Monday, December 29, 2014

Insider Threat Training Tips for Security Officers and Employers

Consider the Insider Threat. It’s a great bumper sticker and we’ve heard it a million times, but what does it mean? The thought should carry more weight in the practice of preventing the insider threat than it does as a slogan. It is tempting to pay homage to the idea of insider threats, but those who successfully deter them realize that the idea takes critical analysis to put into action. Consider the fortresses many defense contractor organizations have become: best practices to protect organizational, employee, materiel and cyber assets from outside actors are evident. The same careful contemplation must be applied to countering the harmful accidental and deliberate actions of a trusted employee.


The insider is any trusted person who has any access to assets. For this article’s purpose, we’ll define the insider threat as a trusted person who deliberately or accidentally causes damage to national security. This article addresses requirements found in Executive Order (EO) 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. Threats include acts of sabotage, theft, terrorism, unauthorized disclosure of classified information, and espionage.

While contemplating the insider threat, the analyst should be aware that anyone can exploit any level of permissions to steal, damage, or manipulate whatever they can affect. This includes full and part time employees, vendors, consultants or others with the ability to touch or impact assets. The insider could have full range of motion throughout the organization or be limited by technical or physical restrictions. Either way, these permissions give them some room to negatively impact the organization. An example would be a trusted employee with access and need to know going through the proper channels to access classified information. That same employee then takes advantage of those privileges, removes the classified items unhindered and provides them to unauthorized persons.

The same opportunities exist for accidental harmful occurrences, incidents or events that can harm an organization or its reputation. Insiders could accidentally bypass safety, security and other countermeasures and cause major damage. For example, an employee introduces a harmful computer virus to the network by clicking on an email hyperlink. Also, consider a situation where an organization gives a tour of its production facility. A visitor ignores the rules and damages a sensitive electronic device while the overwhelmed escort is distracted answering questions from the other visitors. These unintentional events harm the organization just as surely as a deliberate threat would.

Now that we have identified ways an insider could harm an organization, let’s take a look at what the organization can do to deter, detect and prevent incidents. EO 13587 directs government agencies and task forces to evaluate and protect classified information from the influences of an insider threat. Though not yet a requirement on industry, policies and regulations may soon follow directing cleared contractors to take the appropriate steps to address the insider threat. These requirements may soon manifest in updates to DoD 5220.22-M, The National Industrial Security Program Operating Manual (NISPOM) or other policies.

Now is the time for cleared defense contractors to prepare for those directives by instituting policy addressing the insider threat. The Presidential Memorandum, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, spells out requirements that can be adapted for cleared defense contractor use. The memorandum states these requirements as the capability to gather, integrate, and centrally analyze and respond to key threat-related information; monitor employee use of classified networks; provide the workforce with insider threat awareness training; and protect the civil liberties and privacy of all personnel.

Cleared defense contractors can easily incorporate two of these requirements and meet the intent of future NISPOM guidance. These two efforts include:

Monitor employee use of classified networks.

This requirement can also be applied to unclassified networks hosting FOUO, technical data, proprietary, intellectual property, personally identifiable information, and other sensitive unclassified information. The first step is to understand what sensitive information (classified and unclassified) exists and develop controls that facilitate monitoring. For example, an unclassified network may host proprietary information critical to the organization’s product success. This information could be tagged in the information system and appropriately monitored, in an effort similar to document and inventory control. Authorized users would then be given access, with controls set in place to limit viewing, printing, downloading, copying, etc. What would be monitored? Access. The second step would be to identify those with need to know and allow their access to the information. Monitoring would then include ensuring only those with need to know are able to access the information.

Access is now limited to a specific group of insiders. Monitoring would now include how insiders are accessing and what they are doing with the information. An authorized insider with malicious intent could be easily recognized and stopped by a system audit to see who accessed, how they accessed and what they did with it (printed, downloaded, manipulated or viewed it). Flags could easily be raised when controls are bypassed. If information is missing or unaccounted for, an audit would provide the answer.
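The two monitoring steps above (tag the information, restrict it to a need-to-know group, then audit who accessed it and how) are shown below as an added example; this is not code from the original post. The roster, tag names, user names and audit log lines are all constructed for illustration, and the pipe-delimited log format is an assumption.

```python
from collections import namedtuple

AccessEvent = namedtuple("AccessEvent", "timestamp user tag action")

# Hypothetical need-to-know roster (constructed): tag -> who may access it and
# which actions the controls allow. Viewing only; print/download/copy blocked.
NEED_TO_KNOW = {
    "PROPRIETARY-PRODUCT-X": {"users": {"alice", "bob"}, "actions": {"view"}},
}

def parse_event(line):
    """Parse one 'timestamp|user|tag|action' audit log line."""
    fields = line.strip().split("|")
    if len(fields) != 4:
        raise ValueError(f"malformed access log line: {line!r}")
    return AccessEvent(*fields)

def audit(lines, roster=NEED_TO_KNOW):
    """Return (event, reason) pairs for events that violate the roster.

    Events on untagged information are skipped: only information that was
    tagged and inventoried in the first place can be monitored.
    """
    flags = []
    for line in lines:
        ev = parse_event(line)
        rule = roster.get(ev.tag)
        if rule is None:
            continue
        if ev.user not in rule["users"]:
            flags.append((ev, "user not on need-to-know list"))
        elif ev.action not in rule["actions"]:
            flags.append((ev, f"action '{ev.action}' not permitted by controls"))
    return flags

# Constructed sample log: a routine view, an outsider, an authorized user
# downloading data the controls should have stopped, and an untagged document.
SAMPLE_LOG = [
    "2014-12-29T09:01:00|alice|PROPRIETARY-PRODUCT-X|view",
    "2014-12-29T09:05:00|carol|PROPRIETARY-PRODUCT-X|view",
    "2014-12-29T09:07:00|bob|PROPRIETARY-PRODUCT-X|download",
    "2014-12-29T09:10:00|dave|PUBLIC-BROCHURE|print",
]

if __name__ == "__main__":
    for ev, reason in audit(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.user} {ev.tag} {ev.action}: {reason}")
```

Running the audit raises two flags: the view by carol, who is outside the need-to-know group, and the download by bob, who is authorized to view but not to export the information.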

Threat awareness training.

Employees would be educated concerning what needs protection (assets), who an insider is, what the impact of damage could be, how to prevent it, and how to report incidents. Employees would be briefed on access and need to know privileges and limitations as well as how to operate within their allowances.

Cleared Defense Contractors should be aware of the insider threat and make the concept more than a bumper sticker. Real analysis is required to go above the gates and guards approach to keeping out the malicious actor. With the insider threat comes the question of how to limit access to those with need to know and protect sensitive information from exploitation by authorized personnel. The President has issued EOs and memorandums to address this issue as applied to government agencies. Cleared defense contractors can be proactive and protect their organizations from the insider threat by analyzing the requirements and creating a system to meet those requirements.

As published by

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Wednesday, December 17, 2014

ISP Certification, FSOs, and New Year's Resolutions

Wow, New Year’s Eve is just around the corner and many of us have already set goals. It’s traditional to plan events as the calendar rolls over to a new year. It’s great to dream big and visualize these goals; it’s quite another thing to actually reach them. So let’s talk professional goals: the NCMS’ ISP Certification is a great one to strive for.

It’s one thing to dream and another to plan. The difference is what you do from the vision to make it a reality. Here are some deliberate actions you can use to help develop a plan to become ISP Certified.

1. Begin at the NCMS ISP Certification information website. There you can find ISP Certification testimonials, brochures, the application and other information about the certification. When you review the qualification, study and application information, begin with the end in mind. If your goal is to become ISP Certified in 2015, gather all the data needed and determine whether that is feasible. If the application, approval and study timeline is too long, consider changing your goal to “Prepare for ISP Certification in 2016” or “Study for ISP Certification”. The point is to study the requirements and build a realistic plan to achieve your goal. Let preparation set the pace, not a calendar date. Once you determine how long it will take to get prepared (6 months, 1 year, etc.), build a plan based on that date and work backward.

2. Understand the application process. There are minimum experience requirements that applicants must meet as well as administrative tasks built into the process. If an applicant does not meet the minimum requirements, they can begin studying, but will have to wait until they meet those requirements before applying. This should be built into the timeline. Applicants who meet the minimum should build the administrative tasks into the timeline. This includes filling out applications, payment, getting approval to take the exam and setting up a test date.

3. Understand the testable topics. Gather the relevant test information from the website. Understand the requirements and get a feel for where you are professionally and any gaps you need to bridge to bring your knowledge of the NISPOM and ISP Certification categories to where it needs to be. It’s not necessary to be an expert in all areas or to be able to quote regulations and requirements. What’s important is knowing where to find information in the source documents and applying that knowledge to question-based scenarios. In other words, understand where the information can be found and how it applies to the situation, quickly. For example, a person appointed as FSO may have substantial experience with personnel and contract security after working those areas exclusively for many years. However, they are still responsible for understanding information security as outlined in the NISPOM. This means that they will need to spend some time understanding where to find topic-related information and answering questions in context.

4. The following are some things that you can do to prepare to fill those knowledge gaps:

a. Study the structure of the NISPOM and other reference documents and understand where to find topic-related information. Also, become familiar with key industry standard terms found in the source documents, such as original classification authority, government contracting agency, DSS, security clearance, cognizant security agency, etc. The NISPOM and source documents are available in print and electronically and can be used in the exam. Understanding where certain information can be found, or how to search an electronic copy, is a very good technique for both real life and test-based scenarios.

b. Join the NCMS study group. There you can study their material, ask questions and get feedback.

c. Find an ISP certified professional mentor. They understand the stress of working full time and studying for a professional level exam. Mentors can calm fears, answer questions, put rumors to rest, and put the right perspective on stress, studying and life in general.

5. Set a date. Just like getting married, sometimes you just have to put a date down. Once that date is set and approved, you have a certain amount of time to take the test before having to reapply. Setting the date will keep you motivated to study and stay focused.

Dreaming is one thing, but achieving is another. The best way to ensure success is to build a plan and follow it. Begin with the end in mind, understand the limitations, meet those limitations, set a date and stay focused. Let 2015 be the start of a new professional achievement.
