
InTP Series: Incident Response Planning (Part 12 of 18)

CERT Insider Threat Center
• Insider Threat Blog

Your incident response plan should cover the entire incident lifecycle, including processes for how incidents are detected, reported, contained, remediated, documented, and prosecuted (if applicable).

Hello, this is Mark Zajicek at the CERT Insider Threat Center. In this week's blog post, I summarize some guidance and suggest considerations to help you to develop an insider incident response plan.

Your insider threat program (InTP) needs a well-thought-out, documented incident response plan with supporting procedures. These procedures ensure that your response to an insider incident is standardized, repeatable, and consistently applied. Also make sure that your procedures comply with all legal, ethical, privacy, and civil liberties requirements.

Your incident response plan and procedures should provide guidance for responding to incidents whether they involve a malicious insider or an unintentional insider. Your insider incident response plan could build upon an existing, general incident response plan (for example, one for responding to external intrusions or attacks), or you could choose to have a separate plan for insider incident response. If you have a separate plan, you should ensure that it ties into and is consistent with your general response plan.

When insider threat anomalies are detected or when allegations of insider threat behavior are received by your InTP, an inquiry should be conducted within the authority of your InTP to attempt to substantiate or refute the information. Your incident response plan should also integrate with and support your communication plan and define the processes for escalation, notification of management and other stakeholders, and handoff to an investigations unit or law enforcement.

Your specific response processes will likely differ for different types of incidents (e.g., fraud versus theft of intellectual property versus sabotage) as well as for malicious versus unintentional activity. Depending on the nature and details of the incident, internal response options could range from simple retraining of the insider, up through personnel actions, organizational sanctions, or legal actions. If appropriate, external responses could include referrals to an internal investigative unit, counterintelligence, or local or federal law enforcement.

Here are some basic tenets to consider when developing your insider incident response plan:

  • Responses must be documented and practiced consistently.
  • All response procedures should be coordinated with General Counsel.
  • Privacy and civil liberties must be considered in response procedures.
  • All inquiries should receive a disposition after a reasonable period of inactivity.
  • All inquiries should have a retrievable record after their disposition.
  • Until anomalies or allegations are substantiated, the name of the individual must be kept confidential and not revealed outside of the personnel who are authorized to resolve insider threat concerns.
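The last four tenets (dispositions after inactivity, a retrievable record after disposition, and confidentiality of the subject's identity until substantiation, limited to authorized resolvers) are easy to state and easy to get wrong in a case-tracking system. The sketch below is an added example written for this post; it is not CERT's code and not a recommended product. It assumes an in-memory registry, an HMAC-based pseudonym so the case record never carries the real name, a separate identity vault that only the reveal step reads, a 90-day inactivity limit, and the actor names used in the demo; all of these are assumptions.

```python
"""Illustrative inquiry registry for an insider threat program (added example, not CERT's code).

Shows: subject pseudonymization until substantiation, need-to-know reveal,
automatic disposition after a period of inactivity, and a retrievable,
append-only record that survives disposition.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumption: in a real deployment this key and the identity vault live in a
# separately access-controlled store, not beside the case records.
PSEUDONYM_KEY = b"rotate-me-and-keep-me-out-of-the-case-db"


@dataclass
class Inquiry:
    inquiry_id: str
    subject_token: str                      # HMAC pseudonym, never the real identity
    category: str                           # e.g. "fraud", "ip_theft", "sabotage"
    opened: datetime
    last_activity: datetime
    substantiated: bool = False
    disposition: Optional[str] = None
    # Append-only event log: (time, actor, note). Never truncated after disposition.
    events: List[Tuple[datetime, str, str]] = field(default_factory=list)


class InquiryRegistry:
    def __init__(self, authorized_resolvers: Set[str], inactivity_limit: timedelta):
        self._authorized = set(authorized_resolvers)
        self._inactivity_limit = inactivity_limit
        self._inquiries: Dict[str, Inquiry] = {}
        self._identity_vault: Dict[str, str] = {}   # token -> identity (restricted)

    @staticmethod
    def _pseudonym(identity: str) -> str:
        # Keyed hash: the case record cannot be reversed to a name without the key.
        return hmac.new(PSEUDONYM_KEY, identity.encode(), hashlib.sha256).hexdigest()[:16]

    def _require_authorized(self, actor: str) -> None:
        if actor not in self._authorized:
            raise PermissionError(f"{actor} is not authorized to resolve insider threat concerns")

    def open_inquiry(self, identity: str, category: str, actor: str, now: datetime) -> str:
        self._require_authorized(actor)
        token = self._pseudonym(identity)
        self._identity_vault[token] = identity
        inquiry_id = f"INQ-{len(self._inquiries) + 1:04d}"
        inq = Inquiry(inquiry_id, token, category, now, now)
        inq.events.append((now, actor, f"opened ({category})"))
        self._inquiries[inquiry_id] = inq
        return inquiry_id

    def add_note(self, inquiry_id: str, actor: str, note: str, now: datetime) -> None:
        self._require_authorized(actor)
        inq = self._inquiries[inquiry_id]
        if inq.disposition is not None:
            raise PermissionError("inquiry already dispositioned; open a new inquiry instead")
        inq.events.append((now, actor, note))
        inq.last_activity = now

    def substantiate(self, inquiry_id: str, actor: str, now: datetime) -> None:
        self.add_note(inquiry_id, actor, "substantiated", now)
        self._inquiries[inquiry_id].substantiated = True

    def disposition(self, inquiry_id: str, actor: str, outcome: str, now: datetime) -> None:
        self.add_note(inquiry_id, actor, f"disposition: {outcome}", now)
        self._inquiries[inquiry_id].disposition = outcome

    def reveal_subject(self, inquiry_id: str, actor: str) -> str:
        # Authorized resolvers may always see the subject; anyone else (management,
        # an investigations unit) only once the allegation is substantiated.
        inq = self._inquiries[inquiry_id]
        if actor in self._authorized or inq.substantiated:
            return self._identity_vault[inq.subject_token]
        raise PermissionError("subject identity is confidential until substantiated")

    def close_inactive(self, now: datetime, actor: str = "registry") -> List[str]:
        # Give every open inquiry with no activity for the limit a disposition.
        closed = []
        for inq in self._inquiries.values():
            if inq.disposition is None and now - inq.last_activity >= self._inactivity_limit:
                inq.disposition = "closed - no activity"
                inq.events.append((now, actor, f"disposition: {inq.disposition}"))
                closed.append(inq.inquiry_id)
        return closed

    def record(self, inquiry_id: str) -> dict:
        # Retrievable after disposition; contains the pseudonym, not the name.
        inq = self._inquiries[inquiry_id]
        return {
            "inquiry_id": inq.inquiry_id,
            "subject_token": inq.subject_token,
            "category": inq.category,
            "substantiated": inq.substantiated,
            "disposition": inq.disposition,
            "events": list(inq.events),
        }


if __name__ == "__main__":
    reg = InquiryRegistry({"analyst.a"}, timedelta(days=90))
    t0 = datetime(2024, 1, 1)
    iid = reg.open_inquiry("j.doe", "ip_theft", "analyst.a", t0)        # constructed sample
    reg.substantiate(iid, "analyst.a", t0 + timedelta(days=3))
    print(reg.reveal_subject(iid, "manager.m"), reg.record(iid)["events"])
```

Two design points worth keeping when you build the real thing: the event log is append-only and is never discarded at disposition, which is what makes the record retrievable for a later postmortem or legal hold; and the reveal path is the only code that reads the identity vault, so a dump of the case database alone does not expose who is under inquiry.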

To help you sustain and improve your response processes, you should hold a postmortem review after notable incidents (e.g., incidents involving high-value assets, situations that did not go well) and periodically test your insider incident response plan (e.g., mock incident scenarios or tabletop exercises). You can then identify and implement improvements to your plan based on feedback and lessons learned.

More information about developing an insider incident response plan is provided in our courses that are part of our Insider Threat Program Manager (ITPM) Certificate.

If you have questions or comments about this post or this blog series, please contact us.
