The CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute has announced a new certificate aimed to help information security leaders develop formal insider threat programs.
Carnegie Mellon touts the new Insider Threat Program Manager (ITPM) certificate as a means for federal agencies to meet the requirement of establishing an insider threat program that was originally laid out in President Barack H. Obama's Executive Order (EO) 13587 from September 2011 -- a partial response to the Bradley Manning WikiLeaks scandal from a year earlier.
EO 13587 also led to the creation of the National Insider Threat Task Force in October 2011 and, after extensive coordination between government agencies, the issuance of the National Insider Threat Policy, which established the minimum standards for federal insider threat programs.
Randy Trzeciak, technical manager of the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute, said the ITPM certificate -- the first of three insider threat-related certs to be rolled out by Carnegie Mellon this year -- is intended to provide the building blocks for establishing an insider threat program from scratch that will satisfy the requirements in EO 13587.
Through a series of online and multi-day in-person classes, Trzeciak said attendees will learn how to implement a variety of components that are needed for a successful insider threat program -- including how an insider threat is likely to manifest itself, how to deploy a program effectively and even how to communicate the tenets of a program throughout an organization.
Another key component of the certificate, according to Trzeciak, is an insider threat awareness training course that ideally will be taken by employees across the scope of an organization, not just those directly involved with the insider threat team. That's because an effective insider threat program must involve everyone from human resources to physical security -- even general legal counsel should be involved, he said, to help manage the employee privacy requirements established in EO 13587.
Perhaps most importantly, Trzeciak stressed that organizations should look to build insider threat programs inside of an established enterprise-wide risk assessment program rather than build and maintain each independently.
"And really, that enterprise-wide risk assessment process needs to start with identifying the critical assets within an organization," Trzeciak said. "An organization must identify what it needs to protect, what is most critical and then determine what are the threats -- both internal and external -- to those critical assets."
While the ITPM cert is initially aimed at federal agencies looking to comply with EO 13587, it may soon have broader applicability. Proposed changes to the National Industrial Security Program Operating Manual (NISPOM), the federal government's security guideline for contractors, may require that federal contractors adhere to the insider threat guidelines outlined in EO 13587 as well.
Even without changes to NISPOM, Trzeciak said that the CERT Insider Threat Center is planning to make the training for the certificate applicable to industries outside the government, mainly by relying on established best practices that are known to be effective in identifying and mitigating insider threat risks.
"We've been contacted by a number of industry partners in the past 13 years that have been interested in developing insider threat programs. We've done insider threat vulnerability assessments for banking and finance organizations, as well as other industry partners, and they've definitely recognized the need to protect their critical assets, whether it's key intellectual property, preventing fraudulent activity or it's ensuring that organizations can sustain or make resilient information technology assets to allow them continued operation," said Trzeciak. "We certainly envision that there will be equal interest from industry partners as well, from the nongovernment organizations."