CERT Insider Threat Vulnerability Assessments, ITVA Training Course, and ITVA Certificate Program
The CERT National Insider Threat Center (NITC) has been researching insider threats since 2001. In this blog post, we provide an overview of the CERT Insider Threat Vulnerability Assessment methodology, the CERT Insider Threat Vulnerability Assessor (ITVA) Training course, and the CERT Insider Threat Vulnerability Assessor Certificate program.
"Risks from malicious insiders are real and leave no sector of the economy or part of the country untouched. All organizations, whether in small towns or big cities, are vulnerable to insider attacks."
- NITTF "Protect Your Organization from the Inside Out: Government Best Practices" (2016)
After high-profile incidents and unauthorized disclosures of information during the past decade, the United States Government issued requirements, minimum standards, and guidance1 for executive branch departments and agencies to establish programs to prevent, detect, and respond to insider threats. Organizations in all sectors are becoming increasingly aware of the need to identify weaknesses and vulnerabilities that could enable an insider to intentionally (or unintentionally) do harm to the organization.
CERT Insider Threat Vulnerability Assessment
The CERT NITC developed an Insider Threat Vulnerability Assessment methodology to help organizations figure out how prepared they are to prevent, detect, and respond to insider threats. The assessment methodology is based on the CERT NITC's analysis of more than 1,300 actual cases where insiders took advantage of process or control weaknesses to negatively impact an organization. The assessment identifies technical vulnerabilities, business process gaps, and management practices. It also evaluates an organization's ability to integrate behavioral analytics into the threat assessment process.
The Insider Threat Vulnerability Assessment examines information technology, human resources, physical security, business processes, legal, management, contracting, and organizational issues. The assessment process includes reviewing documents, interviewing critical personnel in the organization, and observing crucial processes and security issues. The assessment report documents the key findings of the assessment. It identifies an organization's exposure to insider threats along multiple vectors (technical, behavioral, process, and policy) and includes recommendations to manage these issues and their associated risks.
The CERT Insider Threat Vulnerability Assessment uses the same methodology as the CERT Insider Threat Program Evaluation (ITPE). However, the two activities differ in scope and focus. The ITPE evaluates an organization's enterprise-wide establishment of an insider threat program2. It can be included in the annual reports on insider threat programs that are required of Federal departments and agencies. An Insider Threat Vulnerability Assessment is usually more narrowly focused on specific parts of an organization. It looks at a broad range of potential vulnerabilities in critical assets, controls, and processes that support key services related to the organization's mission, drawing upon observations from insider threat cases analyzed by the CERT NITC.
CERT Insider Threat Vulnerability Assessor (ITVA) Training Course
The CERT NITC offers an Insider Threat Vulnerability Assessor (ITVA) Training course that focuses on the skills and competencies needed to perform an insider threat vulnerability assessment of an organization. This three-day, classroom-based course is geared for two groups: those who want to create their own assessment instruments and processes, and those who want to use the CERT methodology and tools to perform insider threat vulnerability assessments. Course participants learn how to plan and execute an assessment as well as develop a final assessment report.
Using scenario-based exercises, this training course takes participants through all the steps to conduct an insider threat vulnerability assessment. The ITVA Training course topics and exercises include the following:
- ITVA assessment methodology lifecycle (Planning, Pre-Assessment, Onsite Assessment, and Post-Assessment / Reporting)
- ITVA capability workbook components (capabilities, levels of preparedness, indicators, evidence, and scoring)
- ITVA capability workbook areas (Data Owners, Human Resources, Legal, Physical Security, Information Technology, Software Engineering, and Trusted Business Partners)
- preparing and planning for the assessment
- pre-assessment activities (determining logistics, reviewing organizational documentation, developing a data collection plan)
- performing on-site data collection (interviews and observations)
- substantiating and corroborating evidence for meeting indicators
- recording and scoring data
- developing the assessment report
- an overview of ITVA capabilities and indicators for each area/workbook
Organizations have the option to license3 the CERT Insider Threat Vulnerability Assessment methodology and tools to either use internally or assess insider threats associated with other organizations.
CERT Insider Threat Vulnerability Assessor (ITVA) Certificate Program
The CERT NITC offers an Insider Threat Vulnerability Assessor (ITVA) Certificate program to enable assessors to better understand insider threats and identify and manage their associated risks. The ITVA Certificate program consists of four components:
- Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats, a 5 hour online course
- Building an Insider Threat Program, a 7 hour online course
- Insider Threat Vulnerability Assessor (ITVA) Training, the classroom course described earlier
- Earning a passing score on the Insider Threat Vulnerability Assessor Examination, an online test consisting of 65 multiple-choice questions
After successfully completing all four components of the certificate program, the learner is awarded an electronic certificate of completion.
1 U.S. Government, insider threat related mandates and guidance include the following:
- OMB Memorandum M-11-08, Initial Assessments of Safeguarding and Counterintelligence Postures for Classified National Security Information in Automated Systems
- Executive Order (E.O.) 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
- National Insider Threat Task Force (NITTF) Minimum Standards for Executive Branch Insider Threat Programs
- National Industrial Security Program Operating Manual (NISPOM)
- NITTF "2017 Insider Threat Guide: A Compendium of Best Practices to Accompany the National Insider Threat Minimum Standards"
- NITTF "Protect Your Organization from the Inside Out: Government Best Practices"
2 Based on minimum standards, guidelines, and best practices identified by the National Insider Threat Task Force (NITTF) and the CERT NITC.
3 Organizations interested in licensing the CERT ITVA methodology and tools, which include copies of the CERT ITVA workbooks, supporting materials, and the CERT Joint Assessment Tool (JAT), must have candidate assessors be sponsored by an approved SEI Partner organization. For more information on the process and associated fees, please refer to SEI Certification Opportunities.