Here’s what each department should bring to the table:
C-Suite: A member of the executive team should be present because you will need executive buy-in to ensure the other departments represented on the insider risk team have the authority to establish a risk-based monitoring program and to sign off on an Acceptable Use Policy (if one is not already established). The executive member also sets the boundaries of what is acceptable behavior and what is not, ties the plan to the company's strategic objectives and helps outline a security policy.
Legal: The legal team should be present to ensure all employee/user monitoring activities meet local, state and federal laws. They should also help define what is permissible to monitor, such as email and instant messages, the websites employees visit, the online apps they use, and any content they download or print. Recording employees as they log into their bank accounts online could be a legal risk for the company if something happened to the employee's account. Also, since IT might not be permitted to review the activity of higher-level employees, legal will work with the security team to determine which roles within the organization can review which sets of activity.
Human Resources: HR can help create the processes necessary to ensure there is a warranted and documented need for any monitoring, and that the security team is made aware of these issues without breaking any privacy laws. For example, HR might be aware of an employee leaving (a potential risk) or of an employee's personal or financial issues that might make them high-risk and worth investigating. The HR team (or any other department) would communicate this threat through the pre-determined risk level of the position, not the name of the individual employee.
IT / Security: IT, or whoever will be involved in both evaluating possible technology solutions and implementing the selected solution, will provide the non-technical team members with context around which users have access to what sensitive data, as well as what is technically possible when it comes to monitoring activity. All of this will be invaluable when putting the planning and preparation output of this team into practice. Technologies such as user behavior analytics, for example, look at patterns of behavior and do not require inspection of the content of an employee's activity to deliver on their promise of detecting insider threats. User activity monitoring software lets you capture and review the specific actions of an employee's activity, including their emails or texts, if needed. There are versions of both that let you configure the types of activity monitored to align with your organization's goals, with privacy protections woven throughout to address HR concerns.
“The risk of malicious activity from the seemingly trusted insider is still an ongoing reality for organizations worldwide. IT can’t implement a full insider risk program on its own – or keep one working properly,” Green said.