Insider Threat Overlays

Upload by : Mika Lloyd

1. Identification

The Insider Threat Overlays identifies security control specifications needed to protect against insider threats and establishes an organizational Insider Threat Program for IT enterprises with national security systems (NSS).

In 2011, Executive Order (EO) 13587 required the establishment of Insider Threat Programs for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure.

Then in 2012, the White House Memorandum, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, required agencies to monitor and audit user activity on classified networks.

Thereafter in 2014, the White House Memorandum, Near-term Measures to Reduce the Risk of High-Impact Unauthorized Disclosures required the implementation of corrective measures for classified computer networks to improve business practices, enhance the security culture across the workforce, and reduce the unique risks associated with privileged users.

The Insider Threat Overlays correlates and applies the insider threat related requirements established in these regulatory and statutory references, along with insider threat related policies, guidelines, and best practices from Committee for National Security Systems (CNSS), Intelligence Community (IC), Department of Defense (DoD), and National Institute of Standards and Technology (NIST) issuances, to the security controls specified in NIST Special Publication (SP) 800-53 (Revision 4).

The intended audience for this document includes, Information System Owners and System Security Engineers, Enterprise Security Service Providers, Insider Threat Program Management, Security Incident Responders, Security Control Assessors, and Authorizing Officials, who will use the information contained in this document to understand the insider threat related aspects of the security controls specified by the overlays.

The following documents were used to create these overlays:

- EO 13526, Classified National Security Information, 5 January 2010
- EO 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, 7 October 2011
- EO Amending the Civil Service Rules, Executive Order 13488, and Executive Order 13467 to Modernize the Executive Branch-Wide Governance Structure and Processes for Security Clearances, Suitability and Fitness for Employment, and Credentialing, and Related Matters, 17 January 2017
- White House Memorandum, November 2012, Subject: National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs
- White House Memorandum, February 2014, Subject: Near-term Measures to Reduce the Risk of High-Impact Unauthorized Disclosures
- Chairman of the Joint Chiefs of Staff Manual (CJCSM) 6510.01B, Cyber Incident Handling Program, 10 July 2012

Insider Threat Overlays 09/01/2018

- CNSS Directive (CNSSD) 504, Directive on Protecting NSS from Insider Threat, 4 February 2014
- CNSS Instruction (CNSSI) 1001, National Instruction on Classified Information Spillage, February 2008
- CNSSI 4009, Committee on National Security Systems (CNSS) Glossary, 6 April 2015
- CNSSI 1015, Enterprise Audit Management Instruction for National Security Systems (NSS), September, 2013
- CNSSI 1253, Security Categorization and Control Selection for National Security Systems, 27 March 2014
- CNSSI 1253 Appendix F Attachment 3, CDS Overlay, 24 April 2016
- CNSSI 1253 Appendix F Attachment 5, Classified Information Overlay, 9 May 2014
- CNSSI 1253 Appendix F Attachment 6, Privacy Overlay, 20 April 2015
- CNSS Policy (CNSSP) 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products, 10 June 2013
- CNSSP 15, National Information Assurance Policy on the Use of Public Standards for the Secure Sharing of Information among National Security Systems, 1 October 2012
- CNSSP 17, Policy on Wireless Systems, January 2014
- CNSSP 25, National Policy for Public Key Infrastructure in National Security Systems, March 2009
- DoD Directive (DoDD) 5205.16 The DoD Insider Threat Program, 30 September 2014
- Title 32, Code of Federal Regulations (CFR), Part 310, DoD Privacy Program
- Department of Defense (DoD) Insider Threat Management and Analysis Center (DITMAC) System of Records Notice (SORN), 17 October 2016
- ICS 502-01, Intelligence Community Computer Incident Response and Computer Network Defense, 20 December 2013
- Intelligence Community Enterprise Audit Conceptual Framework, June 2011
- National Defense Authorization Act (NDAA) for Fiscal Year 2017
- NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, December 2014
- NIST SP 800-161 Supply Chain Risk Management, April 2015
- Office of the Secretary of Defense Insider Threat Mitigation, 12 July 2013
- The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Rules, at 45 C.F.R. Parts 160 and 164 (2013)
- The Privacy Act of 1974, as amended, (P.L. 93-579), 5 U.S.C. §552a

These overlays should be reviewed and updated, as necessary, when new regulatory or statutory direction is issued that impacts the designation or application of insider threat-related security controls or upon the publication of a revision to NIST SP 800-53, CNSSI 1015, or CNSSI 1253.

