Insider Threat Program – Basic Structure

Governance of an Insider Threat Program

A mature governance structure is essential to effectively develop, deploy, and manage an insider threat program. The CERT Insider Threat Center recommends that the organization implement a governance structure that enables the insider threat program to

  • Maintain an updated knowledge base related to insider threats, including staying current with the latest research and capturing lessons learned.
  • Provide support to the insider threat program stakeholders to ensure the groups are meeting their objectives, providing the appropriate inputs to the insider threat program manager, and appropriately communicating results and decisions to other insider threat program stakeholders.
  • Monitor governance practices to ensure that governing bodies are meeting insider threat program needs, to make recommendations for improvement, and to refine the measures as needed.
  • Capture and communicate insider threat program success stories to internal and external stakeholders to increase program support.
  • Execute a comprehensive program-risk-management approach and required procedures for insider threat program stakeholders.
  • Perform processes including budgetary review, the development of future technical requirements, continuous operation procedures, and risk management.
  • When applicable, facilitate both formal and informal Continuous Diagnostic Monitoring (CDM) governance training for the CDM program staff, departments and/or agencies (D/As), partners, and stakeholders.
  • Maintain and execute the program schedule for updating charter guidance, procedures, and policies based on ongoing lessons learned (both internally and externally), best practices, and stakeholder input.

Common Sense Guide to Mitigating Insider Threats, Fifth Edition, The CERT Insider Threat Center, Software Engineering Institute at Carnegie Mellon University ( http://www.sei.cmu.edu), December 2016
TECHNICAL NOTE: CMU/SEI-2015-TR-010

Why a Muslim Registry is a Bad Idea

Originally posted in answer to the question What is so bad about a Muslim registry? on Quora.

I am going to provide an IT perspective on this question.

Yes, that’s right, an Information Technology, computers and the-people-who-deal-with-the-machines-collecting-and-crunching-the-data-perspective.

Why? Because when someone decides to ‘create a registry’ someone (similar to myself) is tasked with the job of creating a database AND reports generated by that database.

As illustrated by the wonderful commentary generated by the Y2Gay database discussions, IT has an important perspective on these things: Gay marriage: the database engineering perspective

Creating Databases Means Identifying Key Data

When a database is created, the first thing that must be done is simply this:

  1. identify the key data being collected
  2. identify the reports and other deliverables created by the database

While you might think the second item could be restated as ‘identify the reason for the database’, nothing could be further from the truth. When dealing with non-computer people it is not unusual to have someone demand that a database be created to gather information “that creates a positive customer service experience for our customers!”…or something equally unclear yet very pep-rally appropriate. Then, after talking to multiple people and FINALLY getting them to explain what, exactly, they are going to DO with the data, the unofficial and IT-specific purpose changes to: “create a mailing list.”

This is one of those near-universal experiences people in IT like to laugh and complain about. It applies to government and private sector equally.

So, in the case of a Muslim registry, the first step (key data) is partially addressed in the notes included with this question:

I am shocked there is not already a registry of ALL citizens with info such as race, gender, religion, languages etc. At least a Muslim registry is a step in the right direction, seeing as a great threat to America happens to belong to a single religion (I know most Muslims are not terrorists).

As noted in other answers, many of these elements are already gathered through existing databases, like the US Census and ID Cards.

Don’t Make Me Fill Out ANOTHER Form!

When data is already being collected and reported, the individuals responsible for that data tend to get cranky when someone comes in and asks them to fill out another form, create another report, and generally re-enter the same stuff AGAIN. There’s also the possibility of introducing errors into the data source when it’s being created/generated/imported/modified multiple times by multiple people.

Of the items listed, everything except religion and language is already included on driver’s licenses and state IDs. The data collected by the DMV is free and available to the general public (personally, I do NOT agree with this massive dumping of personal information…but I digress), so an enterprising database designer could…potentially…import the DMV data and connect it to the missing elements: religion and language.

With the right connections and political power, it could also connect to the state and federal databases containing anyone and everyone who has ever been arrested for any reason (including those cleared as innocent) AND the databases maintained by the Department of Homeland Security, the no-fly list, and even the records maintained by public schools. Several of these databases INCLUDE religion and race.

In short, we COULD create a complete profile on every person residing within the United States neatly coordinated within a single location just by importing already existing data.

Explain to me…again…why we are doing this?

That brings us to the second question – what, specifically, is going to be DONE with this data?

Since the Muslim registry enters into the network of existing information specifically for the purpose of:

  1. collecting religion and language
  2. identifying terrorists
  3. focusing specifically on Muslims as potential terrorists

Then the database being created is more like a report-generating app that connects all existing data and spits out lists of known Muslims, their home address, the school they attend, the language they speak, connections to known terrorist groups, their place of worship, and anything else that might be deemed important.

Presumably, this information would be provided to people in the field, who would add information to individual files, as needed.

