InTP Series: Policies, Procedures, and Practices (Part 14 of 18)
An InTP requires two sets of policies, procedures, and practices: one set describing the operation and components of the program and the other set describing insider threat program (InTP) activities.
Hi, I'm Cindy Nesta of the CERT Insider Threat Center. In this 14th installment of the InTP Blog Series, I will provide you with a clear explanation of the policies, procedures, and practices that an InTP requires.
Many of the policies, procedures, and practices necessary for an InTP to operate successfully may already exist in some state within your organization, so you should start by identifying what you already have in place. As you build and implement the structure around your InTP, review all related areas to see what practices exist and to what extent they need to be revised to support the InTP's mission.
Defining the InTP
A formalized InTP should at least have defined policies, procedures, and practices that define the following:
- the InTP and its compliance process
- the actions and operations of the InTP team and corresponding investigative teams
- the process for detecting and mitigating insider threats and malicious activity
- the type of response options available
- the role employees are expected to fill in support of the InTP
In addition to the creation of specific insider threat policies, procedures, and practices, other organizational policies, procedures, and practices should be reviewed to identify which should
- be adjusted or revised to support InTP activities
- describe activities in other areas, such as Human Resources or Information Technology, that support appropriate and effective insider threat incident prevention, detection, and response
Policies, Procedures, and Practices Defining InTP Activities
The following are some general policies, procedures, and practices that should be in place to operate an InTP:
- an approved organization-wide insider threat policy that is applicable to employees, contractors, and trusted business partners
- a defined mission and function for the InTP
- an incident response plan that accommodates insider incidents
- policies and procedures detailing the data collection and aggregation process
- policies and procedures for user monitoring
- a financial plan and budget for the InTP
- a policy and procedure requiring the inventory of high-value assets and their criticality
- supporting policies, such as procedures for investigating suspicious actions by employees, anonymous reports, or potential insider threat activities
Related Policies, Procedures, and Practices
Other policies, procedures, and practices that should be in place for different areas of the organization such as Human Resources, Legal, Counter Intelligence, Information Technology, physical security, data owners, and others who are part of the organizational-wide program:
- acceptable use policy
- data retention policy
- access control policies and procedures
- account auditing policies and procedures
- data controls governing data destruction and corresponding policies and procedures
- background screening policies and procedures
- hiring and employee separation policies and procedures
- physical security policies and procedures
- foreign travel policies and procedures
Consider the following legal tasks that must be considered when creating your InTP:
- Create, maintain, and enforce acceptable use and monitoring policies.
- Obtain employee acknowledgement of policies and communicate any updates.
- Protect proprietary information through technical measures, such as access control.
- Consider the need to review logs for evidence when creating your data retention policies.
- Be cautious of performing your own investigations; make sure to preserve evidence.
- Be prompt when issuing a legal response.
Remember, it's a good practice to conduct a quarterly review of InTP policies, procedures, and practices. As time goes by, there will be organizational changes, technology changes, and day-to-day operational change. InTP policies, procedures, and practices should reflect or be revised to accommodate changes.
If you want more information about the insider threat policies, procedures, and practices, consider taking steps to earn our Insider Threat Program Manager Certification. If you have any questions or comments, please feel free to contact us!