Increasingly, organizations, including the federal government and industry, are recognizing the need to counter insider threats and are doing it through specially focused teams. The CERT Division National Insider Threat Center (NITC) offers an Insider Threat Program Manager certificate to help organizations build such teams and supports programs that are flexible, based on best practices, and tailored to the unique circumstances of individual organizations.

Insiders pose a substantial threat to organizations because they have the knowledge and access to proprietary systems, data, and facilities that allow them to bypass security measures through legitimate means. The nature of insider threats is different from other cybersecurity challenges; these threats require a different strategy for prevention and mitigation.

In January 2011, the federal Office of Management and Budget (OMB) released memorandum M-11-08, Initial Assessments of Safeguarding and Counterintelligence Postures for Classified National Security Information in Automated Systems. The memorandum announced the evaluation of the insider threat safeguards of government agencies. This action by the federal government highlights the pervasive and continuous threat to government and private industry from insiders, as well as the need for programs that mitigate this threat.

In October 2011, then President Obama signed Executive Order (E.O.) 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. The executive order requires all federal agencies that have access to classified information and systems to have a formal insider threat program.

In May 2016, the Department of Defense (DoD) released Change 2 to the National Industrial Security Program Operating Manual (NISPOM). This change, which came in the wake of a number of high-profile insider incidents involving government contractors, requires cleared federal government contractors to establish and maintain an insider threat program, meeting many of the requirements of E.O. 13587.

A formalized insider threat program as outlined in these documents provides an organization with a designated resource to address the problem of insider threat. Such a program sets the tone for the organization and creates a focal point for awareness about insider threats.

A successful insider threat program includes

• enterprise-wide participation in developing, implementing, and operating the program
• active senior leadership and executive management involvement and sponsorship
• integrated data collection and analysis of both technical and non-technical (behavioral) indicators of potential insider threat activity
• formal processes for response, communication, and escalation

Although both sets of requirements coming out of E.O. 13587 and the NISPOM focus on having an insider threat program that protects classified information and systems, it is widely recognized in the security community that a comprehensive, robust program should focus on all types of insider threat activity, beyond espionage and national security, integrating data from outside of classified networks and facilities. This means building a program to also deter, detect, and respond to activities by malicious and unintentional insiders that involve IT sabotage, intellectual property theft, fraud, unintentional disclosure of sensitive or proprietary or PII data, and acts of physical harm including workplace violence.

The NITC Insider Threat Program Manager Certificate can help organizations satisfy the requirements of E.O. 13587 and the NISPOM, along with providing guidance on building a broader, enterprise-focused program. The certificate program content and guidance is based on

• CERT NITC research, experience, and case analysis
• National Insider Threat Task Force (NITTF) minimum standards
• NISPOM requirements for insider threat

The certificate program has four components:

• Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats, a five-hour self-paced, online course
• Building an Insider Threat Program, a seven-hour self-paced, online course
• Insider Threat Program Manager: Implementations and Operations, a three-day, instructor-led course described below.
• Earning a passing score on the Insider Threat Program Manager Certificate Examination, an online exam consisting of 65 multiple-choice questions

After successfully completing all four components of the certificate program, the participant is awarded an electronic professional certificate.

This certificate program helps participants understand

• what is needed to build and operate an effective insider threat program
• technical issues from a management perspective
• problems and pitfalls to avoid
• best practices where applicable
• the importance of continued participation and buy-in from across the enterprise

The main audience for the certificate program is

• current or potential insider threat program (InTP) managers
• insider threat program team members

However, the certificate program may also be of interest to others who

• interact and support an insider threat program team (e.g., IT, Information Security, Human Resources, Physical Security, Legal/Privacy, Risk Management, Contract Officers, Software Engineering, "data owners")
• want to learn more about implementing and operating an effective program

Upon completion of this certificate program, participants will be able to

• identify the right people to involve in the planning and implementation of their InTP
• propose options for implementing their InTP
• plan the steps to build, implement, and operate their InTP
• identify policies, procedures, and training within their organization that require enhancement related to insider threat issues

More information on this certificate program can be found at https://www.sei.cmu.edu/education-outreach/credentials/credential.cfm?customel_datapageid_14047=15170.

Information on general NITC insider threat training can be found at https://www.sei.cmu.edu/research-capabilities/all-work/display.cfm?customel_datapageid_4050=21232.