CONTINUOUS RE-VETTING & INSIDER-THREAT MONITORING
This is a standing re-vetting and insider-threat monitoring subscription on a defined employee/contractor population or sensitive-access cohort: it defines the refresh watch criteria/tripwires, the periodic re-screening and reporting cadence, the escalation routes, and the service levels under which we keep the client current on personnel integrity and threat-signal emergence over the term. It does NOT cover the one-off baseline pre-employment screening (Pre-Employment Screening), nor any staffed operational detail (guard force / GSOC staffing under the staffed retained-service archetype). Prescriptive throughout: this is what we watch, how often, and what we do when a tripwire fires - not an analytic estimate of personnel risk.
Document Control
| Field | Value |
|---|---|
| Service name | [ ] |
| DID | OSINT-012 |
| Population / monitoring target | [ ] |
| Client / sponsor | [ ] |
| Classification & handling | [e.g., classification + caveats + dissemination control] |
| Version | [ ] |
| Author / service owner | [ ] |
| Effective date | [ ] |
| Term / period of performance | [e.g., start–end, auto-renew terms] |
| Seeding product (baseline) | [e.g., reference to the OSINT-007 pre-employment screening that establishes the baseline vetting] |
Scope, Authorities & Limitations
State the authorized scope (which personnel cohort, which lawful source lanes, which jurisdictions), the engagement authority/consent basis, and what is explicitly out of scope; reproduce the verbatim caveats below; name the sibling products this service routes to.
This is a monitoring/operational service, not an investigation, a guarantee of detection, or legal advice. Collection is limited to lawful, authorized sources within the agreed scope; no unlawful access, intrusion, pretexting, or surveillance of non-consenting third parties is performed. Alerting is best-effort within the stated SLA and does not warrant prevention of any event.
| Boundary | Statement |
|---|---|
| In scope | [ ] |
| Out of scope | [ ] |
| Authority / consent basis | [ ] |
| Routes to (seeding product) | [e.g., OSINT-007 Pre-Employment Screening] |
| Routes to (escalation/staffed services) | [e.g., OSINT-005 Detailed Subject Investigation / 08 Protective Intelligence / HR investigation] |
1. Scope & Watch Criteria / Tripwires
Enumerate every re-vetting watch item; per the load-bearing rule each row MUST bind a tripwire (the observable threshold that fires it), implicitly a cadence (§2), and an escalation route (§4). Risk-score each watch item with the L×I key reproduced in §4. No row may omit a tripwire or an escalation route.
| # | Watch item | Observable indicator | Tripwire threshold | Likelihood (1–5) | Impact (1–5) | L×I (1–25) | Severity tier | Escalation route (→ §4) |
|---|---|---|---|---|---|---|---|---|
| [ ] | [e.g., criminal records - new charges/convictions] | [ ] | [e.g., any arrest, conviction, or pending charge in the relevant jurisdiction(s)] | [ ] | [ ] | [ ] | [ ] | [ ] |
| [ ] | [e.g., credential compromise - password leak/breach] | [ ] | [e.g., personnel username/email flagged in a public or dark-web credential dump] | [ ] | [ ] | [ ] | [ ] | [ ] |
| [ ] | [e.g., adverse media - financial distress / legal action] | [ ] | [e.g., public report of bankruptcy, foreclosure, lawsuit, or liens] | [ ] | [ ] | [ ] | [ ] | [ ] |
| [ ] | [e.g., travel anomalies - high-risk destination] | [ ] | [e.g., international travel to sanctioned/hostile countries or unexpected pattern break] | [ ] | [ ] | [ ] | [ ] | [ ] |
| [ ] | [e.g., social media red flags - ideological / threat signaling] | [ ] | [e.g., public expression of extremist ideology, violence-sympathetic content, or organizational security concerns] | [ ] | [ ] | [ ] | [ ] | [ ] |
| [ ] | [e.g., employment history - unauthorized departure or conflict] | [ ] | [e.g., unexpected termination, resignation, or public dispute with current/former employer] | [ ] | [ ] | [ ] | [ ] | [ ] |
| [ ] | [e.g., financial irregularity - sudden wealth / unexplained spending] | [ ] | [e.g., public indicators of sudden asset acquisition, luxury acquisition, or cash-based lifestyle misaligned with declared income] | [ ] | [ ] | [ ] | [ ] | [ ] |
2. Collection Cadence & Sources
Specify each lawful collection lane keyed to the watch items above, its method, its collection cadence, the expected source grade (Admiralty, see Annex A), and the owning collector. Free/browser-first lanes before escalation-tier platforms; no live tool names here - describe the lane.
