- The Cybersecurity and Infrastructure Security Agency (CISA) launched its Insider Risk Mitigation Program Evaluation (IRMPE) on Tuesday, a self-assessment tool to determine if an organization has "management structures, policies, relationships, and communications in place for an Insider Risk Program," the document said.
- For a thorough Insider Risk Program, organizations must have an understanding of critical assets, a defined insider risk policy, actions that would prompt threat detection or identification, effective communication, governance and oversight into insider risk activity, CISA said. The program should be folded into existing organizational or enterprise risk management.
- Beyond the Insider Risk Program, CISA offers questions to determine how effective an organization is in personnel and training initiatives, and incident response and behavioral analysis. Organizations completing the questionnaire can submit responses to generate a report in a downloadable PDF.
Despite having traditional preventative technologies in place for insider threats, the majority of companies suffered some sort of breach during the pandemic. Data loss prevention tools and cloud access security brokers became less effective in a remote-work landscape.
Remote work has made it easier for employees to intentionally — or unintentionally — move data around. For IT and security teams who hardened defenses, employees might have been blocked from legitimate file activity they need for their jobs, creating room for unsanctioned workarounds.
There are a variety of misuse cases that perpetuate insider risks, including privilege abuse, mishandling data, unapproved workarounds, or knowledge abuse, according to Verizon's 2021 Data Breach Investigations Report. Prior to 2021, breaches caused by insider privilege misuse were the longest to uncover. This year, however, the difference in privilege misuse and system intrusion were "negligible," Verizon said.
While not all insider threats are inherently malicious — accidents happen — organizations have to know if they have the tools in place for an employee to report "that sinking feeling that they screwed up," Verizon said. Employees' abilities to report something that feels wrong could be one of the quickest ways to remediate an insider threat.
The IRMPE is a straightforward questionnaire in each of the domains highlighted: Insider Risk Program, personnel and training, and incident data collection and analysis. While the tool is designed for any organization, CISA said it's "especially" for small and mid-sized organizations that "may not have in-house security departments, to gauge their vulnerability to an insider threat incident."
Within each component of the program, CISA asks a series of questions. Each question is meant to gauge how near completion an organization is to each goal of the program. For example, to reach the ability to detect, identify, assess and management capabilities for insider incidents, CISA asks some of the following:
- Does the organization have the capability to prevent or deter different types of insider risk?
- Of those capabilities, are they inclusive of "positive deterrence to attract employees to act in the interest of the organization?"
- Does the organization have employee assistance programs to alleviate some of the stressors that might lead an employee to act in a harmful manner toward the organization?
CISA does not collect the data submitted through the PDF, it is a tool only for the organization using it. Upon submitting their assessments, CISA will provide guidance on how to interpret their scores and suggest mitigations.