2. Overlay Characteristics

The Insider Threat Overlays applies to NSS that store, process, or transmit classified, national security, or controlled unclassified information and to the enterprise security solutions and Insider Threat Programs that support those systems.

The Insider Threat Overlays provides guidance for information access, encryption, anonymization, redaction, disclosure, retention, disposal and disposal techniques of Personally Identifiable Information (PII) and Protected Health Information (PHI). Information sharing and safeguarding covered by this document includes but is not limited to, foreign contact information, foreign travel information, personnel security information, financial disclosure information, in addition to relevant databases and files, personnel security files, polygraph examination reports, facility access records, security violation files, travel records, foreign contact reports, and financial disclosure filings.

This document contains four overlays (IT System, Enterprise, Insider Threat System, and Insider Threat Program). These overlays in unison reflect enterprise-wide insider threat detection and mitigation activities and the shared responsibilities of service providers and system owners that comprise an enterprise insider threat solution.

Figure 1 presents an enterprise level overview of the interrelationships among the various components of an insider threat program.[1] The IT System and Enterprise Overlays refer to components and functions external to the Centralized Hub (Private Enclave) and the Insider Threat System and Insider Threat Program Overlays refer to components and functions internal to the Centralized Hub (Private Enclave).

The IT System Overlay is based on a system categorization of Low Confidentiality, Low Integrity, and Low Availability and specifies security controls applicable to all systems regardless of system categorization. When a control that is specified only at a higher level (e.g., Moderate or High) is addressed in the overlay, then such specification is clearly cited in the Justification for Selection.

The Enterprise Overlay contains common and hybrid security controls that are inherited by one or more organizational information systems. The controls specified in the Enterprise Overlay are based on providing support to systems categorized with Low Confidentiality, Low Integrity, and Low Availability. When a control that is specified only at a higher level (e.g., Moderate or High) is addressed in the overlay, then such specification is clearly cited in the Justification for Selection.

[1] Figure 1 is based on Figure 1 in the NITTF 2014 Guide To Accompany the National Insider Threat Policy and Minimum Standards.

Figure 1 – Insider Threat Program: Enterprise View

The Insider Threat System Overlay specifies security controls for IT systems that directly support the Insider Threat Program. The Insider Threat System Overlay is based on a system categorization of High Confidentiality, High Integrity, and Moderate Availability. The Insider Threat System Overlay also includes security and privacy controls based on the Personally Identifiable Information (PII) Confidentiality Impact Level High and Protected Health Information (PHI) Privacy Overlays.

The Insider Threat Program Overlay contains common and hybrid security controls specifically implemented by the Insider Threat Program, which are then inheritable by the enterprise. The Insider Threat Program Overlay is based on a system categorization of High Confidentiality, High Integrity, and Moderate Availability. The Insider Threat Program Overlay also includes security and privacy controls based on the PII Confidentiality Impact Level High and PHI Privacy Overlays.