| Source / lane | Watch item(s) served | Collection method | Cadence | Expected source grade (Admiralty) | Owner |
|---|---|---|---|---|---|
| [ ] | [e.g., criminal records] | [e.g., court records + corrections database queries + regulatory watchlist subscriptions] | [e.g., monthly / quarterly] | [e.g., A–F × 1–6] | [ ] |
| [ ] | [e.g., breach + password intelligence] | [e.g., subscription feeds + dark-web corpus monitoring] | [e.g., real-time + weekly digest] | [ ] | [ ] |
| [ ] | [e.g., adverse media] | [e.g., news aggregation + financial disclosure + bankruptcy filing feeds] | [e.g., daily / weekly] | [ ] | [ ] |
| [ ] | [e.g., travel patterns] | [e.g., flight-manifest data + border-crossing feeds + sanctions list cross-reference] | [e.g., monthly] | [ ] | [ ] |
| [ ] | [e.g., social media monitoring] | [e.g., open-source social platform surveillance + altmetrics] | [e.g., continuous + daily review] | [ ] | [ ] |
| [ ] | [e.g., employment verification + corporate news] | [e.g., employment verification services + corporate announcements + LinkedIn monitoring] | [e.g., quarterly / semi-annual] | [ ] | [ ] |
| [ ] | [e.g., financial intelligence] | [e.g., property records + asset filings + UBO disclosure monitoring] | [e.g., quarterly / semi-annual] | [ ] | [ ] |
3. Reporting Cadence & Product Format
Define each recurring product the service emits, what triggers it (scheduled cadence or tripwire-driven), its format, recipient, and delivery channel. Distinguish the routine cadence product from the on-tripwire alert product.
| Product | Trigger / cadence | Format | Recipient | Channel |
|---|---|---|---|---|
| [e.g., periodic re-vetting summary] | [e.g., quarterly / semi-annual per scope] | [e.g., summary briefing + table of re-checked items + current status] | [ ] | [ ] |
| [e.g., tripwire alert - watch-item fire] | [e.g., on tripwire fire, per §1] | [e.g., immediate alert + source citation (Admiralty grade) + preliminary assessment] | [ ] | [ ] |
| [e.g., re-vetting status report] | [e.g., on request or scheduled] | [e.g., updated personnel status vs. baseline + new findings] | [ ] | [ ] |
| [e.g., service health + collection availability] | [e.g., quarterly] | [e.g., summary of source availability, lane uptime, collection gaps] | [ ] | [ ] |
4. Escalation & Notification Triggers
Map severity tiers to trigger conditions, the party notified, the notification method, and the acknowledgement target. Each tier must correspond to severity bands derived from the L×I key below; every §1 watch item routes to a tier here.
Risk scoring key (reproduce verbatim): Likelihood (1–5) × Impact (1–5) = 1–25; 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.
| Severity tier | L×I band | Trigger condition | Notify | Method | Acknowledgement target |
|---|---|---|---|---|---|
| [e.g., Critical] | [e.g., 21–25] | [e.g., major financial crime, violent conviction, or active espionage indicator] | [ ] | [e.g., immediate phone + secure email] | [e.g., within 1 hour] |
| [e.g., High] | [e.g., 16–20] | [e.g., credential compromise, travel to hostile country, or moderate integrity concern] | [ ] | [e.g., secure email + follow-up call within 4 hours] | [e.g., within 24 hours] |
| [e.g., Elevated] | [e.g., 11–15] | [e.g., adverse media, financial distress, or social-media expression requiring confirmation] | [ ] | [e.g., secure email + daily check-in] | [e.g., within 48 hours] |
| [e.g., Moderate/Low] | [e.g., 1–10] | [e.g., routine refresh item, minor news mention, or low-confidence signal] | [ ] | [e.g., weekly summary / included in periodic report] | [e.g., within 7 days] |
5. Service Levels (SLA)
Bind measurable service-level commitments to the cadence (§2/§3) and escalation timing (§4): detection/refresh timeliness, alert-delivery time per tier, product-delivery punctuality, availability, and the remedy when a target is missed. Every target must be measurable and have a measurement method.
