Building A Holistic and Risk-Based Insider Threat Program

Similar documents
Building A Holistic and Risk Based Insider Threat Program. An Approach to Preventing, Detecting and Responding to Insider Threats

COMPLIANCE TRUMPS RISK

Corporate Risk Management Services. Pinkerton is a leading provider of risk management services and solutions for organizations around the globe.

Enterprise Risk Management Framework

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

Modernizing compliance: Moving from value protection to value creation

Risk appetite and assurance Do you know your limits?

Extended Enterprise Risk Management

An Overview of the AWS Cloud Adoption Framework

2008 BUSINESS RESILIENCY SURVEY RESULTS:

BEST PRACTICES IN Talent Management Article Title Format

Fulfilling CDM Phase II with Identity Governance and Provisioning

The Anatomy and Lifecycle of a Metric

Implementing a Compliance Monitoring Program. January 29, 2014

Avoiding Data Loss Prevention (DLP) Pitfalls A Discussion of Lessons Learned. April 2013

Ensuring Organizational & Enterprise Resiliency with Third Parties


Appendix A - Service Provider RACI Model

Risk Advisory Services Developing your organisation s governance for competitive advantage

Business Continuity Policy

LIFE CYCLE FACILITY ASSET MANAGEMENT. Presented by Pedro Dominguez Managing Principal, The Invenio Group

Building a Roadmap to Robust Identity and Access Management

When Recognition Matters WHITEPAPER OCTAVE RISK ASSESSMENT WITH OCTAVE.

Support Services Review Template

ENTERPRISE RISK MANAGEMENT USING DATA ANALYTICS. Dan Julevich and Chris Dawes April 17, 2015

Business Resilience: Proactive measures for forward-looking enterprises

Rail Carrier Minimum-Security Criteria

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

Citizens Property Insurance Corporation Business Continuity Framework

San Francisco Chapter. Presented by Scott Perry - Slalom Consulting

Catching malicious insiders through behavioral analytics

CERT Resilience Management Model, Version 1.2

Miles CPA Review: BEC Q Updates for 2017 Edition

Risk Management Policy and Framework

Practices in Enterprise Risk Management

CYBERSECURITY INSIDER THREAT BEST PRACTICES GUIDE, 2 ND EDITION FEBRUARY 2018 PREPARED BY SIFMA WITH THE ASSISTANCE OF SIDLEY AUSTIN LLP

IN PRACTICE. Managing Risk in Customs. investment climate. Lessons from the New Zealand Customs Service

An Agile State of Issue Management

Securing the Future with Physical Identity and Access Management

Compliance Risk Management Powers Performance

International Finance Corporation

This resource is associated with the following paper: Assessing the maturity of software testing services using CMMI-SVC: an industrial case study

CGEIT Certification Job Practice

CTI Capability Maturity Model

IBM Data Security Services for activity compliance monitoring and reporting log analysis management

Effective implementation of COSO s new anti-fraud guidance

Identity and Access Management. Program Primer

Information Systems and Organizations

Your reputation is hard-earned. Why risk it with poor supply chain management?

SCCE Compliance & Ethics Institute. Agenda. Trust & Verify: Investigation and Compliance Forensic Tools. September 16, 2014

Why BSI? Our products and services. To find out more visit: bsigroup.com/en-au. Conclusion

PREVENT MAJOR DATA BREACHES WITH THREAT LIFECYCLE MANAGEMENT Seth Goldhammer, Senior Director of Product Management at LogRhythm

Certified Identity Governance Expert (CIGE) Overview & Curriculum

CORE VALUES AND CODE OF CONDUCT

POSITION DESCRIPTION

A Guide to HR Shared Services

REAL-TIME RISK ALERTS KNOW THE INSTANT AN EMPLOYEE BECOMES A THREAT

INTELLIGENT IAM FOR DUMMIES. SecureAuth Special Edition

RSA ARCHER IT & SECURITY RISK MANAGEMENT

Security Today. Shon Harris. Security consultant, educator, author

Risk Appetite Statement

Advancing analytics and automation within internal audit

On the road(map) again. Balancing the emerging regulatory requirements in the Middle East public sector

Security solutions White paper. Effectively manage access to systems and information to help optimize integrity and facilitate compliance.

