Page 383 - ITGC_Audit Guides

Initiation Phase

During this phase the organization identifies the need for an insider threat program, defines the scope for the program, and identifies the main stakeholders. Some of the questions that may help the organization to identify and prioritize the protection of its critical assets include:

- What critical assets do we have?
- Do we know the current state of each critical asset?
- Do we understand the importance of each critical asset and can we explain why it is critical to our organization?
- Can we prioritize our list of critical assets?
- Do we have the authority, money, and resources to effectively monitor our critical assets?

Planning Phase

The planning phase usually starts by obtaining senior management buy-in and identifying the assets that must be protected. Some of the steps the organization may take to complete this phase include:

- Identify systems and digital assets.
- Identify regulatory requirements.
- Conduct a risk assessment.
- Develop a formal implementation project plan.
- Create (if needed) governance structure and policies.
- Develop communication, training, and reporting plans.

Operations Phase

During this phase the organization analyzes needs and gaps and prioritizes activities to address them. Some of the typical activities that take place during this phase include:

- Cost/benefit analysis.
- Develop insider threat profiles.
- Identify/implement the necessary controls to address insider threats (examples of common IT security controls are shown in Figure 6).
- Develop key performance indicators.
- Formalize IT security incident management procedures.

www.theiia.org | Auditing Insider Threat Programs | 15