
For organizations that already have insider threat programs, internal auditors may use this guidance to design assurance engagements to assess the effectiveness of the program.

The guide also describes approaches to consulting engagements, which internal auditors may use to help management identify and assess risks that should be considered when designing and implementing a new insider threat program, or to benchmark the maturity of an existing program and help improve it. Finally, the GTAG provides tips for communicating to the board about the significance of the risks and the need for responses to identify, prevent, detect, respond to, and recover from IT security incidents related to insider threats.

Business Impact

The damage that an insider threat can cause could be quantified in millions. In recent years it was reported that three employees of a superconductors manufacturing organization stole trade secrets and sold them to a competitor over a six-year period. The estimated cost of the trade secrets was $800 million; however, the loss of shareholder equity was closer to $1 billion.2



Insider Threat Overview

The term threat is sometimes used to refer to the threat actor or to an attack. For this reason it is important to define some key terminology that will be used throughout this guide:

Impact is the positive or negative result or effect of a risk.

Threat is any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, or other organizations.

Threat actor is the entity responsible for the action (or inaction) that adversely impacts the organization.

Threat source is either the intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally exploit a vulnerability.

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.





2 Christopher Burgess, "Sinovel Wind Group found guilty of IP theft, fined $1.5 million," CSO magazine, July 9, 2018, https://www.csoonline.com/article/3256305/loss-prevention/sinovel-wind-group-found-guilty-of-ip-theft-valued-at-800-million.html.


www.theiia.org    Auditing Insider Threat Programs    4