A Crawl, Walk, Run Strategy to Developing an Insider Threats Playbook
Insider Threat Policies and Procedures, a Development Strategy
In my last post, I broke down some basic Insider Threat perceptions, which most often focus on the Malicious Insider when, statistically, the vast majority of Insider Threats result from the unintended consequences of an authorized user's actions. Before you can begin building an effective security program, you need to understand where the organization currently stands; its baseline, if you will. What is the basic level of understanding of the leadership team and, most importantly, of the employees and trusted users?
Policies and Procedures mean different things to different people. For clarity in this discussion:
A Policy is defined as an approved, written statement that delineates the position and values of the organization on a specific topic, defining rules and process.
A Procedure is defined as a series of instructions that delineates the recommended process for completing a series of approved actions, or tasks.
Determine and Establish an Approval Process
Before you can begin building policies and procedures for your insider threat program, you need to establish an approval process so that each policy, procedure, and any change to them has a predictable time to deliverable. A likely approval process might be as simple as sign-off by the C-Suite or the Board of Directors. The specifics of the approval process, and everyone involved in it, should be made available to those authoring the policies. Involve as many people as you can in developing the policies and procedures for each specific discipline, engaging the management and key players of that discipline.
Baseline Education and Initial Policy Development
You need to begin baseline training and policy development targeting the lowest common denominator. Interestingly enough, these days many of your entry-level employees will understand the basic terminology and expectations of disciplined policies and procedures; but expect some apprehension and even concern, as they are used to openness with little oversight of their day-to-day activities.
"Canned" Security and Awareness Training tends to fail miserably, so it is extremely important to research the target audience and gauge their level of understanding ahead of time.
Building Insider Threat Discipline with Policies
Policies and procedures will vary by organization, but core to the implementation is full disclosure to your staff and partners, so they understand why policies and procedures are suddenly being introduced. Remember, in many cases you may be part of a startup where the rules of engagement have been very different for a long time. In most instances, it's "Fly-By-the-Seat-of-Your-Pants" until the vision of the company begins to gel and cash begins to flow. Suddenly, it's time to settle into a disciplined operations tempo and protect the company, its investors, and its clients.
Next time, I'll start diving into Continuity of Operations, or COOP Planning, and get you to start thinking about your self-assessments. What do you mean you're not doing "self-assessments"? Don't sweat it just yet... neither are your competitors... Crawl, Walk, Run... it's a process.