How to Implement an Insider Threat Program

INSIDER THREAT MANAGEMENT GROUP
PREVENT | DETECT | MITIGATE™
SHAWN M. THOMPSON, ESQ., Founder and President, ITMG
Insider Threat Management Program Guide: Initiate | Develop | Implement
www.itmg.co | [email protected] | 410-874-3712
Sponsored by

Transcript of How to Implement an Insider Threat Program

Page 1: How to Implement an Insider Threat Program

INSIDER THREAT MANAGEMENT GROUP

PREVENT | DETECT | MITIGATE™

SHAWN M. THOMPSON, ESQ.

Founder and President, ITMG

Insider Threat Management Program Guide: Initiate | Develop | Implement

Page 2: How to Implement an Insider Threat Program

2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.

An opinion is only worth the experience that supports it.

Founder and President, Insider Threat Management Group

Board Member, National Insider Threat Special Interest Group

Insider Threat Program Manager, Department of Defense

Senior Legal Advisor, National Insider Threat Task Force

Senior Special Agent, Department of Defense

Senior Litigation Attorney, Department of Defense

Assistant General Counsel, Federal Bureau of Investigation

Special Assistant United States Attorney, United States Department of Justice

Page 3: How to Implement an Insider Threat Program

Key Issues

1. What are the ITMP Objectives?

2. What is an ITMP?

3. How do you build an ITMP?

Page 4: How to Implement an Insider Threat Program

What are the ITMP Objectives?

Page 5: How to Implement an Insider Threat Program

What is an “Insider Threat Program?”

It is NOT simply . . .

Performing pre-employment background checks

Deploying a DLP or UAM solution

Collecting network logs

Providing security training

Designating someone as the ITPM

An “INFOSEC” program

A data problem

A people problem

Page 6: How to Implement an Insider Threat Program

Initial Operating Capability

Governance and Strategy – roadmap, clarity of vision, alignment with business objectives

Background Investigation – baseline component, understand employee, good v. bad providers

Awareness and Training – first and best line of defense, clarity of roles and responsibilities, prevent and deter

Asset Management – discovery, classification, asset management capability

User Activity Monitoring – VISIBILITY, VISIBILITY, VISIBILITY

Investigation and Mitigation – trained personnel, option preservation, LEARN

Page 7: How to Implement an Insider Threat Program

Full Operating Capability

Continuous Evaluation – snapshots insufficient, people change

Risk-Based Access Control – access control plus, asset management alignment

Data Analysis – baseline, structured v. unstructured, acquire understanding

Insider Risk Assessment – individual risk scores, dynamic, [(impact) * (threat * vulnerability)]

Oversight and Compliance – watch-the-watchers, iterative, legitimizes the program

Page 8: How to Implement an Insider Threat Program

Insider Threat Program Build Process

Page 9: How to Implement an Insider Threat Program

Initiation Phase

Plan for Success – baseline current capabilities, lay groundwork, engage executive leadership

Identify Stakeholders – build a corporate team, drawn from across business units, that will support the program

Create Business Case – VALUE, align with business objectives, tailor to audience

Assemble the Team – “crawl, walk, run,” identify work roles, personnel gaps

Page 10: How to Implement an Insider Threat Program

Development Phase

Assess Risk – overall risk posture, efficient resource allocation, repeatable processes

Develop Action Plan – understand risk, develop requirements, identify solutions

Develop Operating Framework – strategy and governance, roles, policies and procedures

Obtain Employee Support – critical, messaging plan, senior executives deliver

Page 11: How to Implement an Insider Threat Program

Implementation Phase

Develop Analytic Capability – understand data source, sharing agreements, identify analytic solution

Create Incident Response Plan – identify response needs, identify roles, create network, draft workflows

Develop Oversight and Compliance – identify lead and requirements, draft policies and procedures, create reporting metrics, develop feedback mechanisms

Page 12: How to Implement an Insider Threat Program

Key Takeaways

Iterative Process

Know Your People

Know Your Assets

Monitor interactions

Investigate

Learn

Page 13: How to Implement an Insider Threat Program

QUESTIONS?

SHAWN M. THOMPSON, ESQ.

Founder and President

Insider Threat Management Group

itmg.co

410-858-0006

Shawn M. Thompson, Esq., Insider Threat Management Group, [email protected]