Protecting VIPs (Cyber / Information)

This Rules/Policy document is provided to you and your organization as a starting point or maturity checkpoint for existing rules/policies. It is brought to you on behalf of Jim McConnell, Principal Owner, and Ask McConnell, LLC — A Converged Security Services Provider. The content is not meant to cover every circumstance, industry, law, regulation, contractual requirement, threat, environment, or risk, but it provides an easy, defendable, highly accountable starting point for any organization. Please consult with your legal counsel and insurance provider about added requirements. If you know of peers that you think would find value in these resources, please have them contact us. These will be updated on our website regularly. We are not legally protecting these documents; we just ask for credit, shout-outs, and referrals if you find them helpful. If you have recommended updates, we are all ears. And if you need Converged Security Consulting and Training, please reach out; we would be honored to serve you and your organization.

Jim McConnell  |  info@askmcconnell.com  |  askmcconnell.com

Protecting VIPs (Cyber / Information) Policy

Updated: 25 May 2025

Critical Point: All humans are important and have the right to be protected from harm, but some individuals, for various reasons, have more threats directed against them and thus need to be protected differently than individuals with little to no targeting against them. We use “VIP” as a universal term for simplicity, but any threat level can change — from None to Imminent and back to None — quickly.

Reality: It is acknowledged that getting a senior executive/VIP to sign this and adhere to 100% of these rules 100% of the time while handling/possessing organization assets is aspirational — but it is expected that they will endeavor to do so.

  • I will report security incidents, concerns, vulnerabilities, and threats to my supervisor or the organization’s Ethics Hotline as soon as possible and safe; if they are not available and I feel unsafe, I will contact law enforcement.
  • I will engage the organization’s safety and security leadership in all organization activities that might involve a VIP.
  • I will not engage (face-to-face or online) with a known VIP at inappropriate times while under the responsibility of the organization’s security and safety control.
  • I will not initiate or cause (physical or online) threats, exposure, or vulnerabilities to a VIP while under the organization’s security and safety responsibility.
  • I will manage or support a State of Security Report and Presentation, under Executive Session, at least yearly, that covers incidents, vulnerabilities, improvements, and metrics across all domains of Security, including VIP Cyber and Information Security.
  • I recognize that VIP personal safety and physical security are far more important than the information they have access to.
  • Supported VIP:
    • I will not subvert the role or authority of any approved security or safety mechanism, process, or person charged with protecting the VIP during the supported time.
    • I will engage the security and safety team if I detect, see, or sense any vulnerability or threat against myself or another VIP before, during, or after the support period.
    • I will protect all security, safety, travel, schedule, and access information with the highest level of confidentiality while being supported by the organization.
    • I will not depend on the security and safety team to provide support when involving strictly personal activities, information, or technology.
    • I will be aware that unsolicited “helpful” individuals I did not personally arrange may be helpful — and may help themselves to my information or belongings.
    • I will fund or support the funding of all security and safety needs unique to my role in the organization.
    • I will support the minimization of technology (burner phones, non-smart watches, etc.) during travel to high-risk locations.
    • If my devices are taken or deemed out of my control by a government representative or unknown third party, I will notify Corporate Security as soon as it is safe to do so.
    • I will assume that my hotel, other venues (e.g., restaurants), and transportation environments may have individuals recording me for human intelligence, espionage, or other information-gathering purposes — I will watch my volume and my topics.
    • I will assume that photos/video I take may be copied, reviewed, and/or deleted, and that photos/video will be taken of me throughout my travels.
    • I will stay aware and hold myself accountable for information security challenges in open environments (e.g., hotel bar) and where alcohol or other beverages could impair verbal control. Think Before You Speak If You Drink.
  • Security / Safety Team:
    • I will begin Advance work as soon as details of the VIP’s cyber/information security environment are made available.
    • I will support the VIP’s cyber/information security and define and document roles and responsibilities immediately upon notice of the VIP’s technology-based security details.
    • I will maintain technology, access, gear, and team training that supports standard VIP cyber/information needs, and adapt as legally and operationally allowed.
    • I will notify the sponsoring/supporting point of contact and/or the VIP’s security/safety team if a need cannot be met (insourced or outsourced) or a vulnerability/threat cannot be mitigated.
    • I will manage or support an after-action report (AAR) for each VIP visit that involves cyber/information security elements and manage its identified gaps.
    • I will implement metrics to manage the security and safety aspects of protecting VIPs.
  • Technology Team supporting the VIP:
    • Where risk is material, I will implement and manage 24×7 the strongest security capabilities on all VIP devices managed by the organization, appropriate to the threats and vulnerabilities that could impact the VIP and based on the level of access the VIP has.
    • Based on travel risks, I will supply and support one-time-use/burner/wiped phones, tablets, and laptops, and provide the minimum amount of access required while traveling to high-risk countries.
    • I will support TSCM sweeps of all high-risk locations the VIP is attending where highly confidential discussions or information are involved.
    • I will provide USB physical protection devices to the VIP.

Signature Note: I am a huge fan of wet signatures on these types of documents for accountability and investigation reasons. You can add the signature lines below to each rule/policy document, or have a collective wet signature with references in the Security Commitment Agreement document available on the One-Pager library page. Organizational preference.

________________________
Print Full Legal Name

________________________
(Blue Ink) Full Legal Signature
Style of signature must closely match Driver’s License

________________________
Date

