Chapter 6 Best Practices for the Prevention and Detection of Insider Threats
This chapter describes 16 practices, based on existing industry-accepted best practices, providing you with defensive measures that could prevent or facilitate early detection of many of the insider incidents other organizations experienced in the hundreds of cases in the CERT insider threat database.[1]

[1] This chapter includes portions from “Common Sense Guide to Prevention and Detection of Insider Threats 3rd Edition–Version 3.1,” by Dawn Cappelli, Andrew Moore, Randall Trzeciak, and Timothy J. Shimeall.

This chapter was written for a diverse audience. Decision makers across your organization will benefit from reading it. Insider threats are influenced by a combination of technical, behavioral, and organizational issues, and must be addressed by policies, procedures, and technologies. Therefore, it is important that personnel from your management, human resources, information technology, software engineering, legal, and security teams, along with your data owners, understand the overall scope of the problem and communicate it to all employees in your organization.

We briefly describe each practice, explain what you should do, and provide a few actual case examples illustrating what could happen if the practice is not implemented. Finally, we describe how the practice could have prevented an attack or facilitated early detection.

While you read, please remember everything else you have read so far in this book regarding contractors and trusted business partners. Although we usually use the term employee in this chapter, much of this chapter also applies to contractors and trusted business partners. Please keep this in mind, and do not overlook those insiders!

Summary of Practices

Each of the 16 practices is summarized here and then expanded on in the following sections.

• Practice 1: Consider threats from insiders and business partners in enterprise-wide risk assessments. It is difficult for you to balance trusting your employees, providing them access