How to quickly assess your insider threat mitigation

May 6, 2015
Micro-assessment template rates insider threat mitigation against 19 best practices from the CERT Insider Threat Center

All organizations have some degree of insider threat.  According to the annual "CyberSecurity Watch Survey," conducted by the U.S. Secret Service, the CERT Insider Threat Center, and CSO Magazine:

  • 43 percent of survey respondents had experienced at least one malicious, deliberate insider incident in 2010. (53 percent in 2011 and 2012.)

Do you know where your organization stands regarding insider threats? Wouldn’t your management team like to know, too?

Organizations have begun to acknowledge the importance of detecting and preventing insider threats. For many organizations, establishing an insider threat program and beginning to look for potentially malicious insider activity is a new business activity. So reports the CERT Division of the Software Engineering Institute at Carnegie Mellon University.

Since 2001, the CERT Insider Threat Center has conducted empirical research and analysis to develop and transition socio-technical solutions to combat insider cyber threats. The Insider Threat Center partners with the U.S. Department of Defense, the U.S. Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community.

Each year, the Insider Threat Center publishes its research findings, lessons learned and best practices regarding insider threat mitigation.

One of its most valuable publications is the "Common Sense Guide to Mitigating Insider Threats, 4th Edition." In this report, the authors define insider threats and outline current insider threat patterns and trends. More importantly, the report describes 19 practices that organizations should immediately implement to prevent and detect insider threats, and presents case studies of organizations that failed to do so.

Insider Threat Mitigation Micro-Assessment Template

After studying this important document, I developed the "Insider Threat Mitigation Micro-Assessment Template" to help you quickly get a baseline reading against the 19 best practices for insider-threat mitigation presented in the CERT guide. This is not a full-blown insider threat data risk assessment. It is a simple assessment that can be performed easily that will give you the status of your organization's insider threat mitigation controls compared to 19 best practices for insider threat mitigation. Most organization's don't know and can't report to management exactly where they stand with regard to these critical best practices.

The template also includes a link to guidance on establishing insider threat metrics.

You don’t have to be a security practitioner to perform this micro-assessment. You just need to be able to consult with the responsible/knowledgeable parties in these areas of your organization:

  • Human Resources (HR)
  • Legal
  • Physical Security
  • Data Owners
  • Information Technology (IT)
  • Information Assurance (IA)
  • Software Engineering

If the scope of your job does not easily provide you with such access, there are still options for accomplishing the assessment. You can partner with someone who does have such access, obtain sponsorship from a more senior individual who can open organizational doors for you, or forward these materials to someone above you who agrees that insider threat is an important security issue.

If your organization does not have an in-house IT department or a software engineering group, you can still check with the organization that provides any such services to you.

A Note about Data Owners

All organizations have "data owners," whether or not they use that particular phrase. Typically the term is applied to the individuals who are given the authority or right to decide who can have access to enterprise data (i.e. access management). In large organizations with formal data governance programs, the data owner possesses a broad amount of accountability for the data generated and consumed, and is responsible to ensure adequate safeguards are in place to manage data risks.

Click here to download the Insider Threat Mitigation Micro-Assessment Template, as well as the "Common Sense Guide to Mitigating Insider Threats, 4th Edition."

Insider threat is a significant challenge. Most organizations have a hard time getting started on developing an insider threat program.  The results of the "Insider Threat Mitigation Micro-Assessment" can be very helpful in getting discussions rolling, and in raising awareness of the different aspects of insider threat mitigation that your organization hasn’t yet implemented but should be considering.

Editor's note: "Micro-Assessment Template – Insider Threat Mitigation," is based on "Common Sense Guide to Mitigating Insider Threats, 4th Edition" by George Silowash, Dawn Cappelli, Andrew P. Moore, Randall F. Trzeciak, Timothy J. Shimeall, and Lori Flynn, CMU/SEI-2012-TR-012, (c) 2012 Carnegie Mellon University; however, neither Carnegie Mellon University nor its Software Engineering Institute have reviewed this work and accordingly do not directly or indirectly endorse this work.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.