This is the second note on Insider Threats reflecting the Common Sense Guide to Mitigating Insider Threats, 4th Edition, CMU/SEI-2012-TR-012, December 2012. The first note, Insider Threat and Incident Response, summarized key elements of the guide related to incident response planning and management. This note applies those elements to the incident response planning process.
The guide identifies the following items and practices of special importance to incident response when dealing with an insider threat:
According to the 2012 Cybersecurity Watch Survey, a company has a 50% chance of experiencing an insider incident in any given year, or a certainty of experiencing an incident in a 2-year time frame (see Insider Threat and Incident Response for specific references). Our note, A Data Breach and Insider Threats, examines the cost of a data breach and the potential roles played by insiders.
In our Response Management Framework we describe this as the Core and Extended Response Team.
An insider incident is likely to involve legal, human resources, and physical security. More importantly, the response actions require special authorizations and notifications as the response proceeds. Using an agile approach – iterating through incident actions with the extended team members – provides a useful delineation of the appropriate actions at each step.
Documented policies that are consistently enforced support defensible actions, including employee or contractor termination. Documentation and consistent enforcement are even more important when stronger legal remedies apply. The incident response plan, with its associated actions, is a key element for documenting policies and for ensuring consistent actions.
The Common Sense Guide recommends developing a comprehensive, enterprise-wide checklist to use at the time of separation. The checklist might identify: (1) a list of employees who need to know of the termination; (2) a list of accounts assigned to the employee; and (3) a list of resources to monitor after the termination.
The last point recognizes that terminating an employee may escalate the threat presented by that employee. Monitoring key resources post-termination may identify an incident before a serious impact occurs. The checklist can also be used to help identify likely insider incidents.
It is important to note that when any insider incident occurs, the incident response may collect important documentation needed to support the termination process.
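As an added illustration (not from the guide or from the original note), the following Python builds the three-item separation checklist from a constructed account inventory and then checks constructed authentication log lines for use of the separated employee's accounts after the termination time. The employee id, account names, notification list and log format are all assumptions.

```python
from datetime import datetime

# Constructed sample data (hypothetical): accounts assigned per employee id,
# and the separation record HR would supply at termination time.
ACCOUNT_INVENTORY = {
    "E1042": ["jdoe", "jdoe-admin", "svc-reporting"],
}
SEPARATIONS = {
    "E1042": {
        "terminated_at": "2012-12-03T17:00:00",
        "notify": ["manager", "hr", "physical-security", "it-ops"],
    },
}

# Constructed sample authentication log, one event per line:
# <ISO timestamp> <account> <host> <result>
SAMPLE_LOG = """\
2012-12-03T08:15:02 jdoe vpn-gw1 success
2012-12-03T18:42:10 jdoe-admin fileserver2 success
2012-12-04T02:10:44 svc-reporting db-prod success
2012-12-04T09:00:00 asmith vpn-gw1 success
"""


def build_checklist(employee_id):
    """Assemble the guide's three checklist items for one separation:
    who to notify, which accounts exist, and what to monitor afterwards."""
    sep = SEPARATIONS[employee_id]
    accounts = ACCOUNT_INVENTORY.get(employee_id, [])
    return {
        "notify": list(sep["notify"]),
        "accounts": accounts,
        # Assumed starting point for post-termination monitoring: every
        # account the employee held, including service accounts they ran.
        "monitor": set(accounts),
        "terminated_at": datetime.fromisoformat(sep["terminated_at"]),
    }


def post_termination_activity(checklist, log_text):
    """Return (timestamp, account, host, result) for each log event in which
    a monitored account is used after the termination time."""
    hits = []
    for line in log_text.splitlines():
        ts, account, host, result = line.split()
        if account in checklist["monitor"] and datetime.fromisoformat(ts) > checklist["terminated_at"]:
            hits.append((ts, account, host, result))
    return hits
```

The service account used at 02:10 the next morning is the case the checklist is meant to catch: it was assigned to the employee but would be missed if only the personal login were disabled.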
The guide recommends maintaining an up-to-date inventory of (1) all data types being processed; (2) all devices including network devices, mobile devices, and credentialing tools; and (3) your information geography: sensitive areas; single or multiple locations; domestic or foreign locations; and physical or virtual (cloud-based) locations.
These inventories are important tools needed for all effective incident response, not just insider incidents. Understanding your assets is a critical element of the next practice: an enterprise-wide risk assessment.
The guide recommends a number of controls that mitigate the risk of an insider threat, for example, background checks. But the enterprise-wide risk assessment does more. It considers the risk insider threats pose to assets beyond information resources, and it provides potential impact assessments for those assets. This information is important to building an effective incident response program.
In an earlier note, Risk Assessment and Incident Response, we talk about this important linkage.
A coordinated response is a bigger challenge when an incident involves an insider. Establishing an effective plan is an important step, and the Common Sense Guide provides elements and practices to hone that plan.
Let us help you with a response plan review that considers your exposure to insider threats.