Okay. In Module 4, we reviewed various ways to stop insider threats, or at least reduce the risk. In Module 5, we will review the concept of creating a policy and process to deal with the insider threat problem.
Okay, let's talk about policy and process. So the foundation of a security program is a policy. It is the structure, a repeatable structure that you define for your information security program. So the policy defines a process for implementing and operating a security infrastructure.
Further details for implementing a policy are outlined in a standard operating procedure, an SOP. So the SOP is more of a detailed checklist of how you do something, for instance, how you set up a rule set for a firewall. But the policy will tell you that you must have a firewall. So there's the overarching policy that says you have to have a firewall, and the SOP tells you how to specifically configure that firewall. That's the difference between the two. But you put them all together, and you have this overarching program that governs and defines your information security process.
So best-practice processes, such as the NIST Risk Management Framework, provide exhaustive details for implementing these kinds of policies. So we have a little diagram here, on the next page. This is the NIST Risk Management Framework. It is an example of one of these predefined processes that were created for general use. This one was created and is used mostly by the government and the military and so on, but a lot of commercial companies are supposedly picking up the RMF, the Risk Management Framework, as a general guide.
Let me explain what the Risk Management Framework is. So you have six steps here, okay? And this is how you structure your security process. The starting point is that you want to bring a system onto the network, and you must make sure that that system is secure before you can bring it onto the network, so you don't introduce more risk into your security, your network.
So the first step is to categorize the system. This is where you determine how important the system and the data on it are. If it's super, super important and the company will fold or die if this system goes down, then it needs to have a lot more security controls. If the system is not very important and you could wait six months before you fix it if it goes down, then it needs to have the minimal security controls. Okay, but it still needs controls.

So when I'm talking about these controls, I'm talking about configurations, rule sets, things that implement security measures within the environment. So a control could be how you do your firewall configuration. It could be that you need to do scanning. It could be that you need to do patching. It could be that you need to have a backup and recovery plan. It's not just specific technical controls; there are also administrative controls and so on. The categorization of the system defines how much work and how many resources need to be devoted to the system to make sure that it is secure.
So step two. Now that you've categorized the system, you go to step two. This is where you select the security controls. So based on how important the system is, that tells you the type of controls, or the group of controls, that need to be applied to the system to make sure it's secure, commensurate with its importance.
Okay, then we go to step three. Step three is where we implement. This is where the fun starts to happen. This is where we implement the controls. So someone, some third party or some other person, has said we need to implement these 400 different controls. And so we go and we do all that work. We do all the patching, we do the configuration, we do the file-level security, the folder-level security. We delete unnecessary software. We put application whitelisting software on there. We put all these different things in place to make sure that the system is secure, on and on and on.
Then once we've done that, we say, okay, we're done. You guys check it out and see if we're good. That's where we go to step four, and this is where you assess the security controls. Okay, this is typically a different group, so that there is a check and balance there, so you don't just pencil-whip it and say you're done. But this would be a different group, obviously, only if your company has the resources and the number of people to do this. So this other group, at step four, will go look at everything you did, and they'll ask you to show them what you did, and they'll ask for evidence and all these different things. And when they're done, they may say, yes, we agree you have met all of these requirements, or they may say, you will have met all the requirements once you do A, B, C and D; there are a few last things to finish up, and then you're good. So whatever they do, that's where they make that judgment.
This all goes together into a package called a security assessment report, or SAR. Then it gets passed over to the evaluators, which is typically a group that is part of the CISO's office and under the guidance of the CISO. This is where they take a look at the package, look at all the work that was done, listen to all the testimony about what was done, and then they say, yes, boom, you are allowed to be on the network, or no, you're not allowed to be on the network until you fix these three things. So whatever it is, that's that next step.
And then finally, once the system has made it to the network, once it's been approved to be on the network, this is where it's plugged in, it's spun up, and it's now computing, communicating and doing its job. And this is where we start the continuous monitoring process. And that is a process of exactly that: continuously monitoring the security status of the system so it doesn't fall back into a state of disrepair because of lazy system administrators, like we talked about before. So this is where a check and balance is applied, and an independent group does the security scanning on a monthly or weekly or whatever basis. This is where they look at the logs and they look for vulnerabilities, and they ensure that the patching is done and that things are done that need to be done. And this is a continual cycle through the life cycle of the system. And those are the six steps of the Risk Management Framework.
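The way the categorization from step one feeds the continuous monitoring in step six can be made concrete with a small script. This is an added illustration, not material from the course or from NIST: it assumes a constructed inventory of systems, each carrying the impact category assigned at step one and the date its last patch cycle finished, and it assumes a maximum patch interval per category (the day counts are made-up values for the example). It flags systems whose patching is overdue for their category, systems that were never categorized, and systems where the person who did the work is also the person who signed off on it, which is exactly the check and balance the lecture says step four and step six are meant to provide.

```python
"""Patch-currency check for continuous monitoring (RMF step 6).

Added example, not part of the course material. Inventory, dates and
per-category patch deadlines below are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed maximum days allowed between patch cycles, keyed by the impact
# category assigned at RMF step 1. Values are invented for this example.
PATCH_SLA_DAYS = {"high": 14, "moderate": 30, "low": 180}


@dataclass(frozen=True)
class System:
    name: str
    category: str        # "high", "moderate", "low", or anything else = uncategorized
    last_patched: date   # date the last patch cycle was completed
    implementer: str     # who did the patching (step 3)
    assessor: str        # who verified it was done (step 4 / step 6)


def days_overdue(system, today):
    """Days past the category's patch deadline; 0 when still within the SLA."""
    deadline = system.last_patched + timedelta(days=PATCH_SLA_DAYS[system.category])
    return max(0, (today - deadline).days)


def check_inventory(inventory, today):
    """Run the monitoring checks and return a list of (system name, finding)."""
    findings = []
    for s in inventory:
        if s.category not in PATCH_SLA_DAYS:
            # No step-1 categorization means no basis for selecting controls.
            findings.append((s.name, "uncategorized system: categorize before authorizing"))
            continue
        if s.assessor == s.implementer:
            # The lecture's check and balance: the assessor must be someone else.
            findings.append((s.name, "assessor and implementer are the same person: no check and balance"))
        overdue = days_overdue(s, today)
        if overdue > 0:
            findings.append((s.name, f"patching overdue by {overdue} days "
                                     f"({s.category} SLA {PATCH_SLA_DAYS[s.category]} days)"))
    return findings


# Constructed sample inventory and review date.
TODAY = date(2024, 3, 1)
SAMPLE_INVENTORY = [
    System("payroll-db", "high", date(2024, 2, 1), "sysadmin-a", "audit-team"),
    System("intranet-wiki", "low", date(2023, 10, 1), "sysadmin-a", "audit-team"),
    System("build-server", "moderate", date(2024, 1, 20), "sysadmin-b", "sysadmin-b"),
    System("lab-box", "unknown", date(2024, 2, 20), "sysadmin-c", "audit-team"),
]

if __name__ == "__main__":
    for name, finding in check_inventory(SAMPLE_INVENTORY, TODAY):
        print(f"{name}: {finding}")
```

Running it reports the high-impact payroll database as overdue after only two weeks, the build server as both overdue and self-assessed, and the lab box as never categorized, while the low-impact wiki is still inside its six-month window, which is the "you could wait six months" case from step one.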
Okay, so now here we are at employee background investigations. This is an important one. The goal of an employee background investigation is to attempt, and attempt is a key word, to establish trust. It assists in narrowing down the field of candidates to those who are the lowest risk. That is the goal. You want to try to get the most trustworthy people, based on all the evidence you can find, to work for you. Okay. If you do that, you'll probably decrease the risk that someone's going to try to execute an insider threat attack.
So background investigations include things like a criminal check; this is kind of like an electronic check to see if you're in any of the databases out there. Credit history, also an electronic check. Drug screening; that's actually a medical appointment type thing, where you go give a sample, et cetera. And then work and education verification. You know, if you say you went to Harvard and got a computer science degree, you should be able to prove that. And that's where you verify: did you actually go to Harvard and get a computer science degree?

Polygraph. Now, a polygraph is probably only going to be reserved for more critical, sensitive positions that have exposure to really sensitive company secrets, classified information in the government or the military, et cetera. And that's where you sit down and they put these leads all over your body and you sit in a chair and you can't move, you can't flex any muscles, and you have to answer a battery of questions, and it helps them establish how trustworthy you are, okay? And next we have field investigations. This is, again, one of the more extreme scenarios, where you want to verify everything that they've told you about their background and their life, everywhere they've been, what they've done. You actually send people out into the field to ask questions to verify facts, to verify that they lived in that apartment in New York or that they grew up in Indiana, whatever. So that is the purpose of the field investigation. Okay.

The goal of the employee background investigation is to establish trust so that you can hire the most trustworthy people that you could possibly find and lower the risk that one of your employees is going to execute an insider threat attack.
Okay, so now let's talk about employee awareness training. So an insider threat training program ensures that the employee population is aware of the threat, the indicators of such a threat, and the potential legal ramifications if you take part in something like an insider threat activity. Okay. So the training that you deliver in this type of course includes some of the following things.

Define the threat: you want to define the threat and explain what it is. Potential indicators: you want to define what might lead you to believe that someone is doing some of these insider threat activities. Recruitment: you want to make people aware that someone may try to recruit them to do these things; they may try to entice them into doing these things with money, et cetera. Targeted data assets: you want to explain what kind of things bad guys might be trying to go after within the company's environment. Collection of targeted data: you want to understand what it means, or what the indicators are, when someone is starting to collect the pieces slowly so they can steal the data. What is reportable: now, you don't want to train your employees to harass everybody so that everybody wants to quit. You want them to only report something when it really is valid. And so you want to define what exactly is reportable.

Okay, so user monitoring awareness, that is the concept of letting everybody know that they're being watched on their work computer and on their phone. They could be listened to on the phone; their computer, what they're typing on there, could be monitored, just for security purposes, for the company or the organization or the military organization. You want to make sure that they're aware of that, so you get them to understand that they're being monitored. Along with that goes a consent to monitoring, which is a legal document they sign that says they understand that they are being monitored, so that they can't sue. Then you also want to do a nondisclosure agreement, which also tries to legally bind them from disclosing company secrets or organization secrets. And you want to make it clear what the penalties are if you do break these rules: if you break the consent, if you break the nondisclosure agreement, if you release information, if you leak information, if you steal information, what are the company and legal penalties that you could be faced with if you do these things?

So again, employee awareness training is there to make sure that your employee base understands the concept, understands the motivations, understands the problems, and understands the penalties that could be faced.
Okay, so now let's check. The foundation of a security infrastructure is... The details for implementing a policy are outlined in... Answer: standard operating procedures. The goal of a blank blank blank is to attempt to establish... Answer: employee background investigation.
Okay, so here we are at the end of Module 5. This module reviewed the foundation of an insider threat program, known as a policy, and the process for employing such a program. A policy is simply an organized approach to dealing with the problem of insider threats. A process reveals the details about how to implement your policy in the real world. Things like standard operating procedures explain how to do the detailed, step-by-step things to actually implement what you've outlined in your overarching policy.