
Figure 6: Common IT Security Controls

Administrative
• Policies and procedures.
• Personnel policies.
• Password policies.
• Service level agreements (SLAs).
• Security-related awareness and training.
• Change management.
• Configuration management.
• Patch management.
• Archival, backup, and recovery procedures.

Physical
• Fire suppression.
• Heating, ventilation, and air conditioning (HVAC).
• Electromagnetic shielding (EMI).
• Environmental monitoring.
• Video monitoring.
• Fences, gates, and walls.
• Lighting.
• Access cards.
• Guards.
• Locks, turnstiles, and mantraps.

Technical
• Cryptography.
• Virtual private networks (VPNs).
• Demilitarized zone (DMZ).
• Firewalls.
• Access control lists.
• Proxy servers.
• Address translation.
• Intrusion detection/prevention (IDS/IPS).
• Honeypots.
• Network segmentation.

Source: CERT, Model-Driven Insider Threat Control Selection and Deployment.

Reporting Phase

Monitoring and reporting are very important to ensure the organization is addressing risks related to insider threats as the internal and external environments change. The organization can repeat the steps in the implementation plan as many times as needed as part of a continuous improvement approach.

Engagement Planning Information

Activities internal auditors may perform to gain an understanding of the organization's insider threat program include but are not limited to:

Reviewing Documentation
• Review current business plans and risk assessment results.
• Review prior assessments (internal and external).
• Review organizational charts to identify relevant stakeholders.
• Review any policies or procedures related to user management, access management, remote administration and access (e.g., vendor), and system configuration manuals.
• Review asset and data inventories to identify the organization's critical systems and data.

Legal Considerations

Employee monitoring controls are critical to managing insider threats, but they can expose the organization to legal risk related to state, federal, and cross-border laws protecting personal privacy. One example is the European Union's (EU) General Data Protection Regulation (GDPR), intended to protect the privacy of all individuals living in the EU.

To manage this type of legal risk, it is important to coordinate activities with legal and HR to make sure that individual rights are taken into account when considering monitoring practices.



                         www.theiia.org                                      Auditing Insider Threat Programs   16