Ensure accesses are systematically rescinded when personnel leave the organization or their role changes. Obtain a list of current personnel from human resources and compare it to active accounts (e.g. network accounts, remote access and local accounts on servers). Stand-alone applications must be checked as well (e.g. voicemail and company directories).
Review physical security access logs. Pay particular attention to employee visits after-hours and on the weekends. If suspicious activity is detected, cross reference video surveillance feed and system audit trials.
Conduct the assessments identified above at least quarterly. Automate auditing as much as possible to conserve resources and detect security violations as they occur. For more information, see the IIA GTAG Continuous Auditing Guide.
This article scratches the surface of insider threat mitigation. For more information, see the US-CERT Common Sense Guide to Prevention and Detection of Insider Threats. The ACM Occupational Fraud & Abuse Report provides examples of how fraud is committed and guidance for preventing and detecting it. The Yahoo insider-threat group is a good resource to keep up with current events and new developments.
As you can see the threat from within is very real. Trust is necessary but it must be controlled and monitored.
INSIDER THREAT MANAGEMENT GUIDE
Introduction: Insider threat management
Data organization and impact analysis
Baseline management and control
Implementation of baseline control
Risk management references
This was first published in August 2006