search menu icon-carat-right cmu-wordmark

Common Sense Guide to Mitigating Insider Threats - Best Practice 15 (of 19)


Hello, this is Randy Trzeciak, Technical Team Lead of Research in the CERT Insider Threat Center, with the fifteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.

The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The fifteenth of the 19 best practices follows.

Practice 15: Implement secure backup and recovery processes.

Insiders pose a substantial threat to an organization's critical assets by virtue of their knowledge and access to facilities, information, and technology. Trusted insiders can bypass existing physical and electronic security measures through legitimate measures and in many instances know what controls are in place to prevent or detect suspicious activity. Despite all of the protections applied throughout the organization, it is possible that a determined insider may still cause harm. It is essential that organizations recognize the threat posed by insiders and take the necessary steps to ensure organizational resilience by implementing and regularly testing backup and recovery processes.

The backup, logging, and recovery processes should all be secure, both in terms of what is being backed up as well as where and how the backups and logs are stored. Consider implementing dual control in backup generation, logging, and recovery processes. In a number of cases in the CERT Insider Threat Database, a disgruntled IT employee was able to disrupt the backup process, steal the backup media, modify various systems logs to frame another employee for malicious activity or wipeout all evidence of the incident, hindering the organization's ability to recover or investigate the incident.

Backup and recovery strategies should include

  • controlled access to the backup storage facility
  • controlled access to the physical media
  • separation of duties and the two-person rule when changes are made to the backup process
  • separate backup and recovery administrators

Ask yourself the following questions when assessing your backup and recovery processes:

  • Are you confident you can recover from a disruption of service to the levels specified in your service level agreements, including disruptions perpetrated by trusted insiders?
  • When was the last time you tested your complete recovery process for all systems and services throughout your organization?
  • Does your disaster recovery process include recovery from an incident committed by an insider working for a trusted business partner responsible for implementing your backup and recovery strategy?

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 16, Develop a formalized insider threat program, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to