CISA Publishes Insider Threat Mitigation Guide for Critical Infrastructure

Last month, the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued a comprehensive Insider Threat Mitigation Guide to help organizations establish or enhance the insider threat prevention and mitigation programs needed to secure the assets, systems and networks that are essential to critical infrastructure operators. The Guide is the most recent resource available to the private sector and serves as a compilation of other guides, best practices and frameworks CISA has provided to help mitigate the risks of insider threats. Importantly, the Guide recognizes the depth and complexity of the problem by creating a scalable framework of best practices that can be adjusted and scoped to meet sector- or organization-specific needs.

According to the National Insider Threat Task Force (NITTF), insider threats regularly account for major losses and disruptions to organizations and can range from intellectual property theft and loss, to workplace violence resulting in death, injury or physical property damage, to the loss and compromise of sensitive and protected data. The multifaceted risks presented by insider threats have long been recognized as vectors that present unique issues and complexities for organizations designing and implementing mitigation measures. As an example, in the most recent version of NIST's Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, insider threat controls are included in the awareness and training family of controls, as well as in the incident response and program management control families. This diverse methodology for addressing insider threat risks tracks directly with CISA's Guide, which calls for insider threat mitigation programs to span the "entire organization," requiring the coordination not only of security, IT and risk management personnel, but also of human resources, legal and executive management.

For the private sector, defining what constitutes an insider threat is an important first step in developing a better understanding of the scope of the risk. CISA asserts that an insider threat comes from any individual with access to or knowledge of an organization's systems, processes, personnel or facilities, who uses that access or knowledge to disrupt the "integrity, confidentiality, and availability of the organization, its data, personnel, facilities and associated resources." Such disruptions tend to manifest in five categories of threats: cyber, sabotage, espionage, violence, and/or theft. Both the definition and the threat categorization rubric are essential for organizations to understand, because these baseline concepts allow them to assess both the likelihood and the impact these specific threat vectors could have on their operations.

From there, CISA puts forward a basic, principles-driven insider threat mitigation framework that can be adjusted and scoped to the needs and maturity of the organization. The basic principles that should underlie an insider threat mitigation program are: a supportive climate of accountability and mutual respect that encourages reporting; promoting organizational values such as privacy and civil liberties; and remaining adaptive to organizational changes and realignments. The basic framework for implementing and operating a successful program includes:

  • Planning, which includes identifying, tracking and monitoring critical assets, and establishing guiding principles and policies that align organizational values with the purpose and goals of the insider threat program.

  • Organizing and equipping the program with the technology, information, personnel, reporting paths and investigators needed to assure success.

  • Training and executing the program through all levels of the organization, focusing on messaging that emphasizes prevention, shared awareness of the threat and the responsibility to report, as well as the policies, procedures and agreements that have been put in place to ensure both personal and organizational accountability.

  • Evaluating and improving the program through regular exercises and reviews designed to update and align the mitigation program with changes to the organization's mission, vision or values.

CISA's Insider Threat Mitigation Guide is a functional tool that the private sector can use to implement and operate an effective mitigation program. While scoped and intended for critical infrastructure owners and operators, the flexibility and adaptability built into the framework presented in the Guide allow for broader adoption across a wide range of companies looking to address insider threats. Additionally, for companies looking to do business with the federal government, the Guide provides a readily accessible framework that can help bolster an insider threat mitigation program with state-of-the-practice techniques that are shared across federal agencies.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wiley Rein LLP | Attorney Advertising

Written by:

Wiley Rein LLP