named in Section 5 of this charter. The programme is not a surveillance programme; it is a chartered cross-functional risk function that observes named indicator classes on named systems for named purposes.
Programme objectives (the rule the audit reads against):
- Detect insider-driven loss events through technical, behavioural, and contextual indicators paired against documented thresholds.
- Reduce time from indicator detection to triage decision, and from triage decision to action (where action is warranted) on named cadence targets.
- Maintain workforce trust by operating against the named prohibited practices in Section 5 and by maintaining the transparency commitments in Section 9.
- Provide a defensible cross-functional review chain so adverse employment action, access change, or referral to law enforcement does not happen without HR, Legal, and Privacy review.
- Evidence compliance with the framework controls named in Section 12.
Authority basis (the rule that lets the programme operate):
- Source of authority: {{AUTHORITY_SOURCE}} (typically a board resolution, executive committee decision, or signed policy statement by the named executive sponsor).
- Resolution or decision reference: {{AUTHORITY_REFERENCE}}.
- Authority effective date: {{AUTHORITY_EFFECTIVE_DATE}}.
- Authority renewal cadence: {{AUTHORITY_RENEWAL_CADENCE}} (typically annual to align with the charter review cycle).
- Scope of authority delegated to the programme owner: {{DELEGATED_AUTHORITY_SCOPE}} (e.g., authority to triage and assess; authority to open a case; authority to request HR and Legal pre-action review; authority to recommend adverse employment action; authority to request access changes; authority to refer to internal investigations).
- Scope of authority reserved to the executive sponsor or board: {{RESERVED_AUTHORITY_SCOPE}} (e.g., authority to terminate; authority to refer to law enforcement; authority to engage external counsel; authority to disclose to regulators).
Executive sponsor (the role that signs the charter and reads its outputs at the strategic cadence):
- Role: {{EXECUTIVE_SPONSOR_ROLE}} (typically Chief Executive Officer, Chief Operating Officer, Chief Human Resources Officer, or General Counsel; in regulated sectors the Chief Compliance Officer or Chief Risk Officer is also common).
- Named person at time of publication: {{EXECUTIVE_SPONSOR_NAME}}.
- Sign-off date on this version: {{EXECUTIVE_SPONSOR_SIGNOFF_DATE}}.
- Reading cadence: {{EXECUTIVE_SPONSOR_READING_CADENCE}} (typically the quarterly governance pack plus event-driven escalation on any case that approaches a named threshold).
Programme owner (the named operating leader who runs the programme day to day):
- Role: {{PROGRAMME_OWNER_ROLE}} (typically Chief Information Security Officer, Head of Insider Risk Management, Director of Security Operations, or Director of Internal Investigations depending on org shape).
- Named person at time of publication: {{PROGRAMME_OWNER_NAME}}.
- Reporting line: {{PROGRAMME_OWNER_REPORTING_LINE}}.
- Authority to act between governance cycles: {{PROGRAMME_OWNER_INTERIM_AUTHORITY}}.
Funding line and budget anchor:
- Operating budget: {{OPERATING_BUDGET}} (named cost centre).
- Capital budget for monitoring tooling: {{CAPITAL_BUDGET}} (named cost centre).
- Named tooling stack the budget supports: {{TOOLING_STACK}} (e.g., DLP, UEBA, EDR, ITDR, CASB, IAM telemetry; named without claiming SecPortal performs these functions).
- Headcount allocation: {{HEADCOUNT_ALLOCATION}} (named roles and approved seats).
3. Cross-functional working group with named roles
Insider threat work cannot be owned by security alone. Employment law, privacy law, workforce monitoring rules, anti-discrimination law, and workforce trust all touch every active case. The cross-functional working group is what turns the programme from a security side project into a defensible operating function. Name the partner roles, the appointment authority, the meeting cadence, and the decision rights. The block below names the durable partner set; localise the names against the org chart so the programme has named people rather than role placeholders.
Working group structure (each row carries: role, partner department, appointment authority, primary responsibilities, decision rights, named person at time of publication):
Programme lead (chair of the working group):
- Role: {{PROGRAMME_OWNER_ROLE}}
- Department: Security
- Appointed by: Executive sponsor
- Primary responsibilities: programme operating leadership; charter custodianship; per-case triage assignment; governance forum chairmanship; charter revision authoring
- Decision rights: open a case; close a case as no-action; escalate a case to pre-action review; recommend adverse employment action to HR and Legal
- Named person at time of publication: {{PROGRAMME_OWNER_NAME}}
HR partner (employee relations or employment law lead):
- Role: {{HR_PARTNER_ROLE}}
- Department: Human Resources
- Appointed by: Chief Human Resources Officer (CHRO) or equivalent
- Primary responsibilities: pre-action review on every case progressing to adverse employment action; employee monitoring authority interpretation; leave-of-absence and performance-management interface; workforce notice review (Section 9); termination and exit process interface; offboarding access review
- Decision rights: hold a case from progressing to adverse action pending HR review; consult outside counsel; consult works council where union recognition applies; recommend HR-led intervention (training, coaching, transfer) instead of adverse action
- Named person at time of publication: {{HR_PARTNER_NAME}}
Legal partner (employment counsel; privacy counsel; litigation counsel):
- Role: {{LEGAL_PARTNER_ROLE}}
- Department: Legal or General Counsel office
- Appointed by: General Counsel or Chief Legal Officer
- Primary responsibilities: lawful basis review (Section 5); pre-action review on every case progressing to adverse employment action or law enforcement referral; evidence preservation hold; litigation discovery; contracts and DPA review for vendor partners that process workforce telemetry; jurisdictional interpretation across operating geographies
- Decision rights: hold a case pending lawful basis review; require preservation of evidence; require external counsel engagement; require disclosure to regulators or law enforcement
- Named person at time of publication: {{LEGAL_PARTNER_NAME}}
Privacy partner (DPO where applicable; works council interface in EU operations):
- Role: {{PRIVACY_PARTNER_ROLE}}
- Department: Privacy or Data Protection
- Appointed by: Data Protection Officer or Chief Privacy Officer
- Primary responsibilities: data minimisation review on the monitoring scope (Section 8); lawful basis articulation under GDPR Article 6 or local privacy law where applicable; works council consultation in EU operations under the workforce-monitoring chapters of national labour codes; DPIA authoring under GDPR Article 35 where the programme processes special category data or has high-risk processing; subject access request handling on workforce records; cross-border transfer review where workforce telemetry crosses jurisdictions
- Decision rights: hold a monitoring practice from operating until the lawful basis is articulated and the works council is consulted; require DPIA before the practice operates; require data minimisation in the monitoring scope
- Named person at time of publication: {{PRIVACY_PARTNER_NAME}}
IT partner (identity and access management; off-boarding; system telemetry):
- Role: {{IT_PARTNER_ROLE}}
- Department: Information Technology
- Appointed by: Chief Information Officer or equivalent
- Primary responsibilities: privileged access management interface; account lifecycle interface; off-boarding rotation discipline; system telemetry capture and retention; named tooling stack operator for DLP, UEBA, EDR, ITDR, CASB, IAM monitoring; emergency access lockdown operator when authorised
- Decision rights: execute access changes when authorised by the working group; lock accounts on confirmed evidence pending HR-Legal review; preserve system telemetry under preservation hold
- Named person at time of publication: {{IT_PARTNER_NAME}}
Ethics and internal investigations partner:
- Role: {{ETHICS_PARTNER_ROLE}}
- Department: Ethics, Compliance, or Internal Investigations
- Appointed by: Chief Ethics Officer, Chief Compliance Officer, or General Counsel
- Primary responsibilities: whistleblower and ethics reporting channel interface; anti-retaliation review on every case where the subject employee has a prior whistleblower record or has filed a complaint; internal investigations governance interface where the case crosses into anti-bribery and corruption, antitrust, or other regulated investigation scope; coordination with external investigators where the case involves law enforcement, regulators, or sector-specific investigation bodies
- Decision rights: require anti-retaliation review; require independent investigator engagement; pause a case pending whistleblower channel review
- Named person at time of publication: {{ETHICS_PARTNER_NAME}}
Internal audit partner (independent oversight):
- Role: {{AUDIT_PARTNER_ROLE}}
- Department: Internal Audit
- Appointed by: Chief Audit Executive or Audit Committee chair
- Primary responsibilities: independent oversight review on programme operation against the chartered intent; annual review of a random sample of closed cases for cross-functional review chain integrity; review of metric pack accuracy at the quarterly governance forum; advice to the audit committee on programme posture
- Decision rights: read access to closed case files for oversight; report material findings to the audit committee independent of programme management
- Named person at time of publication: {{AUDIT_PARTNER_NAME}}
Meeting cadence and decision discipline:
- Standing working group meeting cadence: {{STANDING_MEETING_CADENCE}} (typically monthly with event-driven calls on any case approaching a named threshold).
- Quorum requirements: {{QUORUM_REQUIREMENTS}} (typically programme lead plus HR plus Legal plus one of Privacy or Audit; cases involving EU workforce members add Privacy as a mandatory quorum member).
- Decision documentation discipline: every working group decision is recorded with named voters, the rationale, the dissents, and the documented review window.
- Conflict of interest discipline: working group members recuse themselves from cases involving direct reports, family members, or any prior named conflict; the recusal is documented on the case record.
4. Scope, definitions, and insider category catalogue
Insider threat is a moving target until the charter pins the definitions down. Name who counts as an insider, which workforce populations the programme covers, which systems and data classes are in scope, and which jurisdictions the rules operate inside. Pair the definitions to the indicator catalogue in Section 6 and the case lifecycle in Section 7 so the programme reads consistently end-to-end. Without explicit definitions, the programme drifts into ambiguous coverage and the audit cannot read against a stable scope.
In-scope insider populations (every individual in these populations is in scope for the named monitoring controls in Section 8 within the lawful basis named in Section 5):
- Full-time and part-time permanent employees.
- Fixed-term and seasonal employees.
- Interns, placement students, and apprentices.
- Contractors and contingent workers engaged through any contracting vehicle.
- Agency workers, temporary workers, and seconded staff from group companies.
- Board members and non-executive directors with information system access.
- Advisors, consultants, and external auditors with named accounts.
- Vendor staff, partner staff, and service provider personnel with named accounts on organisational systems.
- Anyone else who receives a named user account or any other access credential to organisational systems.
Insider category catalogue (the programme operates against named insider categories so triage and response reads against a stable taxonomy):
Category A - Negligent insider:
- Workforce member with no malicious intent who creates risk through error, lack of awareness, or workaround behaviour.
- Examples: emails sensitive data to a personal account to work from home; falls for phishing; misconfigures a sharing permission; bypasses a security control to meet a deadline; copies data to a personal device.
- Typical response: targeted training, coaching, control improvement, named follow-up; rarely warrants adverse employment action on first offence.
Category B - Malicious insider (no compromised credential):
- Workforce member with intent to harm the organisation, its customers, its partners, or another workforce member.
- Examples: pre-departure data theft; sabotage; fraud; intellectual property theft for personal gain; abuse of access for harassment; deliberate policy violation to advantage a personal interest.
- Typical response: case lifecycle through HR and Legal pre-action review; adverse employment action where evidence supports; civil or criminal referral where applicable.
Category C - Compromised insider (compromised credential or account takeover):
- Workforce credential used by an external attacker (account takeover, session hijack, credential theft, compromised endpoint, business email compromise).
- Examples: phishing-driven credential theft followed by mass data download; credential stuffing success followed by privilege escalation; insider-aided account takeover (a workforce member sharing credentials in violation of policy with intent or under coercion).
- Typical response: incident response runbook handoff for the technical event; insider threat case continues to assess whether the workforce member contributed through policy violation, social engineering vulnerability, or coercion.
Category D - Third-party insider:
- Vendor, partner, contractor, or service provider personnel with named accounts who create insider-shaped risk against organisational systems or data.
- Examples: vendor personnel data theft; partner personnel policy violation; service provider operator misuse.
- Typical response: contract enforcement chain through procurement and Legal; vendor security risk assessment review; access termination and credential rotation; named follow-up with the vendor incident response.
Category E - Hybrid:
- Cases that span more than one category (a negligent action exploited by a compromised credential; a malicious actor inside the vendor estate operating against the buyer estate).
- Typical response: working group case lead names the primary category and the secondary characteristics; the response chain runs against the primary while preserving evidence for the secondary.
Insider attack pattern catalogue (read against the indicator catalogue in Section 6):
- Pre-departure data theft (notice period theft; non-notice resignation theft; pre-acquisition theft; pre-IPO theft).
- Privileged access misuse (administrator access used outside change windows; privileged account used by non-administrator; privileged account used to read data outside the holder responsibilities).
- Sensitive data egress (bulk download; staged egress over time; sharing via personal cloud accounts; printing for off-premise removal; photo capture of screen content).
- Sabotage (production system disruption; deletion of records; code repository tampering; back-door installation; build-pipeline poisoning).
- Fraud (financial fraud; expense fraud; payroll fraud; benefits fraud; procurement fraud).
- Intellectual property theft (source code theft; design document theft; customer list theft; pricing model theft; trade-secret theft).
- Workforce-side fraud orchestration (collusion with external fraud rings; insider-aided business email compromise; insider-aided wire fraud).
- Workforce-side compromise enablement (workforce member knowingly or unknowingly enables external attacker access via social engineering, credential sharing, or device compromise).
- Workforce-side regulated-conduct violation (insider trading; anti-bribery violation; export control violation; sanctions violation; safety violation in regulated sectors).
- Workforce-side workplace misconduct that intersects with information systems (harassment via organisational systems; intimidation via organisational communications; stalking via organisational data).
Out-of-scope items:
- Personal use of personal accounts on personal devices outside any work context: out of scope.
- Off-duty conduct outside work systems where there is no work-systems intersection: out of scope.
- Personal communications on personal accounts on personal devices: out of scope.
- Protected concerted activity (union organising in jurisdictions with union recognition): out of scope.
- Lawful whistleblowing through the chartered ethics channel: out of scope for the insider threat programme; in scope for the ethics and internal investigations programme.
Jurisdictional applicability:
- The programme operates in: {{IN_SCOPE_JURISDICTIONS}}.
- For jurisdictions with workforce-monitoring restrictions (EU member states under GDPR plus national labour codes, UK under UK GDPR plus ICO guidance, EU member states with works council consultation requirements, US states with employee monitoring notice requirements), the programme operates per the jurisdictional matrix in Annex A of the lawful basis section (Section 5).
5. Lawful basis, data minimisation, and prohibited monitoring practices
The lawful basis section is where the programme either earns its right to operate or invites a privacy regulator complaint. Name the lawful basis per monitoring practice. Name the data minimisation discipline that scopes the collection. Name the prohibited practices the programme commits to avoid. The block below covers the durable shape; localise against the operating jurisdictions and the works council positions before publication. Without an explicit prohibited-practices register, the programme operates on assumed boundaries, and assumed boundaries do not survive an employment counsel review.
Lawful basis per workforce population (the rule the programme operates under):
EU and UK workforce members (operating under GDPR or UK GDPR):
- Primary lawful basis under GDPR Article 6: {{EU_LAWFUL_BASIS}} (typically (f) legitimate interests after a documented legitimate interests assessment; some monitoring practices may operate under (b) contract or (c) legal obligation depending on the practice).
- Article 9 special category data: monitoring is scoped to avoid collection of special category data unless a named Article 9(2) condition applies; the programme commits to data minimisation against special category data classes including health, religious belief, political opinion, sex life, sexual orientation, biometric data, and genetic data.
- Article 22 automated decision-making: any automated risk score on an individual employee that contributes to adverse employment action is reviewed by a named human reviewer before the action is taken; the programme does not permit purely automated adverse employment decisions.
- Article 35 DPIA: monitoring practices that meet the Article 35(3) criteria or the Article 35(4) supervisory authority high-risk list operate only after a DPIA has been completed; the DPIA reference is captured against the named practice in the monitoring scope register (Section 8).
- Works council and employee representative consultation (Germany, France, Netherlands, Italy, Austria, and other EU jurisdictions with codified consultation rights): named practices that meet the consultation threshold operate only after the consultation has been completed; the consultation reference is captured against the named practice.
US workforce members:
- Federal employee monitoring authority: documented in the named workplace notice (Section 9) and the named acceptable use policy referenced in Section 1.
- State employee monitoring notice requirements (Connecticut, Delaware, New York Electronic Monitoring Law, and other states with statutory notice requirements): named practices that meet the threshold operate only after the statutory notice has been provided.
- National Labor Relations Act protected concerted activity: monitoring does not target concerted activity; the prohibited practices register names this explicitly.
- Stored Communications Act, Wiretap Act, and Electronic Communications Privacy Act: monitoring of organisational systems operates within the named provider exception and the named consent exception; personal accounts on personal devices are out of scope.
- HIPAA: in healthcare-sector operations, workforce monitoring touching protected health information operates under the HIPAA workforce-clearance and workforce-sanction provisions.
Other operating jurisdictions:
- {{OTHER_JURISDICTION_LAWFUL_BASIS}} (named per jurisdiction with the named lawful basis and the named consultation or notice obligations).
Data minimisation discipline:
- Collection scope: monitoring collects only the data classes named in Section 8 against the named purposes named in Section 2; collection outside the named scope is prohibited.
- Retention scope: monitoring data is retained per the named class-specific retention period in Section 11; data is not retained beyond the named period absent a preservation hold issued by Legal.
- Access scope: monitoring data is accessible only to the named analyst pool and the working group; access is gated by role-based access control and protected by multi-factor authentication; access events are recorded on the audit trail.
- Purpose limitation: monitoring data is used only for the named insider threat purposes; secondary use for performance management, productivity analytics, or workforce sentiment analysis is prohibited absent a documented re-purposing decision with HR, Legal, and Privacy approval.
Prohibited monitoring practices (the register below names what the programme will not do; the named exclusions exist so the workforce trust does not collapse and the firm does not become a privacy and ethics defendant):
- No monitoring of protected concerted activity in jurisdictions with union recognition or NLRA protection.
- No monitoring of legally protected speech where applicable.
- No surveillance of personal devices outside the named BYOD scope and the named BYOD policy.
- No content inspection of personal communications on personal accounts.
- No monitoring of off-duty conduct outside work systems.
- No profiling by protected characteristics (race, religion, national origin, gender, age, disability, sexual orientation, political affiliation where protected, union membership where protected).
- No keystroke capture or screen recording without explicit policy notice and named lawful basis.
- No biometric monitoring beyond identity verification; no continuous biometric capture; no behavioural biometric scoring on workforce members.
- No behavioural sentiment analysis on workforce communications without consent and named lawful basis.
- No automated adverse employment decisions without human review per GDPR Article 22 in EU operations and per equivalent rules in other operating jurisdictions.
- No targeted monitoring of leave-of-absence employees, whistleblowers, complainants, ethics-reporting employees, or any individual in a known protected status in a manner that could be construed as retaliation.
- No monitoring of attorney-client privileged communications.
- No monitoring of works council communications in jurisdictions with codified protection.
- No monitoring of medical or occupational health communications.
- No reading of personal email accounts.
- No GPS or location tracking of personal devices outside named work-vehicle or work-device scope.
- No monitoring expansion against an individual without a documented case and a documented review by Legal and Privacy.
Prohibited cross-purpose use:
- Insider threat data is not used as input to performance management decisions, compensation decisions, promotion decisions, or other workforce-management decisions outside the named insider threat purposes.
- Aggregate metrics from the programme are used for governance reporting only and are not used to rank workforce populations, departments, managers, or geographies for non-insider-threat purposes.
Review cadence on lawful basis:
- The lawful basis register is reviewed at the annual charter cycle and on any material change to operating jurisdictions, monitoring practices, or workforce-monitoring statutes.
- Material legal or regulatory development between annual reviews triggers an out-of-cycle review with the working group.
The indicator catalogue is the programme observability boundary. Name the indicator classes the programme operates against; name the data sources that surface each class; name the pairing rules that combine indicators before a case opens. The catalogue exists explicitly so the analyst pool reads against a documented surface rather than improvising. Behavioural indicators alone never open a case; they only contribute to triage once a technical indicator pattern is present. This pairing rule is the structural protection against the bias-driven detection failures that have caused programme reputational damage in published industry incidents.
Indicator class A - Technical indicators (these may open a case on their own where the pattern is severe and the false-positive criteria do not apply):
Data egress indicators:
- Bulk file download against the workforce role baseline (volume per session, volume per day, volume per week).
- Large file transfer to external destinations through corporate channels (email attachments, sanctioned cloud storage, sanctioned file sharing) outside the named role pattern.
- Use of unsanctioned cloud storage, personal email accounts on corporate devices, personal messaging tools for corporate content, or unsanctioned file-transfer services.
- Use of removable media (USB drives, external storage, optical media) where the data class is sensitive and the role does not warrant such handling.
- Printing of sensitive documents for off-premise removal.
- Photo capture of screen content where named DLP detection surfaces it.
Access and credential anomalies:
- Anomalous geographic access patterns (impossible travel, anomalous country, anomalous ISP).
- Anomalous time-of-day access (off-hours access by a workforce member with no on-call role).
- Multi-factor authentication anomalies (repeated MFA bypass attempts, MFA fatigue patterns, MFA device anomalies).
- Privileged access used outside the named change window or outside the named role responsibilities.
- Service account use by an interactive user, or shared account use against policy.
- Credential stuffing or password spray success patterns surfaced from the IAM telemetry stack.
- Session hijacking or session anomalies surfaced from the IAM telemetry stack.
Access scope anomalies:
- Least-privilege violations (access to systems or data classes outside the named role).
- Access persistence after a role change or after a project completion.
- Access patterns inconsistent with the workforce role responsibilities.
- Repeated access denials followed by successful access patterns suggesting privilege escalation attempts.
- Workforce member granting access to other workforce members outside the named change process.
Asset and system anomalies:
- Unauthorised peripheral connections.
- Unsanctioned software installation on corporate devices.
- Disabling of named security controls (endpoint protection, encryption, MFA) where the workforce member has the privilege to do so.
- Unsanctioned virtual machine or container deployment.
- Anomalous build-pipeline behaviour (force push, signing-key use anomaly, unsanctioned merge bypass).
- Code repository anomalies (large clone events outside the role pattern, sensitive-content commits, deletion of audit-trail entries).
Indicator class B - Behavioural indicators (these never open a case on their own; they contribute to triage only once a technical indicator pattern is present and the behavioural indicator is documented through the named lawful basis):
Documented performance and disciplinary record:
- Documented performance improvement plan (PIP) or formal disciplinary record where HR has shared the record with the programme under the documented data-sharing agreement.
- Documented voluntary disclosure of financial distress (where the workforce member has voluntarily declared a circumstance and the disclosure is held in the named HR file).
- Documented complaint or ethics report history (subject to anti-retaliation review by the ethics partner).
Documented role transition:
- Documented offboarding window (resignation submitted, contract end date, role change effective date, transfer effective date).
- Documented acquisition or divestiture context where the workforce member is in scope of a transaction.
- Documented sensitive project membership at conclusion where the project artefacts warrant heightened watch on egress patterns.
Documented external indicator (with named source authority):
- Third-party referral with named source authority (law enforcement, regulator, partner under a documented partner-referral channel, vendor under a documented vendor-referral channel, named external researcher under the vulnerability disclosure programme).
- Media or public reporting linking a workforce member to a named external pattern (subject to documented review before any action).
Behavioural indicator pairing rules (this is the structural protection against the bias-driven failure modes):
- Behavioural indicators never trigger a case on their own.
- Behavioural indicators contribute to triage assessment only once a technical indicator pattern is present.
- Behavioural indicators are documented through the named lawful basis (HR record, voluntary disclosure, named external referral).
- Behavioural indicators do not include sentiment analysis on workforce communications, social media monitoring of off-duty conduct, surveillance of personal communications, or inference of protected characteristics.
- The named programme lead, the HR partner, and the Privacy partner review every case that uses a behavioural indicator in triage to confirm the indicator is documented and the pairing rule has been applied.
Indicator class C - Contextual indicators (these provide situational awareness for triage and never independently progress a case):
- Industry context (sector-targeted attack campaigns active in the wild).
- Threat intelligence context (named actor groups targeting the firm or sector).
- Insider threat campaign context (named patterns the wider insider threat community is reporting).
- Internal incident context (recent confirmed incidents in scope of the firm).
- Internal investigation context (other active investigations in the firm that may interact with the case).
Indicator pairing thresholds (the named threshold that progresses a case from triage to assessment):
- Single severe technical indicator (named threshold per indicator type): may progress directly to assessment with working group review.
- Multiple technical indicators across categories: progresses to assessment.
- Technical indicator paired with a documented behavioural indicator: progresses to assessment with mandatory HR-Legal-Privacy pre-action review.
- Contextual indicator alone: does not progress; recorded as situational context for the analyst rota.
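The pairing rules and progression thresholds above are a decision procedure, and an analyst tool should apply them mechanically rather than leave them to judgement. The following is an added example, not part of the charter template: a small rule engine that encodes the Section 6 rules. Enum, dataclass and severity names are assumptions made here, as is the precedence (the review-heavy outcome wins when several thresholds are met at once).

```python
"""Added example (not charter text): Section 6 pairing rules as a triage function."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class IndicatorClass(Enum):
    TECHNICAL = "A"     # may open a case on its own
    BEHAVIOURAL = "B"   # contributes only once a technical pattern is present
    CONTEXTUAL = "C"    # situational awareness only, never progresses a case


class Disposition(Enum):
    NO_PROGRESSION = "no progression; recorded as situational context"
    HOLD_IN_TRIAGE = "technical pattern below threshold; stays in triage"  # assumed
    ASSESSMENT_WG_REVIEW = "assessment with working group review"
    ASSESSMENT = "assessment"
    ASSESSMENT_PRE_ACTION = "assessment with mandatory HR-Legal-Privacy pre-action review"


# Lawful bases through which the charter allows a behavioural indicator to be documented.
PERMITTED_BEHAVIOURAL_BASES = {"HR record", "voluntary disclosure", "named external referral"}


@dataclass(frozen=True)
class Indicator:
    cls: IndicatorClass
    category: str                       # e.g. "data egress", "access and credential"
    severity: str = "medium"            # assumed scale: low | medium | high
    lawful_basis: Optional[str] = None  # required for behavioural indicators


@dataclass
class TriageResult:
    disposition: Disposition
    reasons: List[str] = field(default_factory=list)


def triage(indicators: List[Indicator]) -> TriageResult:
    """Apply the pairing rules, strictest outcome first (precedence is an assumption)."""
    technical = [i for i in indicators if i.cls is IndicatorClass.TECHNICAL]
    contextual = [i for i in indicators if i.cls is IndicatorClass.CONTEXTUAL]
    reasons: List[str] = []

    # A behavioural indicator counts only when documented through a named lawful basis.
    behavioural = []
    for ind in indicators:
        if ind.cls is not IndicatorClass.BEHAVIOURAL:
            continue
        if ind.lawful_basis in PERMITTED_BEHAVIOURAL_BASES:
            behavioural.append(ind)
        else:
            reasons.append(f"behavioural '{ind.category}' discarded: no named lawful basis")

    # No technical pattern: nothing opens a case, whatever else is present.
    if not technical:
        if behavioural:
            reasons.append("behavioural indicators present without a technical pattern: no case")
        if contextual:
            reasons.append("contextual indicators recorded as situational context only")
        return TriageResult(Disposition.NO_PROGRESSION, reasons)

    # Technical pattern paired with a documented behavioural indicator.
    if behavioural:
        reasons.append("technical pattern paired with a documented behavioural indicator")
        return TriageResult(Disposition.ASSESSMENT_PRE_ACTION, reasons)

    # Multiple technical indicators across categories (same-category repeats do not count).
    categories = {t.category for t in technical}
    if len(categories) > 1:
        reasons.append(f"technical indicators across {len(categories)} categories")
        return TriageResult(Disposition.ASSESSMENT, reasons)

    # Single severe technical indicator.
    if any(t.severity == "high" for t in technical):
        reasons.append("single severe technical indicator")
        return TriageResult(Disposition.ASSESSMENT_WG_REVIEW, reasons)

    reasons.append("single non-severe technical indicator: no progression threshold met")
    return TriageResult(Disposition.HOLD_IN_TRIAGE, reasons)
```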
Indicator catalogue maintenance:
- The catalogue is reviewed quarterly against the programme metric pack to identify indicators that produce high false-positive rates and indicators that should be added based on industry incident lessons.
- Indicator additions require working group sign-off and Privacy review.
- Indicator retirements require working group sign-off.
- The catalogue version is referenced from the engagement record at each governance cycle.
7. Case lifecycle, escalation, and pre-action review
The case lifecycle converts an indicator into a decision through a documented chain. Every state change records the actor, the timestamp, the rationale, and the named approver. The lifecycle exists explicitly so adverse action does not happen without cross-functional review and so closure as no-action is a documented decision rather than a silent drop. The block below names the durable states and the named handoffs; localise against the operating tooling and the workspace before publication.
Case lifecycle states:
State 1 - Indicator detected:
- Source: technical monitoring stack (DLP, UEBA, EDR, ITDR, CASB, IAM, named log sources) or referral channel (whistleblower, vendor, external referral, internal investigation).
- Recorded fields: indicator class, indicator type, source, timestamp, subject workforce member identifier, asset identifier, severity assessment.
- Authority to record: any named analyst on the working group analyst pool; system-generated indicators record automatically against the named pipeline.
- Transition rule to State 2: any recorded indicator transitions to initial analyst review within the named cadence target (typically one business day for high severity, three business days for medium, five for low).
State 2 - Initial analyst review:
- Performed by: the named analyst on the working group analyst pool.
- Assessment criteria: false-positive criteria (legitimate business activity confirmed against named role; role-based access pattern matches; prior approved exception applies; technical false positive in the source pipeline); severity confirmation; indicator pairing assessment per Section 6.
- Recorded fields: false-positive determination with rationale, OR escalation determination with named next state and named lead assignment.
- Transition rule to State 3 (case open) or to closure (no case): the analyst either records the indicator as a false positive with named rationale or opens a case with named lead assignment.
- Audit reading: the false-positive rate at this state is a named indicator in the metric pack (Section 10); high rates trigger indicator tuning review.
State 3 - Case opened:
- Case identifier assigned. Case lead named. Case category assigned (negligent, malicious, compromised, third-party, hybrid).
- Recorded fields: case identifier, lead analyst, category, indicator pattern that opened the case, subject workforce member identifier, named affected assets, named affected data classes, severity assessment.
- Authority to open: working group analyst pool with notification to the programme lead.
- Transition rule to State 4: the case lead conducts triage assessment within the named cadence target (typically three business days for high severity, five for medium, ten for low).
State 4 - Triage assessment:
- Performed by: the case lead.
- Assessment criteria: indicator pattern review; data minimisation review on any monitoring expansion proposed; category confirmation; preliminary determination of whether the case requires HR-Legal-Privacy pre-action review; preliminary determination of whether the case warrants evidence preservation hold.
- Recorded fields: triage determination, named monitoring scope (limited to the documented case scope), evidence preservation hold determination, pre-action review determination.
- Transition rules:
- Close as no further action with rationale (insufficient pattern, control improvement opportunity not warranting case progression, false-positive on second review).
- Progress to assessment phase with continued monitoring inside the named case scope.
- Progress to pre-action review where the indicator pattern suggests imminent harm or where any access change is proposed.
State 5 - Assessment:
- Performed by: the case lead with named analyst support.
- Activities: continued analysis of the indicator pattern; review of the workforce member named role responsibilities; review of the named access record; review of the named asset and data class exposure; review of historical context; preservation of evidence under documented chain of custody.
- Constraints: monitoring expansion outside the documented case scope requires working group approval and Privacy review; surveillance of personal devices or personal communications is prohibited; behavioural sentiment analysis is prohibited; profiling by protected characteristics is prohibited.
- Recorded fields: assessment summary, named evidence base, named control improvement opportunities, named recommendation for next state.
- Transition rule to State 6 or closure: the case lead either recommends closure with documented rationale or recommends progression to pre-action review.
State 6 - Pre-action review (mandatory before any adverse action, access change beyond the case-scope monitoring, or referral to law enforcement):
- Performed by: programme lead, HR partner, Legal partner, and Privacy partner at minimum; ethics partner where the case involves a named conflict-of-interest review or anti-retaliation review.
- Activities: review of the evidence base; review of the named action proposed; review of the lawful basis for the action under operating jurisdiction; review of the workforce member named protections (active grievance, active leave, active whistleblower record, prior named complaint); review of any works council consultation requirement; review of the disclosure pathway (internal-only, law enforcement, regulator, named customer).
- Decision authority: the four partners by quorum; dissent recorded with rationale; escalation to executive sponsor where the partners cannot reach consensus.
- Recorded fields: review summary, named decision, named action authority, named approver, dissent record where applicable.
- Transition rule to State 7 or closure or escalation: the partners either close the case as no action with documented rationale, approve the named action with named authority, or escalate to the executive sponsor.
State 7 - Action:
- Performed by: the named action authority per the pre-action review decision.
- Action classes: HR-led intervention (training, coaching, documented warning, performance plan); access change (suspension, scope reduction, credential rotation, account lockout); adverse employment action (termination, contract non-renewal, contractor de-engagement); referral (internal investigation transfer, law enforcement referral, regulator referral, named partner notification); evidence preservation continuation pending external action.
- Constraints: action operates within the named jurisdictional rules; works council consultation where applicable; named workforce notice where applicable; named privacy and labour law compliance.
- Recorded fields: action taken, named authority, named timestamp, named workforce member acknowledgement where applicable, named consequence chain.
- Transition rule to State 8: any action transitions to closure once the named consequence chain is complete.
State 8 - Closure:
- Performed by: the case lead.
- Closure types: closure with no action; closure with HR intervention; closure with access change; closure with adverse employment action; closure with external referral; closure with named follow-up (control improvement, training programme adjustment, policy adjustment, indicator catalogue adjustment).
- Recorded fields: closure type, named consequence chain, named lessons learned, named control improvement actions raised on the wider security finding record, named indicator catalogue feedback.
- Authority: case lead with quarterly review at the governance forum.
State 9 - Appeal and oversight (parallel to closure; available to the workforce member and to the internal audit partner):
- Workforce member appeal: where the workforce member has been subject to adverse action under the named jurisdictional rules, the documented appeal channel operates per the firm-wide grievance procedure; appeal outcomes are recorded against the case identifier.
- Internal audit oversight: the internal audit partner reviews a random sample of closed cases annually for cross-functional review chain integrity; material findings are reported to the audit committee independent of programme management; findings are recorded against the case identifier as corrective actions.
- External regulator complaint: where a workforce member files a complaint with a privacy regulator or labour authority, the complaint is recorded against the case identifier with the named regulator engagement chain.
State machine integrity rules:
- Every state change records the actor, the timestamp, and the rationale.
- No state can be skipped (a case cannot progress from State 3 to State 7 without passing through States 4, 5, and 6).
- Closure as no action is a documented decision with a named rationale; cases are not silently dropped.
- The case record is held under restricted access until closure; after closure, the case record is held per the named retention rule in Section 11.
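The integrity rules above are easiest to honour when the case record itself refuses invalid changes. The following is an added example, not the charter's own tooling: a case record that enforces the Section 7 rules (no skipped state, every change recorded with actor, timestamp and rationale, full partner sign-off at State 6 before State 7, no silent closure) and exposes the state-entry latency that the Section 10 cadence metrics read. The transition table, the quorum handling and the role names are assumptions drawn from the state descriptions.

```python
"""Added example (not charter tooling): Section 7 case lifecycle as a checked state machine."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Durable states named in the charter; State 9 (appeal and oversight) runs in parallel.
(INDICATOR_DETECTED, INITIAL_REVIEW, CASE_OPENED, TRIAGE,
 ASSESSMENT, PRE_ACTION_REVIEW, ACTION, CLOSURE) = range(1, 9)

# Forward transitions the charter describes. State 4 may reach State 6 directly
# (imminent harm or a proposed access change); otherwise progression is sequential,
# so State 3 can never reach State 7 without passing State 4 and State 6.
ALLOWED: Dict[int, Set[int]] = {
    INDICATOR_DETECTED: {INITIAL_REVIEW},
    INITIAL_REVIEW: {CASE_OPENED, CLOSURE},        # false positive closes without a case
    CASE_OPENED: {TRIAGE},
    TRIAGE: {ASSESSMENT, PRE_ACTION_REVIEW, CLOSURE},
    ASSESSMENT: {PRE_ACTION_REVIEW, CLOSURE},
    PRE_ACTION_REVIEW: {ACTION, CLOSURE},
    ACTION: {CLOSURE},
    CLOSURE: set(),
}

# Partners who must each record a decision in State 6 before State 7 can be entered.
PRE_ACTION_QUORUM = {"programme lead", "HR partner", "Legal partner", "Privacy partner"}


class IntegrityError(Exception):
    """Raised when a proposed change would violate a charter integrity rule."""


@dataclass(frozen=True)
class StateChange:
    from_state: int
    to_state: int
    actor: str
    timestamp: datetime
    rationale: str
    approver: str


@dataclass
class Case:
    case_id: str
    state: int = INDICATOR_DETECTED
    detected_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    history: List[StateChange] = field(default_factory=list)
    # role -> (decision, rationale); decision is "approve" or "dissent"
    pre_action_decisions: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def transition(self, to_state: int, actor: str, rationale: str,
                   approver: str, at: Optional[datetime] = None) -> None:
        """Move to a permitted next state, recording who, when, why and who approved."""
        if to_state not in ALLOWED[self.state]:
            raise IntegrityError(
                f"{self.case_id}: State {self.state} -> State {to_state} is not permitted")
        if not rationale.strip():
            raise IntegrityError(f"{self.case_id}: every state change records a rationale")
        if to_state == ACTION:
            self._check_pre_action_consensus()
        self.history.append(StateChange(self.state, to_state, actor,
                                        at or datetime.now(timezone.utc), rationale, approver))
        self.state = to_state

    def record_pre_action_decision(self, role: str, decision: str, rationale: str) -> None:
        """Each partner's decision (and any dissent) is recorded with its rationale."""
        if self.state != PRE_ACTION_REVIEW:
            raise IntegrityError("pre-action decisions are recorded only in State 6")
        if decision not in ("approve", "dissent") or not rationale.strip():
            raise IntegrityError("decision must be approve/dissent with a recorded rationale")
        self.pre_action_decisions[role] = (decision, rationale)

    def _check_pre_action_consensus(self) -> None:
        missing = PRE_ACTION_QUORUM - set(self.pre_action_decisions)
        if missing:
            raise IntegrityError(f"pre-action review incomplete: missing {sorted(missing)}")
        dissenters = [r for r, (d, _) in self.pre_action_decisions.items() if d == "dissent"]
        if dissenters:
            # Without consensus the charter escalates to the executive sponsor instead.
            raise IntegrityError(
                f"no consensus (dissent from {sorted(dissenters)}): escalate to executive sponsor")

    def latency(self, from_state: int, to_state: int) -> Optional[timedelta]:
        """Time between first entering two states; feeds the Section 10 cadence metrics."""
        entered = {INDICATOR_DETECTED: self.detected_at}
        for change in self.history:
            entered.setdefault(change.to_state, change.timestamp)
        if from_state not in entered or to_state not in entered:
            return None
        return entered[to_state] - entered[from_state]
```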
Escalation thresholds (the named threshold that brings the case to the working group regardless of state):
- Indicator pattern suggesting imminent harm (active exfiltration in progress, active sabotage in progress, active fraud in progress).
- Case category malicious or hybrid with high-severity pattern.
- Case subject in a named protected status (active grievance, active leave, active whistleblower record, prior named complaint, named protected characteristic).
- Case involving a named senior workforce member where reputational impact is high.
- Case involving regulated-sector workforce member where regulatory disclosure may apply.
- Case crossing into anti-bribery, antitrust, export control, or sanctions investigation scope.
- Case involving law enforcement contact or external counsel engagement.
8. Data sources, monitoring controls, and access boundaries
The monitoring scope register names the data sources the programme observes, the monitoring practices it operates, the lawful basis paired to each practice, and the access boundary that protects the data. Name the named tooling stack without claiming SecPortal performs these functions. The block below covers the durable register; localise against the operating tooling stack before publication.
Data source register (each row carries: source name, source type, data classes captured, named lawful basis per Section 5, named retention period per Section 11, named access boundary):
System telemetry sources:
- Identity provider telemetry (login events, MFA events, account events, session events).
- Endpoint detection and response telemetry (process events, file events, registry events, network events).
- Data loss prevention telemetry (egress events, content classification events, policy violation events).
- User and entity behaviour analytics telemetry (anomaly detection events, peer-group analysis events, baseline deviation events).
- Cloud access security broker telemetry (SaaS access events, data sharing events, policy violation events).
- Identity threat detection and response telemetry (account takeover events, session anomaly events, privilege anomaly events).
- Privileged access management telemetry (privilege elevation events, session recording events where lawfully captured, just-in-time access events).
- Secure email gateway telemetry (outbound content events, attachment events, recipient anomaly events).
- Secure web gateway telemetry (egress destination events, content classification events).
- File and document management telemetry (sensitive content access events, sharing events, classification events).
- Source code repository telemetry (clone events, commit events, push events, signing-key use events).
- Build pipeline telemetry (build events, signing events, deployment events).
- Workforce communication platform telemetry (events permitted under the named lawful basis and named workforce notice).
Referral and external sources:
- Vulnerability disclosure programme inflow (external researcher referrals; named source authority).
- Whistleblower and ethics reporting channel inflow (internal referrals; named anti-retaliation review).
- Vendor and partner referrals (named partner-referral channel; documented contractual basis).
- Law enforcement and regulator referrals (named contact procedure; Legal partner gateway).
- Internal investigation referrals (named inter-programme handoff procedure).
Monitoring practice register (each row carries: practice name, named lawful basis, named purpose, named scope, named data minimisation rule, named workforce notice, works council consultation status where applicable):
Named monitoring practices (localise against the operating tooling; do not claim practices the operating tooling does not support):
- {{MONITORING_PRACTICE_1}}: {{PRACTICE_1_LAWFUL_BASIS}}, {{PRACTICE_1_PURPOSE}}, {{PRACTICE_1_SCOPE}}, {{PRACTICE_1_MINIMISATION}}, {{PRACTICE_1_NOTICE}}, {{PRACTICE_1_CONSULTATION}}.
- {{MONITORING_PRACTICE_N}}: {{PRACTICE_N_LAWFUL_BASIS}}, {{PRACTICE_N_PURPOSE}}, {{PRACTICE_N_SCOPE}}, {{PRACTICE_N_MINIMISATION}}, {{PRACTICE_N_NOTICE}}, {{PRACTICE_N_CONSULTATION}}.
Access boundary discipline:
- Analyst pool access: read access to monitoring telemetry within the named role scope; write access to case records within named role scope; access events recorded on the audit trail.
- Working group access: read access to case records within the working group scope; write access to working group decisions within named role.
- Working group partner access: HR partner read access scoped to HR-relevant fields; Legal partner read access scoped to legally relevant fields; Privacy partner read access scoped to privacy-relevant fields; ethics partner read access scoped to ethics-review-relevant fields; audit partner read access scoped to oversight-review purposes only.
- Subject workforce member access: workforce members have access to their own personnel records per applicable subject access right (GDPR Article 15, UK GDPR, US state privacy rights); insider threat case records are subject to the lawful exemptions for criminal investigation and similar contexts per jurisdiction.
- External partner access: vendor and partner personnel do not have access to insider threat case records; named exceptions for incident response coordination are documented.
Tooling stack acknowledgement:
- The monitoring stack named in this section is the engineering toolset operated by IT and Security Engineering against the named lawful basis.
- The chartered programme record (this charter, the working group roster, the case files, the metric pack, the governance forum minute book) is the cross-functional operating record the audit, the works council, the regulator, and the executive sponsor read against.
- The programme record and the monitoring stack are connected through documented data-sharing agreements between the working group and the engineering teams that operate the monitoring stack.
Cross-border data flow discipline:
- Where workforce telemetry crosses jurisdictions, the cross-border transfer mechanism is documented (Standard Contractual Clauses, Binding Corporate Rules, adequacy decision, named exception where applicable).
- Cross-border processing is reviewed by the Privacy partner at the annual charter cycle and on any material change to operating jurisdictions or tooling stack vendors.
9. Communications, transparency, and workforce notice
Workforce notice and ongoing transparency are what make the chartered programme a trusted operating function rather than a covert surveillance practice. Name the published policy the workforce reads. Name the onboarding training that explains the programme. Name the works council consultation status where applicable. Name the channels through which the workforce can raise concerns about the programme itself. Without explicit transparency, the programme operates on assumed acceptance, and assumed acceptance does not survive a workforce trust event.
Workforce-facing communications artefacts:
Acceptable use policy (the workforce-facing rule that names the permitted and prohibited use of organisational systems; the insider threat programme monitors compliance with this rule):
- Reference: {{ACCEPTABLE_USE_POLICY_REFERENCE}}.
- Last published version: {{AUP_VERSION}}.
- Workforce acknowledgement record: held on the named HR system.
Workforce monitoring notice (the named statement the workforce reads at onboarding and at periodic re-acknowledgement, describing the monitoring practices in scope and the lawful basis):
- Reference: {{WORKFORCE_MONITORING_NOTICE_REFERENCE}}.
- Last published version: {{NOTICE_VERSION}}.
- Workforce acknowledgement record: held on the named HR system.
- Jurisdictional variants: the notice has separate versions for US, EU, UK, and other operating jurisdictions where statutory or works council requirements differ.
Privacy notice (the workforce-side privacy notice describing the personal data processing the firm performs as employer, including the workforce-monitoring processing):
- Reference: {{WORKFORCE_PRIVACY_NOTICE_REFERENCE}}.
- Last published version: {{PRIVACY_NOTICE_VERSION}}.
- Subject rights handling reference: {{SUBJECT_RIGHTS_HANDLING_REFERENCE}}.
Onboarding training:
- Module on the workforce acceptable use rule and the chartered insider threat programme.
- Module length: {{ONBOARDING_TRAINING_LENGTH}}.
- Acknowledgement requirement at completion.
- Refresher cadence: {{REFRESHER_CADENCE}} (typically annual).
Workforce questions and concerns channel:
- Named channel for the workforce to ask questions about the programme: {{WORKFORCE_QUESTIONS_CHANNEL}}.
- Named channel for the workforce to raise concerns about a named monitoring practice: {{WORKFORCE_CONCERNS_CHANNEL}}.
- Named channel for the workforce to file a complaint about the programme operation: {{WORKFORCE_COMPLAINT_CHANNEL}}.
- Anti-retaliation commitment: workforce members raising questions, concerns, or complaints about the programme are subject to documented anti-retaliation protection; the programme records the protection event on the workforce member record under the documented data-sharing rule with HR.
Works council and employee representative consultation status (EU operations):
- Per-jurisdiction consultation status: {{PER_JURISDICTION_CONSULTATION_STATUS}}.
- Consultation reference per practice: see Section 8 monitoring practice register.
- Renewal cadence per consultation: per the operating jurisdiction codified procedure.
Annual transparency report:
- The programme publishes an annual workforce-facing transparency report covering aggregate metrics, named practice updates, named indicator catalogue updates, named lawful basis changes, and named workforce-trust events.
- The transparency report does not include personally identifiable case data, named workforce member identifiers, or any data that would enable inference of an individual case.
- The report is reviewed by the working group before publication.
External transparency commitments:
- The firm public privacy notice references the chartered insider threat programme at a high level without describing operational detail that would compromise the monitoring efficacy.
- Customer contracts may require notification of workforce-side data exposure events under named contractual terms; the programme operates in coordination with Legal on customer notification chains.
Workforce-trust event handling:
- Where a programme practice causes a workforce-trust event (named complaint, media coverage, regulator complaint, internal escalation pattern), the working group conducts a named review and reports the outcome to the executive sponsor.
- Outcomes that require charter revision trigger an out-of-cycle revision per Section 12.
10. Programme metrics, reporting cadence, and governance forum
The governance forum is what tells the executive sponsor whether the programme is operating on chartered intent. Name the named metric pack, the named reporting cadence, the named governance attendees, and the named decision rights. The metric pack stays explicit so the audit committee, the executive sponsor, and the internal audit partner read against the same numbers. Without a documented metric pack, the programme drifts into reporting whatever is easy to produce.
Metric pack (ten durable indicators read at every governance cycle):
Indicator 1 - Case volume by category and trend:
- Cases opened in the period by category (negligent, malicious, compromised, third-party, hybrid).
- Trend against the prior period.
Indicator 2 - Median triage cadence by category:
- Median latency from State 2 initial analyst review to State 4 triage assessment by category.
- Trend against cadence targets and prior period.
Indicator 3 - Median closure cadence by category:
- Median latency from State 3 case opened to State 8 closure by category.
- Trend against cadence targets and prior period.
Indicator 4 - False-positive rate at initial review:
- Percentage of recorded indicators closed as false positive at State 2 by indicator class.
- High rates trigger indicator tuning review per Section 6.
- Trend against the prior period.
Indicator 5 - Pre-action review penetration rate:
- Percentage of cases that progressed to State 6 pre-action review.
- Low rates may signal under-triage; very high rates may signal threshold drift.
- Trend against the prior period.
Indicator 6 - Adverse employment action rate (cases progressed to State 7 with adverse action):
- Percentage of cases that resulted in adverse employment action.
- Reviewed by the HR partner against employment-management context.
- Trend against the prior period.
Indicator 7 - Confirmed-loss-event rate:
- Percentage of cases that resulted in confirmed loss event with named impact magnitude.
- Reviewed against the impact-magnitude distribution.
- Trend against the prior period.
Indicator 8 - Indicator catalogue health:
- Indicators added in the period.
- Indicators retired in the period.
- Indicators flagged for tuning review.
Indicator 9 - Charter revision and governance health:
- Charter revisions issued in the period.
- Working group meetings held against the standing cadence.
- Working group quorum-met rate.
- Internal audit oversight reviews completed in the period.
Indicator 10 - Workforce-trust health:
- Workforce questions and concerns volume in the period.
- Workforce complaints in the period.
- External regulator complaints in the period.
- Trend against the prior period.
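As an added example that is not part of the charter template, the Python below computes Indicators 1 to 7 of this metric pack over a constructed case ledger, flags indicator classes for the Section 6 tuning review, and reads the Indicator 1 trend against a prior period. The ledger schema, the sample records, and the false-positive tuning threshold are assumptions; the state numbers are the ones the metric pack cites.

```python
"""Metric pack computation for the Section 10 indicators.

Added example, not part of the charter template. A ledger record carries the
indicator class that raised it, the insider category assigned at review (None
when the record closed as false positive before a case opened), ISO-8601
timestamps for the lifecycle states it reached, and the closure flags the
indicators read. The ledger schema and the sample records are assumed and
constructed for illustration; the state numbers are the ones Section 10 cites
(State 2 initial analyst review, State 3 case opened, State 4 triage
assessment, State 6 pre-action review, State 7 action, State 8 closure).
Each ledger is assumed to be pre-filtered to one reporting period.
"""
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

CATEGORIES = ("negligent", "malicious", "compromised", "third-party", "hybrid")
INDICATOR_CLASSES = ("technical", "behavioural", "contextual")
DAY_SECONDS = 86400.0


@dataclass
class LedgerRecord:
    record_id: str
    indicator_class: str
    category: Optional[str]                 # assigned at State 2 review; None if never a case
    states: Dict[int, str] = field(default_factory=dict)  # state number -> timestamp reached
    closed_as_false_positive: bool = False  # closed at State 2, no case opened
    adverse_action: bool = False            # State 7 action was an adverse employment action
    confirmed_loss: bool = False            # closure recorded a confirmed loss event


def _reached(rec: LedgerRecord, state: int) -> Optional[datetime]:
    raw = rec.states.get(state)
    return datetime.fromisoformat(raw) if raw else None


def _median_days_by_category(recs, start_state, end_state):
    """Median latency in days from start_state to end_state per category (None when no data)."""
    out = {}
    for cat in CATEGORIES:
        latencies = []
        for rec in recs:
            if rec.category != cat:
                continue
            start, end = _reached(rec, start_state), _reached(rec, end_state)
            if start and end:
                latencies.append((end - start).total_seconds() / DAY_SECONDS)
        out[cat] = round(median(latencies), 2) if latencies else None
    return out


def _pct(numerator: int, denominator: int) -> Optional[float]:
    return round(100.0 * numerator / denominator, 1) if denominator else None


def metric_pack(ledger: List[LedgerRecord]) -> dict:
    """Indicators 1 to 7 of the Section 10 metric pack for one reporting period."""
    opened = [r for r in ledger if 3 in r.states]   # only records that became cases
    false_positive = {}
    for cls in INDICATOR_CLASSES:                   # Indicator 4 reads all recorded indicators
        in_class = [r for r in ledger if r.indicator_class == cls]
        false_positive[cls] = _pct(sum(r.closed_as_false_positive for r in in_class), len(in_class))
    return {
        "indicator_1_cases_opened_by_category": {
            cat: sum(1 for r in opened if r.category == cat) for cat in CATEGORIES},
        "indicator_2_median_triage_days": _median_days_by_category(opened, 2, 4),
        "indicator_3_median_closure_days": _median_days_by_category(opened, 3, 8),
        "indicator_4_false_positive_pct_by_class": false_positive,
        "indicator_5_pre_action_review_pct": _pct(sum(6 in r.states for r in opened), len(opened)),
        "indicator_6_adverse_action_pct": _pct(sum(r.adverse_action for r in opened), len(opened)),
        "indicator_7_confirmed_loss_pct": _pct(sum(r.confirmed_loss for r in opened), len(opened)),
    }


def tuning_review_flags(pack: dict, threshold_pct: float) -> List[str]:
    """Indicator classes whose State 2 false-positive rate exceeds the (assumed) tuning threshold."""
    rates = pack["indicator_4_false_positive_pct_by_class"]
    return [cls for cls in INDICATOR_CLASSES if rates[cls] is not None and rates[cls] > threshold_pct]


def volume_trend(current: dict, prior: dict) -> Dict[str, int]:
    """Indicator 1 trend: change in cases opened per category against the prior period."""
    cur = current["indicator_1_cases_opened_by_category"]
    prev = prior["indicator_1_cases_opened_by_category"]
    return {cat: cur[cat] - prev[cat] for cat in CATEGORIES}


# Constructed sample ledgers (not real case data).
PRIOR_PERIOD = [
    LedgerRecord("P-1", "technical", "negligent",
                 {2: "2024-01-08T09:00", 3: "2024-01-08T11:00", 4: "2024-01-09T09:00", 8: "2024-01-15T11:00"}),
    LedgerRecord("P-2", "technical", None, {2: "2024-01-20T09:00"}, closed_as_false_positive=True),
]
CURRENT_PERIOD = [
    LedgerRecord("C-1", "technical", "malicious",
                 {2: "2024-04-02T09:00", 3: "2024-04-02T12:00", 4: "2024-04-04T15:00",
                  6: "2024-04-20T10:00", 7: "2024-04-22T10:00", 8: "2024-04-30T12:00"},
                 adverse_action=True, confirmed_loss=True),
    LedgerRecord("C-2", "technical", "negligent",
                 {2: "2024-04-05T08:00", 3: "2024-04-05T10:00", 4: "2024-04-06T08:00", 8: "2024-04-12T10:00"}),
    LedgerRecord("C-3", "contextual", None, {2: "2024-04-07T09:00"}, closed_as_false_positive=True),
    LedgerRecord("C-4", "technical", None, {2: "2024-04-08T09:00"}, closed_as_false_positive=True),
    LedgerRecord("C-5", "technical", "compromised",
                 {2: "2024-04-10T09:00", 3: "2024-04-10T11:00", 4: "2024-04-11T09:00",
                  6: "2024-04-15T09:00", 8: "2024-04-18T11:00"}),
    LedgerRecord("C-6", "technical", "negligent",
                 {2: "2024-04-15T09:00", 3: "2024-04-15T11:00", 4: "2024-04-16T09:00", 8: "2024-04-20T11:00"}),
]

if __name__ == "__main__":
    current = metric_pack(CURRENT_PERIOD)
    for key, value in current.items():
        print(key, value)
    print("tuning review:", tuning_review_flags(current, threshold_pct=30.0))
    print("volume trend:", volume_trend(current, metric_pack(PRIOR_PERIOD)))
```

Records that closed as false positive at State 2 never enter Indicators 1 to 3 and 5 to 7, which is why Indicator 4 is computed over the whole ledger rather than over opened cases.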
Reporting cadence:
Monthly (working group internal):
- Indicator review on the past month against the metric pack.
- Case-by-case review for cases that remain open longer than the cadence target.
- Indicator catalogue review on patterns surfacing during the month.
Quarterly (executive sponsor governance forum):
- Full metric pack review against the prior quarter and the annual baseline.
- Working group decisions log review.
- Named case-context briefing on any case approaching a named threshold.
- Indicator catalogue revision approval.
- Monitoring practice register revision approval.
- Workforce-trust event review.
Annual (board sponsor or audit committee):
- Annual programme performance report.
- Annual charter revision pack.
- Annual transparency report (Section 9).
- Internal audit oversight report.
- Framework alignment evidence pack (Section 12).
Governance forum attendees:
- Standing attendees: executive sponsor, programme lead, HR partner, Legal partner, Privacy partner, IT partner, ethics partner, internal audit partner.
- Optional attendees on named cases: subject-matter experts named by the case lead with working group approval.
- External attendees on named cases: external counsel, external investigators, external auditors, as named by the working group with executive sponsor approval.
Decision rights at the governance forum:
- Approve monitoring practice register updates.
- Approve indicator catalogue updates.
- Approve case-by-case escalations beyond the working group authority.
- Approve charter revisions on the documented cadence.
- Approve corrective actions raised by the internal audit partner.
- Approve named monitoring practice retirement where workforce-trust events warrant.
11. Independent oversight, appeal mechanism, and records retention
Independent oversight is the structural protection against programme drift. The internal audit partner reviews a random sample of closed cases for cross-functional review chain integrity. The workforce member appeal mechanism is the structural protection against unjust action. The records retention discipline is the structural protection against silent data accumulation. The block below names the durable mechanisms; localise against the operating retention rules and the appeal procedures before publication.
Internal audit oversight programme:
- Named oversight body: Internal Audit function, reporting to the audit committee independently of programme management.
- Oversight scope: random sample of closed cases reviewed annually for cross-functional review chain integrity; review of metric pack accuracy at every quarterly governance cycle; review of programme operation against the chartered intent.
- Oversight cadence: random sample annual review of closed cases plus quarterly metric pack review plus event-driven review on any named workforce-trust event.
- Oversight independence: the audit partner reports findings to the audit committee independent of programme management; programme management does not have edit access to the audit findings.
- Oversight evidence pack: the audit partner publishes an annual oversight report with named findings, named corrective actions, and named timelines.
Workforce member appeal mechanism:
- Named appeal channel: {{WORKFORCE_APPEAL_CHANNEL}} (typically the firm-wide grievance procedure with the additional named insider threat appeal step).
- Named appeal scope: workforce members subject to adverse action under State 7 may appeal the action through the named channel.
- Named appeal review authority: the appeal authority is independent of the working group that recommended the action; in smaller firms the appeal authority may be the executive sponsor or an external independent reviewer named in the firm-wide grievance procedure.
- Named appeal recordkeeping: appeal outcomes are recorded against the case identifier; appeal outcomes that invalidate the original action trigger named corrective action including evidence destruction or correction where applicable, named workforce member remedy per HR procedure, and named indicator or process review.
External regulator complaint handling:
- Named external regulator channels: privacy regulators (national DPA, ICO, FTC where applicable), labour authorities (named per jurisdiction), human rights bodies (where applicable), works council (where union recognition applies).
- Named complaint receipt procedure: the regulator complaint is logged against the case identifier with the named regulator engagement chain.
- Named regulator response procedure: Legal partner leads the regulator response; the working group provides the documented evidence base.
- Named corrective action procedure: regulator findings that warrant corrective action are tracked on the engagement record with named owner and target close date.
Anti-retaliation discipline:
- Workforce members raising questions, concerns, complaints, appeals, or regulator complaints about the programme are subject to documented anti-retaliation protection.
- The protection is operated by HR with ethics partner oversight.
- Suspected retaliation events are investigated by the ethics partner independent of the working group that took the original action.
- Confirmed retaliation events trigger named corrective action against the responsible parties per the firm-wide disciplinary procedure.
Records retention rules:
Case file retention:
- Case files for cases closed as no action: {{NO_ACTION_RETENTION_PERIOD}} (typically 12 to 24 months depending on jurisdiction; consult Privacy for the operating jurisdiction).
- Case files for cases closed with HR intervention: {{HR_INTERVENTION_RETENTION_PERIOD}} (typically aligned with the named HR record retention period).
- Case files for cases closed with adverse employment action: {{ADVERSE_ACTION_RETENTION_PERIOD}} (typically the longer of jurisdictional employment record retention and any litigation hold).
- Case files for cases closed with external referral: {{EXTERNAL_REFERRAL_RETENTION_PERIOD}} (typically aligned with the longer of jurisdictional referral retention and any litigation hold; named litigation hold extends retention indefinitely until released).
- Case files subject to legal preservation hold: retained indefinitely until the hold is released by Legal.
Telemetry retention (named source-specific retention; aligned with the named source pipeline):
- Identity telemetry: per the named IAM telemetry retention rule.
- Endpoint telemetry: per the named EDR telemetry retention rule.
- DLP telemetry: per the named DLP retention rule.
- UEBA telemetry: per the named UEBA retention rule.
- CASB telemetry: per the named CASB retention rule.
- Email telemetry: per the named SEG telemetry retention rule.
- Code repository telemetry: per the named repository retention rule.
- Communications platform telemetry: per the named communication platform retention rule and the named lawful basis.
Records destruction discipline:
- Records exceeding retention periods are destroyed per the documented disposal procedure with named-actor activity log.
- Destruction events are recorded against the case identifier where applicable.
- Records subject to litigation hold are not destroyed until the hold is released by Legal.
Subject rights handling:
- Workforce member subject access requests on personnel records: handled by HR per the named jurisdictional rule.
- Workforce member subject access requests on insider threat case records: handled by the working group with Legal advice on the named lawful exemptions per jurisdiction.
- Workforce member rectification requests: handled per the named jurisdictional rule with working group review on insider threat data.
- Workforce member erasure requests: handled per the named jurisdictional rule with named exemptions for ongoing investigations, named legal holds, and named statutory retention requirements.
12. Framework alignment and charter revision discipline
The framework alignment block ties the charter to the named control catalogues so the audit can read the chartered programme against the controls the framework expects. Name the framework controls, the evidence the programme produces for each, and the cross-reference to the workspace engagement record. Revision discipline is what keeps the charter current as the threat picture, the regulatory environment, and the workforce-monitoring statutes move. Without revision discipline, the charter reads against year-one assumptions while the world has moved.
Framework alignment matrix (the named controls the charter operates as the implementing programme for):
ISO/IEC 27001:2022 Annex A:
- A 5.1 (policies for information security): the charter and the referenced policy library.
- A 5.4 (management responsibilities): the executive sponsorship and the working group authority structure.
- A 5.24 to A 5.27 (information security incident management): the case lifecycle and the IR runbook handoff.
- A 6.1 (screening): the workforce-screening rule the charter reads against; not authored by the charter.
- A 6.3 (information security awareness, education, and training): the onboarding training and the refresher cadence.
- A 6.4 (disciplinary process): the HR partner pre-action review chain.
- A 6.5 (responsibilities after termination or change of employment): the off-boarding rotation discipline.
- A 6.7 (remote working): the named scope across remote workforce monitoring.
- A 6.8 (information security event reporting): the indicator detection and case-open chain.
- A 8.16 (monitoring activities): the monitoring practice register.
- Clause 5.1 (leadership and commitment): the executive sponsorship.
- Clause 7.5 (documented information): the version control discipline.
- Clause 9.1 (monitoring, measurement, analysis, evaluation): the metric pack.
- Clause 10.1 (continual improvement): the charter revision discipline.
SOC 2 Trust Services Criteria:
- CC1.1 (commitment to integrity and ethical values): the chartered programme and the ethics partner involvement.
- CC1.2 (board oversight): the executive sponsor and audit committee reading.
- CC1.3 (management establishes structures, reporting lines, and authorities): the working group structure.
- CC1.4 (commitment to attract, develop, and retain competent individuals): the named programme owner role and named partner roles.
- CC2.2 (internal communication): the workforce notice and the workforce questions channel.
- CC6.1 (logical and physical access controls): the access boundary discipline.
- CC6.7 (transmission, movement, and disposal of information): the egress-monitoring scope.
- CC7.2 (anomaly monitoring): the indicator detection chain.
- CC7.4 (security incident response): the case lifecycle and the IR runbook handoff.
- CC7.5 (security incident recovery): the corrective action chain.
NIST SP 800-53 Rev. 5:
- PM-12 (insider threat program): the chartered programme as the implementing instance.
- AT-2(2) (insider threat awareness training): the onboarding training and refresher cadence.
- IR-4 (incident handling): the case lifecycle.
- IR-5 (incident monitoring): the metric pack.
- AC-2 (account management): the IT partner interface.
- AC-6 (least privilege): the access scope anomaly indicator class.
- AU-6 (audit review, analysis, and reporting): the indicator detection chain.
- AU-12 (audit record generation): the telemetry source register.
- CA-7 (continuous monitoring): the monitoring practice register and the metric pack.
- PS-3 (personnel screening), PS-4 (personnel termination), PS-5 (personnel transfer), PS-6 (access agreements), PS-7 (external personnel security), PS-8 (personnel sanctions): the named workforce lifecycle interface.
NIST SP 800-171 Rev. 2 (CUI environments):
- 3.6 (incident response): the case lifecycle in CUI environments.
- 3.7 (maintenance): the offboarding rotation discipline.
- 3.9 (personnel security): the named workforce lifecycle interface.
- 3.14 (system and information integrity): the asset and system anomaly indicator class.
NIST CSF 2.0:
- GV.RR (roles, responsibilities, authorities): the working group structure.
- GV.OV (oversight): the internal audit partner role.
- ID.RA (risk assessment): the indicator catalogue.
- PR.AT (awareness and training): the onboarding training.
- PR.AA (identity management, authentication, and access control): the access boundary discipline.
- DE.AE (adverse event analysis): the indicator pairing rules.
- DE.CM (continuous monitoring): the monitoring practice register.
- RS.MA (incident management): the case lifecycle.
- RS.AN (incident analysis): the assessment phase.
- RS.MI (incident mitigation): the action phase.
GDPR (and UK GDPR):
- Article 5 (data minimisation): the data minimisation discipline in Section 5.
- Article 6 (lawful basis for processing): the lawful basis register in Section 5.
- Article 9 (special categories of personal data): the special category data discipline in Section 5.
- Articles 13 and 14 (information to be provided to the data subject): the workforce notice in Section 9.
- Article 15 (right of access): the subject rights handling in Section 11.
- Article 22 (automated individual decision-making): the human-review requirement in Section 5.
- Article 30 (records of processing activities): the named processing record.
- Article 32 (security of processing): the access boundary discipline in Section 8.
- Article 35 (data protection impact assessment): the DPIA discipline in Section 5.
CISA Insider Threat Mitigation Guide and National Insider Threat Task Force minimum standards (US federal):
- Programme establishment: this charter.
- Programme management: the working group and the named partners.
- Reporting and analysis: the indicator catalogue and the case lifecycle.
- Personnel monitoring: the monitoring practice register and the lawful basis.
- Information sharing: the named partner referral channels.
- Programme evaluation: the metric pack and the internal audit oversight.
NIS2 (Directive (EU) 2022/2555) Article 21 (cybersecurity risk-management measures): the chartered programme reads against the measures on security policies, incident handling, business continuity, supply chain security, security in network and information systems acquisition, development and maintenance, policies and procedures to assess the effectiveness of risk-management measures, basic cyber hygiene practices and cybersecurity training, and human resources security.
DORA (Regulation (EU) 2022/2554) Article 6 (ICT risk management framework): the chartered programme reads against the named framework expectations.
Charter revision discipline:
- Annual scheduled review: the working group reviews the full charter against operating jurisdictions, the threat picture, the workforce composition, the tooling stack, the regulatory environment, and the prior-year metric pack.
- Out-of-cycle revision triggers: material workforce or estate change; sponsor change; regulatory environment change; works council or union consultation change; named monitoring practice retirement or addition; post-incident lesson; post-litigation lesson; privacy regulator complaint; ethics complaint; named workforce-trust event; structural reorganisation; audit or regulator finding naming the charter as root cause.
- Revision authoring: the programme owner authors the revision; the working group reviews; the executive sponsor signs.
- Revision activation: the new version supersedes the prior version on the effective date; the prior version is retained on the workspace document repository per the records retention rule.
- Revision communication: the workforce notice references the current charter version; material changes to monitoring practices trigger renewed workforce notice and works council consultation where applicable.
Programme acknowledgement:
- The chartered programme is the durable cross-functional operating function the audit, the works council, the regulator, the executive sponsor, and the workforce read against.
- The cross-functional working group runs the programme day to day with documented decision rights and documented review discipline.
- The indicator catalogue, the case lifecycle, the monitoring practice register, the lawful basis register, the prohibited practices register, the metric pack, the governance forum minute book, the internal audit oversight record, the workforce notice, the appeal mechanism, the records retention rules, and the framework alignment matrix are kept in sync on one workspace so the audit read of programme performance, the works council read of programme operation, the workforce read of programme transparency, the regulator read of programme legality, and the executive sponsor read of programme value are the same record rather than twelve independently edited summaries that diverge between reporting cycles.
Eight failure modes the charter has to design against
Insider threat programmes fail the audit read, the workforce-trust read, and the executive sponsor read in recognisable patterns. Each failure has a structural fix that the template above is designed to enforce. Read this list before you customise the charter so the customisation does not weaken the discipline that makes the cross-functional review chain defensible.
Programme operating without a chartered authority
The security organisation builds an insider threat workflow on assumed authority because no one wrote the charter. The first privacy or employment law challenge surfaces that no executive sponsor authorised the programme, no cross-functional partners reviewed the lawful basis, no works council consultation happened in EU operations, and the programme cannot evidence the chartered intent. The fix is Section 1 plus Section 2 with named executive sponsor sign-off and named authority basis before any monitoring practice operates.
Security ownership without cross-functional working group
The programme is run from within security alone with HR, Legal, and Privacy consulted on a best-effort basis. Cases progress to adverse employment action without documented HR review; surveillance expansion happens without Privacy review; access changes happen without Legal review; a workforce-trust event surfaces a case where a workforce member with active protected status was monitored without ethics review. The fix is Section 3 with named partners and named decision rights, plus Section 7 with mandatory pre-action review.
Behavioural indicators driving cases without technical indicators
Cases open based on behavioural indicators alone (performance concerns, complaints, leave patterns) without a paired technical indicator pattern. The programme drifts into surveillance of the workforce member based on inference about their character rather than observation of their actions on systems. The privacy and discrimination law exposure escalates rapidly. The fix is Section 6 with the explicit behavioural indicator pairing rule: behavioural indicators contribute to triage only once a technical indicator pattern is present.
No prohibited practices register, leading to scope creep
The programme expands monitoring practices opportunistically as new tools become available without an explicit boundary on what the programme will not do. Workforce trust collapses when keystroke capture, screen recording, behavioural sentiment analysis, or surveillance of personal communications become operational. The fix is Section 5 with the explicit prohibited-practices register reviewed by Privacy and Legal at every annual charter cycle and at every monitoring practice change.
Cases closing as no action without documented rationale
Cases open on an indicator and disappear from the workflow without a documented closure rationale. The audit reading cannot reconstruct why the programme dropped a case; the workforce member never learns that they were under investigation; the indicator catalogue does not get the feedback that would tune it. The fix is Section 7 State 8 with mandatory documented closure rationale plus Indicator 4 in the metric pack reading the false-positive rate at State 2 review.
No appeal mechanism for adverse action
Workforce members subject to adverse action cannot challenge the decision because the programme does not document an appeal channel. The first wrongful termination claim surfaces that the programme operates without due process and the firm cannot defend the chain. The fix is Section 11 with the named appeal channel, the named appeal review authority, the named anti-retaliation discipline, and the named appeal recordkeeping.
No metric pack, leading to invisible programme drift
The programme operates without a documented metric pack so the executive sponsor cannot tell whether case volume is moving against threat or against threshold drift, whether false-positive rate is improving or degrading, whether pre-action review is being applied consistently, or whether workforce-trust events are accumulating. The programme drifts away from chartered intent over four to eight quarters. The fix is Section 10 with the ten durable indicators read at every governance cycle and the trend reading against the prior period.
Charter that never revises
The charter publishes at programme launch and freezes; the workforce composition, the operating jurisdictions, the tooling stack, the threat picture, the regulatory environment, the works council position, and the named monitoring practices all move underneath while the charter reads against year-one assumptions. The audit reads the programme as procedure-on-paper. The fix is Section 12 with the named revision triggers and the documented annual scheduled review.
Ten questions the quarterly governance forum has to answer
Operational review keeps the working group current at the case level. Governance review answers whether the programme is delivering chartered intent or drifting against threshold, coverage, or trust. Run these ten questions at every quarterly governance forum and capture the answers in the governance record on the workspace.
1. How many cases did the programme open in the quarter by category, and how does the trend read against the prior quarter and the annual baseline?
2. Which category dominated the case volume in the quarter, and what is the working group reading on whether the dominance is consistent with the threat picture or with threshold drift?
3. What is the median triage cadence by category against the named cadence target, and which category sustained an overrun for two or more cycles?
4. What is the false-positive rate at initial review by indicator class, and which indicator classes warrant tuning per the Section 6 review?
5. What is the pre-action review penetration rate, and is the rate consistent with the case mix or does it signal under-triage or threshold drift?
6. How many cases progressed to adverse employment action in the quarter, and what is the HR partner reading on the action distribution against the workforce-management context?
7. How many confirmed loss events did the programme record in the quarter, and what is the impact-magnitude distribution?
8. How many indicators were added or retired in the quarter, and what is the indicator-catalogue health reading on detection coverage?
9. How many internal audit oversight reviews completed in the quarter, and what material findings did the audit partner report to the audit committee?
10. What was the workforce-trust event volume in the quarter (questions, concerns, complaints, appeals, external regulator complaints), and what working group action did each event trigger?
How the package pairs with SecPortal
The template above is copy-ready as a standalone artefact. If your team already runs engagement records, document custody, and finding tracking on a workspace, the chartered programme record becomes a byproduct of the work rather than a separate evidence project. SecPortal pairs the chartered programme to a versioned engagement record through engagement management, so the charter, the working group roster, the per-case triage record, the named pre-action approval chain, the metric pack, and the governance forum minute book all live on one workspace rather than scattered across a chat channel, a wiki page, an HR system, a legal intake form, and a shared mailbox.
The document management feature holds the charter itself, the indicator catalogue, the monitoring practice register, the lawful basis register, the prohibited practices register, the workforce notice variants per jurisdiction, the works council consultation references, the framework alignment matrix, and every prior charter version retained per the audit evidence retention policy. Access to each document is gated by role-based access control through team management with the working group partner roles named on the engagement record, and protected by multi-factor authentication. The activity log captures the timestamped chain of state changes by user with 30, 90, or 365-day retention windows depending on the plan, so the indicator detection, the analyst review, the case open, the triage assessment, the pre-action review, the action authorisation, the closure, and the appeal chain are all observable rather than asserted.
Per-case records land as findings on findings management alongside vulnerability findings from external, authenticated, and code scanning, each carrying a severity assessment, a named owner, a target close date, and an evidence-of-closure requirement so the cross-functional review chain reads from the same record the rest of the security organisation operates against. Finding overrides carry the documented closure-as-no-action decision chain with the eight-field rationale, named approver, and named review window that survives the audit reading. Bulk finding import supports CSV-based ingestion of DLP, UEBA, EDR, ITDR, CASB, IAM, and HRIS event exports so indicator records land on the workspace at the cadence the source pipeline publishes rather than at the analyst rota cadence. Retesting workflows carry the named follow-up evidence for cases closed with control improvement actions. The notifications and alerts feature dispatches case-state-change pages, pre-action review reminders, and governance forum cadence reminders to the working group and the named partner rota.
The compliance tracking feature maps the chartered programme records to ISO 27001 Annex A 6.1, A 6.3, A 6.7, A 6.8, A 8.16, A 5.24 to A 5.27, A 5.4 and Clauses 5.1, 7.5, 9.1, 10.1; SOC 2 CC1.1 to CC1.4, CC2.2, CC6.1, CC6.7, CC7.2, CC7.4, CC7.5; NIST SP 800-53 PM-12, AT-2(2), IR-4, IR-5, AC-2, AC-6, AU-6, AU-12, CA-7, PS-3 to PS-8; NIST CSF 2.0 GV.RR, GV.OV, ID.RA, PR.AT, PR.AA, DE.AE, DE.CM, RS.MA, RS.AN, RS.MI; NIS2 Article 21; DORA Article 6; and GDPR Articles 5, 6, 9, 13, 14, 15, 22, 30, 32, 35 with CSV export, so when an auditor asks how the firm operates a chartered insider threat function, the charter version, the working group roster, the indicator catalogue, the monitoring practice register, the case ledger, the metric pack, the governance forum minute book, the internal audit oversight record, and the corrective action chain are one query against the same data. The AI report generation workflow drafts the quarterly governance pack, the executive summary, and the annual transparency report from the same engagement data so the audit committee read, the works council read, and the operational read are the same record rather than three independently edited summaries.
SecPortal is not a user activity monitoring (UAM) tool, is not a user and entity behaviour analytics (UEBA) engine, is not a data loss prevention (DLP) platform, is not an endpoint detection and response (EDR) tool, is not an identity threat detection and response (ITDR) platform, is not a secure email gateway, is not a CASB, and is not a managed insider risk service. SecPortal does not capture keystrokes, screen content, browser history, file-system events, or network telemetry; does not produce behavioural risk scores on individual employees; does not maintain employee surveillance dashboards; does not push to Jira, ServiceNow, Slack, Microsoft Teams, PagerDuty, Splunk, QRadar, Sentinel, Chronicle, CrowdStrike, SentinelOne, Microsoft Purview, Proofpoint, Code42, DTEX, Forcepoint, Teramind, ActivTrak, Veriato, Insightful, Workday, BambooHR, ADP, SAP SuccessFactors, Oracle HCM, or any UAM, UEBA, DLP, EDR, ITDR, CASB, or HRIS platform through packaged connectors. The detection tools live on the engineering stack; the workforce-monitoring policy and the lawful basis live in the firm-wide policy library; SecPortal carries the chartered programme record the audit, the works council, the regulator, and the executive sponsor read against. For the practical detection guidance the programme reads against, see the insider threat detection guide. For the exercise discipline the programme runs against the insider-misuse lane, see the tabletop exercise template. For the secret-sprawl response chain the programme hands off into for credential-egress patterns, see the secret sprawl incident response playbook. For the compliance anchors the programme records feed, see the framework pages for ISO 27001, SOC 2, NIST SP 800-53, NIST CSF 2.0, NIS2, and DORA.