| Metric | Target | Measurement method | Reported | Remedy / credit on miss |
|---|---|---|---|---|
| [e.g., tripwire alert delivery by tier] | [e.g., Critical <1 hr, High <4 hrs, Elevated <24 hrs] | [e.g., timestamp of alert creation vs. delivery log] | [e.g., quarterly SLA report] | [e.g., service credit / re-run at no charge] |
| [e.g., periodic re-vetting report on cadence] | [e.g., 100% punctuality vs. scheduled cadence] | [e.g., delivery timestamp vs. contract schedule] | [e.g., each report delivery] | [e.g., extended term / credit] |
| [e.g., monitoring availability / source uptime] | [e.g., ≥98% per calendar quarter] | [e.g., lane uptime log + collection success rate] | [e.g., quarterly SLA report] | [e.g., service credit] |
| [e.g., false-positive rate / accuracy] | [e.g., ≤5% of alerts require no follow-up action] | [e.g., monthly accuracy review vs. client confirmation] | [e.g., quarterly SLA report] | [e.g., enhanced review / credit] |
6. Review & Renewal
State the cadence of formal service review, the change-control process for adding/removing watch items or adjusting cadence, and the renewal, re-scoping, and termination terms.
| Item | Specification |
|---|---|
| Service-review cadence | [ ] |
| Watch-list change-control | [e.g., process to add/retire a §1 watch item, approval authority] |
| Cadence / scope adjustment process | [e.g., how to modify collection frequencies, source lanes, or population scope] |
| Renewal terms | [e.g., annual / bi-annual review + re-authorization of personnel list] |
| Termination / offboarding terms | [e.g., final re-vetting sweep + data return/purge within X days] |
Annex A - Source & Watch-List Register (graded)
Register every standing source and watch item with its current Admiralty grade. Reproduce the scales verbatim; grade each sourced datum as a two-character code (e.g., B2).
NATO Admiralty source reliability (A–F): A Completely reliable · B Usually reliable · C Fairly reliable · D Not usually reliable · E Unreliable · F Reliability cannot be judged. NATO Admiralty information credibility (1–6): 1 Confirmed by other sources · 2 Probably true · 3 Possibly true · 4 Doubtful · 5 Improbable · 6 Truth cannot be judged.
| Source / watch item | Lane (→ §2) | Reliability (A–F) | Credibility (1–6) | Grade | Last verified | Notes |
|---|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [e.g., B2] | [ ] | [ ] |
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Annex B - Onboarding / Offboarding & Data-Handling Checklist
Capture the standing-up and tearing-down steps and the data-handling regime over the term: authorization capture, baseline ingest, collection standup, retention/destruction, and offboarding.
| Step | Phase | Owner | Status |
|---|---|---|---|
| [e.g., capture authority/consent + scope sign-off + personnel list] | [e.g., onboarding] | [ ] | [ ] |
| [e.g., ingest baseline pre-employment screening (OSINT-007)] | [e.g., onboarding] | [ ] | [ ] |
| [e.g., stand up re-vetting collection lanes + tripwire thresholds] | [e.g., onboarding] | [ ] | [ ] |
| [e.g., establish alert escalation paths + contact tree] | [e.g., onboarding] | [ ] | [ ] |
| [e.g., data retention / destruction schedule + compliance attestation] | [e.g., steady-state] | [ ] | [ ] |
| [e.g., offboarding + data return/purge + final certifications] | [e.g., offboarding] | [ ] | [ ] |
END OF SERVICE PLAYBOOK
Model wiring
Generated from cell frontmatter at publish time.