Summary: Enhancing Canada's Critical Infrastructure Resilience to Insider Risk

Earlier this year, the Canadian Government released a document to provide Canadian critical infrastructure organizations with information on how to mitigate insider risk. It defines insider risk as “anyone with knowledge or access to an organization’s infrastructure (both physical and computer networks) who maliciously, or by chance, misuses their trusted access to harm the organization’s employees, customers, assets, reputation or interests. As defined by Carnegie Mellon’s CERT Insider Threat Centre (CERT Inside Threat Center, 2016), an insider risk is a person that works from within an organization to subvert the confidentiality, integrity, and availability of the information contained within the walls of that entity.”

Because security risks are relevant to technology professionals in every industry, the document is worth reading and understanding in full. If you can’t get to it immediately, here is a summary of its eight recommended security actions, grouped into three themes:

Theme 1: Establish a Holistic Approach to Security

  1. Establish a Culture of Security

    1. Establish Senior Management Engagement and Accountability

    2. Identify a Senior Official Responsible for Managing Insider Risks

    3. Build a Whole-of-Organization Commitment to Security and Emphasize Leadership at All Levels

  2. Develop Clear Security Policies and Procedures

    1. Define Clear Expectations and Outcomes (e.g. account access management, password control and integrity, access rights, etc.)

    2. Identify Risk Levels of Positions in the Organization

    3. Align Employee Access with Position Risk Levels

  3. Reduce Risks from Partners and Third Party Providers

    1. Understand Key Assets and Systems

    2. Know Your Partners

    3. Know Your Risks

Theme 2: Know and Empower Your People

  1. Implement a Personnel Screening Life-Cycle

    1. Conduct Pre-employment Screening

    2. Implement Ongoing Employee Security Screening

    3. Incorporate Departure and Internal Movement Procedures

    4. Establish Transparent Security Policies

  2. Provide Training, Raise Awareness, and Conduct Exercises

    1. Provide Regular Training to Decrease the Risk of Unintended Security Infractions

    2. Raise Awareness of Potential Warning Signs (e.g. alcohol abuse, changes in financial situation, absenteeism, etc.)

    3. Foster a Culture of Vigilance and Empower Employees

Theme 3: Identify and Protect What Is Critical

  1. Identify Critical Assets and Protect Them

    1. Identify and Rank Key Assets and Systems

    2. Secure Key Assets and Systems

    3. Leverage Signage and Visible Deterrents to Access

    4. Apply the Principle of Least Privilege

    5. Separate Duties

  2. Monitor, Respond to, and Mitigate Unusual Behaviour

    1. Track Remote Access and Monitor Device Endpoints

    2. Establish Effective Incident Reporting, Tracking, and Response Measures

    3. Raise Awareness of Best Practices Regarding the Use of Social Networking Sites

  3. Protect Your Data

    1. Establish and Test Business Continuity Plans and Procedures

    2. Implement Procedures to Limit Information Exit Points