Monday, July 9, 2018

Establishing the Insider Threat Program Plan

This article addresses establishment of the Insider Threat Program Plan. The article is derived from the Self Inspection Handbook for NISP Contractors, and uses its format to walk through the self-inspection criteria. We begin with the topic question, followed by the NISPOM reference, an explanation of requirements, and finally how to inspect compliance.
Topic Question(s):
Has the company developed and implemented an insider threat program plan endorsed by the ITPSO?

Do you have a written program plan that has been self-certified to DSS as current and implemented?

EVIDENCE: Provide the policy, internal guidelines, and procedures.

If you do not have an insider threat program established, do you have an implementation plan, roadmap, or milestones for establishing your program?

EVIDENCE: Provide the implementation plan or milestones way ahead.

NISPOM Reference(s):
1-202a

Discussion:
Once the Insider Threat Program Senior Official (ITPSO) is designated, the Cleared Defense Contractor (CDC) enterprise can begin to create an Insider Threat Program (ITP) that will be endorsed by the ITPSO. The ITPSO should begin the next tasks: building the ITP team and developing the ITP and the required Insider Threat Training. These topics will be covered in future articles.

The ITPSO should establish the program to prevent, detect, or stop a trusted employee from committing espionage or sabotage against the CDC and its product or contract deliverables.

ITP Guidance

Elements of a successful insider threat program are listed in the NISPOM. NISPOM guidance can be used as measurable criteria to establish and determine ITP effectiveness. The NISPOM has identified the following requirements to establish an Insider Threat Program:

1. Designate an Insider Threat senior official
2. Establish an Insider Threat Program / Self-certify the Implementation Plan in writing to DSS.
3. Establish an Insider Threat Program group
4. Provide Insider Threat training
· cleared employees (initial security briefing and follow-up briefings)
· cleared employees assigned insider threat program responsibilities
5. Monitor classified network activity
6. Gather, integrate, and report relevant and credible information; detect insiders posing risk to classified information; and mitigate insider threat risk
7. Conduct self-inspections of Insider Threat Programs

ITP Goals

The Insider Threat Program should be leveraged to develop awareness of, and respond to, information indicative of potential or actual insider threats. ITP goals should be to:

1. Gather insider threat information: what evidence is available that suggests a potential or actual insider threat (actions, observations, direct communication, tampering, etc.)
2. Integrate gathered information: develop a communication channel to report such information for the ITP. The ITP should understand how to gather, respond to, and report relevant information
3. Report relevant and available insider threat information as required by:
· Executive Order (EO) 13587 - directs the heads of agencies that operate or access classified computer networks
· National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs
· And the catchall: as required by the appropriate CSA (DSS)

CDCs who do not have an ITP at this point should have a strategy or plan outlining how they will achieve compliance. This plan should outline how they will appoint the ITPSO, establish the working group, and apply the guidance. The plan should have milestones and measurable results that DSS can review and understand.

Validation:
1. ITPSO is appointed in writing. Appointment is available for review.
2. Written policy, procedures, and/or guidelines are available demonstrating how the ITP is applied and measured.
3. Where no policy is in place, a roadmap or “get healthy” plan is available.
4. ITP team members are identified and trained (certificates or memorandums of record)
5. CDC employees have received insider threat training (certificates or memorandums of record)

Insider Threat Programs and appropriate training are required of all CDCs. CDCs should appoint an ITPSO in writing and establish the ITP with the goal of gathering, integrating, and reporting insider threat information.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".
