Insider Threat Programs: How To Get Started (IMPACT 2015, Phil Robinson) - PowerPoint PPT Presentation



SLIDE 1

Insider Threat Programs:

How To Get Started

IMPACT 2015

Phil Robinson

SLIDE 2

Video removed due to size constraints

SLIDE 3

Theme

— Insider Threat is NOT ONLY about protecting data on your network…
— Risk: Tolerance/Avoidance/Acceptance
— Company culture and willingness to adjust
— Understand your business environment
— Needs vs. wants vs. dollars
— Advancement of your program – total assets protection

SLIDE 4

NISPOM CC#2: what we know today (27 April 2015)

— When issued, NISPOM Conforming Change 2 will require cleared industry to implement an insider threat program
— Industry has six months to implement upon issuance of NISPOM Conforming Change 2
— The NISPOM will outline minimum standards that include:
  — Establish and maintain an insider threat program
  — Designate an insider threat senior official
  — Gather, integrate, and report
  — Conduct self-assessments of the insider threat program
  — Insider threat training
  — Monitoring network activity
  — User acknowledgements
  — Classified banners

Source: DSS

SLIDE 5

Before you go Down that Road

— Ask yourself a host of questions:
  — Why have an Insider Threat Program?
  — What does Insider Threat mean to your company?
  — What’s the stated goal?
  — What are the objectives?
  — Are you prepared to drive the message?
  — Do you have the needed resources?
  — Do you have an SME on your team?
  — Do you have a network to bounce ideas off?

SLIDE 6

Before you go Down that Road

— Do you have support?
  — Senior Leadership
  — Potential Stakeholders
  — Business
— What’s your company’s tolerance / culture?
  — Size
  — Scope
  — Acceptance
  — Is “Insider Threat” the right phraseology?

SLIDE 7

Before you go Down that Road

— Assess your data – determine what needs to be protected under this umbrella
— Perform a risk analysis of your data
— Understand what you are protecting

Bottom line: what do you really need? Compliance only OR value add

SLIDE 8

General Overview: What is Insider Threat?

— Definition (CERT):

A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.

[focus: data loss prevention]

Source: CERT

SLIDE 9

General Overview: What is Insider Threat?

— Definition (DoD):

Acts of commission or omission by an insider who intentionally or unintentionally compromises or potentially compromises DoD’s ability to accomplish its mission. These acts include, but are not limited to, espionage, unauthorized disclosure of information, and any other activity resulting in the loss or degradation of departmental resources or capabilities.

[focus: protection of national security information]

Source: DSS

SLIDE 10

General Overview: What is Insider Threat?

Industry - For Consideration:

An Insider Threat is a current or former employee, contractor, or other business partner who exceeds or misuses, intentionally or unintentionally, access in a manner that violently or non-violently negatively impacts COMPANY’S assets: computer systems, networks, people, information, processes, reputation, facilities, equipment, operations, etc. This includes any person with authorized access to United States Government resources (personnel, facilities, information, equipment, networks, or systems) while a representative of the company.

[focus: protection of the company; extended to clients]

SLIDE 11

Existing Programs

Robust

— Formal Insider Threat Team with assigned analysts and SMEs
— Defined insider threat response plan
— Integrated information sharing and data collection including technical and behavioral indicators
— Focused across current and former employees, contractors, subcontractors, supply chain, and other trusted business partners

Less Robust

— Ad-hoc group called together to handle events and incidents, or incident handled by response processes and personnel
— Use existing incident response plan or no response plan
— User monitoring via host and network based analysis only
— Focused on current and former employees

Source: CERT

SLIDE 12

Existing Programs

Robust (gold plated)

— Formal Insider Threat Team with assigned analysts and SMEs
— Defined insider threat response plan
— Integrated information sharing and data collection including technical and behavioral indicators
— Focused across current and former employees, contractors, subcontractors, supply chain, and other trusted business partners

Less Robust (economical)

— Ad-hoc group called together to handle events and incidents, or incident handled by response processes and personnel
— Use existing incident response plan or no response plan
— User monitoring via host and network based analysis only
— Focused on current and former employees

Your Company

Source: CERT

SLIDE 13

A Typical Multifaceted Insider Threat Program Model

[Figure: program model diagram]

Source: ASIS D&C ITWG

SLIDE 14

Design Steps (Example)

[Figure: design steps laid out across four phases: Initiation, Formulation, Implementation and Evaluation. The steps read from the figure are listed below.]