Breaking Out of the Security Metrics Matrix: Steps in the Right Direction

ICMI PROFESSIONAL CERTIFICATION

Active Essex Risk Management Strategy

Leading financial institutions are transforming the way they manage IT risk

Extended Enterprise Risk Management

RSA ARCHER MATURITY MODEL: AUDIT MANAGEMENT

Building an Integrated Talent Management Strategy. Stavros Liakakos, VP HCM Strategy Knowledge Infusion

ISO 28002: RESILIENCE IN THE SUPPLY CHAIN: REQUIREMENTS WITH GUIDANCE FOR USE

The power of the Converge platform lies in the ability to share data across all aspects of risk management over a secure workspace.

ENTERPRISE RISK SERVICES Managing Risk, Driving Results

Business Continuity 101. Fairchild Resiliency Systems

Gleim CIA Review Updates to Part Edition, 1st Printing June 2018

The Change Challenge: Realizing the Full Value of Your Business Initiatives

CRISC EXAM PREP COURSE: SESSION 4

A Prevention-Oriented Approach to Protecting Your Employees and Workplace A PRIMER FOR EMPLOYERS AND MANAGERS

Human Resources Security Management towards ISO/IEC 27001:2005 accreditation of an Information Security Management System

Risk Management Policy Arvind Infrastructure Limited

A Message for Brokers Letter And Security Guidelines for Brokers

CORPORATE SOCIAL RESPONSIBILITY (CSR) POLICY

Sarbanes-Oxley Act of 2002 Can private businesses benefit from it?

Continuous Auditing/Monitoring Using Data Analytics Institute Of Internal Auditors/ISACA Conference, 27/28 August 2015 Presented by: Tricha Simon

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

MATURITY MODEL SNAPSHOT REGULATORY & CORPORATE COMPLIANCE MANAGEMENT

Creating a Risk Intelligent Enterprise: Risk governance

The COSO Risk Framework: A reference for internal control? Transition from COSO I to COSO II

The State of Fraud in Government

Transition From Reactive to Proactive IT Four Ways ITSM Solutions Help Create a Proactive Enterprise. Presented By:

CODE OF BUSINESS CONDUCT AND ETHICS. FRONTIER AIRLINES, INC. Adopted May 27, 2004

WHITE PAPER. Managing the Intelligence Life Cycle: Title A More Effective Way to Tackle Crime

Change is a Constant. Effective Lean Operations when Sourcing Globally

Guide to Internal Controls

One Calgary: Enabling Services Service Plan Preview

CORROSION MANAGEMENT MATURITY MODEL

Data rich and regulation wary

Successful ERM Program Standards. Definitions of Enterprise Risk Management (ERM)

Transcription:

Building A Holistic and Risk-Based Insider Threat Program An Approach to Preventing, Detecting and Responding to Insider Threats Michael G. Gelles, Psy.D March 2015

Insider Threat Types & Drivers Insider threats include a wide rage of acts that can impact an organization's brand, reputation, financial standing, and national security. Insider Threats Terrorism Use of access to commit or facilitate an act of violence as a means of disruption or coercion for political purposes Workplace Violence Use of violence or threats of violence to influence others and impact the health and safety of the workforce and traveling public Compromise Use of access to facilitate and override security countermeasures (e.g. drug and contraband smuggling) Espionage Use of access to obtain sensitive info for exploitation that impacts national security and public safety Information Theft Use of insider access to steal or exploit information Physical Property Theft Use of insider access to steal material items (e.g., goods, equipment, badges) Sabotage Intentional destruction of equipment or IT to direct specific harm at Delta or an individual (e.g., inserting malicious code) Other Captures Delta s evolving threat landscape including emerging threats not covered in the previous examples Insider Threat Drivers Malicious Intent Complacency Ignorance An act that is malicious and intentional and done to cause damage Lax approach to policies, procedures, and potential information security risks Lack of awareness of policies and procedures creates risk Employees that are triggered by a specific work-related or non-workrelated incident such as a poor performance review, personal crisis, or shift in ideology or loyalty follow a path of idea to action Insiders typically develop a plan in advance that someone within the organization may detect Over time employees may become more lax about security policies and procedures Violators often assume that their specific behavior doesn t have a noticeable impact or that no one is monitoring their behavior. Includes passive aggressive behavior in the face of work frustration and feeling under valued - 2 - Employees being uninformed of polices and procedures or changes in in protocol is a challenge to CBP particularly when dealing with emerging threats and new employees Lack of understanding and experience with security protocols and the potential impact if not followed, further contributes to the likelihood

