Creating an Insider Threat Program. NCMS June 2015


Agenda
- Introduction
- History 101
- Recent Events
- What is Insider Threat and Why We Need a Program?
- The National Archives Program
- NISPOM Requirements
- What is a Program?
- Sources of Data and the HUB
- Scope and Assets
- Baseline (What is Normal?)
- Implementation
- Case Studies (Data Use)
- Q & A
- Resources

Samuel Slater (June 9, 1768 - April 21, 1835). In the UK he was called "Slater the Traitor".

What about these?
- Wen Chyu Liu
- Kexue Huang
- Yuan Li
- Elliot Doxer
- Sergey Aleynikov
- Michael Mitchell
- Shalin Jhaveri
- Hanjuan Jin
- Greg Chung
- Chi Mak

- Conspired with internal employees
- Foreign Travel
- Foreign Contacts (Business, Government)
- Downloaded and copied MBs of data: thousands of documents and files

Recent Events. Many of the documents leaked by Manning to WikiLeaks and by Snowden have shown us a new wave of threats from personnel who have the access and training to damage national security.

What is an Insider Threat and Why do We Need A Program?

What is an insider threat? It is a threat posed to U.S. national security by someone who has authorized access to classified information but who misuses or betrays that access to provide classified information to another entity not authorized to possess it. That entity could be another government, another individual, or even the media.

Why does the United States need an Insider Threat Program? The exposure of hundreds of thousands of classified and sensitive USG documents by the WikiLeaks internet site demonstrated to the government and the public that current sharing and safeguarding procedures for classified information were inadequate and put our nation's security at risk. In November 2012, after an interagency review of the NITTF's work products, the President issued the National Insider Threat Policy and the Minimum Standards for Executive Branch Insider Threat Programs via a Presidential Memorandum.

National Archives and Records Administration

Why does the National Archives need an Insider Threat Program? NARA is responsible for the safety and protection of holdings which include information classified by every department and agency authorized to do so, as well as electronic systems used as part of our work with those holdings or to otherwise support NARA operations. Hundreds of NARA staff, other agencies' employees, and Federal government contractors have access to this information and these systems every day in the course of their work. It is our responsibility, as directed by the President, to prevent individuals with access to NARA's classified holdings and systems from giving classified information to individuals or organizations not authorized to possess it.

Background: NARA
- 600-plus employees and contractors have access to National Security Information.
- We have the most mosaic collection of classified information in the US government: Presidential Libraries; Intelligence Community records; Department of Defense (Armed Services and Combatant Commands); Departments of State, Energy, Commerce, Treasury, etc.
- We have generational media types (disks, tapes, textual, maps, photos, etc.) of highly sensitive national security information.

The ITP is within the Chief Operating Officer's Office.

NARA ITP
- Developed Policy NARA 242
- Ongoing development of Implementation Guide
- Developed Training
- Hired Staff (1 IT Security Specialist and 1 Program Analyst)
- Currently baselining our Agency
- Gathering Data
- Developing Priorities
- Reviewing Policies and Processes

The Challenge
- Educating Leadership and Staff on what the Program is and is not.
- 46 locations across the United States plus affiliated Archives and Records Facilities.
- We own the records but NOT the classified information, and the records are PERMANENT!
- We do not classify records, and most of our classified electronic systems are standalones and LANs.
- Plus we have 100s of other Federal Employees and Contractors assisting in the review of classified information for declassification.

Economic Impact of the Insider Threat
"In the last fiscal year alone, economic espionage and theft of trade secrets cost the American economy more than $19 billion." "Economic espionage and theft of trade secrets are increasingly linked to the insider threat." - Christopher Munsey, FBI Counterintelligence Division (2013)
"The average cost per Insider Threat incident is $412,000. Average loss per industry is $14 million/year. Multiple incidents have exceeded $1 billion." - Patrick Reidy, FBI CISO, Black Hat Conference (2013)
Source: Global Skills Exchange, CORP.

NISPOM Requirements

What is your Challenge?
Establish a program that:
- Has a designated Senior Official and Insider Threat Official who will gather, integrate, and report potential or actual insider threats
- Maintains pertinent records related to insider threats for when they are requested, and renders assistance if necessary
- Reports events that may indicate an employee poses an insider threat or that may affect proper safeguarding of classified information
- Training Requirement

Requirements
- Senior Official
- Establish a Program
- Train Staff
- Maintain Necessary Records and Documentation
- Report

What is the Program?
- Proactive Behavioral Risk Management
- Overlaid onto Existing Programs
- Integrates Data from MULTIPLE sources
- Discrete

Sources of Information
Information flowing into the HUB can be passive or active. Active information is information requested when it is believed that a staff member is engaged in malicious behavior. Passive information feeds into the HUB through electronic feeds with no human action.

Data Sources (diagram: the sources below feed the Insider Threat Hub; manual or automated processing; analyst; reports)
- UAM Data
- Financial Disclosure
- Physical Security
- Foreign Contacts
- Foreign Travel
- Metrics
- Leads
- Human Resources
- Behavioral Assessments
- EAM Data
- Personnel Security
- Insider Inquiries

Office Stakeholders
- Office of Human Capital: Labor/Employee Relations and Benefits; Staffing and Recruitment
- Business Support Services: Facilities and Property; Security Management
- Information Services: IT Security
- External Owners of Classified Networks (may need an MOU)

Labor/Employee Relations and Benefits; Staffing and Recruitment: DATA
- Name (First and Last)
- Organization Code, Office Symbol, and Description
- Pay Plan, Occupational Series, Position Title and Grade
- Supervisory Status
- Employee's Supervisor
- Location (Physical)
- Employment Status
- Start Date
- Other needed information: Anniversary Dates; Termination Date; Performance Ratings; Transfers, Promotions, and Details to other Offices that require different access; Administrative Leave or other Disciplinary Action; Work Hours, Flex Time, 4/10s, etc.; Date in Current Position

Security Management Information
Via forms:
- Foreign Travel and Contacts (name and nationality), official or personal: dates, destination, and unusual changes in itinerary
- Clearance Level and Access
- Security Infractions and Violations
- Statement of Personal History (SF 86)
- Classified Room Access Logs
- Employee financial disclosure reports, as appropriate
- Government Official Passport holders
- Requests for Access or Keys to Areas not within Staff Scope of Work
- Staff needing a temporary pass
Notifications via e-mail:
- Changes in relationship status (divorced, widowed, married) or cohabitation
- Financial Problems (bankruptcy, garnished wages, or liens)
- Arrests (for any reason), or other involvement with the legal system
- Psychological or substance abuse counseling (does not need reporting if sought on your own initiative)
- Outside Activities or Employment that could create an apparent conflict of interest
- Notification of pending termination or of being under special watch by Security
- Incident while attempting to leave through baggage checks

IT Security
- Websites visited or repeated attempts; downloads from websites
- Access to e-mail after work hours? Weekends? Holidays?
- Accessing shared drives after hours
- Downloading from, or attempting to access, unauthorized drives during or after hours
- Attempts to bypass security protocols
- Attempts to encrypt data on drives
- Requests for new user accounts
- Remotely accessing the system and performing tasks atypical of the individual's responsibilities
- Elevating or assigning administrator roles to unauthorized users or accounts
- Accessing another user's computer when left unattended
- Failing to follow policies and controls
- Accessing users' and administrators' accounts after termination of employment
- Using computer resources to conduct a side business
- Any staff member having been recently terminated, disciplined, demoted, or changed duties and roles
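Added example, not from the NARA deck: a short Python script that applies three of the IT Security indicators above (after-hours or weekend access, account use after the HR termination date, and administrator roles granted by a non-administrator) to a constructed HR feed and constructed access log lines, the kind of automated processing the HUB slides describe. The users, dates, hours and log format are all made up for illustration.

```python
"""Constructed example: apply the slide's IT Security indicators (after-hours
or weekend access, access after termination, privilege elevation by a
non-administrator) to HR records and access log lines. All data is made up."""
from datetime import datetime, time

# Constructed HR feed, a passive HUB source: work hours, termination date,
# and whether the account is an authorized administrator.
HR = {
    "jdoe":   {"hours": (time(8), time(17)), "terminated": None, "admin": False},
    "asmith": {"hours": (time(8), time(17)), "terminated": datetime(2015, 3, 31), "admin": False},
    "root01": {"hours": (time(7), time(19)), "terminated": None, "admin": True},
}

# Constructed access log: "<ISO timestamp> <user> <action> <detail>"
LOG = [
    "2015-04-01T09:15:00 jdoe LOGIN workstation-12",
    "2015-04-04T23:40:00 jdoe READ /srv/classified-review",   # Saturday, late night
    "2015-04-02T10:05:00 asmith LOGIN vpn",                   # two days after termination
    "2015-04-03T14:00:00 jdoe GRANT_ADMIN bsmith",            # non-admin elevating a user
    "2015-04-03T15:00:00 root01 GRANT_ADMIN ctemp",           # authorized admin, in hours
]

def parse(line):
    """Split one log line into (timestamp, user, action, detail)."""
    ts, user, action, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, detail

def indicators(log, hr):
    """Return a list of (user, indicator, log line) for every rule hit."""
    hits = []
    for line in log:
        ts, user, action, detail = parse(line)
        rec = hr.get(user)
        if rec is None:
            hits.append((user, "account not in HR feed", line))
            continue
        if rec["terminated"] is not None and ts >= rec["terminated"]:
            hits.append((user, "access after termination", line))
        start, end = rec["hours"]
        if ts.weekday() >= 5 or not (start <= ts.time() <= end):
            hits.append((user, "after-hours or weekend access", line))
        if action == "GRANT_ADMIN" and not rec["admin"]:
            hits.append((user, "privilege elevation by non-admin", line))
    return hits

if __name__ == "__main__":
    for user, what, line in indicators(LOG, HR):
        print(f"{user:8} {what:32} {line}")
```

Each hit is a lead for an analyst to review against the other HUB sources, not a finding on its own; a real feed would also carry holidays and approved schedule changes so that flex-time and 4/10 staff are not flagged by the hours rule.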

SCOPE and Your Assets.

What is the scope of your Insider Threat Program? Will you only monitor staff who have direct access to classified national security information? Will you monitor trusted business partners? Will you monitor all system administrators? Unclassified networks? Where is your DATA? Who has access? How soon do new hires get access?

HUB Priorities
- All New Employees and Contractors
- Moderate Risk Offices and Staff
- High Risk Offices or Staff
- Problem Employees or Watch List
- Highly Sensitive Information Offices and Staff
- Other Agency Staff and Contractors
- HUB IT Program Staff
- Low Risk Offices and Staff
- Special Studies and Audits

User Activity Monitoring (UAM) (diagram components: User; Analyst Workbench; Analytic HUB (Private Enclave); Analyst)

Baseline: What is your normal? (bar chart of Foreign Travel counts, 0 to 16, for Base Travel, 2014 and 2015)

Implementation
- Have a written Policy and Implementing Guide
- Engage the C Suite
- Educate and Inform: Internal Communication on the Program (ICN Web)
- Be Transparent
- Train, Train, and Train staff
- Set Reasonable Goals when beginning
- Document and Record your internal activities
- Stay Current with your organization

Turning on the Switch

Case Studies

Resources
- FBI: http://www.fbi.gov/about-us/investigate/counterintelligence/the-insiderthreat
- CERT: https://www.cert.org/insider-threat/
- NCIX: www.ncix.gov/issues/ithreat/
- DSS: http://www.dss.mil/documents/ci/insider-threats.pdf

My Contact Information
Neil C. Carmichael, Jr.
Program Manager, Insider Threat Program
National Archives and Records Administration
301-837-3169 (office)
301-502-3704 (bb)
neil.carmichael@nara.gov
Member, NCMS Chesapeake Bay Chapter