  • Identify and review historical insider threat incidents
  • Need & purpose for ITP articulated
  • Obtain senior executive buy-in for program charter
  • Select ITP model and components
  • Build consensus and advocacy among core stakeholders (Convergence)
  • In concert with General Counsel and HR, develop corporate ITP policy
  • Develop comprehensive plan and timelines
  • Form IT Working Group (ITWG)
  • Define critical positions and modify position descriptions based on criticality
  • Corporate-wide ITP metrics/measures developed
  • Metrics dashboard designed
  • Design comprehensive education plan
  • High-level company-wide policies are approved and published
  • ITP is formally launched and is operational
  • Monitoring and audit procedures initiated
  • Mitigation procedures operational
  • Enterprise Security Risk Management (ESRM) processes initiated to identify assets, threats and vulnerabilities
  • Integrate ESRM and ITP metrics into an analytical structure
  • Identify requirements for core elements: Operations, Analytics, Collaboration, and Education
  • Policies and procedures are written to support the development and operation of all ITP elements
  • Incorporate counterintelligence controls and measures
  • Security education plan modified to incorporate ITP requirements
  • Determine technologies for monitoring and analytics
  • Formulate incident response requirements
  • Audit and improvement requirements incorporated
  • Completed ITP plan is reviewed and approved as appropriate
  • Develop collaboration plan for external relationships
  • Pilot ITP

Source: ASIS D&C ITWG

SLIDE 15

Program Road Map (Example)

[Figure: program road map]

Source: INSA

SLIDE 16

A Typical Insider Threat Organizational Stakeholder Model

[Figure: Insider Threat Program stakeholder model with the stakeholders HR, Security, Legal, IT/SOC, Business, and Exec Sponsor]

SLIDE 17

The journey

SLIDE 18

Theme (principal tenets)

— Insider Threat is NOT ONLY about protecting data on your network…
— Risk: Tolerance/Avoidance/Acceptance
— Company culture and willingness to adjust
— Needs vs. wants vs. dollars

SLIDE 19

Know Your Company

— Understand your company’s dynamics
  — Cultural acceptance of a program
  — Naming convention sensitivities [Insider Threat]
  — Who/what org leads investigative activities today?
  — Is security / risk a focus area supported by management?
  — What could be management’s expectations?
  — Do you have the clout to “carry the message”?
  — How does a program benefit your company?
— Identify, understand, and outline the need
  — Contractual & Regulatory Compliance
    — NISPOM Conforming Change #2 (TBA – EOM July 15 >)
    — DFAR
    — FAR
    — DD254
    — Contractual Source Documentation

SLIDE 20

Know Your Company

— Know if you have Proprietary Information
— Where your government information is housed
  — Classified
  — Sensitive
  — Technology
— Do elements of a program already exist?
  — Fraud
  — Counterintelligence (NISP)
  — Physical Security
  — Information Systems Security
  — Ethics hot line
  — Etc…
— Leverage client driven requirements

SLIDE 21

The Art of the Deal: it’s all in how you communicate

— Frame the conversation to your benefit
— Guide opinions and direct your team
— Acceptance and tolerance of others’ opinions
— Guard against your AAA Security Practitioner stubbornness (my way or the highway attitude)
— Learn how to compromise
— Does the end state concur with your goal?

SLIDE 22

Make a Convincing Case

— Build a Communication Plan
  — Design your message so that it carries on its merits
  — Level set the message to particular audiences / individuals
  — Know what you communicate
  — Who you communicate with
  — Understand their tolerance for the discussion
— Work the halls of the company
  — Start to message your intentions with stakeholder departments
  — Insert verbiage in your traditional security awareness materials

SLIDE 23

Make a Convincing Case

— Interject Insider Threat into the business
  — “Bang for the Buck” approach
  — Market the Idea
— Work relationships
  — Senior Executive staff
  — Business Leaders
  — Department Heads (to be stakeholders)
  — Functional Managers
— Seek guidance and advice of industry and government colleagues

SLIDE 24

Be The Ball: Subject Matter Expert

— Knowledge is power and you gain influence…
— Gather available information
— Read and learn as much as possible
— Be the undeniable acknowledged SME
— Become the “go-to” person

Don’t approach this project as a high school project – it is your doctoral thesis

“There’s no force in the universe that makes things happen. All you have to do is get in touch with it, stop thinking, let things happen and be the ball.” --Ty Webb

SLIDE 25

Evaluate In-House: Tools, People, and Processes

— Tools:
  — What tools do you have in place today?
  — IT Monitoring Systems?
— People:
  — What skill sets does your team possess?
  — Do you need an expert?
— Processes:
  — Policies and procedures?
  — Event escalation?

SLIDE 26

Challenges

— Demonstrate the need for a program
  — Identify risks and threats
  — Regulatory compliance
— Company culture
— Identify a Senior Executive Sponsor
— Sway leadership & CFO to set aside funds
  — Software purchases
  — Additional personnel (dedicated to the program)
  — Space and supplies
  — Assessments
— Stakeholders’ commitment, time, and inputs
— Analyze what people, processes and tools are presently in place and how to maximize their use in the program

SLIDE 27

Challenges

— Stakeholder group playing nice
— Company internal pressures / stressors
— Recurring meetings
— Educate the stakeholder group
  — Behavioral traits
  — Characteristics
  — Statistical data
  — Compare and contrast
  — Offer case examples
  — Outside experts
  — External training sessions