Core Principles The core principles below will inform the assessment and development of an insider threat program. In addition to these precepts, a robust insider threat program requires a holistic, people-centric approach with participation from a broad set of stakeholders. Cost Effective Employee Morale Recommendations made for a future insider threat program will align to the organization s culture and seek to ensure that employees and contractors feel trusted. Recommendations will balance additional costs with the need to mitigate risk to acceptable levels. Balanced Approach Too many security restrictions can impede the organization s mission and agile workforce, while having too few increases vulnerabilities. Recommendations will strike a balance between countering the threat and conducting business. Risk Based Monitoring As the perceived risk of an insider threat incident increases due to the detection of contextual, virtual, and non-virtual precursors, the amount of monitoring should also increase. 3 Continuous Improvement Routine, semi-annual evaluations of the insider threat program will address evolving threats and new vulnerabilities. - 3 - Beyond Regulations To assure the business and maintain our reputation, the organization should implement technologies, policies, and procedures that go beyond satisfying baseline requirements.

Insider Threat Definition and Vulnerability Assessment Framework Four key components provide a framework for evaluating an organization s overarching ability to prevent, detect, and mitigate Insider Threats. Use of these four components creates a holistic framework to examine Insider Threat vulnerabilities and to prioritize high risk areas. Information Access and Technical Controls Role-based access, continuous monitoring programs, and Insider Threat-related network controls provide prevention and detection capabilities. Employee Lifecycle and Management Procedures associated with the recruitment, vetting, hiring, resignation, termination, and transfer procedures throughout the employee lifecycle. Policies and Training Non-technical controls and trainings that govern the mitigation of Insider Threats, set expectations, and ensure consistent enforcement. Risk Indicators Insider Threats are influenced by a combination of virtual, non-virtual, and organizational factors. An individual s behavior across each landscape must be evaluated and weighted based on the drivers of risk. The framework provides an approach to evaluate and develop a holistic and risk-based insider threat program that focuses on prevention, detection and response. - 4 -

Insider Threat Program Structure The insider threat program structure includes the routine engagement of stakeholders that sit on an insider threat working group, foundational building blocks that are likely in place within the organization and the use of an advanced analytics solution. Human Resources Operations Office of General Counsel Finance and Administration Policy Coordination Information Technology Stakeholders Multidisciplinary groups will coordinate and provide input and meet on a reoccurring basis Low Pre-employment Investigations & Procedures Education and Awareness Personnel Management Capabilities Termination Procedures Program Foundation policies, procedures and technology provide the foundation for mitigating insider threat Vetting, managing, and releasing personnel properly and safeguarding data and information in systems Based on factors such as virtual and non-virtual actions coupled with contextual descriptors risk mitigation efforts will focus on individuals perceived to be at an elevated risk Physical Access Contextual Descriptors (Access, Clearance) High Non-Virtual Indicators (Complaints, Investigations, Foreign Travel, etc.) Data Analysis & Reporting with Advanced Analytics Tool IT Access and Technical Controls Virtual Indicators Access and Technical Controls Serve as barriers to entry for personnel and require continued re-evaluation of necessary access In the event of an incident, resilience (e.g., system and data back-up and recovery procedures) is critical Individual Monitoring Aggregating data from disparate but related data sources provides improved insight into the risk profiles of individual employees Types of data collected will include PII and must be safeguarded to the fullest extent; access to this security information will be limited Data Analysis & Reporting Data from disparate sources is combined to identify individual employees at-risk Advanced analytics tool provides automated analysis and reporting based on a risk algorithm that aligns with the organization s risk tolerance Active Monitoring* - 5 - Insider Threat Program Stakeholders Insider Threat Program Components Data Elements Monitored Key Data Analytics Capability * Creates proactive awareness and potential for cross-disciplinary coordination, intervention, and resolution.

Insider Threat Maturity Model The maturity model below categorizes insider threat programs based on common maturity levels. Implementation of recommendations included herein will transition Blank from its current state, Stage 2, to Stage 4 thereby reducing the organization s insider threat risk. Stage 5: Optimized Stage 4: Managed and Measurable Stage 1: Initial / Ad Hoc Purely reactive posture Limited coordination across stakeholders No formal insider threat policy, trainings, or communications Lacking an advanced analytics capability Stage 2: Repeatable but Intuitive Incident response is not formal, standard or well documented Existing controls primarily address external threat vectors No formal training or security awareness on insider threat Monitoring procedures to detect insider threats are reactive only Advanced analytics capabilities exist but are not being used to detect insider threats Stage 3: Defined Process Semi proactive approach to threat mitigation Standardized policies are communicated/enforced Dedicated insider threat training curriculum and security awareness Foundational advanced analytics utilized Limited network alerts Incident response protocols established - 6 - Creation of insider threat working group and working definition of insider threat Potential risk indicators are collected in an analytics tool to monitor employee behavior Employee lifecycle change reviews are established Network tripwires are used to detect anomalies Incident response is defined with clear processes Requisite policies are established, enforced and routinely communicated Monitoring of common exfiltration points is in place Peer and behavior based anomaly detection Keyword and sentiment analysis on corporate communications Granular tracking of movements through buildings Evaluation of telephone metadata Robust role based access procedures in place to prevent the erosion of access control Advanced analytics tools utilize external data sources to identify emerging insider threats Most of Blank competitors are within Stage 2 or Stage 3 of maturity. Common vulnerabilities have stemmed from a historical emphasis on external threats, a de-prioritization of the insider threat, and risk mitigation strategies that relied on trusting employees without building the proper verification.

