CONTINUOUS RE-VETTING & INSIDER-THREAT MONITORING

This is a standing re-vetting and insider-threat monitoring subscription on a defined employee/contractor population or sensitive-access cohort: it defines the refresh watch criteria/tripwires, the periodic re-screening and reporting cadence, the escalation routes, and the service levels under which we keep the client current on personnel integrity and threat-signal emergence over the term. It does NOT cover the one-off baseline pre-employment screening (Pre-Employment Screening), nor any staffed operational detail (guard force / GSOC staffing under the staffed retained-service archetype). Prescriptive throughout: this is what we watch, how often, and what we do when a tripwire fires - not an analytic estimate of personnel risk.

Document Control

FieldValue
Service name[ ]
DIDOSINT-012
Population / monitoring target[ ]
Client / sponsor[ ]
Classification & handling[e.g., classification + caveats + dissemination control]
Version[ ]
Author / service owner[ ]
Effective date[ ]
Term / period of performance[e.g., start–end, auto-renew terms]
Seeding product (baseline)[e.g., reference to the OSINT-007 pre-employment screening that establishes the baseline vetting]

Scope, Authorities & Limitations

State the authorized scope (which personnel cohort, which lawful source lanes, which jurisdictions), the engagement authority/consent basis, and what is explicitly out of scope; reproduce the verbatim caveats below; name the sibling products this service routes to.

This is a monitoring/operational service, not an investigation, a guarantee of detection, or legal advice. Collection is limited to lawful, authorized sources within the agreed scope; no unlawful access, intrusion, pretexting, or surveillance of non-consenting third parties is performed. Alerting is best-effort within the stated SLA and does not warrant prevention of any event.

BoundaryStatement
In scope[ ]
Out of scope[ ]
Authority / consent basis[ ]
Routes to (seeding product)[e.g., OSINT-007 Pre-Employment Screening]
Routes to (escalation/staffed services)[e.g., OSINT-005 Detailed Subject Investigation / 08 Protective Intelligence / HR investigation]

1. Scope & Watch Criteria / Tripwires

Enumerate every re-vetting watch item; per the load-bearing rule each row MUST bind a tripwire (the observable threshold that fires it), implicitly a cadence (§2), and an escalation route (§4). Risk-score each watch item with the L×I key reproduced in §4. No row may omit a tripwire or an escalation route.

#Watch itemObservable indicatorTripwire thresholdLikelihood (1–5)Impact (1–5)L×I (1–25)Severity tierEscalation route (→ §4)
[ ][e.g., criminal records - new charges/convictions][ ][e.g., any arrest, conviction, or pending charge in the relevant jurisdiction(s)][ ][ ][ ][ ][ ]
[ ][e.g., credential compromise - password leak/breach][ ][e.g., personnel username/email flagged in a public or dark-web credential dump][ ][ ][ ][ ][ ]
[ ][e.g., adverse media - financial distress / legal action][ ][e.g., public report of bankruptcy, foreclosure, lawsuit, or liens][ ][ ][ ][ ][ ]
[ ][e.g., travel anomalies - high-risk destination][ ][e.g., international travel to sanctioned/hostile countries or unexpected pattern break][ ][ ][ ][ ][ ]
[ ][e.g., social media red flags - ideological / threat signaling][ ][e.g., public expression of extremist ideology, violence-sympathetic content, or organizational security concerns][ ][ ][ ][ ][ ]
[ ][e.g., employment history - unauthorized departure or conflict][ ][e.g., unexpected termination, resignation, or public dispute with current/former employer][ ][ ][ ][ ][ ]
[ ][e.g., financial irregularity - sudden wealth / unexplained spending][ ][e.g., public indicators of sudden asset acquisition, luxury acquisition, or cash-based lifestyle misaligned with declared income][ ][ ][ ][ ][ ]

2. Collection Cadence & Sources

Specify each lawful collection lane keyed to the watch items above, its method, its collection cadence, the expected source grade (Admiralty, see Annex A), and the owning collector. Free/browser-first lanes before escalation-tier platforms; no live tool names here - describe the lane.

Source / laneWatch item(s) servedCollection methodCadenceExpected source grade (Admiralty)Owner
[ ][e.g., criminal records][e.g., court records + corrections database queries + regulatory watchlist subscriptions][e.g., monthly / quarterly][e.g., A–F × 1–6][ ]
[ ][e.g., breach + password intelligence][e.g., subscription feeds + dark-web corpus monitoring][e.g., real-time + weekly digest][ ][ ]
[ ][e.g., adverse media][e.g., news aggregation + financial disclosure + bankruptcy filing feeds][e.g., daily / weekly][ ][ ]
[ ][e.g., travel patterns][e.g., flight-manifest data + border-crossing feeds + sanctions list cross-reference][e.g., monthly][ ][ ]
[ ][e.g., social media monitoring][e.g., open-source social platform surveillance + altmetrics][e.g., continuous + daily review][ ][ ]
[ ][e.g., employment verification + corporate news][e.g., employment verification services + corporate announcements + LinkedIn monitoring][e.g., quarterly / semi-annual][ ][ ]
[ ][e.g., financial intelligence][e.g., property records + asset filings + UBO disclosure monitoring][e.g., quarterly / semi-annual][ ][ ]

3. Reporting Cadence & Product Format

Define each recurring product the service emits, what triggers it (scheduled cadence or tripwire-driven), its format, recipient, and delivery channel. Distinguish the routine cadence product from the on-tripwire alert product.

