
Appendix D. CERT Best Practices to Mitigate Insider Threats


The following table appears in the “Common Sense Guide to Mitigating Insider Threats, Fifth Edition,” authored by the CERT® Insider Threat Center of Carnegie Mellon University’s Software Engineering Institute. The 20 best practices are intended as a reference for organizations that need to create or update an insider threat program, and they should be customized to suit the organization’s needs, culture, and risk appetite. The order in which CERT has arranged the practices is intended to make implementing an insider threat program easier.

These 20 best practices are high-level statements or control objectives, and each best practice is broken down into more specific control activities in the guide.

Order   Best Practice
    1   Know and protect your critical assets.
    2   Develop a formalized insider threat program.
    3   Clearly document and consistently enforce policies and controls.
    4   Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
    5   Anticipate and manage negative issues in the work environment.
    6   Consider threats from insiders and business partners in enterprise-wide risk assessments.
    7   Be especially vigilant regarding social media.
    8   Structure management and tasks to minimize unintentional insider stress and mistakes.
    9   Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees.
   10   Implement strict password and account management policies and practices.
   11   Institute stringent access controls and monitoring policies on privileged users.
   12   Deploy solutions for monitoring employee actions and correlating information from multiple data sources.
   13   Monitor and control remote access from all end points, including mobile devices.
   14   Establish a baseline of normal behavior for both networks and employees.
   15   Enforce separation of duties and least privilege.
   16   Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
   17   Institutionalize system change controls.
   18   Implement security backup and recovery processes.
   19   Close the doors to unauthorized data exfiltration.
   20   Develop a comprehensive employee termination procedure.

Source: CERT, “Common Sense Guide to Mitigating Insider Threats, Fifth Edition,” 2016, Table 1, pg. xii.



                         www.theiia.org                                      Auditing Insider Threat Programs   42