Get started Bring yourself up to speed with our introductory content.

Risk management: Baseline management and control

Identifying baseline controls is the second step to implementing insider threat controls as described in this article from SearchSecurity's Insider Threat Management Guide.

Next, establish baseline control standards that map to impact categories. NIST SP 800-53 provides baselines broken into high, medium and low control appendixes. The Australian NSW Baseline Controls and VISA PCI Data Security Standard are also well-written. In some cases, baseline controls will be procedural versus technological (e.g. storing sensitive documents under lock and key and using a cross-cut shredder to dispose of them). Insiders are familiar with internal controls and may find a way around a single or poorly implemented control. Pay particular attention to the control categories that follow.

Human Resources
Human resources personnel should follow well-defined in-processing and out-processing procedures. Conduct criminal background investigations, credit checks and employment verification for all personnel, including contractors, temporary staffing and cleaning crews. Periodically repeat background checks for people in highly-sensitive positions. Require all personnel to sign a document stating they have read and understand the information security policies. Ensure third party contractors and service providers comply with your security requirements (e.g. employment and background checks of new personnel). Establish an anonymous fraud, waste and abuse reporting mechanism. Many crimes committed by insiders were suspected by employees. Alert information security personnel when an employee is identified as troubled or disgruntled.

Security Awareness Program
All personnel must become familiar with security policies and procedures. Establish a comprehensive awareness program to include annual security training with a testing component, email tips, posters, a letter of support from senior management, self-assessment surveys, awareness luncheons and a security Web site. Better yet, supplement training with awareness briefings. Briefings give personnel the opportunity to ask questions and put the information security team in the position of advocating security initiatives.

Access Control
Accesses should be issued based upon a person's need-to-know in routine performance of their duties. When possible, issue accesses based upon role. Take into consideration IT roles such as developers, system and application administrators, etc. Define roles within accounting and payroll. All access requests should be formally documented and approved by a direct supervisor. For access to sensitive systems, require approval of a data owner as well. Two-person integrity controls should be implemented to secure extremely sensitive information (e.g. trade secrets). Configure building access cards to restrict personnel to the areas and time periods required in performance of their duties. Each quarter ask managers to formally sign-off on the privileges of their direct reports. As employees transition to new positions, they may retain accesses from their previous role.

Separation of duties should be used as an additional control. Here are a few examples: Separate roles should be required to create an account and write a check. Developers should not have access to production systems. Code reviews should be performed by someone other than the author of the code. Administrators should not be the only group reviewing logs. For more information, see the ISACA separation of duties matrix.

Establish applications that provide a view into sensitive data versus the ability to download the entire database. Use terminal servers to provide remote access to data and systems while preventing file downloads (e.g. when developing software).

Administrators have complete control over systems and applications. Prohibit use of default administrative accounts to facilitate accountability. Ensure Windows domain administrators use unique accounts tied to their name and the default administrator account is deleted from servers during the installation process. Configure Unix and Linux systems to force administrators to login as themselves, then use the switch users (su) command to access root-level administrative privileges. Application administrators and operations personnel may need access to a few root-level commands in performance of their duties. Use software to delegate specific root privileges to them (e.g. sudo, RBAC, RSBAC or Power Broker). Encrypt databases to prevent system administrators and anyone with access to a backup tape from viewing sensitive information.

Laptops can store large amounts of sensitive information and are frequent targets of thieves. Issue laptops based upon business need and with consideration of the type of information typically processed. The U.S. government has recently mandated laptop encryption and two-factor authentication. It makes sense to follow their lead. Configure bios passwords as an additional control.

Restrict workstation administrative access to the desktop team. This privilege can be used to install unlicensed software or circumvent security controls (e.g. disable antivirus software or reverse system hardening configurations). Exceptions should be limited to personnel with a well-defined need for administrative privileges in performance of their duties, including formal sign-off by their manager.

Finally, restrict who has access to use UBS storage devices. They can be used to download sensitive data and may also act as an avenue to introduce viruses into the network.

Network Security
Configure firewalls by security best practices. Restrict outbound traffic to common services such as HTTP and HTTPS. Use application proxies to limit traffic to designated protocols. Establish separate rules to limit outbound file transfers to an authorized set of users and systems. Restrict accesses between offices to specific systems, ports and protocols. Use network segregation to restrict access to systems hosting sensitive data based (e.g. DMZs, extranets and VLANs). Block peer-to-peer file sharing services, instant messenger and services that allow unauthorized external access to the corporate network (e.g. GoToMyPC, pcAnywhere and Citrix Online). Block external email Web sites as well. All email should be conducted using company systems. If an employee needs access to one of the above services, confirm the business requirement and create a specific rule to meet their needs. Finally, scan outgoing email for sensitive information such as project codenames. An SSL scanner should also be used to scan encrypted traffic streams.

Social Engineering
Con artists may attempt to extract information from authorized personnel or get them to take actions on their behalf. There are three basic methods to address this threat: (1) raise awareness of the techniques used by social engineers, (2) establish well-defined processes to protect sensitive data and valuable assets, and (3) provide an escalation path.

Conduct restore tests of critical systems at least annually. Disgruntled employees have been known to sabotage or blackmail companies by corrupting critical data and waiting for the change to spread through off-site backup rotation. Take backups of workstations to provide a record of employee activity. Encrypt backup tapes and e-vaulting data to keep sensitive information confidential while off-site.

Audit Trails and Monitoring
So far we have primarily addressed preventive controls. Detective controls are necessary because authorized personnel need privileges to get their jobs done. That brings us to audit trails and monitoring. Configure audit trails for each system component (e.g. network devices, operating systems, commercial software and custom applications). Learn the logging capabilities of each component and configure it to record significant events. Log actions taken by any individual with administrative privileges (e.g. execution of commands and access to audit trails). Audit trails must be protected by file permissions and synchronized in real-time to a central log server to prevent modification. Once centralized, logs should be reviewed by automated processes with notification sent to the appropriate personnel. Database administrators have access to sensitive information, so they must be monitored as well. Use intrusion detection software to identify suspicious activity. Implement file integrity software to monitor configuration files and sensitive data.


  Introduction: Insider threat management
  Data organization and impact analysis
  Baseline management and control
  Implementation of baseline control
  Risk management audit
  Risk management references
This was last published in August 2006

Dig Deeper on Security Awareness Training and Internal Threats-Information