Developing an insider threat management program is a difficult task without a process or structure to follow. This critical action becomes even more challenging without formal experience managing insider threats. Additionally, the lack of understanding and consensus about what properly constitutes an “insider threat program” leads to confusion and misguided efforts.
In this webinar, the author of the upcoming Guide will provide an overview, along with a much-needed framework and clarity, for developing your insider threat management program (ITMP) by discussing the following:
- Context and definition of an ITMP
- The primary objectives of an ITMP
- The Initial Operating Capability and Full Operating Capability components of a holistic ITMP
- The fundamental concepts of an ITMP
- 11-step process for developing a robust ITMP
1. INSIDER THREAT MANAGEMENT GROUP
SHAWN M. THOMPSON, ESQ.
Founder and President, ITMG
Insider Threat Management Program Guide:
Initiate | Develop | Implement
www.itmg.co
shawn@itmg.co
410-874-3712
Sponsored by
2. An opinion is only worth the experience that supports it.
Founder and President, Insider Threat Management Group
Board Member, National Insider Threat Special Interest Group
Insider Threat Program Manager, Department of Defense
Senior Legal Advisor, National Insider Threat Task Force
Senior Special Agent, Department of Defense
Senior Litigation Attorney, Department of Defense
Assistant General Counsel, Federal Bureau of Investigation
Special Assistant United States Attorney, United States Department of Justice
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.
3. Key Issues
1. What are the ITMP Objectives?
2. What is an ITMP?
3. How do you build an ITMP?
4. What are the ITMP Objectives?
5. What is an “Insider Threat Program?”
It is NOT simply . . .
Performing pre-employment background checks
Deploying a DLP or UAM solution
Collecting network logs
Providing security training
Designating someone as the ITPM
An “INFOSEC” program
A data problem
A people problem
6. Initial Operating Capability
Governance and Strategy – roadmap, clarity of vision, alignment with business objectives
Background Investigation – baseline component, understand employee, good v. bad providers
Awareness and Training – first and best line of defense, clarity of roles and responsibilities, prevent and deter
Asset Management – discovery, classification, asset management capability
User Activity Monitoring – VISIBILITY, VISIBILITY, VISIBILITY
Investigation and Mitigation – trained personnel, option preservation, LEARN
7. Full Operating Capability
Continuous Evaluation – snapshots insufficient, people change
Risk-Based Access Control – access control plus, asset management alignment
Data Analysis – baseline, structured v. unstructured, acquire understanding
Insider Risk Assessment – individual risk scores, dynamic, [(impact) * (threat * vulnerability)]
Oversight and Compliance – watch-the-watchers, iterative, legitimizes the program
8. Insider Threat Program Build Process
9. Initiation Phase
Plan for Success – baseline current capabilities, lay groundwork, engage executive leadership
Identify Stakeholders – build corporate team that will support the program, across business units
Create Business Case – VALUE, align with business objectives, tailor to audience
Assemble the Team – “crawl, walk, run,” identify work roles, personnel gaps
10. Development Phase
Assess Risk – overall risk posture, efficient resource allocation, repeatable processes
Develop Action Plan – understand risk, develop requirements, identify solutions
Develop Operating Framework – strategy and governance, roles, policies and procedures
Obtain Employee Support – critical, messaging plan, senior executives deliver
11. Implementation Phase
Develop Analytic Capability – understand data source, sharing agreements, identify analytic solution
Create Incident Response Plan – identify response needs, identify roles, create network, draft workflows
Develop Oversight and Compliance – identify lead and requirements, draft policies and procedures, create reporting metrics, develop feedback mechanisms
12. Key Takeaways
Iterative Process
Know Your People
Know Your Assets
Monitor interactions
Investigate
Learn
13. QUESTIONS?
SHAWN M. THOMPSON, ESQ.
Founder and President
Insider Threat Management Group
itmg.co
410-858-0006
Shawn M. Thompson, Esq.
Insider Threat Management Group, LLC
www.itmg.co
shawn@itmg.co
410-874-3712
Editor's notes
Bona fides
“Opinion only worth the amount of experience on a given topic”
Compliance is key – must comply with your own rules to create legitimacy
Collection is not King – simply b/c you can collect most everything, doesn’t give you the right to “use” it in whichever manner you choose
Policies are vital – not simply important
Maintain reasonableness – don’t let the ability to collect everything cloud your judgment, courts give great deference to “legitimate business needs” . . . This could change if businesses begin to encroach upon all aspects of employees’ lives for no legitimate business need
Seek legal counsel