ProductTrigger / cadenceFormatRecipientChannel
[e.g., periodic re-vetting summary][e.g., quarterly / semi-annual per scope][e.g., summary briefing + table of re-checked items + current status][ ][ ]
[e.g., tripwire alert - watch-item fire][e.g., on tripwire fire, per §1][e.g., immediate alert + source citation (Admiralty grade) + preliminary assessment][ ][ ]
[e.g., re-vetting status report][e.g., on request or scheduled][e.g., updated personnel status vs. baseline + new findings][ ][ ]
[e.g., service health + collection availability][e.g., quarterly][e.g., summary of source availability, lane uptime, collection gaps][ ][ ]

4. Escalation & Notification Triggers

Map severity tiers to trigger conditions, the party notified, the notification method, and the acknowledgement target. Each tier must correspond to severity bands derived from the L×I key below; every §1 watch item routes to a tier here.

Risk scoring key (reproduce verbatim): Likelihood (1–5) × Impact (1–5) = 1–25; 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.

Severity tierL×I bandTrigger conditionNotifyMethodAcknowledgement target
[e.g., Critical][e.g., 21–25][e.g., major financial crime, violent conviction, or active espionage indicator][ ][e.g., immediate phone + secure email][e.g., within 1 hour]
[e.g., High][e.g., 16–20][e.g., credential compromise, travel to hostile country, or moderate integrity concern][ ][e.g., secure email + follow-up call within 4 hours][e.g., within 24 hours]
[e.g., Elevated][e.g., 11–15][e.g., adverse media, financial distress, or social-media expression requiring confirmation][ ][e.g., secure email + daily check-in][e.g., within 48 hours]
[e.g., Moderate/Low][e.g., 1–10][e.g., routine refresh item, minor news mention, or low-confidence signal][ ][e.g., weekly summary / included in periodic report][e.g., within 7 days]

5. Service Levels (SLA)

Bind measurable service-level commitments to the cadence (§2/§3) and escalation timing (§4): detection/refresh timeliness, alert-delivery time per tier, product-delivery punctuality, availability, and the remedy when a target is missed. Every target must be measurable and have a measurement method.

MetricTargetMeasurement methodReportedRemedy / credit on miss
[e.g., tripwire alert delivery by tier][e.g., Critical <1 hr, High <4 hrs, Elevated <24 hrs][e.g., timestamp of alert creation vs. delivery log][e.g., quarterly SLA report][e.g., service credit / re-run at no charge]
[e.g., periodic re-vetting report on cadence][e.g., 100% punctuality vs. scheduled cadence][e.g., delivery timestamp vs. contract schedule][e.g., each report delivery][e.g., extended term / credit]
[e.g., monitoring availability / source uptime][e.g., ≥98% per calendar quarter][e.g., lane uptime log + collection success rate][e.g., quarterly SLA report][e.g., service credit]
[e.g., false-positive rate / accuracy][e.g., ≤5% of alerts require no follow-up action][e.g., monthly accuracy review vs. client confirmation][e.g., quarterly SLA report][e.g., enhanced review / credit]

6. Review & Renewal

State the cadence of formal service review, the change-control process for adding/removing watch items or adjusting cadence, and the renewal, re-scoping, and termination terms.

ItemSpecification
Service-review cadence[ ]
Watch-list change-control[e.g., process to add/retire a §1 watch item, approval authority]
Cadence / scope adjustment process[e.g., how to modify collection frequencies, source lanes, or population scope]
Renewal terms[e.g., annual / bi-annual review + re-authorization of personnel list]
Termination / offboarding terms[e.g., final re-vetting sweep + data return/purge within X days]

Annex A - Source & Watch-List Register (graded)

Register every standing source and watch item with its current Admiralty grade. Reproduce the scales verbatim; grade each sourced datum as a two-character code (e.g., B2).

NATO Admiralty source reliability (A–F): A Completely reliable · B Usually reliable · C Fairly reliable · D Not usually reliable · E Unreliable · F Reliability cannot be judged. NATO Admiralty information credibility (1–6): 1 Confirmed by other sources · 2 Probably true · 3 Possibly true · 4 Doubtful · 5 Improbable · 6 Truth cannot be judged.

Source / watch itemLane (→ §2)Reliability (A–F)Credibility (1–6)GradeLast verifiedNotes
[ ][ ][ ][ ][e.g., B2][ ][ ]
[ ][ ][ ][ ][ ][ ][ ]
[ ][ ][ ][ ][ ][ ][ ]

Annex B - Onboarding / Offboarding & Data-Handling Checklist

Capture the standing-up and tearing-down steps and the data-handling regime over the term: authorization capture, baseline ingest, collection standup, retention/destruction, and offboarding.

StepPhaseOwnerStatus
[e.g., capture authority/consent + scope sign-off + personnel list][e.g., onboarding][ ][ ]
[e.g., ingest baseline pre-employment screening (OSINT-007)][e.g., onboarding][ ][ ]
[e.g., stand up re-vetting collection lanes + tripwire thresholds][e.g., onboarding][ ][ ]
[e.g., establish alert escalation paths + contact tree][e.g., onboarding][ ][ ]
[e.g., data retention / destruction schedule + compliance attestation][e.g., steady-state][ ][ ]
[e.g., offboarding + data return/purge + final certifications][e.g., offboarding][ ][ ]

END OF SERVICE PLAYBOOK

Model wiring

Generated from cell frontmatter at publish time.