What should an insider risk policy cover?

Feb 27, 2017

To protect from liability concerns, enterprises need something in writing so that everyone knows what to do upon finding an insider threat.


Just before the holidays, a company was faced with cutting the pay of their contracted janitors. That didn’t sit well with those employees.

Threat actors saw an opportunity and pounced, convincing the possibly vengeful employees to turn on their employer. According to Verizon’s recent breach report, the threat actors gave any agreeable janitor a USB drive to quietly stick into any networked computer at the company. It was later found, but the damage was done.

What were the responsibilities of any employees who witnessed this act? A thorough insider risk policy would have spelled it out. Here, security experts provide their insights on what makes for a successful insider risk policy.

“With the policies, team and playbook, you will minimize the impact of insider risk. And, although it is important to have a plan to reduce impact of insider threats, you must think prevention first. Have a strong risk management program and continuously monitor your risks to ensure you can prevent insider attacks. The worst time to assess risks and find the right technologies is when dealing with an incident, so create a strong security program that has preventative measures baked in from the start,” said Rinki Sethi, senior director of information security at Palo Alto Networks.

However, if you’re faced with a situation where something has already happened, and you need to investigate the suspicious behavior, use your policies and playbooks and be sure to make detailed notes including date and time stamps of the findings, Sethi said. “This information will be useful to paint a complete picture of the events and will allow you to continuously improve your risk posture and insider risk program.”

Jo-Ann Smith, director of Technology Risk Management and Risk Privacy at Absolute, said insider threat policies will vary depending on the organization’s maturity level, but they should always be consistent with the company’s broader risk management strategy. The insider risk policy should be wide-reaching, embedding its risk management standards and procedures into other departments’ processes and/or policies. This will provide an overarching, interdepartmental policy that defines accountabilities and methods for the entire organization and its employees at all levels. In a more operational manner, it should explain the purpose, role and benefits of embedding risk management standards and procedures into other organizational processes or policies.


Most importantly, an insider risk policy should be clear about who has access to networks and resources. For example, how does a contractor get access to informational resources? It should also establish controls over how access to information is reviewed, by whom, and how often, said Geoff Webb, vice president of strategy at Micro Focus. “This step is often missed by organizations, resulting in growing privilege-creep that allows long-time employees to garner far more access to data than they really need. Regular and active review of entitlements and access will help reduce the risk of overly-broad access while actually helping the business meet its compliance and governance requirements.”

Webb adds that insider risk policies should be clear on who owns the risks for insiders: “It’s far too easy for line of business managers to assume that the risk is owned by the IT department, or the security team. Managing the risk from insiders is everyone’s job, and it needs to be clearly spelled out as such.”

Steven Grossman, vice president of strategy and enablement at Bay Dynamics, said the policy should define the rules of the road, what employees and contractors should and should not be doing. It should also define ramifications if people violate policies, and include an exception process for those users who operate outside the parameters of the policy. Policies alone don’t accomplish anything unless there is a means for monitoring compliance, they are continuously updated and improved, and business processes are adjusted to align and enable employees to comply.

Adjudication rules should be clearly spelled out, said Steve Mancini, senior director of information security at Cylance. This should include how matters of emerging concern will be escalated. The policy should include obligations for employees to report suspicious activity, and for managers to monitor employee morale and address issues fairly and proactively. The policy should clearly delegate roles and responsibilities to deliver fair, objective, respectful investigation processes that are compliant with local laws and regulations. The policy should call for periodic review of risks and controls. It should designate a chain of command for the insider risk program – ownership, accountability, governance and oversight.

Javvad Malik, security advocate at AlienVault, laid out the purpose of the policy succinctly as:

  • Scope – Such as malicious insiders with bad intent, insiders who make an error, insiders that knowingly circumvent policy but for the benefit of employer, compromised credentials
  • Outcome – Is this meant to deter, detect, prosecute?
  • Responsibilities – This includes the people listed above, as well as employees

The policy should have standards and procedures that support each core program element, said Kennet Westby, president and co-founder at Coalfire Systems. The policy structure can be complex and needs to align with other IT security and personnel policies. It is also important to build a communication plan for the company/employees that includes strategy, objectives and life cycle.

Here is a template to help your organization get started in creating an insider risk policy.

Managing insider risk should be part of a holistic security program – both cyber and physical security perspectives coupled with information governance. It should also include acceptable use of company equipment, data classification and liability for loss, termination checklist, non-disclosure of confidential data, specifics on access and physical controls.

Kris Lovejoy, CEO of BluVector, said insider risk policies must recognize and instantiate the reality that not all insiders are equal. Certain groups – like developers or those who process personally identifiable information (PII) and/or regulated data – pose a higher risk to the organization. Therefore, acceptable use policies that cover topics like IT use, network use and social media use should be tailored accordingly. Likewise, technical controls implemented to assure adherence to the policies should also be tailored. 

Exabeam CEO and co-founder Nir Polak said the policy should minimize unnecessary access, should monitor for unusual behavior and should apply to everyone in the organization. “Too often, firms simply roll out a ‘privileged account management’ tool to control what their IT admins do, and then ignore the broad risks associated with non-privileged employees: the call center reps accessing customer records, contractors accessing finance records, partners accessing design docs, etc.”

A risk policy should incorporate insurance in case of breaches, with strong communication policies to implement after the breach occurs, said Hamesh Chawla, vice president of engineering at Zephyr. Consequences, and the method for communicating those consequences, must be included in this policy to help the insider risk team quickly address individuals who are found responsible for insider abuse.

Having an established change control process can also help identify any user of elevated privileges doing so outside of normal procedure, said Eric Stevens, director of consulting services for Forcepoint. Wherever possible, baselines of user network, application and data access behavior both on network and remote should be established to assist in detecting anomalous behaviors such as logins from countries other than where the user is based, which could indicate a compromised account.
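As an added example (not code from the article or from any of the quoted vendors), the two baseline checks Stevens describes, run over a constructed audit log: a login from a country other than the user's recorded base, and a privileged command run outside an approved change window. The user base countries, change records and log lines are all made-up sample data.

```python
"""Baseline-deviation checks: flag logins from a country other than the user's base and
privileged actions performed outside an approved change-control window.
All data below is constructed for illustration, not taken from any real system."""
from datetime import datetime

# Constructed baseline: each user's normal (home) country, as the policy would record it.
USER_BASE_COUNTRY = {"alice": "US", "bob": "DE", "svc-backup": "US"}

# Constructed change-control records: (user, window start, window end) for approved privileged work.
APPROVED_CHANGES = [
    ("alice", datetime(2017, 2, 27, 9, 0), datetime(2017, 2, 27, 11, 0)),
]

# Constructed audit log in a simple "time|user|event|key=value,..." format.
SAMPLE_LOG = """\
2017-02-27T09:15:00|alice|login|country=US
2017-02-27T09:30:00|alice|sudo|cmd=/usr/sbin/useradd
2017-02-27T13:05:00|alice|sudo|cmd=/bin/tar
2017-02-27T22:40:00|bob|login|country=BR
2017-02-27T23:00:00|carol|login|country=FR
"""


def parse_line(line):
    """Split one log line into a record with a parsed timestamp and a detail dict."""
    ts, user, event, detail = line.split("|", 3)
    return {"time": datetime.fromisoformat(ts), "user": user, "event": event,
            "detail": dict(kv.split("=", 1) for kv in detail.split(","))}


def in_approved_window(user, when):
    """True if the user has an approved change window covering this moment."""
    return any(u == user and start <= when <= end for u, start, end in APPROVED_CHANGES)


def find_anomalies(log_text):
    """Return (user, reason) tuples for events that deviate from the recorded baseline."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        user, when = rec["user"], rec["time"]
        if rec["event"] == "login":
            base = USER_BASE_COUNTRY.get(user)
            country = rec["detail"].get("country")
            if base is None:  # no baseline at all is itself worth a review
                findings.append((user, "login by user with no recorded baseline"))
            elif country != base:
                findings.append((user, f"login from {country}, baseline is {base}"))
        elif rec["event"] == "sudo" and not in_approved_window(user, when):
            cmd = rec["detail"].get("cmd")
            findings.append((user, f"privileged command outside approved change window: {cmd}"))
    return findings
```

Each finding is a prompt for the adjudication process the policy defines, not a verdict; a missing baseline (carol above) is flagged so the access records themselves get reviewed.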

And, lastly, Matias Brutti, a hacker at Okta, said the policy should include data categorization so the enterprise understands which teams can access which data. It should also include monitoring capabilities and the ability to regulate employee data access. Another aspect to consider is how many people work on teams together. In the enterprise, it’s easier for an individual to accidentally create a threat at work when that person is working on his/her own. But when specific high-risk tasks are performed by more than one person, there are other individuals to check the work and prevent a threat from happening. “It’s a matter of simple checks and balances.”