The assumptions that underlie the security control selections and serve as the basis to justify the allocation of controls in the Insider Threat Overlays include:

- The IT System and Enterprise overlays were developed without differentiation for a particular classification or sensitivity of the information. These overlays are intended to be universally applicable to all classification and sensitivity levels, to include Top Secret/SCI, Top Secret Collateral, Secret, Confidential, and Controlled Unclassified Information (CUI) (e.g., Law Enforcement, PII/PHI, For Official Use Only (FOUO), Limited Distribution (LIMDIS)).
- The Insider Threat System and Insider Threat Program overlays were developed to provide the requisite level of protection for, up to, Top Secret/SCI and all Privacy (e.g., PII High/PHI) information.
- The Insider Threat System overlay was developed with the basis that there are no wireless or remote (external to the local network) accesses to Insider Threat Systems (i.e., systems that directly support the Insider Threat Program).
- All Insider Threat overlays were developed without differentiation between NSS organizations (e.g., IC, DoD, Executive Branch). Best practice policies and guidelines were universally included and consolidated from all organizational communities without limitation to the community from which they were established.

3. Applicability

Use the following questions to determine the applicability of the Insider Threat Overlays:

a. Is your organization required to establish an Insider Threat Program per EO 13587? If the answer is no, the Insider Threat Overlays do not apply. If the answer is yes, continue through the additional questions below to determine which of the Insider Threat Overlays applies.
b. Are the security controls being applied to an individual IT system? If the answer is yes, then follow the guidance for the IT System overlay.
c. Are the security controls being implemented by an enterprise solution for inheritance by one or more IT systems? If the answer is yes, then follow the guidance for Enterprise overlay.

d. Are the security controls being applied to an IT system that directly supports the Insider Threat Program? If the answer is yes, then follow the guidance for Insider Threat System overlay.
e. Are the security controls being implemented by the organization’s centralized Insider Threat Program? If the answer is yes, then follow the guidance for Insider Threat Program overlay.

4. Overlay Summary

The table below contains a summary of the security control specifications as they apply in the Insider Threat Overlay. The symbols used in the table are as follows:

- The letter “B” indicates the control is a CNSSI 1253 baseline control using a Confidentiality Low, Integrity Low, and Availability Low baseline for all IT systems and a Confidentiality High, Integrity High, and Availability Moderate for Insider Threat Systems.
- The letter “P” indicates the control is a PII Moderate and/or PHI Privacy Overlay baseline control.
- A plus sign (“+”) indicates the control is to be selected.
- Two dashes (“--”) indicates the control is not to be selected.
- The letter “E” indicates there is a control extension.
- The letter “G” indicates there is supplemental guidance, including specific tailoring guidance if applicable, for the control.
- The letter “V” indicates the overlay defines a value for an organizational-defined parameter for the control. (The parameter value may be from CNSSI 1253, the DoD Specific Assignment Values (DSPAV), or created specifically for this overlay.)
- The letter “R” indicates there is at least one regulatory/statutory reference that requires the control selection or that the control helps to meet the regulatory/statutory requirements.
- Absence of any symbol (i.e., a blank cell) indicates the security control or enhancement does not apply to that overlay.

Table 1: Insider Threat Overlays Security Controls

Control ID  Control Name
AC-2  Account Management
AC-2(1)  Account Management | Automated System Account Management
AC-2(2)  Account Management | Removal of Temporary / Emergency Accounts
AC-2(3)  Account Management | Disable Inactive Accounts

Overlay column entries (IT System, Enterprise, Insider Threat System, Insider Threat Program; row alignment not preserved): BGVRBVBV

AC-2(4)  Account Management | Automated Audit Actions
AC-2(5)  Account Management | Inactivity Logout
AC-2(7)  Account Management | Role-Based Schemes
AC-2(9)  Account Management | Restrictions On Use of Shared Groups / Accounts
AC-2(10)  Account Management | Shared / Group Account Credential Termination
AC-2(11)  Account Management | Usage Conditions
AC-2(12)  Account Management | Account Monitoring / Atypical Use
AC-2(13)  Account Management | Disable Accounts for High-Risk Individuals
AC-3  Access Enforcement
AC-3(2)  Access Enforcement | Dual Authorization
AC-3(4)  Access Enforcement | Discretionary Access Control
AC-3(9)  Access Enforcement | Controlled Release
AC-3(10)  Access Enforcement | Audited Override of Access Control Mechanisms
AC-4  Information Flow Enforcement
AC-4(4)  Information Flow Enforcement | Content Check Encrypted Information
AC-4(15)  Information Flow Enforcement | Detection of Unsanctioned Information
AC-4(17)  Information Flow Enforcement | Domain Authentication
AC-4(18)  Information Flow Enforcement | Security Attribute Binding
AC-5  Separation of Duties

Overlay column entries (IT System, Enterprise, Insider Threat System, Insider Threat Program; row alignment not preserved): BGVBGVBGVBGVBGVBPVBEG GVRBPEG GVRBGVBGVPVPV GV GVBPV GVPVPVPVBGVR BPGVRBGV

AC-6  Least Privilege
AC-6(1)  Least Privilege | Authorize Access to Security Functions
AC-6(2)  Least Privilege | Non-Privileged Access for Nonsecurity Functions
AC-6(3)  Least Privilege | Network Access to Privileged Commands
AC-6(5)  Least Privilege | Privileged Accounts
AC-6(7)  Least Privilege | Review of User Privileges
AC-6(8)  Least Privilege | Privilege Levels for Code Execution
AC-6(9)  Least Privilege | Auditing Use of Privileged Functions
AC-6(10)  Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions
AC-7  Unsuccessful Logon Attempts
AC-8  System Use Notification
AC-9  Previous Logon (Access) Notification
AC-9(1)  Previous Logon (Access) Notification | Unsuccessful Logons
AC-10  Concurrent Session Control
AC-11  Session Lock
AC-11(1)  Session Lock | Pattern-Hiding Displays
AC-12  Session Termination
AC-12(1)  Session Termination | User-Initiated Logouts / Message Displays
AC-14  Permitted Actions Without Identification Or Authentication
AC-16  Security Attributes

Overlay column entries (IT System, Enterprise, Insider Threat System, Insider Threat Program; row alignment not preserved): GVRBGVBGVBGBPGBGBPGBGVBGVR GRBGVBGVR GR GR GR GVRBGVBGBGVRBPGVBGBPVBVBVBPV

AC-16(3)  Security Attributes | Maintenance of Attribute Associations by Information System
AC-16(6)  Security Attributes | Maintenance of Attribute Association by Organization
AC-17  Remote Access
AC-17(1)  Remote Access | Automated Monitoring / Control
AC-17(2)  Remote Access | Protection of Confidentiality / Integrity Using Encryption
AC-17(3)  Remote Access | Managed Access Control Points
AC-17(4)  Remote Access | Privileged Commands / Access
AC-17(6)  Remote Access | Protection of Information
AC-17(9)  Remote Access | Disconnect / Disable Access
AC-18(4)  Wireless Access | Restrict Configurations by Users
AC-20  Use of External Information Systems
AC-20(2)  Use of External Information Systems | Portable Storage Devices
AC-20(3)  Use of External Information Systems | Non-Organizationally Owned Systems / Components / Devices
AC-21  Information Sharing
AC-22  Publicly Accessible Content
AC-23  Data Mining Protection
AT-2  Security Awareness
AT-2(2)  Security Awareness | Insider Threat
AT-3  Security Training
AT-3(2)  Role-Based Security Training | Physical Security Controls

Overlay column entries (IT System, Enterprise, Insider Threat System, Insider Threat Program; row alignment not preserved): GVRBGVRBEGVRBPVBGRBGRBPVBGV

AT-3(4)  Role-Based Security Training | Suspicious Communications and Anomalous System Behavior
AT-4  Security Training Records
AU-1  Audit and Accountability Policy and Procedures
AU-2  Audit Events
AU-2(3)  Audit Events | Reviews and Updates
AU-3  Content of Audit Records
AU-3(1)  Content of Audit Records | Additional Audit Information
AU-3(2)  Content of Audit Records | Centralized Management of Planned Audit Record Content
AU-4  Audit Storage Capacity
AU-4(1)  Audit Storage Capacity | Transfer to Alternate Storage
AU-5  Response to Audit Processing Failures
AU-5(1)  Response to Audit Processing Failures | Audit Storage Capacity
AU-5(2)  Response to Audit Processing Failures | Real-Time Alerts
AU-6  Audit Review, Analysis, and Reporting
AU-6(1)  Audit Review, Analysis, and Reporting | Process Integration
AU-6(3)  Audit Review, Analysis, and Reporting | Correlate Audit Repositories
AU-6(4)  Audit Review, Analysis, and Reporting | Central Review and Analysis
AU-6(5)  Audit Review, Analysis, and Reporting | Integration / Scanning and Monitoring Capabilities

Overlay column entries (IT System, Enterprise, Insider Threat System, Insider Threat Program; row alignment not preserved): VRBPGVRBPGVRBGPBGVR GVR BPGRBGRBGR GVRBGVRBGVR

Control NameITSystemAudit Review, Analysis, andReporting Correlation withPhysical MonitoringAudit Review, Analysis, andReporting Full Text Analysisof Privileged CommandsAudit Review, Analysis, andReporting Correlation withInformation FromNontechnical SourcesAudit Review, Analysis, andBGReporting Audit LevelAdjustmentAudit Reduction and ReportGenerationAudit Reduction and ReportGeneration AutomaticProcessingAudit Reduction and ReportGeneration Automatic Sortand SearchTime StampsBGVTime Stamps Synchronization BGVRwith Authoritative TimeSourceProtection of AuditBGRInformationProtection of Audit GVRInformation Audit Backup onSeparate Physical Systems /ComponentsProtection of Audit GRInformation CryptographicProtectionProtection of AuditBEGVRInformation Access by Subsetof Privileged UsersProtection of Audit GVRInformation Read OnlyAccessNon-RepudiationGVRNon-Repudiation Associationof IdentitiesInsider Threat Overlays09/01/201811Enterprise GRInsiderThreatSystemBGRInsiderThreatProgramBGR GR GR GRBGBPGGRBPGRGVRBPGVR GVRPGVRBGVRBGVBGVRBGRBGRBPGBPGVR GRBPGRBEGVRBEGVRBEGVR GVR GVR GVRBPGVRPV

(1)CA-2(2)CA-3CA-3(2)CA-3(3)CA-3(5)CA-5CA-6Control NameNon-Repudiation Chain ofCustodyAudit Record RetentionAudit Record Retention Long-Term RetrievalCapabilityAudit GenerationAudit Generation SystemWide / Time-Correlated AuditTrailAudit Generation Changes byAuthorized IndividualsSession AuditSession Audit System StartUpSession Audit Capture/Record and LogContentSession Audit RemoteViewing / ListeningCross-Organizational AuditingCross-Organizational Auditing Identity PreservationCross-Organizational Auditing Sharing of Audit InformationSecurity AssessmentsSecurity Assessments Independent AssessorsSecurity Assessments Specialized AssessmentsSystem InterconnectionsSystem Interconnections Unclassified Non-NationalSecurity System ConnectionsSystem Interconnections Unclassified Non-NationalSecurity System ConnectionsSystem Interconnections Restrictions On ExternalSystem ConnectionsPlan of Action and MilestonesSecurity AuthorizationInsider Threat ystemBGVRBGVInsiderThreatProgram RBGBGRBGBGRBGRBGRBGRBGRBGBG GVR GVR GRBG GVR GR GVRPGVRBPVBGVGVRBPV VPVBPVBVBPV12

CA-7  Continuous Monitoring
CA-7(3)  Continuous Monitoring | Trend Analysis
CA-8  Penetration Testing
CA-9  Internal System Connections
CA-9(1)  Internal System Connections | Security Compliance Checks
CM-2  Baseline Configuration
CM-2(1)  Baseline Configuration | Reviews and Updates
CM-2(2)  Baseline Configuration | Automation Support for Accuracy / Currency
CM-2(3)  Baseline Configuration | Retention of Previous Configurations
CM-3  Configuration Change Control
CM-3(1)  Configuration Change Control | Automated Document / Notification / Prohibition of Changes
CM-3(2)  Configuration Change Control | Test / Validate / Document Changes
CM-3(4)  Configuration Change Control | Security Representative
CM-3(5)  Configuration Change Control | Automated Security Response
CM-3(6)  Configuration Change Control | Cryptography Management
CM-4  Security Impact Analysis
CM-4(1)  Security Impact Analysis | Separate Test Environments
CM-4(2)  Security Impact Analysis | Verification Of Security Functions
CM-5  Access Restrictions for Change
CM-5(1)  Access Restrictions for Change | Automated Access Enforcement / Auditing

Overlay column entries (IT System, Enterprise, Insider Threat System, Insider Threat Program; row alignment not preserved): BGVR GR BPVR BPGVR GR

ontrol NameAccess Restrictions forChange Review SystemChangesAccess Restrictions forChange Signed ComponentsAccess Restrictions forChange Limit Production /Operational PrivilegesAccess Restrictions forChange Limit LibraryPrivilegesConfiguration SettingsConfiguration Settings Automated CentralManagement / Application /VerificationConfiguration Settings Respond to UnauthorizedChangesLeast FunctionalityLeast Functionality PeriodicReviewLeast Functionality PreventProgram ExecutionLeast Functionality Registration ComplianceLeast Functionality Unauthorized Software /BlacklistingLeast Functionality Authorized Software /WhitelistingInformation SystemComponent InventoryInformation SystemComponent Inventory Updates During Installations /RemovalsInformation SystemComponent Inventory Automated MaintenanceInsider Threat GVBGVBGVBGV GV GV GVBGVRBGVRBGVRBVBPBGR14BGRBGRInsiderThreatProgram

CP-6(1)CP-6(3)CP-7CP-7(1)CP-7(3)CP-9Control NameInformation SystemComponent Inventory Automated UnauthorizedComponent DetectionInformation SystemComponent Inventory Accountability InformationConfiguration ManagementPlanSoftware Usage RestrictionsSoftware Usage Restrictions Open Source SoftwareUser-Installed SoftwareUser-Installed Software Alerts for UnauthorizedInstallationsUser-Installed Software Prohibit Installation withoutPrivileged StatusContingency PlanContingency Plan Coordinatewith Related PlansContingency Plan ResumeEssential Missions / BusinessFunctionsContingency Plan IdentifyCritical AssetsContingency TrainingContingency Plan TestingContingency Plan Testing Coordinate with Related PlansAlternate Storage SiteAlternate Storage Site Separation from Primary SiteAlternate Storage Site AccessibilityAlternate Processing SiteAlternate Processing Site Separation From Primary SiteAlternate Processing Site Priority of ServiceInformation System BackupInsider Threat ystemBGVBVBBBVBGV GVBGBGV Program

(1)IA-2(2)IA-2(3)IA-2(4)IA-2(5)IA-2(6)Control NameInformation System Backup Testing for Reliability /IntegrityInformation System Backup Transfer to Alternate StorageSiteInformation System Recoveryand ReconstitutionInformation System Recoveryand Reconstitution Transaction RecoveryInformation System Recoveryand Reconstitution Restorewithin Time PeriodIdentification andAuthentication (OrganizationalUsers)Identification andAuthentication (OrganizationalUsers) Network Access toPrivileged AccountsIdentification andAuthentication (OrganizationalUsers) Network Access toNon-Privileged AccountsIdentification andAuthentication (OrganizationalUsers) Local Access toPrivileged AccountsIdentification andAuthentication (OrganizationalUsers) Local Access to NonPrivileged AccountsIdentification andAuthentication (OrganizationalUsers) Group AuthenticationIdentification andAuthentication (OrganizationalUsers) Network Access toPrivileged Accounts - SeparateDeviceInsider Threat ystemBVBVBPBBVBEGRBPEGRBGRBGRBGRBGR GRBGRGRBGRBGBGPV16InsiderThreatProgram

