Software Engineering Institute | Carnegie Mellon University

SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

InTP Series: The Insider Threat Framework (Part 16 of 18)


The single most important aspect of developing a successful insider threat program (InTP) framework is a clear vision. Therefore, it is imperative that you define your vision in a concept of operations document or charter.

Hi, this is Jason W. Clark, Ph.D., an insider threat researcher with the CERT Insider Threat Center. In this blog post, I will briefly describe and define an InTP framework document.

A framework document must clearly articulate the InTP mission and scope, including the following:

  • Types of assets to be protected
  • Consideration of classified versus unclassified systems
  • Consideration of malicious versus unintentional acts
  • Types of insider threat incidents to be reported
  • Triggers for various types of incidents

It is crucial that this framework document clearly describes where the InTP will reside in the organization. Furthermore, there must be management buy-in, and the hierarchy, functions, and operations must be well established before implementation.

One of the primary reasons that InTPs fail is weak or missing relationships between the InTP and other parts of the organization (both internal and external). Additionally, all roles, responsibilities, and authority of the various components and stakeholders must be dispersed according to the mission and objectives of the InTP prior to implementation.

The graphic on the right shows the elements of an effective InTP and how the four areas are interconnected.

One common theme in mature InTPs we've encountered is consistency. This theme is especially relevant when determining priorities, severity, and escalation criteria.

There are various ways to structure an InTP, so it is imperative that an organization determine what works best for its environment and culture. Lastly, remember that an InTP mission must support the organization's goals and objectives.

We want to hear your feedback on this topic. If you have questions or want to share experiences you've had with your InTP, contact us.
