Jo-Ann Smith, director of Technology Risk Management and Risk Privacy at Absolute, said the first task for an insider threat team should be to define the various types of risks that exist within each level of their organization. Next, the team should prioritize the risks and implement solutions, which include setting guidelines for interactions with their own direct reports, providing direction on the type of baseline controls that will be required to reduce or mitigate risk, and establishing baseline standards that will enable the company to measure existing risk levels and report on them.
The team should conduct thorough, regular vetting of employees and vendors. This is especially important for personnel who may have exhibited strange behavior or have formal complaints, as well as those in positions with privileged access to critical assets and sensitive information, Burke said.
Westby said a team lead should be responsible for establishing and managing the overall effort and reporting to any security, board or audit committees on insider risk. The core team should have an operational lead who is responsible for executing monitoring, testing, incident response and remediation activities. A program architect/designer should lead the development of policies, controls and processes and the selection of tools for the program. An analyst should work with team members and their organizations to execute the risk assessment process and reporting. Finally, an oversight lead would help measure performance and ensure compliance.
Chris Gray, practice leader and vice president of enterprise risk and compliance at Optiv Security, said, “Monitor, monitor, monitor. I cannot stress enough how important threat identification is, and rapid, effective identification stems from good monitoring processes. If you don't know what right looks like, how can you identify wrong?”
Dottie Schindlinger, governance technology evangelist at Diligent, said the policy should institute a program of training, testing and auditing of the systems/controls. The policy should lead to a procedure that identifies the specific systems and controls in place to help identify, mitigate and manage potential insider risks. The procedure should also explain the process for anyone within the company to report potential insider risks, and the protections available for “whistleblowers.” Ideally, the policy and its associated procedure should be reviewed, tested and audited at least annually.
“Compliance should own the process, requirements and procedures, as they are the gatekeepers of these areas,” Brutti said. He added that all teams should routinely meet and discuss new scenarios, and keep a matrix that allows the company to map teams to access levels and data that can be reached. From this matrix, the teams can adjust, prioritize and create policies. They can also institute key segregation of duties to disperse the crucial functions of certain processes to more than one person or department.
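The access matrix and segregation-of-duties idea Brutti describes can be made concrete. The following is an added example, not code from the article or from any organization quoted in it: the team names, systems, access levels and conflict rules are constructed assumptions, and the functions (`find_sod_conflicts`, `data_reachable_by`, `privileged_teams`) are hypothetical helpers written for illustration. It maps teams to the access they hold, flags any team holding a pair of privileges that a segregation-of-duties rule says must be split, and lists which teams can reach a given data set, which is the question such a matrix exists to answer.

```python
"""Segregation-of-duties checks over a team-to-access matrix (constructed example)."""

# Constructed matrix: team -> set of (system, access level) pairs the team can reach.
# Every name here is an assumption made for this example.
ACCESS_MATRIX = {
    "finance-ap": {("erp", "create_vendor"), ("erp", "approve_payment")},
    "finance-ar": {("erp", "view_invoices")},
    "it-ops": {("erp", "admin"), ("hr-db", "read"), ("backup", "restore")},
    "hr": {("hr-db", "read"), ("hr-db", "write")},
}

# Constructed segregation-of-duties rules: sets of privileges that should never
# be held together by one team (or one person). Holding all of them is a conflict.
SOD_RULES = [
    frozenset({("erp", "create_vendor"), ("erp", "approve_payment")}),
    frozenset({("erp", "admin"), ("backup", "restore")}),
]

# Access levels treated as privileged for vetting prioritisation (assumed values).
PRIVILEGED_LEVELS = frozenset({"admin", "restore", "write", "approve_payment"})


def find_sod_conflicts(matrix, rules):
    """Return a list of (team, rule) for every team that holds every privilege in a rule.

    A rule only fires when the whole set is present: holding one half is expected,
    holding both is what segregation of duties is meant to prevent.
    """
    conflicts = []
    for team, privileges in matrix.items():
        for rule in rules:
            if rule <= privileges:  # subset test: team holds all privileges in the rule
                conflicts.append((team, rule))
    return conflicts


def data_reachable_by(matrix, system):
    """Map each team that can reach `system` to its sorted access levels on it."""
    reach = {}
    for team, privileges in matrix.items():
        levels = sorted(level for sys_name, level in privileges if sys_name == system)
        if levels:
            reach[team] = levels
    return reach


def privileged_teams(matrix, privileged_levels=PRIVILEGED_LEVELS):
    """Teams holding at least one privileged access level, sorted by name.

    These are the teams Burke's vetting advice singles out: privileged access to
    critical assets and sensitive information.
    """
    return sorted(
        team for team, privileges in matrix.items()
        if any(level in privileged_levels for _, level in privileges)
    )


def describe_conflict(team, rule):
    """Human-readable remediation hint: which privileges to split across teams."""
    privs = ", ".join(f"{sys_name}:{level}" for sys_name, level in sorted(rule))
    return f"{team} holds conflicting privileges [{privs}]; assign them to separate teams"


if __name__ == "__main__":
    for team, rule in find_sod_conflicts(ACCESS_MATRIX, SOD_RULES):
        print(describe_conflict(team, rule))
    print("Teams that can reach hr-db:", data_reachable_by(ACCESS_MATRIX, "hr-db"))
    print("Teams to prioritise for vetting:", privileged_teams(ACCESS_MATRIX))
```

Run against the constructed matrix, the check reports two conflicts (the accounts-payable team can both create a vendor and approve a payment to it; the operations team can both administer the ERP and restore backups of it), which is the kind of finding that feeds the "adjust, prioritize and create policies" step. Real deployments would load the matrix from the identity provider or access-review tooling rather than hard-coding it, and would apply the same rules per person, since a conflict inside one team is only a problem when a single individual holds both sides.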