3.2.3 has a weight of -1 points
(Awareness and Training Family) 3/3
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Video
Example of Sysytem Security Plan (SSP):
Control Identifier: 3.2.3
Control Title: Insider Threat Awareness Training
1. Control Description: Control 3.2.3 ensures that our organization actively provides security awareness training focusing on recognizing and reporting potential indicators of insider threat.
2. Implementation Status: Implemented
3. Implementation Description:
a. Objective: Our company’s primary goal is to ensure that all our staff members are proficiently educated on identifying signs of insider threats and feel confident in reporting any suspicious activities.
b. Methodology:
- We have instituted an annual review and completion of insider threat training for all our employees.
- Our training material derives from the Department of Defense (DoD) insider threat training resources. This choice ensures that the content we provide is up-to-date, relevant, and consistent with government standards.
c. Supervision:
- Our HR manager or an equivalent supervisory role oversees the training’s delivery and completion. This oversight ensures a consistent training experience across our organization and maintains the standards we aim to achieve.
4. Monitoring & Reporting:
- Post-training, our employees are obligated to confirm their understanding. We actively encourage and provide avenues for them to report potential indicators discreetly.
- Our internal security or HR team evaluates any reports of suspicious activities, ensuring due diligence and necessary actions.
Example of Plan of Action and Milestones ( POA & M):
Plan of Action and Milestones (POA&M) for Control 3.2.3
Control Identifier: 3.2.3
Control Title: Insider Threat Awareness Training
1. Background: Control 3.2.3 aims to provide comprehensive insider threat awareness training. It emphasizes not just the identification of threats but also the reporting of potential indicators. The company relies on the DoD’s insider threat training resources to ensure relevant and up-to-date content.
2. Milestones:
| Milestone | Description | Responsible | Start Date | End Date | Status |
|---|---|---|---|---|---|
| M1 | Annual Training Initiation | Identify and notify employees due for their annual insider threat awareness training. | HR Manager | 01/01/2023 | 01/07/2023 |
| M2 | Training Material Update | Review and update training materials from the DoD to ensure the latest content is used. | HR & Security Team | 01/02/2023 | 01/04/2023 |
| M3 | Training Session Conduct | Carry out training sessions (both in-person and digital) for all employees. | HR Manager | 01/07/2023 | 01/21/2023 |
| M4 | Post-training Review | Gather feedback from employees about the training session to identify areas for improvement. | HR & Security Team | 01/22/2023 | 01/25/2023 |
| M5 | Monitoring & Reporting Initiation | Set up a system/process for employees to report potential indicators and for these reports to be evaluated. | Security Team | 01/26/2023 | 02/01/2023 |
Insider Threat Awareness Training :
click here
Insider Threat Awareness
This course provides a thorough understanding of how Insider Threat Awareness is an essential component of a comprehensive security program. With a theme of, “If you see something, say something” the course promotes the reporting of suspicious activities observed within the place of duty. Using a few case study scenarios, the course teaches the common indicators which highlight actions and behaviors that can signify an insider threat. The instruction promotes a proactive approach to reporting the suspicious activities.
NOTE 1: If you are completing this course as a prerequisite for a CDSE instructor-led course or as part of a specific CDSE training curriculum, you must take the final exam in STEPP to receive credit for completion. The passing grade is (75%) for the examination. You may register for the course/exam via STEPP.
NOTE 2:
- You may attempt this course an unlimited number of times.
- The quiz must be completed from start to finish in a single session. There is no bookmarking available.
- You must receive a passing score (75%) in order to receive a certificate for this course.
- You must print or save a local copy of the certificate as proof of course completion. CDSE does not maintain records of course completions.
https://securityawareness.usalearning.gov/itawareness/index.htm
RELEVANT INFORMATION:
Potential indicators and possible precursors of insider threat include behaviors such as: inordinate, long-term job dissatisfaction; attempts to gain access to information that is not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of the policies, procedures, directives, rules, or practices of organizations. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role (e.g., training for managers may be focused on specific changes in behavior of team members, while training for employees may be focused on more general observations).
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.