Hello, this is Randy Trzeciak, Technical Team Lead of Insider Threat Research for the CERT Program, with the second of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.

The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The second of the 19 best practices follows.

Practice 2: Clearly document and consistently enforce policies and controls.

It is important that organizations develop policies and controls that focus on the protection of their critical assets, people, information, technology, and facilities. But beyond the creation of policies and controls, organizations must clearly communicate the existence of these policies and controls and take the necessary steps to ensure they are consistently enforced for all members of the organization, including employees, contractors, sub-contractors, and other trusted business partners.

Organizations should ensure that the policies and controls are

• concise and coherent, including reasoning behind the policy, where applicable
• consistently enforced
• reinforced through periodic employee training

Organizations should be particularly clear on policies regarding

• acceptable use of the organization's systems, information, and resources
• use of privileged or administrator accounts
• ownership of information created as a work product
• evaluation of employee performance, including requirements for promotion and financial bonuses
• processes and procedures for addressing employee grievances

Organizations should strive to meet the needs of their employees while consistently setting realistic expectations to avoid employees becoming disgruntled due to perceived injustice. Disgruntlement is a common motivation of insiders who went on to harm an organization by sabotaging one or more of its IT systems. Consistent enforcement may be an effective way to manage the disgruntlement on the part of employees who are affected by organizational events and conditions. Inconsistent enforcement may lead to employees feeling that certain people within the organization are immune to the rules.

Quick Wins

• Ensure that senior management advocates, enforces, and complies with all organizational policies.
• Ensure all employees are briefed on all policies and procedures.
• Ensure all policies are easily accessible to all employees.
• Ensure all employees are required to take regular refresher training.
• Ensure all policies are consistently enforced to prevent the appearance of favoritism and injustice.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 3, Incorporate insider threat awareness into periodic security training for all employees, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.