Developing an insider threat management program is a difficult task without a process or structure to follow. This critical action becomes even more challenging without formal experience managing insider threats. Additionally, the lack of a understanding and consensus of what properly constitutes an “insider threat program” leads to confusion and misguided efforts . In this webinar, the author of the upcoming Guide will provide an overview and this much needed framework and clarity for developing your insider threat management program (ITMP) by discussing the following: -Context and definition of an ITMP -The primary objectives of an ITMP -The Initial Operating Capability and Full Operating Capability components of a holistic ITMP -The fundamental concepts of an ITMP -11 step process for developing a robust ITMP program

1. INSIDER THREAT MANAGEMENT GROUP
SHAWN M.THOMPSON, ESQ.
Founder and President, ITMG
InsiderThreat Management Program Guide:
Initiate | Develop | Implement
www.itmg.co
shawn@itmg.co
410-874-3712
Sponsored by

2. An opinion is only worth the experience that
supports it.
 Founder and President, InsiderThreat Management Group
 Board Member, National InsiderThreat Special Interest Group
 InsiderThreat Program Manager, Department of Defense
 Senior Legal Advisor, National InsiderThreatTask Force
 Senior SpecialAgent, Department of Defense
 Senior Litigation Attorney, Department of Defense
 Assistant General Counsel, Federal Bureau of Investigation
 SpecialAssistant United States Attorney, United States Department ofJustice
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.

3. Key Issues
1. What are the ITMP Objectives?
2. What is an ITMP?
3. How do you build and ITMP?
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.

4. What are the ITMP Objectives?
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.

5. What is an “Insider Threat Program?”
It is NOT simply . . .
 Performing pre-employment background checks
 Deploying a DLP or UAM solution
 Collecting network logs
 Providing security training
 Designating someone as the ITPM
 An “INFOSEC” program
 A data problem
 A people problem
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.

6. Initial Operating Capability
Governance and Strategy – roadmap, clarity of vision,
alignment with business objectives
Background Investigation – baseline component,
understand employee, good v. bad providers
Awareness andTraining – first and best line of defense,
clarity of roles and responsibilities, prevent and deter
Asset Management – discovery, classification, asset
management capability
User Activity Monitoring –VISIBILITY,VISIBILITY,
VISIBILITY
Investigation and Mitigation – trained personnel, option
preservation, LEARN
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.

7. Full Operating Capability
Continuous Evaluation – snapshots insufficient, people
change
Risk-BasedAccess Control – access control plus, asset
management alignment
Data Analysis – baseline, structured v. unstructured,
acquire understanding
Insider RiskAssessment – individual risk scores,
dynamic, [(impact)* (threat * vulnerability)]
Oversight and Compliance – watch-the-watchers,
iterative, legitimizes the program
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.

8. Insider Threat Program Build Process
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.

9. Initiation Phase
Plan for Success – baseline current capabilities, lay
groundwork, engage executive leadership
Identify Stakeholders – build corporate team that will
support the program, across business units
Create Business Case –VALUE, align with business
objectives, tailor to audience
Assemble theTeam – “crawl, walk, run,” identify work
roles, personnel gaps
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.

10. Development Phase
Assess Risk – overall risk posture, efficient resource
allocation, repeatable processes
Develop Action Plan – understand risk, develop
requirements, identify solutions
Develop Operating Framework – strategy and
governance, roles, policies and procedures
Obtain Employee Support – critical, messaging plan,
senior executives deliver
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.

11. Implementation Phase
Develop Analytic Capability – understand data source,
sharing agreements, identify analytic solution
Create Incident Response Plan – identify response
needs, identify roles, create network, draft workflows
Develop Oversight and Compliance – identify lead and
requirements, draft policies and procedures, create
reporting metrics, develop feedback mechanisms
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.

12. Key Takeaways
 Iterative Process
 KnowYour People
 KnowYour Assets
 Monitor interactions
 Investigate
 Learn
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.

13. QUESTIONS?
SHAWN M.THOMPSON, ESQ.
Founder and President
InsiderThreat Management Group
itmg.co
410-858-0006
Shawn M.Thompson, Esq.
Insider Threat Management Group, LLC
www.itmg.co
shawn@itmg.co
410-874-3712
2016 Copyright. Insider Threat Management Group, LLC. All rights reserved.