Implementation plans are an essential component of developing an Insider Threat Program (InTP). It is important to look at the development of an implementation plan from a strategic long-term perspective.

Hello, this is Tracy Cassidy, Insider Threat Researcher at the CERT Insider Threat Center. In this next-to-the-last blog post in our insider threat blog series, I'll provide an outline for developing an implementation plan.

Implementation plans vary and need to be tailored to the needs of each individual organization. These plans account for the processes and programs already in place, the scope of the organization's mission, and the complexity of structure and geography.

As an organization embarks on developing an implementation plan, it is essential to take note of what is already in place in order to maximize resources. Organizations should take inventory by answering some of following questions:

• What expertise exists?
• What tools and processes are already in place?
• What information do you already collect or have?
• What else do you need and in what priority?

Implementation plans include many requirements, such as methods for oversight and assessment, and reporting requirements. (Resources that contain roadmaps for developing an implementation plan for an insider threat program are available.)

These roadmaps include guidance for program implementation during the initial 90 days of the project as well as guidance for three to six months out. During the initial phases of implementation planning, we advise that when you establish a new InTP, you complete several steps, which include

• obtaining buy-in from top management
• creating the initial InTP framework and concept of operations documents, which must be approved by the organization's general counsel

As the implementation planning phase progresses, we also recommend that you create the initial set of InTP policies; begin to roll them out; and consistently enforce initial InTP policies, practices, and controls.

We've identified common problems that occur when developing an implementation plan. These problems include, but are not limited to, failure to include all involved parties and failure to develop an overall vision and framework. The performance of these initial policies should be closely monitored to adjust the policies during deployment.

More information on developing an implementation plan for an InTP can be found in our Insider Threat Program Manager Certificate Program. The training provided as part of the certificate program covers a wide array of tools, techniques, and best practices for collecting and analyzing insider threat data.

If you have questions or comments on this post or the series, please send us your feedback.