Security Policies to Address Internal Threat

We hear reports of new data breaches almost daily. While most of them are fairly complex stories, they almost always begin at some point with a human “insider” making a mistake. In fact, 2011 could be considered the “Year of the Insider.” From the RSA hack and Sony PlayStation breach, to the Epsilon e-mail breach and the Oak Ridge Lab phishing attack, database breach announcements that started with insider mistakes have become common news. Malicious threats are also on the rise, as recently Bank of America was hit with over $10 million in losses due to a malicious insider.

But who IS the insider, and how can we implement controls to help stop them? In this new Information Shield white paper, The Insider Threat – Security Policies to Reduce Risk, we break down the various attributes of the insider threat and suggest some information security policies that can help reduce the likelihood of current and former employees causing harm to the organization. We illustrate some of these controls with sample policies from our security policy sample library.

Since the very notion of an insider threat involves the risk posed by people’s behavior, and since information security policies are designed to influence behavior, it makes sense to look at the problem of the insider threat from the perspective of the “lifecycle” of an employee’s access to information. (This is represented in sections 8.1 to 8.3 of the ISO 27002 framework.)