As an IT person, I’m thinking: soooo…you want to re-create the Department of Homeland Security?

As noted above, all of this information already exists, and it is a well-known fact that federal agencies have made a concerted effort to connect and share data. I guarantee you, this sort of thing already exists – along with similar reports on every religion, hate group, environmentalist group, activist community and whatever else someone in ANY federal-level policing agency (or state level or whatever) might deem important to know…for whatever reason.

In fact, if human behavior remains consistent (and it usually does) there are probably databases and reports that focus on individuals, groups and concerns going back to the beginning of data collection – and people working in all levels of law enforcement who occasionally stumble across these things and scratch their heads wondering why in holy hades do they even HAVE this?

Duplicate with different purpose…and the reason is what?

So, again, why are we building this?

Now we are getting down to brass tacks. The key term here is registry.

A registry managed by the government contains data on people that is made publicly available (GovernmentRegistry.org – Public Records Online). A category-specific registry is usually (always?) focused on presenting information about people who are deemed dangerous enough to warn the general public on a permanent basis.

For example:

Therefore, this isn’t data collection, this is data distribution to the general public.

What’s Wrong With a Muslim Registry?

Creating a database of all individuals who associate with a specific religion and making it publicly available for the express purpose of warning all individuals NOT associated with that religion to be wary of interaction due to potential terrorism…

Yeah, that’s a problem.

Why? Because that’s not purpose-driven data collection, that’s propaganda.

I suggest reading any of the other posts that focus on the registries maintained by the Nazis or the crimes committed against the Japanese here in the USA during WWII. I’m sure there are other equally powerful examples, and all of them come down to the same thing: when the government ostracizes a group of people and generates a marketing campaign that vilifies all members of said group…and a registry would achieve that goal (and ONLY that goal)…then bad things happen.

Really bad things.

We don’t need that here in the United States.

Important Change


The important changes begin with you and then spread outward to others.

Team Geek: A Software Developer’s Guide to Working Well with Others by Brian W. Fitzpatrick and Ben Collins-Sussman

True Friends Constructively Criticize


If you can find friends or colleagues who will constructively criticize your work when you ask them, hang on to these people because they’re worth their weight in unobtainium.

Team Geek: A Software Developer’s Guide to Working Well with Others by Brian W. Fitzpatrick and Ben Collins-Sussman

Building Team Culture


A “strong culture” is one that is open to change that improves it, yet is resistant to radical change that harms it.

The interesting thing about team culture is that, if you build a strongly defined one, it will become self-selecting.

Just as important as your team’s decision-making process is the manner in which team members treat one another, because this is more self-selecting than anything else.

Team Geek: A Software Developer’s Guide to Working Well with Others by Brian W. Fitzpatrick and Ben Collins-Sussman

Sustainability and IT


“Sustainability is a stakeholder need and business requirements. But more than anything, it is a human responsibility. IT plays an important role.”

“IT can be a solution or part of the problem, depending on how it is governed and managed.”

“For business to be sustainable, it has to consider sustainability as a strategic priority…COBIT 5 assists enterprises in achieving this goal.”

The Time for Sustainable Business Is Now: Leveraging COBIT 5 in Sustainable Businesses, ISACA Journal, Volume 3, 2015, by Graciela Braga

Source of Conflict


Almost every social conflict can ultimately be traced back to a lack of humility, respect, or trust.

Note that “being humble” is not the same as saying one should be an utter doormat: there’s nothing wrong with self-confidence.

Team Geek: A Software Developer’s Guide to Working Well with Others by Brian W. Fitzpatrick and Ben Collins-Sussman

Team is the Goal


Creating a superstar team is the real goal, and is fiendishly difficult. The best teams make brilliant use of their superstars, but the whole is always greater than the sum of its parts.

Team Geek: A Software Developer’s Guide to Working Well with Others by Brian W. Fitzpatrick and Ben Collins-Sussman

Team Communication Technique


This idea is pure genius:

We used to work on a team with a vocal interrupt protocol: if you wanted to talk, you would say “breakpoint Mary” where Mary was the name of the person you wanted to talk to. If Mary was at a point where she could stop, she would swing her chair around and listen. If Mary was too busy, she’d just say “ack” and you’d go on with other things until she finished with her current head state.

Team Geek: A Software Developer’s Guide to Working Well with Others by Brian W. Fitzpatrick and Ben Collins-Sussman

Relevancy Requires Teamwork


Ambitious projects evolve quickly and have to adapt to changing environments as they go. Projects run into unpredictable design obstacles, or political obstacles, or simply discover that things aren’t working as planned. Requirements morph unexpectedly. How do you get that feedback loop so that you know the instant your plans or designs need to change? Answer: by working in a team.

People working in caves awake to discover that while their original vision may be complete, the world has changed and made the product irrelevant.

Team Geek: A Software Developer’s Guide to Working Well with Others by Brian W. Fitzpatrick and Ben Collins-Sussman