search menu icon-carat-right cmu-wordmark

InTP Series: Integration with Enterprise Risk Management (6 of 18)

CERT Insider Threat Center
• Insider Threat Blog
CERT Insider Threat Center

Like any other threat to the enterprise, risk must be considered when managing the insider threat. This management cannot be done without first acknowledging the risk and implementing it with other risk management processes the organization should already be doing.

Hi, this is George J. Silowash from the CERT Insider Threat Center. In this sixth installment of our blog series on establishing an Insider Threat Program, I will take a look at integrating the program with risk management.

Risk Management

Unintentional and malicious insiders pose a significant risk to the organization due to the fact that they have been granted authorized access to the organization's critical assets, including systems and data. Traditional defenses, which tend to focus on protecting the exterior of the organization, may not be effective at protecting against insider threats. Therefore, senior management must understand the risks posed by insiders (malicious and non-malicious) and take appropriate measures to mitigate the risk to an acceptable level for the organization: accept the risk or transfer the risk.

Know Your Assets

This function needs to be shared across the organization; one person cannot be responsible for determining the risks that insiders present to the organization. That is, departments from across the enterprise must determine their critical assets (both digital and physical) and assess the threats from insider activity. This information should be collected and fed into the organization's enterprise risk management program.


Continuous Evaluation

Organizations should follow the continuous cycle of assessing the risk, planning for risk control, and controlling the risk. This process continues until the risk is no long present within the organization. So long as a business continues to operate, the risk of unintentional and malicious insider activity will always be present.


Look for future blog posts about the components of an insider threat program. If you have more in-depth questions, the CERT Insider Threat Program Manager Certification may be a good fit for you and your organization.

We look forward to any comments you may have.

About the Author