Q

What are the proper procedures for handling a potential insider threat?

In this SearchSecurity.com Q&A, Mike Rothman discusses how corporations can avoid insider threats by forming an incident response plan and monitoring employee behavior.

MIS/employee support staffs have access to sensitive enterprise and personal information. As a security team, what measures should we recommend if we suspect that they aren't following proper security procedures?
The issue of handling insider bad behavior should fall under an organization's incident response plan. If sensitive and/or personal data might have been compromised, it's a possible incident. As with any incident, the rules of engagement should be defined before there is an issue. That means a documented plan that has been agreed upon by all of the applicable influencers, including legal and human resources groups.

The first thing to do is investigate the issue. Locking down devices and/or denying data access to suspected staff members is one way to go, but that would be a sure tip-off. In most cases, monitoring employee activity and building a case is the most productive plan of action. Keep in mind, this should not be done alone: legal and HR groups need to be involved to make sure any remediation, sanction or other activity is handled legally and within corporate policies.

Once enough information is gathered to prove foul play, then it will be up to the powers that be to handle the situation. Depending on the nature of the transgression, law enforcement may be brought in. In all cases, the documentation and other information that was used to build the case will need to be provided.

Prosecuting an incident is one of the worst parts of being in the security business. But it's critical and unfortunately it's usually best to make a public example of the transgression. You may or may not believe in the power of a "public execution" as a deterrent to future bad behavior – but I do. I've seen it work.

For more information:

  • In this Ask the Expert Q&A, Shon Harris provides resources you can use to devise an effective incident response plan.
  • Learn how creating a security awareness program can help thwart the insider threat.

This was first published in September 2007.