1. Identify your Organisational Assets and Systems
As part of your organisation's protective security risk assessment its vital organisational assets and systems necessary for the delivery of effective operations or are of specific organisational value are identified. As part of this asset identification, understand where your assets are geographically located, whether they are managed by a third party and if they may be co-located with other businesses.
2. Categorise Assets and Systems
Once your assets and systems have been identified these should then be categorised and classified in relation to their level of criticality to ensure continued functionality of the business.
3. Identify Threats
Your business will need to identify and understand threats to your organisation. You should seek to obtain threat information from key sources (such as NPSA,* NCSC, Government Departments, police, partner organisations and peer groups). Good quality threat assessment data will help inform you in the following stages of the process.
4. Assess Risks
Knowing what you need to protect and the type and range of threats your organisation may face will help develop the threat scenarios (security risks) within your organisation's risk register.
You should identify which roles (based on access) present the greatest opportunity to facilitate the identified threat scenario's occurring. Consider the Impact/likelihood of the scenario:
- How likely is it this act will happen?
- Has it happened before?
- What is the impact of this happening? For example, will it stop your organisation being productive for 1 day, 1 month or 1 year?
- And, what level of risk can your organisation tolerate?
As part of your assessment consider the geographical location of these key roles. Does this increase the risk? Consider whether those with legitimate access could be motivated or coerced through loyalty to family or country to facilitate insider activity.
5. Building your Insider Risk Register - existing measures
You now need to map out and document the existing personnel security mitigations that will reduce the threat scenario being facilitated by an insider. Consider (and document) whether the existing measures are sufficient to reduce impact and likelihood identified in Step 4.
6. Building your Insider Risk Register - additional measures
Using this information, consider (& document) what additional mitigation's your organisation may consider implementing that are proportionate to the current threat and risks identified. These mitigations should be reviewed in response to any increase or reduction in the threat picture.
Your organisation should prioritise these additional mitigations based on the current threat and organisational security vulnerability. Not all security mitigations will get senior endorsement (particularly if some measures require financial resource) hence the importance of the prioritisation process.
8. Development & Implementation
Pending sign off, the assigned action owner for a proposed mitigation measure should initiate steps to ensure the mitigation is correctly implemented across your organisation. For example, your organisation may have identified a need to deliver security refresher training on socially engineered attacks for personnel who may have access to organisational finance data. To support effective security behaviour change, organisations are encouraged to utilise NPSA's Embedding Behaviour Change to maximise impact of the mitigation measure.
9. Monitoring and Review
Monitor and review the effectiveness of the additional mitigations you have implemented. For example, has the implementation of a security behaviour change campaign achieved the desired impact? Has your organisation successfully detected any employee suspicious activity on your networks? Further work may be required to the desired outcome.
Risk management is an ongoing programme and therefore your organisation should review insider risks such as: on a change in threat and changes to your operating environment. Ensure that adequate management information is in place to reassure senior decision makers the measures you have in place to address insider risk at a period of heightened political tension.
10. Briefing and Communications
Seek to utilise organisational governance structures, such as your Insider Threat Stakeholder Group, to ensure all personnel that need to be involved in changes to the insider risk programme are fully briefed. Consider legal, HR, Senior Decision Makers, I.T., Finance and any staff in roles that may be directly affected by changes.
Caveat this 10-step plan provides high level points your organisation should have in place to reduce the risk of insider activity within your organisation. We encourage you to refer to the NPSA Insider Risk Assessment Guidance for further support.
"The majority of insider cases in the study were self-initiated (76%) rather than as a result of deliberate infiltration (6%); i.e. the individual saw an opportunity to exploit their access once they were employed rather than seeking employment with the intention of committing an insider act."
NPSA Insider Data Collection Study 2013