SLIDE 28

Challenges

— Recognition as the Company’s SME
— Stay ahead of perceptions
  — Control the message
  — Get the ear of the exec sponsor
  — Avoid “rabbit hole” and “what if” scenarios
  — Keep the group focused
— Training
  — FSO and security staff
  — Company leadership
  — Stakeholders
  — Management / supervisor focused
  — Employees / partners

SLIDE 29

Challenges (IT Centric)

SLIDE 30

Challenges (IT Centric)

SLIDE 31

Challenges

— Investigations
  — Assign the right people
  — Properly trained
  — Knowing the limitations of the investigative team
— Fusion analysis
  — Culture
  — Stovepipe mentality (my bucket)
  — Legalities (privacy)
    — CONUS
    — OCONUS (by country)

SLIDE 32

Lessons Learned

  • President’s support is widely known
  • President mandates stakeholder training
    — Will alleviate and defuse many challenges
  • Hesitation of the stakeholders to share
  • Add an SME to the team at the program’s onset
  • Develop a full program before you go to market

SLIDE 33

Success Factors

— You’ll need these to get started
  — Definition of a program
  — Board Members as Champions
  — A senior leader as the program’s sponsor
  — Dedicated program manager
  — A solid program framework
  — A signed program charter
  — Approvals
  — Hiring of personnel if needed
  — A budget line dedicated to the program
— When company leadership and other managers repeat your words verbatim at Board meetings and the like

SLIDE 34

Design the Plan: Where are the threats?

Insider Threat Focus Areas

— Financials
— Shared Services
— Legal
— Information Technology
— Training
— Physical Security
— Human Resources

SLIDE 35

Design the Plan: Where are the threats?

Physical Security

— Facility Accesses
— Visitors
— Odd Hours
— Sensitive Areas

SLIDE 36

Design the Plan: Where are the threats?

Financials

— Accounts Payable
— Accounts Receivable
— Fraud
— Embezzlement

SLIDE 37

Design the Plan: Where are the threats?

Shared Services

— Payroll
— Timesheets
— Credit Card

SLIDE 38

Design the Plan: Where are the threats?

Legal

— Sensitive Investigations
— Contractual Improprieties
— Ethics
— Allegations of Wrongdoing

SLIDE 39

Design the Plan: Where are the threats?

Human Resources

— On-Boarding
— Off-Boarding
— Job Performance
— Termination
— Behavioral Issues

SLIDE 40

Design the Plan: Where are the threats?

Information Technology

— Telecommunications
— Non-Company email
— Dropbox
— Personal Devices
— Social Media Networks
— Financial
— Proposal
— Compartmented
— External
— Internal
— Development
— Classified
— Privileged

SLIDE 41

The Utopian Vision: an approach

SLIDE 42

Board Level Risk Categories

— Financial
— Business Continuity and Resiliency
— Reputation and Ethics
— Human Capital
— Information
— Legal: Regulation/Compliance and Liability
— New or Emerging Markets for Business
— Physical Premises
— Intellectual Property and Products
— National Industrial Security Program Compliance

SLIDE 43

A Framework Model

[Figure: Insider Threat Program with its stakeholders/partners/policy owners and SME inputs (as needed)]

Stakeholders/Partners/Policy Owners:

— HR
— Industrial Security
— IT Security
— Business Owners
— Legal
— Cyber (SOC)

SLIDE 44

A Framework Model: Risk Steering Committee

[Figure: Risk Steering Committee chart, also showing the Board of Directors and the Government Security Committee]

Comprises the Risk Steering Committee:

— Chief Operating Officer (Chairperson)
— Chief Security Officer (Vice Chairperson)
— Chief Information Security Officer
— BU Management Representation
— Human Resources
— Legal
— Ad-Hoc Invitee as Needed

SLIDE 45

A Framework Model

Centralized Administration, Management, and Governance; Decentralized Execution

[Figure: organization chart showing the President, Chief Operating Officer and Chief Security Officer; the Office of Security and Risk; and the Emergency/Crisis Management Response Team]

Office of Security and Risk functions (focused, risk-mitigated approach):

— Counterintelligence
— Industrial Security
— Information/Cyber Security (CISO)
— Training & Awareness
— Audit & Compliance
— Physical Security
— FOCI
— NISP Compliance

SLIDE 46

Program Documentation: Program Charter

See attachment

SLIDE 47

Program Documentation: Policy Charter

See attachment

SLIDE 48

Program Documentation: Program Management Plan

See attachment

SLIDE 49

Org model

SLIDE 50

Notification model

SLIDE 51

Escalation plan

SLIDE 52

Sources

— Cygnus Advisory Group, LLC (CAG)
— Global Skills X-change (GSX)
— Carnegie Mellon CERT
— INSA
— ASIS
— DoD and DSS
— Multiple open source documentation


SLIDE 54

Insider Threat Programs: How To Get Started

IMPACT 2015

Phil Robinson
703.227.7412
Philr.cygnusag@gmail.com