search menu icon-carat-right cmu-wordmark

Common Sense Guide to Mitigating Insider Threats - Best Practice 16 (of 19)


Hello, this is George J. Silowash, Cybersecurity Threat and Incident Analyst and Lori Flynn, Insider Threat Researcher for the CERT Program, with the sixteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.

The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The sixteenth of the 19 best practices follows.

Practice 16: Develop a formalized insider threat program.

One of the key elements to mitigating the insider threat is to have an insider threat program. It should have an enterprise-wide scope with an established vision and defined roles and responsibilities for preventing, detecting, and responding to insider incidents. An insider threat program develops clear criteria for identifying insider threats, a consistent procedure for implementing technical and nontechnical controls to prevent and/or detect malicious insider behavior, and a response plan in the event an insider does harm to the organization.

As shown in the figure below, which represents the information flow within a generic insider threat program, relevant information is gathered from many parts of the organization, but received and analyzed only by the insider threat program's core team and manager. Organizations in the U.S. generally use functional groups and position names shown in the figure. The insider threat program's core team usually consists of a representative from each of the following departments:

  • Information Technology
  • Information Assurance
  • Human Resources
  • Physical Security
  • Legal Counsel

A C-level manager (or equivalent) should act as the program manager or chairperson of the insider threat program so that its members have the authority to perform the program's duties. While the five department representatives are key members of the program, they must work with other team members from across the organization to receive information they need to be effective.

A formal insider threat program includes members of different teams from across the enterprise on an as-needed basis. People from across the organization can fill many of the program's roles; however, it is important to identify these individuals and roles before an insider incident occurs. The insider threat core team's response plan must include a method that can be used to communicate privately in case standard communication channels are compromised.

Legal counsel participation is required for information-gathering processes to ensure that all evidence is gathered and maintained according to legal standards. Legal counsel should also ensure that information is shared properly among insider threat project members, working within the confines of the law while maintaining privacy and confidentiality. Maintaining confidentiality is important to protecting the integrity of inquiries and the reputation of innocent inquiry subjects.

These are just a few things to consider when developing an insider threat program. For a more detailed discussion, we encourage you to review best practice 16 in the Common Sense Guide to Mitigating Insider Threats.

Check back in a few days to read about best practice 17, Establish a baseline of normal network device behavior, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to

Get updates on our latest work.

Each week, our researchers write about the latest in software engineering, cybersecurity and artificial intelligence. Sign up to get the latest post sent to your inbox the day it's published.

Subscribe Get our RSS feed