How to Implement an Insider Threat Program
INSIDER THREAT MANAGEMENT GROUP
PREVENT | DETECT | MITIGATE™
SHAWN M. THOMPSON, ESQ.
Founder and President, ITMG
Insider Threat Management Program Guide: Initiate | Develop | Implement
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.
An opinion is only worth the experience that supports it.
Founder and President, Insider Threat Management Group
Board Member, National Insider Threat Special Interest Group
Insider Threat Program Manager, Department of Defense
Senior Legal Advisor, National Insider Threat Task Force
Senior Special Agent, Department of Defense
Senior Litigation Attorney, Department of Defense
Assistant General Counsel, Federal Bureau of Investigation
Special Assistant United States Attorney, United States Department of Justice
Key Issues
1. What are the ITMP Objectives?
2. What is an ITMP?
3. How do you build an ITMP?
What are the ITMP Objectives?
What is an “Insider Threat Program?”
It is NOT simply . . .
Performing pre-employment background checks
Deploying a DLP or UAM solution
Collecting network logs
Providing security training
Designating someone as the ITPM
An “INFOSEC” program
A data problem
A people problem
Initial Operating Capability
Governance and Strategy – roadmap, clarity of vision, alignment with business objectives
Background Investigation – baseline component, understand employee, good v. bad providers
Awareness and Training – first and best line of defense, clarity of roles and responsibilities, prevent and deter
Asset Management – discovery, classification, asset management capability
User Activity Monitoring – VISIBILITY, VISIBILITY, VISIBILITY
Investigation and Mitigation – trained personnel, option preservation, LEARN
Full Operating Capability
Continuous Evaluation – snapshots insufficient, people change
Risk-Based Access Control – access control plus, asset management alignment
Data Analysis – baseline, structured v. unstructured, acquire understanding
Insider Risk Assessment – individual risk scores, dynamic, [(impact) * (threat * vulnerability)]
Oversight and Compliance – watch-the-watchers, iterative, legitimizes the program
Insider Threat Program Build Process
Initiation Phase
Plan for Success – baseline current capabilities, lay groundwork, engage executive leadership
Identify Stakeholders – build corporate team that will support the program, across business units
Create Business Case – VALUE, align with business objectives, tailor to audience
Assemble the Team – “crawl, walk, run,” identify work roles, personnel gaps
Development Phase
Assess Risk – overall risk posture, efficient resource allocation, repeatable processes
Develop Action Plan – understand risk, develop requirements, identify solutions
Develop Operating Framework – strategy and governance, roles, policies and procedures
Obtain Employee Support – critical, messaging plan, senior executives deliver
Implementation Phase
Develop Analytic Capability – understand data source, sharing agreements, identify analytic solution
Create Incident Response Plan – identify response needs, identify roles, create network, draft workflows
Develop Oversight and Compliance – identify lead and requirements, draft policies and procedures, create reporting metrics, develop feedback mechanisms
Key Takeaways
Iterative Process
Know Your People
Know Your Assets
Monitor interactions
Investigate
Learn
QUESTIONS?
SHAWN M. THOMPSON, ESQ.
Founder and President
Insider Threat Management Group
itmg.co
410-858-0006