Each organization needs to establish an “insider risk” team that specifically addresses the associated challenges: determining who has (or should have) access to confidential corporate and client data and what each positional “risk level” should be, what constitutes inappropriate user behavior, how their activity will be monitored, and how the organization will communicate which behavior is acceptable and the ramifications for breaking “the rules,” he added.
Scottie Cole, network and security administrator at AppRiver, said insider risk teams are vital to an organization’s security. However, he said, insider risk teams don’t necessarily have to be dedicated, full-time positions; they can draw on a broad spectrum of positions to bring the most holistic security angle.
For an insider risk team to be successful, it takes collaboration across the company, said Shawn Burke, Global CSO at Sungard Availability Services: Procurement for vendor due diligence, Human Resources for screening, internal communication and consequence protocols, and the Risk Committee for overall response strategy. General Counsel and the Chief Compliance Officer are also key stakeholders, since insider monitoring must comply with a spate of new state and national privacy legislation.
Mancini said an effective insider risk team will design controls, take action, provide governance, and investigate. “Governance and control are critical to an insider risk team. Who will watch the watchers? Audit capabilities must be woven into the process.”
Kennet Westby, president and co-founder at Coalfire Systems, says that the insider risk team should also include representatives from any other users or groups with elevated access and privilege, including any vendor management and third-party contracting teams. Others believe the team should include the CISO, CIO, and Risk and Compliance officers.
Steven Grossman, vice president of strategy and enablement at Bay Dynamics, noted that everyone in an organization needs to play a role. “However, the key core players must be comprised of multiple talents that understand user behavior and the overall landscape of cyber risk. That includes the type and value of applications, hosts associated with those applications, and the vulnerability posture of those hosts and applications. Application security owners who have a deep business understanding of the value and security of the applications under their governance play an essential role on the team. They know whether a seemingly unusual behavior was indeed business justified,” he said.
Team punch list
Initial, high-value items to identify during insider threat risk assessment and analysis are:
- Shared service accounts used by multiple staff, typically with administrative-level access
- Local systems accounts exclusive of shared authentication and authorization systems
- Outside, remote entry accounts used by vendors and consultants with elevated access levels
- Culture and policy enforcement for personal device and data use
- Security awareness and learning management
- Controls for identity access management
- Management practices for notification of personnel separation, terminations, and transfers
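The punch list above is an inventory exercise, and the first pass over it can be scripted. The example below is added here and is not code from the article or from any of the organizations quoted. It runs four of the checks (shared administrative accounts, local accounts outside central authentication, privileged vendor accounts, and accounts left enabled after a separation) over a constructed account inventory; the field names, the "central"/"local" source tag, and the assumption that each login can be tied to a human (for instance through SSO or bastion session records) are assumptions made for the illustration.

```python
"""Added example: first-pass triage of an account inventory against the
insider-risk punch list. All data is constructed; the schema (source tag,
owner field, person-per-login) is an assumption, not any real product's."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    source: str        # "central" = directory/IAM managed, "local" = host-only
    privileged: bool   # administrative-level rights on the system
    external: bool     # vendor / consultant / contractor account
    enabled: bool
    owner: str         # person or team accountable for the account


@dataclass(frozen=True)
class Login:
    account: str
    person: str        # human behind the session, e.g. from SSO or bastion logs
    host: str


# Constructed sample inventory and login records.
ACCOUNTS = [
    Account("svc_backup", "central", True, False, True, "infra-team"),
    Account("dba_admin", "central", True, False, True, "db-team"),
    Account("localadmin", "local", True, False, True, "unknown"),
    Account("vendor_support", "central", True, True, True, "acme-vendor"),
    Account("jdoe", "central", False, False, True, "jdoe"),
    Account("msmith", "central", True, False, True, "msmith"),
]
LOGINS = [
    Login("svc_backup", "alice", "db01"),
    Login("svc_backup", "bob", "db01"),
    Login("svc_backup", "carol", "db02"),
    Login("dba_admin", "dave", "db01"),
    Login("dba_admin", "dave", "db02"),
    Login("jdoe", "jdoe", "ws17"),
    Login("msmith", "msmith", "ws04"),
]
# Constructed HR feed of people reported as separated or transferred.
SEPARATED = {"msmith"}


def shared_accounts(logins, min_people=2):
    """Accounts used by at least `min_people` distinct humans."""
    people = defaultdict(set)
    for login in logins:
        people[login.account].add(login.person)
    return sorted(a for a, p in people.items() if len(p) >= min_people)


def local_accounts(accounts):
    """Enabled accounts that live outside the shared authN/authZ system."""
    return sorted(a.name for a in accounts if a.source == "local" and a.enabled)


def external_privileged(accounts):
    """Enabled vendor/consultant accounts holding elevated access."""
    return sorted(a.name for a in accounts
                  if a.external and a.privileged and a.enabled)


def stale_after_separation(accounts, separated):
    """Enabled accounts whose owner HR has reported as separated/transferred."""
    return sorted(a.name for a in accounts if a.enabled and a.owner in separated)


def triage(accounts=ACCOUNTS, logins=LOGINS, separated=SEPARATED):
    """Run every check and return findings keyed by punch-list item."""
    by_name = {a.name: a for a in accounts}
    shared = shared_accounts(logins)
    return {
        "shared_admin": [n for n in shared if by_name[n].privileged],
        "shared_other": [n for n in shared if not by_name[n].privileged],
        "local": local_accounts(accounts),
        "external_privileged": external_privileged(accounts),
        "stale_after_separation": stale_after_separation(accounts, separated),
    }


if __name__ == "__main__":
    for item, names in triage().items():
        print(f"{item}: {', '.join(names) or '-'}")
```

On the sample data the script flags `svc_backup` as a shared administrative account (three different people behind one login), `localadmin` as a host-local account, `vendor_support` as a privileged external account, and `msmith` as an account still enabled after separation; `dba_admin` is not flagged as shared because only one person has used it. The per-login `person` field is the part most organizations lack, which is exactly why the punch list starts with shared service accounts: without a way to attribute a session to a human, the account cannot be audited.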