TRANSCRIPT
Insider Threat Program Model Overview
ASIS International—NYC 2015
Daniel McGarvey
Insider Threat Working Group
Economic Impact of the Insider Threat
“In the last fiscal year alone, economic espionage and theft of trade secrets cost the American economy more than $19 billion… economic espionage and theft of trade secrets are increasingly linked to the insider threat…” - Christopher Munsey, FBI Counterintelligence Division (2013)
“The average cost per Insider Threat incident is $412,000. Average loss per industry is $15 million/year. Multiple incidents have exceeded $1 billion.” - Patrick Reidy, FBI, Senior Level Staff, Information Security Assurance Section (2013)
Why? Shifting Value of Corporate Assets
[Chart: Composition of the S&P 500, 1975 to 2009, % value split between Tangible Assets and Intangible Assets]
“The U.S. economy has changed over the past 20 years. Intellectual capital rather than physical assets now represent the bulk of a U.S. corporation’s value. This shift has made corporate assets far more susceptible to espionage.” - Protecting Key Assets: A Corporate Counterintelligence Guide, Office of the National Counterintelligence Executive (2013)
Who’s Who of Insiders
[Figure 5. Types of Insiders that individuals believe Pose the Biggest Threat to Organizations. Survey question: In your opinion, which of the following types of insiders pose the biggest threat to your organization? (Percent of respondents, N=707, three responses accepted)]
THE REALITY IS THAT THE INVERSE IS TRUE.
Infamous Mid 20th Century Insiders
The Cambridge Five
Aldrich Ames: CIA Case Officer/Analyst. Provided detailed information to the KGB on CIA intelligence operations and agents in the USSR. Received $4.6 million in exchange for information. Convicted in 1994: sentenced to life imprisonment (without possibility of parole) for espionage.
Infamous Late 20th Century Insiders
Robert Hanssen: FBI Special Agent. Provided detailed information to the KGB/SVR on FBI intelligence operations against the USSR/Russian Federation. Received $1.4 million in cash and jewelry in exchange for information. Convicted in 2001: sentenced to life imprisonment (without possibility of parole) for espionage.
How Did the Media/Public View Them?
Spies, Turncoats, Traitors, Guilty of Treason
Sexual orientation... Blackmail… Greed... Ideology
Infamous 21st Century Insiders
Edward Snowden: NSA Systems Administrator Contractor. Passed thousands of classified documents describing NSA and allied intelligence agencies’ operations to The Guardian and The Washington Post for public release. Considered a fugitive by the US Government since 2013. Charged with espionage and theft of government property. Granted temporary asylum in Moscow by the Russian Government.
PFC Bradley Manning: US Army Intelligence Analyst. Passed thousands of classified diplomatic cables and military reports to the WikiLeaks staff, which posted this material on their public web site. Convicted in 2013: sentenced to 35 years imprisonment (with possibility of parole in eight years) for espionage.
How Does the Media/Public View Them?
Leakers, Whistleblowers, Dissidents, Patriots
Justice… Ideology… Notoriety… ?
The public view?
Why Should Corporate Management Care?
Game Changer! Companies must adapt to a new, effective security paradigm that provides an ROI in security. The world is complex, and so is our internal threat. If Security does not evolve to contain the threat…
Insider Threat Program Overview
Insider Threat Program (ITP) / Insider Threat Working Group (ITWG)
What are the characteristics of this program?
• The ITWG is a joint effort by government and industry CSOs.
• The ITP is supported by ASIS International, NDIA and NCMS.
• It addresses both violent and non-violent employee behavior.
• ITP meets both compulsory (Federal) and effective (industry) requirements.
• It is evolutionary, not revolutionary, in approach.
• Functional and psychometric analyses were used to design the program.
• ITP updates and repurposes existing programs, thus minimizing costs.
• Through effective use of metrics, ITP provides a demonstrable ROI for senior management.
USG Reaction to Insider Threat
National Industrial Security Program Operating Manual (NISPOM) Conforming Change #2 (Fall 2015): Will require US Defense Industry to establish Insider Threat Programs at all cleared contractor facilities.
NITTF Guide to Accompany the National Insider Threat Policy and Minimum Standards (November 2013): Detailed implementation plan for federal agencies to comply with the White House policy memo.
White House Memorandum: National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (21 November 2012): Directed federal agencies to establish effective insider threat programs to deter, detect and mitigate actions by employees who may represent a threat to national security.
E.O. 13587: Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information (7 October 2011): Mandated responsible sharing and safeguarding of classified information on computer networks by federal agencies. Established NITTF to assist federal agencies in preventing, deterring and detecting compromise of classified information by malicious insiders.
ITWG Insider Threat Industry Surveys
ASIS CSO Roundtable Survey (August 2013): Establish a baseline understanding of the industry Insider Threat. Surveyed CSOs of companies with > $1 billion in annual gross profit. 78 of 330 CSOs participated in the survey (24%). 94% represented companies with > 999 employees.
NCMS Survey (March 2014): Expand the survey database of industry Insider Threat Programs to include small and medium size companies. Survey conducted through the NCMS Board of Directors to the membership. 777 of 5900 members participated in the survey (13%). 56% represented companies with < 500 employees.
Insider Threat Program Survey: A joint Survey of ASIS/CSOs and NCMS
[Pie chart: Does your organization have an insider threat-related program? Options: Yes, formal; Yes, informal; No. Values shown: 35.9%, 47.2%, 17.0%]
[Pie chart: Please identify the relative size of your organization. Options: Small (1 to 249 employees); Medium (250 to 499 employees); Large (500 to 999 employees); Enterprise (More than 999 employees). Values shown: 43.2%, 6.9%, 37.1%, 21.8%]
Insider Threat Program Overview
What is an insider threat program?
An ITP is a proactive security implementation, approved and directed by executive leadership with cross-disciplinary participation to protect specified organizational assets.
ASSETS: People, Property, Facilities, Information, Infrastructure, Systems
Insider Threat Program (ITP) / Insider Threat Program Model (ITPM)
What is the goal of the ITP?
The goal of the ITP is to:
IDENTIFY > PREVENT > DETECT > RESPOND to counterproductive workforce behaviors and attacks that may compromise the safety and security of organizational assets.
Design Components: Common Properties, Model Types, Design Elements, Recommendations
Design Element 1: Operations Management & Planning
The hub and key element of the ITP. The scope includes all planning and development responsibilities – charter, leadership, policy creation, legal and privacy review, plan documentation, implementation, and requirements for each of the nine essential program elements.
BASIC: Designated PoC and responsibilities for program planning to include policies, procedures, and response protocols.
INTERMEDIATE: ITP Manager installed with supporting staff to execute program goals and objectives.
ADVANCED: Senior Executive leadership and skilled staff execute a broad spectrum of detection and mitigation activities.
Design Element 2: Analytics
Approach based on human behavior using technology as tools. Categorizes the inventory of behavioral indicators. Develops metrics to assess individual/organizational health. Builds advanced monitoring strategies to increase positive “hit” rates and reduce false-positives. Informs senior leadership and conveys ROI.
BASIC: Focuses ITP resources on the inventory of behavioral indicators associated with insider threats.
INTERMEDIATE: Analyst role added to ITP team. Acceptable use profiles created.
ADVANCED: Behavioral psychology expertise added to program. Specialized analytics applied in pre/post-hiring selection and monitoring to include social media.
Analytical Requirements
Part I: Apparel. Mind with USB port access, Metaphysical Lab Coat, Psychometric Goggles, Analytical Tongue Depressor
Part II: Questions. Who is the Insider Threat? What do you do with 150+ identified possible behaviors? How and when do you measure bad behavior? Do you want to identify behavior before it becomes bad, or after? What do you do next?
Who is the Potential Insider? The challenge is to address personality traits that remain consistent, not cultural norms, which change over time. According to the DSM-5, depending on the disorder, 2-6% of the population suffer from personality disorders associated with personality traits reflecting inappropriate behaviors. That is 7,000,000 to 21,000,000 in the USA alone. Few will be diagnosed, fewer still will ever be a threat.
How many Insiders does it really take to damage a brand name, significantly impact profits, and hurt your organization….
BUT…
How many Insiders does it take to Seriously damage an ORGANIZATION?
Analytical Requirements
PFC Bradley Manning, US Army: An Army of ONE
How many Insiders does it take to Seriously damage an ORGANIZATION?
Edward Snowden: 1 - NSA; 2 - Booz Allen Hamilton. One Insider, TWO ORGANIZATIONS damaged
How many Insiders does it take to Seriously damage an ORGANIZATION?
[Add Name], Your Company
It only takes ONE.
Behavioral Model Definitions
Personality Disorder – An enduring pattern of inner experience and behavior that deviates markedly from the expectations of the individual’s culture, is pervasive and inflexible, has an onset in adolescence or early adulthood, is stable over time, and leads to distress or impairment. (DSM-5) Personality disorders are characterized by impairments in personality functioning and pathological personality traits.
Metrics – The science of measurement. Metrics enable process assessment and controls, drive business policies and investment decisions, influence collaboration for enterprise-wide benefits, and motivate strategic and profit center alignment. (Persuading Senior Management w/Effective, Evaluated Security Metrics)
Counterproductive Work Behavior – Any intentional action by members of organizations that violates core organizational and/or social norms. (Vardi and Weiner)
Models profiled and integrated:
Cognitive: Stressor-Emotion Model – Integrating human aggression and occupational stress; Organizational Citizen Model – Counterproductive work behavior as protest
Clinical Models: True Psychology of the Insider Spy (Dr. David Charney); Diagnostic and Statistical Manual of Mental Disorders (DSM-5)
Define/Measure/Optimize
What to Measure (examples): Stressor-Emotion CWB
Behavioral Family (Individual) Minor, Nonviolent: Poor performance ratings; Late to work/meetings; Poor quality work; Misuse of time; Misuse of resources; Not accepting feedback; Disgruntled; Incongruent work history; Unreported changes in personal history
Behavioral Family (Individual) Serious, Violent: Open anger; Destruction of property; Assault; Theft; Increasing paranoia; Actions dangerous to self and others; Disregard for authority; Arrests
Behavioral Family (Individual) Serious, Nonviolent: Falsifying employment data; Excessive absenteeism; Theft of information/property; Time card fraud; Falsifying work-related data; Exhibits paranoid attitudes; Disregard for authority; Excessive secrecy; Distrust of others
Behavioral Family (Individual) Minor, Violent: Unsafe behavior (risk taking); Drug use; Alcohol abuse; Bullying of co-workers; Verbal abuse/profane language; Unexpressed anger; Aggression toward others; Demonization
What to Measure (examples): Situational Triggers
Behavioral Family (Environmental) Minor Moderating Factors: Medical issues (self/family); Depression; Being bullied at work; Injustice (self or others); Financial losses; Reward system; Job satisfaction shift; Suicide in family
Behavioral Family (Corporate) Minor Moderating Factors: Practice vs. policy inconsistent; Selection process; Lack of training; Mal-assignments; Distrust of employees; Reward system changes; Ignoring security rules; Inconsistent reward process; Perceived authority shift
Behavioral Family (Corporate) Serious Moderating Factors: Change of employee authority; Layoffs; Furloughs; No communication; Benefit loss; Employee treatment (loyalty); Patronage (selection/promotion); Terminations; Ethics violations
Behavioral Family (Environmental) Serious Moderating Factors: Loss of control (real or perceived); Poor work relationships; Marital/family difficulties; Poor job ratings; Passed over for promotion; Pending termination; Mal-assignment
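The Analytics element asks the ITP to categorize its inventory of behavioral indicators and turn them into metrics with fewer false positives. The Python below is an illustration added here, not code from the ITWG model or this deck: it aggregates constructed observations tagged with the behavioral families and severities from the two "What to Measure" slides into a per-subject disposition. The weights, thresholds, two-source corroboration rule and action tiers are assumptions.

```python
"""Aggregate behavioral indicators into per-subject ITP analytic dispositions."""
from dataclasses import dataclass, field

# Indicator inventory taken from the "What to Measure" slides: each entry maps
# an indicator to (behavioral family, severity). The weights, thresholds and
# action tiers below are assumptions for illustration, not values from the deck.
INDIVIDUAL = {
    "late to work/meetings": ("individual-nonviolent", "minor"),
    "misuse of resources": ("individual-nonviolent", "minor"),
    "theft of information/property": ("individual-nonviolent", "serious"),
    "excessive secrecy": ("individual-nonviolent", "serious"),
    "time card fraud": ("individual-nonviolent", "serious"),
    "bullying of co-workers": ("individual-violent", "minor"),
    "open anger": ("individual-violent", "serious"),
}
MODERATORS = {  # environmental/corporate moderating factors, situational triggers
    "being bullied at work": ("environmental", "minor"),
    "financial losses": ("environmental", "minor"),
    "layoffs": ("corporate", "serious"),
    "pending termination": ("situational-trigger", "serious"),
}
SEVERITY_WEIGHT = {"minor": 1, "serious": 3}
REVIEW_THRESHOLD = 3  # assumed cumulative individual weight that warrants review
MIN_SOURCES = 2       # assumed: independent collection points needed before review

@dataclass(frozen=True)
class Observation:
    subject: str    # employee identifier (pseudonymised in practice)
    indicator: str  # a key of INDIVIDUAL or MODERATORS
    source: str     # collection point, e.g. "HR:disciplinary records"
    when: str       # ISO date, kept for the analyst's timeline

@dataclass
class Assessment:
    subject: str
    score: int = 0          # weighted sum of individual indicators
    serious: bool = False   # any serious individual indicator seen
    triggers: int = 0       # weighted sum of moderating factors/triggers
    sources: set = field(default_factory=set)
    disposition: str = "none"

def disposition(score, serious, triggers, n_sources):
    """Map aggregated counts to an ITP action tier (assumed policy)."""
    warrants_review = serious or score >= REVIEW_THRESHOLD
    if warrants_review and n_sources >= MIN_SOURCES:
        # Corroborated by independent sources: hand to the ITP analyst.
        return "priority-review" if (serious and triggers) else "analyst-review"
    if triggers and not warrants_review:
        # Life-crisis signals without misconduct: EAP outreach, not investigation.
        return "wellness-outreach"
    if score or triggers:
        # Single-source or low weight: keep watching, do not act on it alone.
        return "monitor"
    return "none"

def assess(observations):
    """Group observations by subject and compute one Assessment per subject."""
    seen = set()   # (subject, indicator, source) is counted once
    results = {}
    for o in observations:
        key = (o.subject, o.indicator, o.source)
        if key in seen:
            continue   # the same source repeating itself adds no weight
        seen.add(key)
        a = results.setdefault(o.subject, Assessment(o.subject))
        a.sources.add(o.source)
        if o.indicator in INDIVIDUAL:
            severity = INDIVIDUAL[o.indicator][1]
            a.score += SEVERITY_WEIGHT[severity]
            a.serious |= severity == "serious"
        elif o.indicator in MODERATORS:
            a.triggers += SEVERITY_WEIGHT[MODERATORS[o.indicator][1]]
        else:
            raise KeyError(f"indicator not in inventory: {o.indicator!r}")
    for a in results.values():
        a.disposition = disposition(a.score, a.serious, a.triggers, len(a.sources))
    return results

# Constructed sample observations (not real data); sources follow the deck's
# HR and cyber measure lists.
SAMPLE = [
    Observation("E-1001", "late to work/meetings", "HR:absentee records", "2015-03-02"),
    Observation("E-1001", "being bullied at work", "HR:employee surveys", "2015-03-10"),
    Observation("E-1002", "theft of information/property", "cyber:host event logs", "2015-04-01"),
    Observation("E-1002", "excessive secrecy", "HR:supervisor assessments", "2015-04-03"),
    Observation("E-1002", "pending termination", "HR:personnel files", "2015-04-06"),
    Observation("E-1003", "excessive secrecy", "HR:supervisor assessments", "2015-04-08"),
    Observation("E-1003", "excessive secrecy", "HR:supervisor assessments", "2015-04-15"),
]
```

`assess(SAMPLE)` yields wellness-outreach for E-1001, priority-review for E-1002 and monitor for E-1003 (a single uncorroborated source); a real program would feed observations from its Monitoring collection points rather than a hard-coded list.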
Design Element 3: Collaboration
Details and administers internal cross-organizational interactivity required to execute the ITP plan. Details external collaboration requirements and knowledge sharing protocols necessary to facilitate the acquisition of information potentially indicative of insider threat behaviors and activities.
BASIC: Liaison is established with internal stakeholders and external government agencies and industry organizations.
INTERMEDIATE: Technologies are in place to support data collection, retention, and sharing.
ADVANCED: Interactive engagement and knowledge exchange with IC, federal, state, and local law enforcement authorities, trade associations.
Why Collaborate? Internal Collaboration, Industry Collaboration, Government Collaboration, Scalable Collaboration (Basic-Intermediate-Advanced)
Internal Collaboration
[Bar chart, ASIS/NCMS Insider Threat Survey: Which departments within your organization participate with your insider threat-related program? (Check all that apply). Departments: Human Resources, Information Technology, Legal, Ethics, Security, Counterintelligence, Operations, Finance/Accounting, Marketing/Sales; axis 0.0% to 100.0%]
Industry Partners
Industry Peers (Cleared Defense Contractors)
◦ Classified Threat Reporting from supported offices
Customers and Suppliers
Professional Associations and Working Groups
◦ ASIS, AIA, NCMS, National Industrial Security Program Policy Advisory Committee (NISPPAC), National Intellectual Property Rights Coordination Center
Trade Groups
Government Partners
US Businesses [DOMESTIC]
◦ NCIX/NCSC reporting
◦ FBI Field Office
US Businesses [INTERNATIONAL]
◦ U.S. Embassy (Commercial Services, Legal Attaché)
◦ AMCHAM
Law Enforcement (Local, State and Federal)
Regulators/Law Makers
Government Contracting Activities and Security Offices
Defense Security Service (Industrial Security Representatives and Counterintelligence Special Agents)
Design Element 4: Education
Details the requirements for education, training, and awareness concerning insider threat behaviors and risk. Provides customized training that addresses the program objectives of each design element.
BASIC: Basic insider threat education, training, and awareness provided at hiring and on an annual basis.
INTERMEDIATE: Customized training for various org units, e.g., C-suite, R&D, IP group(s), LoB, etc.
ADVANCED: Advanced CI training programs. Redundancy in training roles, sharing lessons learned for ITP improvement. Training effectiveness metrics defined and deployed.
Education, Training, & Awareness: Overview
Who must receive insider threat education, training, and awareness?
◦ Insider Threat Program Personnel
◦ Executive Leadership
◦ Workforce
What must be included in the program? Where and when should it be taught? How should this training be conducted? What resources are available to support this training?
Defense Industry Training Mandate
Proposed NISPOM Conforming Change #2 identifies specific Insider Threat training requirements for U.S. defense contractors. The following training syllabus may be required to be implemented during 2015:
Section 3-103. Insider Threat Training. The designated Senior contractor official will ensure that contractor program personnel assigned insider threat program responsibilities and all other cleared employees are trained.
a. Contractor Insider Threat Program Personnel must be trained in:
(1) Counterintelligence and security fundamentals to include applicable legal issues;
(2) Procedures for conducting insider threat response actions;
(3) Applicable laws and regulations regarding the gathering, integration, retention, safeguarding, and use of records and data, including the consequences of misuse of such information; and
(4) Applicable legal, civil liberties, and privacy policies.
b. All cleared employees must be provided insider threat awareness training, either in-person or computer-based, within 30 days of initial employment or prior to being granted access to classified information, and annually thereafter. Training will address current and potential threats in the work and personal environment and will include at a minimum:
(1) The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee;
(2) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within information systems;
(3) Indicators of insider threat behavior, and procedures to report such behavior; and
(4) Counterintelligence and security reporting requirements, as applicable.
c. The contractor will establish a system to validate and maintain a record of all cleared employees who have completed the insider threat briefings.
Section 3-107. Initial Security Briefings. Prior to being granted access to classified information, an employee shall receive an initial security briefing that includes the following:
a. A threat briefing security briefing, to include insider threat awareness in accordance with 3-103b, Insider Threat Training.
Our ITP covers these requirements in all three model types: Basic – Intermediate – Advanced
Key Education & Training Considerations
• Insider Threat terminology
• Different types of Insider Threats
• Case examples of Insider Threats
• Available data
• Personal and organizational factors which prompt an Insider Threat
• Behavioral Indicators
• Current organizational policies and controls
• Legislative and regulatory requirements on the Insider Threat
• Laws and related penalties
• Document the training program
Specific Group Training Agendas
Executive Leadership: Why is an Insider Threat Program necessary? How can it be implemented? What will it cost? What checks and balances are in place?
Insider Threat Program Personnel: What should be tracked? How is reporting managed? What civil liberties need to be protected?
Workforce: What are we protecting? What assets are most wanted by others? How can suspicious activities be reported? What checks and balances are in place?
The Insider Threat is Real
Optimize
Insider Threat & Wellness, a Different Perspective
Individual Welfare: Odd or suspicious behaviors are often associated with life crises, such as work stress, financial pressure, divorce, and death.
Helping is Not Snitching: By sharing information with management about a coworker displaying odd or suspicious behaviors, that person may get help to resolve a life crisis.
Employee Assistance: Investigations are not the only solution to responding to suspicious behavior; employee assistance programs (EAPs) can increase individual wellness and decrease pernicious emotions.
Motivating Action: If employees understand that their involvement may help an individual and prevent them from taking harmful actions, they may be more inclined to report what they observe.
Employee health ensures corporate health
Executive Syllabus
Identify your company’s “Crown Jewels”: Key assets, products and services.
Give real-life examples of Insider Threat and show the consequences.
Provide economic rationale and ROI for implementing an Insider Threat Program.
Explain ethical obligations, legal limitations and regulatory requirements.
Outline how your program will be established and operated.
Introduce key members of your Insider Threat Program Personnel.
Gain specific support commitments from each executive.
ITP Security Team Syllabus
Educate the ITP security team on Insider Threat terminology: behaviors, motives, anomalies and ways to “connect the dots.”
Educate your team on how data collection points indicate insider threat:
◦ Human Resources
◦ Legal
◦ Physical Security
◦ IT Security
◦ Information Assurance
◦ Data Owners
◦ Ethics and Compliance
◦ Internal Audit
◦ EAP
Determine what is normal within your organization (both behavioral and on the computer). Educate the team members on new and developing trends. Teach team members how to interpret data and generate metrics.
Workforce Syllabus
Explain what needs to be protected and why. Point to policies and procedures already in place. Explain what suspicious activities look like. Explain how to report suspicious activities. Develop a multi-pronged, repetitive approach to education. Consider your audience when developing materials.
Audiences: Executive Leadership, ITP Personnel, Workforce
How Should Your Training Be Conducted?
Before formalizing this Insider Threat training program, consider what current company policies, procedures and resources are already in place:
Procedures for reporting suspicious behavior of employees / trusted partners.
Access Control Systems / Badging Procedures
Annual Security Awareness training
New Hire Orientation
Pamphlets / Posters
Initial Security Briefing
Computer usage policy / wireless device policy / social media policy
Procedures for handling sensitive, proprietary and personally identifiable information (PII) as well as classified information.
Procedures for reporting suspicious activities and security incidents.
ALL employees should understand their role in eliminating internal threat.
Use ASIS ITIR as Your Education Resource
Where is the ASIS Insider Threat Information Repository and who can access it?
Access the ASIS site: www.asisonline.org. Sign in. Under “Membership,” select Library (IRC).
Design Element 5: Enterprise Security Risk Management
Details the identification, assessment, and prioritization of risk associated with specified assets within the scope of the ITP. Coordinates the economical use of resources to minimize, monitor, and control the probability and/or impact of security events.
BASIC: Risk management processes are initiated to accomplish ITP asset protection objectives.
INTERMEDIATE: ITP assets are mapped to owners, custodians, persons with access, geo-locations, servers, workstations, laptops, networks, systems, applications and endpoints.
ADVANCED: Deploys sophisticated monitoring techniques to track the movement of asset(s) across electronic and physical boundaries.
Example—ESRM Flow Chart
Systematic approach to acquiring and analyzing the information necessary for protecting assets and allocating resources.
Source: USAF/SAF/AA
[Threat-actor diagram, Source: Insider Threat Mitigation Group, LLC 2010. Actors shown: Bloggers; Darknet Operatives; Competitive Intel-Agents; Independent Entrepreneurs; Internet Entrepreneurs; Market Analysts; Information Brokers; Domestic/International; Organized Criminals; Organized “net” Gangs; Identity Thieves; Foreign Govt Intelligence-Agents (Allied States, Adversarial States); Competitors (Domestic, Foreign); Hacker-for-Hire; Freelance Hacker; Cyber Criminals; Anonymous Hacker; Unwitting Hacker; Terrorist Operatives (Domestic Operatives, International Operatives, Al Qaeda)]
Design Element 6: Counterintelligence
Details a strategic approach to the identification, disruption, neutralization, and defeat of insider attacks. Drives proactivity in ITP operations.
BASIC: CI basic principles operate in unison with existing security implementation – somewhat reactive in nature.
INTERMEDIATE: CI program elements and practices evolve for a more comprehensive and strategic approach.
ADVANCED: CI operates with a degree of autonomy from conventional security implementation.
CI Essentials for Industrial Security: Essential Body of Work (EBW)
1. Manage the CI Process
2. Determine resource allocation
3. Identify triggers and risk indicators
4. Apply CI techniques
5. Compile, process, and organize CI reports
6. Prepare and present CI awareness briefings
7. Develop an operational structure
8. Conduct vulnerability assessments
9. Evaluate, integrate, analyze, and interpret threat information
10. Maintain compliance
11. Identify and respond to cyber intrusions
12. Initiate and oversee CI investigations
13. Communicate threat awareness culture
14. Apply technical solutions
Source: Global Skills X-change (GSX)
Design Element 7: Incident Response (Deterrence)
Details procedures and protocols required to respond to technical (cyber) and non-technical (human) indicators, incidents, and events. Develops protocols for integrated direct and indirect interventions, investigations, and related response scenarios.
BASIC: Confidential reporting protocols are instituted pursuant to a documented plan.
INTERMEDIATE: Response policies and procedures reviewed and revised in response to incident findings – preventative measures are implemented.
ADVANCED: Acceptable use training is provided to emphasize expectations and enforcement consequences for non-conformity.
Design Element 8: Monitoring (Detection)
Details the metric-based design and implementation of human and technical monitoring technologies, processes, and protocols. Defines and manages data collection requirements. On-boards analytic software and predictive algorithms to measure linguistic patterns.
BASIC: Monitoring strategy is implemented pursuant to the asset protection requirements of the ITP plan.
INTERMEDIATE: Monitoring practices are refined through analytics and lessons learned. Documented profiles inform decision-makers and buttress tech-tool and resource requisitions.
ADVANCED: Technical and non-technical resources are integrated, providing automated monitoring processes to include executive dashboards for timeline visibility.
Metrics: Where to Measure
Cyber Measures
• Registry entries
• Intrusion Detection System (IDS) events
• Firewall logs
• Host event logs
• Host print logs
• Network print logs
• Database server logs
• Web server logs
• File permissions
• Access to account
• Keystroke records
• Digital signatures
• Local stored or cached files
• Proximity card data
• Applications installed
• Search engine queries (from query logs)
• Domain Name Server (DNS) logs
• Known software signature
• Email content capture
• Instant messaging
HR Measures
• Disciplinary records (theft, violence, harassment, abuse)
• Personnel files
• Absentee records
• Employee turnover
• Employee surveys
• Termination of employment
• Exit interview details
Performance Measures
• Supervisor assessments
• Corporate performance evaluations
• 360-degree evaluations
• Job performance statistics
• Customer feedback
Behavioral Assessment
How to Measure: Security Metric Evaluation Tool (SMET)
Technical Criteria – Category 1: Reliability, Validity, Generalizability
Operational (Security) Criteria – Category 2: Cost, Timeliness, Manipulation
Strategic (Corporate) Criteria – Category 3: Return on Investment, Organizational Relevance, Communication
Guidelines to make presentations more compelling
• Present metrics that are aligned with the organization’s objectives or risks, or that measure the specific issues management is most interested in
• Present metrics that meet measurement standards
• Tell a story
• Use graphics, and keep presentations short
• Present metric data regularly
Design Element 9: Audit & Improvement
Details the ITP’s review and audit management processes. Assures that the program is operating pursuant to plan. Applies lessons learned, and implements improvements based on metrics and other analysis.
BASIC: Designated PoC and responsibilities for program planning to include policies, procedures, and response protocols.
INTERMEDIATE: ITP Manager installed with supporting staff to execute program goals and objectives.
ADVANCED: Senior Executive leadership and skilled staff execute a broad spectrum of detection and mitigation activities.
Designing the Insider Threat Program
STEPS: INITIATION, FORMULATION, DESIGN, IMPLEMENTATION, EVALUATION
• Identify and review historical insider threat incidents
• Need & purpose for ITP articulated
• Obtain senior executive buy-in for program charter
• Select ITP model and components
• Build consensus and advocacy among core stakeholders (Convergence)
• In concert with General Counsel and HR, develop corporate ITP policy
• Develop comprehensive plan and timelines
• Form Insider Threat Working Group (ITWG)
• Define critical positions and modify position descriptions based on criticality
• Corporate-wide ITP metrics/measures developed
• Metrics dashboard designed
• Design comprehensive education plan
• High-level company-wide policies are approved and published
• ITP is formally launched and is operational
• Monitoring and Audit procedures initiated
• Mitigation procedures operational
• Enterprise Security Risk Management (ESRM) processes initiated to identify assets, threats and vulnerabilities
• Integrate ESRM and ITP metrics into an analytical structure
• Identify requirements for core elements: Operations, Analytics, Collaboration, and Education
• Policies and procedures are written to support the development and operation of all ITP elements
• Incorporate counterintelligence controls and measures
• Security education plan modified to incorporate ITP requirements
• Determine technologies for monitoring and analytics
• Formulate incident response requirements
• Audit and improvement requirements incorporated
• Completed ITP plan is reviewed and approved as appropriate
• Develop collaboration plan for external relationships
• Pilot ITP
There Is No Crystal Ball…
…But, a Good Plan Provides Good Optics
…to Mitigate the Risk
Contact:
Jeff Vish (Chair, ITWG) [email protected]
Dan McGarvey (Chair, D&IC) [email protected], 703.684.5067 ext. 115