Insider Threat Supply Chain Best Practices
This blog post outlines best practices for establishing an appropriate level of control to mitigate the risks involved in working with outside entities that support your organization's mission. In today's business landscape, organizations often rely on suppliers such as technology vendors, suppliers of raw materials, shared public infrastructure, and other public services. These outside entities are all examples of the supply chain, which is a type of trusted business partner (TBP). However, these outside entities can pose significant security risks.
Understanding the Problem
The CERT Division's National Insider Threat Center (NITC) has found that over 15% of insider threat incidents were perpetrated by someone in the victim organization's supply chain. Although even more incidents of this kind occur in the private sector, that figure demonstrates that the issue remains relevant in the government sector. A case example of a supply chain incident follows:
The insider was employed as a customer service representative by a TBP of the victim organization, who was responsible for handling the organization's employees' healthcare claims. The insider worked with 3 outsiders. While on site and during work hours, the insider used their access over 6 months to steal addresses of medical service providers from the organization's database, and also manipulated the organization's system to divert millions of dollars in payouts to fraudulent Medicare claims. The insider was not able to make all of the necessary data modifications, and built a rapport with two employees who were able to do so, enabling themselves to carry out the scheme. The organization performed an internal audit and detected the fraud. The insider was arrested, convicted, and ordered to pay $89,000. The insider was sentenced to about 8 years imprisonment and about 5 years of probation. The incident related impact was $1.2 - $20 million.
By modeling the motivations, methods, and targets of the perpetrators in these incidents, it is possible to identify a set of best practices that can be used to develop and implement a mitigation strategy for supply chain risk management.
Mandates and Regulations
Several existing mandates and regulations provide organizations a given set of standards. Even if an organization is not legally required to follow them, these standards are a great starting point for developing robust and secure supply chain policies and procedures. To begin, your organization should consider how insiders might collude with someone in the supply chain or take advantage of weaknesses in supply chain processes and how that might affect your organization, and you should review existing policies and procedures with those repercussions in mind.
Here are a few examples of the available mandates and regulations your organization can use as a starting point: the International Organization for Standardization (ISO) 28000 series, ISO 20243, ISO/IEC 15408 Common Criteria, National Institute for Standards and Technology (NIST) SP 800-161, NIST SP 800-171, NIST 800-53, and the Defense Federal Acquisition Regulation Supplement (DFARS).
The list below outlines several best practices that are available to assist you with mitigating insider threat risk within the supply chain. You should revisit these practices on an annual basis as they might change over time.
- Establish and put supply chain trusted insiders' scope review, risk identification, and risk management in place. To accomplish this, review and identify each supplier's scope of activities and where they fit into your organization's supply chain. You must also use any risk management and assessment activities conducted by your organization to identify and address specific risks and threats to critical assets and data that members of the supply chain might introduce.
- Define and document the rules of engagement for the supplier's operation within your organization's daily activities by establishing supplier and organizational terms and conditions. Ensuring these rules are integrated into the contract between your organization and the supplier can provide protections for your organization if the supplier fails to follow the set terms and conditions.
- Deploy a monitoring strategy that identifies criteria for monitoring supplier interactions and methods for identifying anomalies or deviations. Be sure to outline these criteria in the supplier and organizational defined terms and conditions.
- Form effective relationships and communications strategies that are supported by all levels of your organization. These strategies are critical because TBP management focuses on establishing an appropriate level of controls to manage the risks that originate from or are related to the organization's dependence on these external entities.
- Make background screenings required for all supply chain providers to ensure that the supply chain adequately mitigates insider threat risk. The rigor of these screenings should be equal to those conducted by your organization, at a minimum. Be sure to consider all legal requirements when creating policies involving background screenings.
- Develop a formal onboarding process that includes clear, formal, and codified agreements with suppliers as part of the initiation process to help your organization manage its resilience over the lifecycle of the relationship. Assign and update all appropriate points of contacts for both your organization and the supplier as necessary.
- Ensure the Acceptable Use Policy (AUP), which informs employees of the proper use of the organization's IT systems and services, is followed by supply chain personnel who have been granted access to the organization's IT systems. You might need to put customized AUPs in place for those who have temporary or guest-level access.
- Develop an intellectual property (IP) ownership right policy defining your organization's ownership rights over IP created by TBPs. Documents such as non-disclosure agreements (NDAs), non-competes, and IP agreements should be required and enforced.
- Reporting of policy violations should be mandatory for all TBPs. These reports can include technical or physical security violations, and should contain any violations that indicate insider risk. Violations should be reported immediately to an appointed point of contact at the organization (e.g. Insider Threat Program Manager or Corporate Security) through a defined process. A clearly articulated Supplier Code of Conduct should be put in place and suppliers should be monitored for adherence.
- Ensure that the appropriate mandates and regulations are reviewed and applied as necessary and that the best practices are put in place at your organization.
Insider threat remains a large part of an organization's overall risk, and TBPs who are part of an organization's supply chain account for a portion of insider threat incidents. The CERT Division's National Insider Threat Center (NITC) at the Software Engineering Institute at Carnegie Mellon University has used its expansive incident corpus of over 1,000 empirically analyzed cases to identify nine best practices related to the prevention, detection, and response to insider threats within the supply chain. The best practices discussed above, along with the mandates and regulations, should be reviewed and applied as necessary to help reduce insider threat risk to the supply chain. Policies and procedures associated with insider threat risk should also be incorporated into the organization's overall security framework.