ETS was tasked with building a quality Insider Threat program through a forward-looking, four-phase process that strongly mitigated the risk of existential harm from those with critical access.
PHASE I – Pre-Assessment Survey and Liaison
- Questionnaire sent to the client team to initiate the gap analysis process
- Arranging on-site visit, interviews with key stakeholders/leaders, and initiating the gap analysis
- Identify – What is critical? Where is it located? Who has/needs access?
PHASE II – Vulnerability Assessment/Gap Analysis
- Client shares internal policies, procedures, and guidelines for 7 functional areas (HR, IT, Software Engineering, Data Owners, Legal, Physical Security, Trusted Partners)
- ETS utilizes the Carnegie Mellon University Capabilities Maturity Model
- ETS document review, on-site visit, stakeholder interviews (remote and on-site), high risk areas identified
- Further Identifying – What is critical? Where is it located? Who has/needs access? Where are the vulnerabilities?
PHASE III – Report
- ETS provided Executive Summary, Process Reviews, Findings and Recommendations
PHASE IV – Implementation Planning for Identified High Risk Areas
- Policy, process, documentation creation or improvement
- Establish Governance model involving Human Resources, General Counsel, Ethics, Privacy, Communications, Chief Information Security Office, and Security
- Suspected Loss/Egress Incident Response Plans (Recognize, Report, Respond)
- Communications, training and awareness, initial roll-out, branding and messaging
- Other areas as decided in concert with client leadership
- High risk areas management guidance
- ETS provided training and awareness, new employee orientation, refresher training