InTP Series: Establishing an Insider Threat Program (Part 1 of 18)
Are you planning on establishing an insider threat program in your organization? If so, you'll find this series of 18 blog posts helpful. In this post, the first in the series, I explain why having an insider threat program is a good idea and summarize the topics my colleagues and I will be covering in this series.
My name is Randy Trzeciak, the Technical Manager of the Insider Threat Center in the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University. For the past 14 years, our team has been researching insider threats in an attempt to understand how insider incidents evolve over time as well as how organizations can prepare themselves to mitigate this complex threat. To date, we have collected and analyzed over 1000 actual insider incidents and have published over 100 reports that describe the threat and best practices for addressing it (www.cert.org/insider-threat/publications).
Because of a number of high-profile incidents that have significantly impacted organizations recently (e.g., sabotage, theft of information, fraud, national-security espionage), many organizations across government, industry, and academia have recognized the need to build an insider threat program (InTP) to protect their critical assets. Over the course of the next few months, we will be discussing the following topics as part of our blog series:
- Introduction to the CERT Insider Threat Center
- Components of an Insider Threat Program
- Requirements for a Formal Program
- Organization-Wide Participation
- Oversight of Program Compliance and Effectiveness
- Integration with Enterprise Risk Management
- Prevention, Detection, and Response Infrastructure
- Insider Threat Training and Awareness
- Confidential Reporting Procedures and Mechanisms
- Insider Threat Practices Related to Trusted Business Partners
- Data Collection and Analysis Tools, Techniques, and Practices
- Insider Incident Response Plan
- Communication of Insider Threat Events
- Policies, Procedures, and Practices to Support the Insider Threat Program
- Protection of Employee Civil Liberties and Privacy Rights
- Defining the Insider Threat Framework
- Developing an Implementation Plan
- Conclusion and Resources
In this series we will describe the key elements of an effective insider threat program. We will begin by examining the need to build a program. If you work within the U.S. Federal Government and your organization operates or accesses classified computer networks, you are required by Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, to establish a program for deterring, detecting, and mitigating insider threats.
If you support the federal government in a contracting role, there are anticipated changes to the National Industrial Security Program Operating Manual (NISPOM) (Confirming Change 2) that will require your organization to build an insider threat program. If you work outside the government, it is likely that your organization has critical assets that it needs to protect as well.
We believe that organizations across all critical infrastructure sectors will benefit from building a formal insider threat program with the following objectives:
- Deter, detect, and mitigate insider threats.
- Monitor and audit technical, physical, and behavioral information across the organization.
- Designate a senior official responsible for the program.
- Ensure proper data management practices that properly protect sensitive data.
- Protect the privacy and civil liberties of employees by involving legal counsel.
- Perform self and independent evaluations to improve the effectiveness of the program.
- Provide regular insider threat security awareness training.
In a blog we cannot provide sufficient detail to provide everything you need to build your program, but we can point you to the resources you need. If you are looking for in-depth training on how to build your program, would like to obtain an Insider Threat Program Manager Certificate, or would like our team to help you build or evaluate your program, please visit http://www.cert.org/insider-threat/, or contact the SEI at 412-268-5800.
This series describes a framework we hope you can use as a basis for building your insider threat program. Keep in mind that the majority of your employees and trusted business partners will not go on to harm your organization. However, as we've seen from actual incidents, the few that do go on to harm an organization have impacts (e.g., safety, monetary, and operational) that can be significant.
Please watch for additional posts on this subject in the coming weeks.