This blog post outlines best practices for establishing an appropriate level of control to mitigate the risks of working with outside entities that support your organization's mission. In today's business landscape, organizations routinely rely on suppliers such as technology vendors, suppliers of raw materials, shared public infrastructure, and other public services. These outside entities are all part of the supply chain, which is one type of trusted business partner (TBP). However, these same entities can pose significant security risks.
The CERT Division's National Insider Threat Center (NITC) has found that over 15% of insider threat incidents were perpetrated by someone in the victim organization's supply chain. Although even more incidents of this kind occur in the private sector, that figure demonstrates that the issue remains relevant in the government sector as well. A case example of a supply chain incident follows:
The insider was employed as a customer service representative by a TBP of the victim organization; the TBP was responsible for handling the organization's employees' healthcare claims. The insider worked with 3 outsiders. While on site and during work hours, the insider used their access over 6 months to steal addresses of medical service providers from the organization's database, and also manipulated the organization's system to divert millions of dollars in payouts to fraudulent Medicare claims. The insider was not able to make all of the necessary data modifications on their own, so they built a rapport with two employees who could, enabling the insider to carry out the scheme. The organization performed an internal audit and detected the fraud. The insider was arrested, convicted, and ordered to pay $89,000. The insider was sentenced to about 8 years imprisonment and about 5 years of probation. The financial impact of the incident was $1.2 - $20 million.
By modeling the motivations, methods, and targets of the perpetrators in these incidents, it is possible to identify a set of best practices that can be used to develop and implement a mitigation strategy for supply chain risk management.
Several existing mandates and regulations provide organizations with a defined set of standards. Even if an organization is not legally required to follow them, these standards are a sound starting point for developing robust and secure supply chain policies and procedures. To begin, your organization should consider how insiders might collude with someone in the supply chain or take advantage of weaknesses in supply chain processes, how that might affect your organization, and then review existing policies and procedures with those repercussions in mind.
Here are a few examples of the available mandates and regulations your organization can use as a starting point: the International Organization for Standardization (ISO) 28000 series, ISO 20243, ISO/IEC 15408 Common Criteria, National Institute of Standards and Technology (NIST) SP 800-161, NIST SP 800-171, NIST SP 800-53, and the Defense Federal Acquisition Regulation Supplement (DFARS).
The list below outlines several best practices that can help you mitigate insider threat risk within the supply chain. You should revisit these practices on an annual basis, as they might change over time.
Insider threat remains a large part of an organization's overall risk, and TBPs that are part of an organization's supply chain account for a portion of insider threat incidents. The CERT Division's National Insider Threat Center (NITC) at the Software Engineering Institute at Carnegie Mellon University has used its expansive incident corpus of over 1,000 empirically analyzed cases to identify nine best practices related to the prevention of, detection of, and response to insider threats within the supply chain. The best practices discussed above, along with the mandates and regulations, should be reviewed and applied as necessary to help reduce insider threat risk to the supply chain. Policies and procedures associated with insider threat risk should also be incorporated into the organization's overall security framework.