Critical Asset Identification (Part 1 of 20: CERT Best Practices to Mitigate Insider Threats Series)
The first practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 1: Know and Protect Your Critical Assets. In this post, I discuss the importance and nature of this practice, which is a cornerstone of shaping and scoping a robust insider threat program.
The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, and provides case studies of organizations that failed to do so. The first of the 20 best practices follows.
Practice 1: Know and Protect Your Critical Assets.
When building an information assurance or security strategy, the first step is to identify and understand what you need to protect. In most organizations, this means identifying critical assets: the assets whose loss of confidentiality, integrity, or availability would impair the business mission and the functions that support it.
Critical assets can include patents/copyrights, corporate financial data, customer sales information, human resource information, proprietary software, scientific research, schematics, and internal manufacturing processes.
For example, an ecommerce business might identify as critical assets its website, inventory system, sales and accounts receivable system, any proprietary products it produces, and its interfaces with delivery systems, whether electronic or physical.
You can identify critical assets using different methods, including risk assessments, asset tracking through a service or hardware inventory, and network traffic monitoring that reveals the most frequently used network and system components.
Once you identify your critical assets, you must determine which ones are at the greatest risk of being attacked by authorized insiders and how these assets should be protected and monitored. From an insider threat perspective, risks to each critical asset should be identified from privileged users, employees, contractors, trusted business partners, and others. The insider threat team works in collaboration with other parts of the enterprise (e.g., human resources, risk management, information technology, legal) to identify the high-risk users who most often interact with these assets.
To protect critical assets, mitigation strategies are prioritized and implemented to ensure the highest value assets have the most comprehensive security. Actions include putting appropriate configurations, controls, training, and defenses in place. Often protections for critical assets also provide protections for other assets within the enterprise.
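The three steps above (find what the network actually depends on, compare that against the inventory, then rank assets so mitigation effort goes to the highest-value ones and note who touches them) can be mechanized once inventory data and traffic or access records are available. The following is an added example written for this post, not code from the CERT guide or from any SEI tool. The inventory, flow records, access events, impact ratings and scoring weights are all constructed for illustration; the flow tuples stand in for what a NetFlow or IPFIX collector would export over a sampling window.

```python
"""Added example, not from the CERT guide or this blog post.

Reconciles a constructed asset inventory against constructed network-flow
and access records to show three steps the text describes:
  1. which systems the network actually depends on (usage),
  2. which heavily used systems are missing from the inventory (a gap), and
  3. how to rank inventoried assets so mitigation effort goes to the
     highest-value ones, and which accounts touch those assets most.
Every address, asset name, rating and account below is made up.
"""
from collections import Counter

# Hypothetical inventory. "cia" holds owner-assigned impact ratings (0-3)
# for confidentiality, integrity and availability; "functions" lists the
# business functions the asset supports.
INVENTORY = {
    "10.0.1.10": {"name": "web-storefront", "cia": (1, 3, 3), "functions": {"sales"}},
    "10.0.1.20": {"name": "inventory-db", "cia": (2, 3, 2), "functions": {"sales", "fulfilment"}},
    "10.0.1.30": {"name": "ar-ledger", "cia": (3, 3, 3), "functions": {"finance"}},
    "10.0.2.5": {"name": "print-server", "cia": (0, 0, 1), "functions": set()},
}

# Constructed flow records (src, dst, dst_port, bytes), standing in for a
# sampling window exported by a NetFlow/IPFIX collector.
FLOWS = [
    ("10.0.5.11", "10.0.1.10", 443, 12000),
    ("10.0.5.12", "10.0.1.10", 443, 9000),
    ("10.0.5.13", "10.0.1.10", 443, 15000),
    ("10.0.1.10", "10.0.1.20", 5432, 4000),
    ("10.0.5.11", "10.0.1.20", 5432, 3000),
    ("10.0.5.40", "10.0.1.30", 1433, 2000),
    ("10.0.5.11", "10.0.3.7", 445, 800),   # 10.0.3.7 is in no inventory
    ("10.0.5.12", "10.0.3.7", 445, 900),
    ("10.0.5.13", "10.0.3.7", 445, 700),
    ("10.0.5.14", "10.0.3.7", 445, 600),
    ("10.0.5.11", "10.0.3.7", 445, 500),   # repeat client, not a new dependent
    ("10.0.5.11", "10.0.2.5", 9100, 100),
]

# Constructed access events (account, category, asset_ip), as might come
# from VPN or application logs; categories follow the insider groups the
# text names.
ACCESS = [
    ("jdoe", "employee", "10.0.1.20"),
    ("jdoe", "employee", "10.0.1.20"),
    ("dba-svc", "privileged", "10.0.1.20"),
    ("acme-ops", "contractor", "10.0.1.30"),
    ("acme-ops", "contractor", "10.0.1.30"),
    ("acme-ops", "contractor", "10.0.1.30"),
    ("mlee", "employee", "10.0.2.5"),
]


def dependents_by_host(flows):
    """Distinct source hosts per destination. Distinct clients is a better
    'how much depends on this' signal than raw flow or byte counts, which
    one chatty client can skew."""
    clients = {}
    for src, dst, _port, _bytes in flows:
        clients.setdefault(dst, set()).add(src)
    return {dst: len(srcs) for dst, srcs in clients.items()}


def criticality(asset, dependents):
    """Impact (C+I+A) weighted by the number of business functions the
    asset supports, plus a usage term so a widely used system outranks an
    idle one with the same ratings. The weights are illustrative."""
    c, i, a = asset["cia"]
    mission_weight = 1 + len(asset["functions"])
    return (c + i + a) * mission_weight + dependents


def rank_assets(inventory, flows):
    """Inventoried assets ordered from most to least critical."""
    usage = dependents_by_host(flows)
    scored = [(criticality(a, usage.get(ip, 0)), ip, a["name"]) for ip, a in inventory.items()]
    return sorted(scored, reverse=True)


def uninventoried_hosts(inventory, flows, min_clients=3):
    """Destinations with at least min_clients distinct clients that the
    inventory does not know about: candidates for review, because a
    system nobody owns cannot be protected or monitored."""
    usage = dependents_by_host(flows)
    return sorted((ip, n) for ip, n in usage.items() if ip not in inventory and n >= min_clients)


def frequent_accessors(access, top_assets):
    """Accounts that most often touch the top-ranked assets, with their
    insider category, for the insider threat team to review."""
    counts = Counter((user, cat) for user, cat, ip in access if ip in top_assets)
    return counts.most_common()


if __name__ == "__main__":
    ranked = rank_assets(INVENTORY, FLOWS)
    for score, ip, name in ranked:
        print(f"{score:3d}  {ip:<10}  {name}")
    print("not in inventory:", uninventoried_hosts(INVENTORY, FLOWS))
    top = {ip for _, ip, _ in ranked[:2]}
    print("frequent accessors of top assets:", frequent_accessors(ACCESS, top))
```

Run as-is, the script ranks the inventory database first (it supports two business functions and has two dependents), flags 10.0.3.7 as a file share that four clients rely on but nobody has inventoried, and shows a contractor account as the most frequent accessor of the top two assets. In practice the ratings come from the asset owners via the risk or inventory team, the flows from an existing collector, and the ranking is refreshed on the same cadence as the inventory so the insider threat team is never working from stale data.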
Although identifying critical assets is directly tied to an insider threat program, the asset inventory and tracking are not usually done by the insider threat team. Critical asset identification is usually done by a risk management group or similar team. Working with the critical asset owners, the risk or inventory team ensures it has the most up-to-date information about the assets. This information then needs to be passed to the insider threat team in a timely manner.
Identifying your assets is not easy. It takes knowledge, funding, and resources to collect information, conduct the inventory, and keep it current. Failing to follow this practice can result in the inadequate protection of key resources, delayed response to critical breaches or data exfiltration, and impediments to mission success.
This practice works hand in hand with Practice 6: Consider Threats from Insiders and Business Partners in Enterprise-Wide Risk Assessments, which we will post about as part of this series in mid-May.
Check back next week to read about Practice 2: Develop a formalized insider threat program or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.