Advanced Analytics : Conceptual Design Data elements listed are for illustrative purposes and do not represent the totality of data elements that will should be analyzed. Clearance Level Contracts Assigned Foreign Travel Info Subject of Investigation Attempts to Access Restricted Area HR Performance Ratings Start Date (Tenure) Notice of Resignation or Termination Date Complaint filed against or record of suspicious workplace behavior IT Privileged User Rights Irregularly large confidential downloads Utilizes removable media for sensitive info Large email attachments to personal email address Ethics & Compliance Subject or involved with Ethics Hotline report Non-compliance with audit requirements or industry requirements Non-compliance with training Business Ops Access to sensitive data, systems and critical business functions (e.g., employee risk level) Finance Irregularly large business expense report External data: accumulating large amount of debt and in financial stress Respond Monitor Prevent Detect Advanced Analytics tool monitored and operated by Objective quantitative risk scoring one to two full-time resource Anomaly Detection with algorithm will drive risk categories Business Rules (i.e., intelligence analyst). Risk Category Description Low Moderate High Employee falls within the acceptable risk tolerance set forth by organization Employee approaching risk threshold for additional evaluation Employee potentially subject to additional monitoring, scrutiny, or investigation based on evaluation and substantiation Analytics Tool 1. Automatic detection of anomalous activity above given threshold based on business rules Business Process Analyst Working Group Selected Owners Selected Owners 2. Substantiation of case to move forward 3. Convene stakeholders for decision on ownership and mitigation plan 4. Mitigation plan conducted by stakeholder group (HR, Ethics, etc.) 5. Acton taken based on collaboratively agreed upon mitigation approach - 7 -

Top Ten Considerations 1. Define Your Insider Threats Don t be surprised if your organization hasn t defined what an insider threat is. The reality is few organizations have a specific internal working definition as security and IT budgets have historically prioritized external threats. 2. Define Your Risk Appetite Define the critical assets (e.g., facilities, source code, IP and R&D, customer information) that must be protected and the organization s tolerance for loss or damage in those areas. 3. Optimize A Broad Set Of Stakeholders The program should have one owner but a broad set of invested stakeholders. Establish a cross-disciplinary insider threat working group that can serve as change agents and ensure the proper level of buy-in across departments and stakeholder (e.g., legal, physical security, policy, IT security). 4. Don t Forget the Fundamentals The insider threat challenge is not a purely technical one, but rather a people-centric problem that requires a holistic and people centric-solution. Organizations should avoid the common pitfall of focusing solely on a technical solution as the silver bullet. 5. Trust But Verify Establish routine and random auditing of privileged functions, which is commonly used to identify insider threats across a broad spectrum of threats in a variety of industries. 6. Look For Precursors Case studies have shown that insider threats are seldom impulsive acts. Rather, insiders move on a continuum of the idea of committing an insider act to the actual act itself. 7. Connect The Dots By correlating precursors or potential risk indicators captured in virtual and non-virtual arenas, your organization will gain insights into micro and macro trends regarding the high risk behaviors exhibited across the organization. 8. Stay A Step Ahead Insiders methods, tactics and attempts to cover their tracks will constantly evolve, which means that the insider threat program and the precursors that it analyzes should continuously evolve as well. 9. Set Behavioral Expectations Define the behavioral expectations of your workforce through clear and consistently enforced policies (e.g., social media, removable media, reporting incidents, BYOD, etc.) that define acceptable behavior and communicate consequences for violating policies. 10. One Size Does Not Fit All Customize training based on the physical and network access levels, privilege rights and job responsibilities.). - 8 -

Copyright 2012 Deloitte Development LLC. All rights reserved.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback