Earlier this year, the Canadian Government released a document to provide Canadian critical infrastructure organizations with information on how to mitigate insider risk. It defines insider risk as “anyone with knowledge or access to an organization’s infrastructure (both physical and computer networks) who maliciously, or by chance, misuses their trusted access to harm the organization’s employees, customers, assets, reputation or interests. As defined by Carnegie Mellon’s CERT Insider Threat Centre (CERT Insider Threat Center, 2016), an insider risk is a person that works from within an organization to subvert the confidentiality, integrity, and availability of the information contained within the walls of that entity.”
Because insider risk is relevant to technology professionals in every industry, not only critical infrastructure, the document is worth reading in full. If you can’t read it right away, here is a summary of its eight recommended security actions, grouped into three themes:
Theme 1: Establish a Holistic Approach to Security
Establish a Culture of Security
Establish Senior Management Engagement and Accountability
Identify a Senior Official Responsible for Managing Insider Risks
Build a Whole-of-Organization Commitment to Security and Emphasize Leadership at All Levels
Develop Clear Security Policies and Procedures
Define Clear Expectations and Outcomes (e.g. account access management, password control and integrity, access rights)
Identify Risk Levels of Positions in the Organization
Align Employee Access with Position Risk Levels
Reduce Risks from Partners and Third Party Providers
Understand Key Assets and Systems
Know Your Partners
Know Your Risks
Theme 2: Know and Empower Your People
Implement a Personnel Screening Life-Cycle
Conduct Pre-employment Screening
Implement Ongoing Employee Security Screening
Incorporate Departure and Internal Movement Procedures
Establish Transparent Security Policies
Provide Training, Raise Awareness, and Conduct Exercises
Provide Regular Training to Decrease the Risk of Unintended Security Infractions
Raise Awareness of Potential Warning Signs (e.g. alcohol abuse, changes in financial situation, absenteeism)
Foster a Culture of Vigilance and Empower Employees
Theme 3: Identify and Protect what is Critical
Identify Critical Assets and Protect Them
Identify and Rank Key Assets and Systems
Secure Key Assets and Systems
Leverage Signage and Visible Deterrents to Access
Apply the Principle of Least Privilege
Separate Duties
Monitor, Respond to, and Mitigate Unusual Behaviour
Track Remote Access and Monitor Device Endpoints
Establish Effective Incident Reporting, Tracking, and Response Measures
Raise Awareness of Best Practices Regarding the Use of Social Networking Sites
Protect Your Data
Establish and Test Business Continuity Plans and Procedures
Implement Procedures to Limit Information Exit Points
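Several of the actions above (align employee access with position risk levels, incorporate departure procedures, apply the principle of least privilege, separate duties) reduce to checks you can run against an access inventory. The following is an added example, not code from the Government of Canada document or this page’s author: a small access review that flags entitlements above a position’s risk level, one person holding two duties that should be separated, and departed staff whose accounts are still active. The entitlement names, risk-level mapping, separated-duty pairs and the accounts themselves are constructed for illustration.

```python
"""Access-review check for three insider-risk conditions (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Position risk levels, ordered so that a higher number permits more access.
RISK_LEVEL = {"low": 0, "medium": 1, "high": 2}

# Hypothetical mapping: the minimum position risk level that justifies each entitlement.
ENTITLEMENT_MIN_LEVEL = {
    "email": "low",
    "ticketing": "low",
    "scada-read": "medium",
    "scada-write": "high",
    "change-approve": "high",
    "payroll-submit": "medium",
    "payroll-approve": "high",
}

# Hypothetical pairs of duties that one person must never hold at the same time.
SEPARATED_DUTIES = [
    ("payroll-submit", "payroll-approve"),
    ("scada-write", "change-approve"),
]


@dataclass
class Account:
    user: str
    position_risk: str            # "low", "medium" or "high"
    entitlements: Set[str] = field(default_factory=set)
    departed_on: Optional[date] = None
    active: bool = True


Finding = Tuple[str, str, str]    # (user, finding type, detail)


def review(accounts: List[Account], today: date) -> List[Finding]:
    """Return a list of findings; an empty list means the inventory is clean."""
    findings: List[Finding] = []
    for acct in accounts:
        level = RISK_LEVEL[acct.position_risk]

        # Least privilege: every entitlement must be justified by the position's risk level.
        for ent in sorted(acct.entitlements):
            needed = ENTITLEMENT_MIN_LEVEL.get(ent)
            if needed is None:
                # An entitlement nobody has classified cannot be justified either.
                findings.append((acct.user, "unknown-entitlement", ent))
            elif RISK_LEVEL[needed] > level:
                findings.append((acct.user, "exceeds-position-risk", ent))

        # Separation of duties: flag any forbidden pair held by the same person.
        for first, second in SEPARATED_DUTIES:
            if first in acct.entitlements and second in acct.entitlements:
                findings.append((acct.user, "separation-of-duties", f"{first}+{second}"))

        # Departure procedures: a departed person must not keep an active account.
        if acct.departed_on is not None and acct.departed_on <= today and acct.active:
            findings.append((acct.user, "departed-still-active", acct.departed_on.isoformat()))
    return findings


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", "medium", {"email", "scada-read"}),
    Account("bob", "low", {"email", "legacy-vpn", "scada-write"}),
    Account("carol", "high", {"payroll-submit", "payroll-approve"}),
    Account("dave", "medium", {"email"}, departed_on=date(2024, 3, 1)),
]
REVIEW_DATE = date(2024, 3, 15)


def review_sample() -> List[Finding]:
    return review(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, kind, detail in review_sample():
        print(f"{user:8} {kind:24} {detail}")
```

Run against a real inventory, the same three loops apply unchanged; only the entitlement classification, the separated-duty pairs and the export from your identity provider are organization-specific.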