-3(1)IA-4IA-4(4)IA-5IA-5(1)IA-5(2)IA-5(3)Control NameIdentification andAuthentication (OrganizationalUsers) Network Access toNon-Privileged Accounts Separate DeviceIdentification andAuthentication (OrganizationalUsers) Network Access toPrivileged Accounts – ReplayResistantIdentification andAuthentication (OrganizationalUsers) Network Access toNon-Privileged Accounts Replay ResistantIdentification andAuthentication (OrganizationalUsers) Remote Access Separate DeviceIdentification andAuthentication (OrganizationalUsers) Acceptance of PIVCredentialsDevice Identification andAuthenticationDevice Identification andAuthentication CryptographicBidirectional AuthenticationIdentifier ManagementIdentifier Management Identify User StatusAuthenticator ManagementAuthenticator Management Password-BasedAuthenticationAuthenticator Management PKI-Based AuthenticationAuthenticator Management In-Person or Trusted ThirdParty RegistrationInsider Threat GVBGVBPGVBGV BG BGBGBV17InsiderThreatProgram

R-3(2)IR-4Control NameAuthenticator Management Automated Support forPassword StrengthDeterminationAuthenticator Management No Embedded UnencryptedStatic AuthenticatorsAuthenticator Management Multiple Information SystemAccountsAuthenticator Management Hardware Token-BasedAuthenticationAuthenticator Management Expiration of CachedAuthenticatorsAuthenticator Management Managing Content of PKITrust StoresAuthenticator FeedbackCryptographic ModuleAuthenticationIdentification andAuthentication (NonOrganizational Users)Adaptive Identification andAuthenticationRe-authenticationIncident Response Policy andProceduresIncident Response TrainingIncident Response Training Simulated EventsIncident Response Training Automated TrainingEnvironmentsIncident Response TestingIncident Response Testing Coordination with RelatedPlansIncident HandlingInsider Threat VGBPGBPG

-8IR-9IR-9(3)IR-9(4)IR-10MA-1Control NameIncident Handling AutomatedIncident HandlingIncident Handling Continuityof OperationsIncident Handling Information CorrelationIncident Handling InsiderThreats - Specific CapabilitiesIncident Handling InsiderThreats - Intra-OrganizationCoordinationIncident Handling Correlationwith External OrganizationsIncident MonitoringIncident Monitoring Automated Tracking / DataCollection / AnalysisIncident ReportingIncident Reporting Automated ReportingIncident Reporting Vulnerabilities Related toIncidentsIncident Response AssistanceIncident Response Assistance Automation Support forAvailability of Information /SupportIncident Response Assistance Coordination with ExternalProvidersIncident Response PlanInformation Spillage ResponseInformation Spillage Response Post-Spill OperationsInformation Spillage Response Exposure to UnauthorizedPersonnelIntegrated InformationSecurity Analysis TeamSystem Maintenance Policyand ProceduresInsider Threat BGVRBGVRBGVBGVBGGBGBPGBGBGBPGVBGBGVGBGVBG GBGVBPGBGBGBGBGVBPGVBVBVBVGBPGBPV19

(2)MP6(3)MP6(8)MP-7MP7(1)MP-8Control NameControlled MaintenanceControlled Maintenance Automated MaintenanceActivitiesMaintenance ToolsMaintenance Tools InspectToolsMaintenance Tools InspectMediaMaintenance Tools PreventUnauthorized RemovalNonlocal Maintenance Auditing and ReviewNonlocal Maintenance Comparable Security /SanitizationMaintenance PersonnelTimely MaintenanceMedia Protection Policy andProceduresMedia AccessMedia MarkingMedia StorageMedia TransportMedia Transport Cryptographic ProtectionMedia SanitizationMedia Sanitization Review /Approve / Track / Document /VerifyMedia Sanitization Equipment TestingMedia Sanitization Nondestruc

