SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

Policy and Control Documentation and Enforcement (Part 3 of 20: CERT Best Practices to Mitigate Insider Threats Series)


The third practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 3: Clearly document and consistently enforce policies and controls. In this post, I discuss the importance of having clearly articulated and consistently enforced policies and controls in place within your organization.

The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, and provides case studies of organizations that failed to do so. The third of the 20 best practices follows.

Practice 3: Clearly document and consistently enforce policies and controls.

Employees can pose risks to organizational assets when they don't follow the organization's policies and controls. Not following policies and controls can be unintentional or malicious. Unintentional violations can take place when employees are not familiar with current policies and controls. Malicious violations can take place when employees are disgruntled because they have unmet expectations, such as insufficient salary increases, limitations on the use of company resources, diminished authority or responsibilities, perception of unfair work requirements, or feelings of being treated poorly by co-workers.

Clearly documenting and enforcing policies and controls prevents employee misunderstandings, which reduces the chance that employees inadvertently harm the organization because they are unaware of a policy or control. Clear documentation also reduces intentional violations: when expectations about compensation, use of company resources, and authority and responsibilities are stated up front and enforced the same way for everyone, employees have fewer unmet expectations and fewer grounds to perceive unfair treatment.

Your organization should document and communicate its policies and controls concisely and coherently and make them easily available to employees for their reference and review. Providing consistent and regular employee training helps ensure that all organizational members understand and follow the latest policies and controls.

Your organization should be particularly clear when documenting policies regarding acceptable use, information ownership (intellectual property), employee performance evaluation, and employee grievance processes and procedures. It should also consider creating special policies for privileged users and accounts. (See related Practice 10: Implement strict password and account management policies and practices.)

Your organization should ensure that all individuals receive its policies when they join the enterprise and acknowledge in writing that they have reviewed them. Your organization should review its policies regularly and enforce its policies and controls consistently across divisions and roles within the enterprise. The organization should also determine how these policies are communicated to and enforced within trusted business partner organizations.

Key activities outlined in this practice require management involvement, including

  • advocating, enforcing, and complying with all policies
  • briefing employees
  • making policies easily accessible
  • mandating annual refresher training
  • enforcing policies consistently

Common challenges to implementing this practice are

  • designing clear and understandable policies
  • defining methods that ensure consistent enforcement
  • establishing and following processes for reviewing, updating, and disseminating revised policies as needed

Check back next week to read about best practice 4: Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.

For more information about the CERT Insider Threat Center, see www.cert.org/insider-threat/, or contact us at info@sei.cmu.edu.

View other blog posts by Mark T. Zajicek.