Posts Tagged ‘Insider threat’

Mitigating the Insider Threat Through Personnel Surety Counterintelligence

The Department of Homeland Security, in coordination with US Customs and Border Protection, is at the forefront of preventing insider threats within its law enforcement operations. These threats take the form of overt actions that are made possible by gaps in coordination and by process mistakes, which create vulnerabilities that are self-inflicted but preventable.

To assure this continued success, a Personnel Surety Counterintelligence mission must be put in place through a management and implementation functionality that will meet the following objectives:

• Assess and audit the effect of the insider threat through risk analysis threat algorithms

• Establish a collaborative information-sharing personnel surety data base system that tracks action requirements and assigns accountability on a continuous basis

• Build a personnel surety counterintelligence business process into each law enforcement mission area, both operational and technologically supported through stakeholder collaboration

• Create a culture built around a robust personnel surety plan to ensure that a need to share for operational success supersedes the need to protect information

• Identify the insider threat and vulnerabilities through a continual monitoring system of checks and balances

• Counter the inadvertent mistakes that lead to the insider threat through the deployment of technologies that drive mission success and efficiencies


Coordinating the Government’s Personnel Surety Mission

The multi-faceted challenges of working in today’s mission-critical environments, with coordination required across multiple enterprises, demand innovative approaches that stress stakeholder creation and participation with built-in accountability, under an umbrella set of governance parameters. This is especially true in the world of counterintelligence / insider threat, given the number of initiatives currently underway to protect the United States government information infrastructure. It is imperative that the following initiatives be established:

• Establishing a government-wide personnel surety process and management discipline supported by standardized and relevant technologies

• Coordinating the activities of multiple operational centers, including sharing information about malicious activity and establishing common operating standards and procedures to: track information sharing, require acknowledgement of information received, and provide reports of counter-actions taken

• Deploying technology advancements in order to counter the threats both from an IT and behavioral perspective

• Engaging the private sector, as a partner, to extend the envelope of protection beyond the government’s firewall in a manner that is clear and manageable to that sector

These initiatives are designed to break the pattern of information silos and to overlay new paradigms that will mandate sharing and accountability to protect lives and critical mission information while providing stakeholders tangible metrics for their participation.

They also address the technology aspects required to support this new paradigm by ensuring that the most appropriate tools are in place, under the most cost-effective basis.

Establishing Enterprise-Level Governance

As recent events have proven, internal barriers may well be the biggest stumbling blocks to “connecting the dots” on a threat and preventing violence.

Deployment of a CBP Enterprise Program Management Office (EPMO) is a successful methodology that will enable CBP to break through such barriers and establish an enterprise-level governance functionality that will assure the success of the insider threat mission. An insider threat EPMO will allow CBP to:

• Coordinate the Counterintelligence Mission Focus across all of the Federal Mexican Police Department

• Deploy technologies that drive mission success and efficiencies

• Establish performance metrics and measurable outcomes linked to meeting the counterintelligence insider threat mission


Successfully Deploying the EPMO

A successful Counterintelligence EPMO will require the following focus to its activities:

• Developing and documenting a clear understanding of the mission

• Establishing an executive Governance Board

• Organizing with a focus on meeting the counterintelligence mission

• Deploying operations that protect the mission from internal/external threats

• Leveraging technology to enable the counterintelligence mission

• Establishing a disciplined standards-based foundation

It is critical that CBP establish an EPMO to serve as a central program management body, one which both manages and coordinates core insider threats and counterintelligence activities. The EPMO performs much of the program management related work for individual programs as well as the organization at an enterprise level, while still valuing the individual program contributions and objectives.

Establishing and sustaining this focus for the EPMO will require that four themes be addressed: statutory and other mandatory drivers, organization and supporting processes, technology requirements, and cultural change.

1. Statutory and Other Mandatory Drivers

Any EPMO is responsive to the statutory and/or regulatory drivers that established the mission for a sponsoring agency, augmented by internal agency directives or other mandated requirements. It is critical that information on these be gathered, analyzed, and clearly understood. This information must then be coalesced into a charter statement that all stakeholders will commit to support and follow, under a program organization that has been developed and accepted in a collaborative process. Specific mission performance objectives may then be developed. Successful implementation of these objectives depends on establishing a common operating environment that has two components: process and supporting technology.

2. Organization/Process

The processes defining the EPMO’s operating framework must promote the effectiveness, efficiency, and collaboration necessary to successfully meet the established counterintelligence insider threat mission. Once established, these characteristics must be sustained by adopting a regular process of review through which the operational and control processes of the EPMO are assessed and revised, and opportunities for improvement are incorporated. The effective EPMO deploys Key Performance Indicators (KPIs) measuring key processes, especially those that touch the counterintelligence insider threat customer.

The EPMO monitors the KPIs to identify reductions in performance and, as a result, to proactively deploy revised and improved processes. Incorporating standards and ratings to ensure ongoing performance maturity is essential so that the stakeholders of the EPMO receive the best information and participate in decision-making as appropriate.

3. Technology

Even though most EPMOs operate in a highly automated environment, the successful counterintelligence insider threat EPMO team understands that technology is not the answer to all problems. That team also understands that well-deployed technology remains a critical, but supporting, component alongside highly qualified personnel and a well-run EPMO organization.

These technologies should be “smart”, scalable, flexible, extensible, and self-monitoring. The requirements for deployment must be based on automating a collection of previously manual processes, and the technologies should provide short-term tactical efficiencies in response time, effectiveness, and productivity. They must not disrupt processes unless that disruption is part of a well-understood process improvement strategy. They must be well understood, and users and customers must be well trained and able to quickly incorporate the technology capabilities into the responsibilities assigned to them.

4. Culture

The EPMO must be staffed by program, change, technology, and counterintelligence professionals who are directly accountable to the counterintelligence mission and to the Department’s strategic objectives. The individuals in the EPMO must have the necessary credentials, as well as the managerial, consultative and functional counterintelligence experience, necessary to operate a Department-level counterintelligence program office. While necessity often requires that personnel and resources be gathered from other parts of the Department, once those resources are assigned or brought into the EPMO, the mission of the EPMO takes precedence; adherence to previous cultural and organizational barriers becomes a secondary priority.

The above four goals must be addressed via a specific implementation process consisting of three primary phases: Initiation, Planning, and Execution, coupled with ongoing Assessment and Update once all facets of the EPMO have been deployed. Each phase has its own input requirements and results in deliverables which are critical to day-to-day execution of the mission objectives.

The advantages of this phased approach are multiple:

• An over-arching mission definition is established, to ensure that all participating agencies are operating to the same goals and objectives

• Agency and other users are provided hands-on guidance to support them through collaborative / facilitated involvement and integration into the counterintelligence program

• The EPMO establishes standards, processes and performance measures, as well as measuring tools

• Agencies are left with flexibility in the management of individual counterintelligence activities while adhering to enterprise business rules

• Some impact on the organization, which may require changes in organizational structure and/or roles and responsibilities

• Relieves agencies and program teams of much of the responsibility and details of program management-related activities

• Allows users to focus on the counterintelligence activities, resolution of technical issues, and threat adjudication under a common set of ground rules and information-sharing environments

Conclusion

The need for a successful counterintelligence program demands a direct approach to establishing coordination. Therefore, the Counterintelligence / Insider Threat EPMO would provide the most robust construct for securing enterprise-wide coordination and would help break down the organizational silos preventing success. The EPMO will provide a personnel security program as well as counterintelligence / insider threat coordination to the entire enterprise: from the Executive level to managers, to Federal Officers, to professional staff, to security personnel, to IT personnel, and finally, to IT Security personnel down to administrative and clerical staff.

Contributing Author:

Bill Carroll is a co-founder and the President of the EnProVera Corporation, a Service Disabled Veteran Owned Small Business and Native American Owned Small Disadvantaged Business. Prior to EnProVera, he was the Managing Partner of Strikeforce Consulting. Bill has over 40 years of experience in law enforcement, in the U.S. Government, and in the Government Contracting Industry. He retired from the U.S. Government in 1998 after a distinguished career in the Immigration and Naturalization Service (INS). Bill was the Director of the INS Washington District Office and Deputy Director of the Los Angeles District Office.

Insider Threat Programs: 5 Easy Steps to Protect Your Company

The insider threat is a real concern across government and industry, and unfortunately we continue to see significant evidence of the damage incurred by malicious insiders, such as Snowden and Manning. In the next few years, we will see changes to Government policy, including the National Industrial Security Program Operating Manual (NISPOM), to ensure we are properly protecting national security information and corporate assets.

Since the mere thought of how to create an insider threat plan can be overwhelming, the following five steps are intended to help you put things into perspective as you begin to develop and document your corporate plan.  There are many sources of information available for companies to reference (see list of sources).

Step 1:  Identify the Team

Assemble a team who can make decisions, change policies and understand the importance of the issues.  It is critical the team has a solid understanding of your overall business and your corporate assets.  You may want to include a member of executive management (COO) with budget authority as well as representatives from HR, Security, IT and your legal department.  Schedule a regular meeting time and assign someone on the team to take minutes.  An agenda can also be helpful as you begin to cover the elements of the plan.  The team needs to be able to work across the organization and have the synergy necessary to ensure that when a problem arises, it can be handled quickly.  The team should know the staff and be able to recognize concerning behaviors as potential indicators.

Step 2:  Conduct a Risk Assessment

One of the best ways to protect your company is to fully understand your assets and ensure you are taking the appropriate steps to secure them.  Sit down with executive management and outline what your corporate assets are, such as trade secrets, salary data, proposal data, proprietary data, sponsor or Government National Security data, strategic plans, Personally Identifiable Information (PII), and your IT systems and servers, etc.

Once you have established what the assets are, determine how well they are protected. What is the risk if the information is leaked to a competitor or a foreign entity? Look at who has access to the information. You will want to limit vulnerability by removing file access from staff who do not need the information to complete their job function. In addition, ensure that if someone leaves to join a competitor, or for any other reason, you immediately know what information that person had access to. Ensure you have procedures in place to terminate access to information immediately.

Determine if you want to hire consultants to conduct a risk assessment or if you prefer to handle the risk assessment with the senior staff in-house.  The benefit of utilizing consultants may be an unbiased result but may be cost prohibitive.  You might find that you would rather allocate funds to purchase new equipment, such as a new firewall, to protect the assets.

Step 3:  Tighten Up Procedures/Policies

Ideally, the insider threat team will work together to strengthen the procedures, gather feedback, implement changes, and document the new policies as part of the plan.

Start this step by looking at the procedures and policies currently in place to protect the assets you identified during the risk assessment. For example, if you have identified certain proposal data as proprietary, you should engage your IT staff to monitor who is downloading the data. You can also tighten up the procedures surrounding the termination of employees to ensure they understand the NDAs they signed. This will protect your company’s assets. If possible, at the first notification of a termination, look at what the employee has been accessing for the past 30 days. At this time, remind the person of the NDA signed at the date of hire.

In addition to tightening up procedures, adopt an Acceptable Use Policy for your company. The purpose of an Acceptable Use Policy is to outline the proper use of company information systems. The policy is established to protect the employee as well as your company from risks (including virus attacks, compromise of network systems and services, and legal issues) due to inappropriate use and/or malicious conduct. Ensure your staff understands the Acceptable Use Policy and the sanctions that apply when the policy is violated.

Step 4:  Security Education

Security education can be as creative as you are!  Many companies that contract with the Government have a security education program in place.  Supplementing the plan with insider threat material is easy with all the resources available online.  The goal of the security education program is to ensure your employees understand how to recognize a threat, both internal to the organization as well as from the outside (such as recruitment), the importance of reporting the potential threat, and how to file a report.

Encourage your staff to report and provide a confidential means of reporting.  If your staff is required to report adverse information, remind them of the requirement.  Reporting may lead to early detection of malicious insiders as well as possible recruitment.

Below are a few examples of indicators but please refer to the sources below for more detailed lists of threat indicators and observable behaviors that may indicate someone is involved in malicious activities.

  • Unexplained affluence or excessive indebtedness
  • Efforts to conceal foreign contacts, foreign travel or foreign interests
  • Requesting access to or accessing information outside official job duties including sensitive or classified information
  • Disgruntled behavior at work
  • Drug or alcohol abuse, excessive gambling, or criminal activity
  • Questionable judgment or untrustworthiness
  • Apparent mental, emotional or personality disorders
  • Working odd hours (suddenly changing working hours)
  • Printing or downloading files excessively
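Two of the items above (excessive printing or downloading, odd working hours) and the Step 3 advice to review what a departing employee accessed over the past 30 days can be checked directly against a file-access log. The script below is an added example, not code from the original post or from CENTRA; the log format, user names, file paths, the 30-day notice date and the thresholds are all constructed for illustration and would need to be replaced with the organisation's own data and baselines.

```python
"""Offboarding access review and log-visible insider-threat indicators.

Added example (not code from the original post).  The log format,
user names, paths, dates and thresholds below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: timestamp,user,action,path,bytes
SAMPLE_LOG = """\
2014-03-02T09:15:00,jdoe,read,/proposals/bid-2014-07.docx,204800
2014-03-03T10:02:00,jdoe,download,/proposals/bid-2014-07.docx,204800
2014-03-28T23:41:00,jdoe,download,/proposals/bid-2014-08.docx,512000
2014-03-28T23:52:00,jdoe,download,/hr/salary-2014.xlsx,81920
2014-03-29T00:10:00,jdoe,print,/proposals/bid-2014-08.docx,0
2014-03-29T00:15:00,jdoe,print,/proposals/bid-2014-08.docx,0
2014-03-29T00:20:00,jdoe,print,/proposals/bid-2014-08.docx,0
2014-03-10T11:00:00,asmith,read,/proposals/bid-2014-07.docx,204800
2014-03-11T14:30:00,asmith,download,/eng/design-notes.txt,4096
2014-01-15T09:00:00,jdoe,download,/proposals/bid-2013-12.docx,300000
"""

# Path prefixes identified as proprietary in the Step 2 risk assessment
# (constructed for this example).
SENSITIVE_PREFIXES = ("/proposals/", "/hr/")


def parse_log(text):
    """Turn the CSV-style log into a list of dicts with a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, nbytes = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "path": path, "bytes": int(nbytes)})
    return records


def access_review(records, user, as_of, days=30):
    """Step 3: at first notice of a termination, pull everything the
    departing user touched in the trailing window (default 30 days)."""
    start = as_of - timedelta(days=days)
    return sorted((r for r in records
                   if r["user"] == user and start <= r["ts"] <= as_of),
                  key=lambda r: r["ts"])


def indicator_summary(records, business_hours=(8, 18),
                      download_limit=3, print_limit=2):
    """Step 4 indicators that a log can actually show: off-hours activity,
    excessive downloading or printing, and which sensitive files were
    touched.  Thresholds are constructed; tune them to a real baseline."""
    per_user = defaultdict(lambda: {"off_hours": 0, "downloads": 0,
                                    "prints": 0, "sensitive": set()})
    for r in records:
        s = per_user[r["user"]]
        if not business_hours[0] <= r["ts"].hour < business_hours[1]:
            s["off_hours"] += 1
        if r["action"] == "download":
            s["downloads"] += 1
        elif r["action"] == "print":
            s["prints"] += 1
        if r["path"].startswith(SENSITIVE_PREFIXES):
            s["sensitive"].add(r["path"])

    flagged = {}
    for user, s in per_user.items():
        reasons = []
        if s["off_hours"]:
            reasons.append(f"{s['off_hours']} off-hours events")
        if s["downloads"] >= download_limit:
            reasons.append(f"{s['downloads']} downloads")
        if s["prints"] >= print_limit:
            reasons.append(f"{s['prints']} print jobs")
        if reasons:
            flagged[user] = {"reasons": reasons,
                             "sensitive_paths": sorted(s["sensitive"])}
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    notice = datetime(2014, 3, 31, 9, 0)   # constructed termination-notice time
    window = access_review(recs, "jdoe", notice)
    print(f"jdoe: {len(window)} events in the 30 days before notice")
    for user, info in indicator_summary(window).items():
        print(user, "->", "; ".join(info["reasons"]))
        for p in info["sensitive_paths"]:
            print("   touched:", p)
```

The review output is a starting point for the insider threat team described in Step 1, not a verdict: the thresholds only say that activity departs from the norm, and the team still has to decide, with HR and legal, whether it is explained by the person's job.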

Here are a few ideas to introduce and begin to implement your insider threat program.  Add a few slides to your annual refresher training as a means of introducing the topic and outlining the requirements for reporting.  You can also add to or begin to publish a monthly newsletter to highlight threat indicators and reporting procedures.  Both DSS and the FBI websites have downloadable brochures with relevant information.  If you need a little humor, Threat Geek has great cartoons with insider threat content that will deliver your message in an entertaining way.

Step 5:  Document Your Plan

By the time you get to this step you should be well on your way toward creating a successful plan.  If you have maintained good notes along the way, it will be easy to put the results of your risk assessment, new policies and procedures you have implemented, the details of your security education program, and the team responsibilities into a corporate plan.

Remember, you are never done!  Insider threat is an ongoing and evolving issue and your plan should be continuously amended as you gain more experience working through various issues that arise.

Contributing Author: Katherine D. Mills

Katherine D. Mills is Chief Security Officer and Security Director for GTSC Member CENTRA Technology, Inc. She has over 20 years’ experience in security and at CENTRA is responsible for all aspects of security operations under the company’s National Industrial Security Program, including personnel, program, physical, and information security, at both CENTRA’s Arlington and Burlington locations.

Sources:

CERT: Common Sense Guide to Mitigating Insider Threats

DSS: Insider Threat Courses & Brochures

FBI: Insider Threat Briefing

ONCIX: Insider Threat Relevant Reports, Briefings & Reading Material

American Society Industrial Security, Security Management, October 2013:

Threat Geek, cartoons for security education

  • http://www.threatgeek.com/