Professional Documents
Culture Documents
I. INTRODUCTION
This paper contains an initial exploration of the effects of
the international landscape on the implementation of
cybersecurity practices in general and insider threat best
practices in specific. Any nation can use this mapping as (1) a
preliminary exploration into international policy issues related
to insider threats or other cybersecurity concerns; and (2) a
short educational guide to preventing insider threats. Practices
developed in one nation may require adaptation to be
effectively implemented in other nations. The international
analytical framework introduced in this paper examines the
effect of five factors on the implementation of cybersecurity
controls. The factors are technology, laws/regulations, law
enforcement, corruption, and culture. The CERT Insider
Threat Center defines an insider threat as a current or former
employee, contractor, or business partner who has or had
authorized access to an organizations network, system, or data
and intentionally exceeds or uses that access in a manner that
negatively affects the confidentiality, integrity, or availability
of the organizations information or information systems [1].
Based on its analysis of more than 700 insider threat cases
mainly from the United States, the CERT Program
recommends 19 best practices, adapted from the Common
Sense Guide to Mitigating Insider Threats, 4th Edition [1], for
preventing, detecting, and responding to insider threats. This
paper does not consider the effectiveness of the guides
strategies; rather, it maps these cybersecurity best practices to
international issues that affect practice implementation.
International Considerations
National laws may affect how an organization uses
particular mobile features, for example by recommending that
employers adopt geolocation services available on mobile
devices when demonstrably necessary for a legitimate
business purpose and the same goals cannot be achieved with
less intrusive means [29]. Cultural norms or laws may also
define what monitoring is acceptable for devices that can be
used for both personal and work matters [30]. Nations may set
forth specific requirements for collecting information on
remote workers, for example by requiring employers to ensure
that the employees personality [sic] and moral freedom are
respected [31]. Such considerations impact monitoring of
system access, especially from mobile devices.
Practice 14: Develop a comprehensive employee termination
procedure.
Organizations should develop, communicate, and
consistently follow a policy for dealing with voluntary and
involuntary employee terminations. All terminated employee
accounts must be closed, all organization-owned equipment
returned, and all coworkers notified of the departure.
Organizations should develop and follow a termination
checklist, with an individual assigned to each task, to ensure
that the terminated employees physical and electronic access
are disabled. Finally, organizations should consider reviewing
the departing employees online actions during the 30 days
prior to termination to identify suspicious network activity
[32].
International Considerations
Standard organizational structures vary between countries,
as do the set of departments responsible for termination tasks.
Laws governing monitoring the online actions of terminating
employees and notifying coworkers of the termination vary
among jurisdictions. Organizations must consider legal issues
surrounding enforcement of agreements on noncompetition,
nondisclosure, and intellectual property.
Practice 15: Implement secure backup and recovery
processes.
Organizations must have a secure, tested backup and
recovery process to ensure compliance with all SLAs. If
possible, organizations should implement separation of duties
to ensure that a single privileged IT administrator cannot
modify the backup and recovery process to prevent the
organization from recovering. Transaction logs should be
protected so that IT administrators cannot modify logs to
obfuscate or delete records of malicious activity. Organizations
that rely on a cloud service provider for their secure backup
and recovery process should refer to Practice 9.
International Considerations
The availability, variety, and affordability of technical
solutions vary among nations of different levels of
development. Practice 11s considerations apply here.
International Considerations
International considerations related to communication
issues surrounding social media sites are similar to training
issues in Practice 3. Expectations vary according to different
national, cultural, legal, and organizational norms, and
organizations should consider local expectations when
managing the extent to which employees are permitted to use
social networking sites, both inside and outside the workplace,
and the degree to which employees are permitted to disclose
information about the organization. Some nations do regulate
an organizations ability to address employees behavior
online, for example with respect to protected discussions of
work conditions [33].
Practice 19: Close the doors to unauthorized data exfiltration.
An organizations first step to addressing insider threats is
to identify its critical assets (people, information, technology,
and facilities), people who should have authorized access to
those assets and those who actually do, and asset locations. To
identify risks posed to critical assets, the organization must
understand how information assets can be copied or removed.
Many technologies and services could be used to exfiltrate
data. An organization must be able to account for all devices
that connect, physically or wirelessly, to its information
system. The challenge is to balance security with productivity.
Controls should allow authorized information exchanges but
prevent unauthorized exfiltration.
International Considerations
Availability, variety, and affordability of technical solutions
varies among nations of different levels of development. Laws
on monitoring and investigations vary among jurisdictions.
III. FUTURE WORK
Planned work includes expanding on the ideas described
broadly in this paper to create a detailed international and
cross-cultural framework for fighting insider threat. Much work
must be done to better understand and characterize different
nations cultural, technical, legal, regulatory, and corruption
environments as they affect information security in general and
insider threats in particular. Country-specific sets of cases need
to be gathered and empirically analyzed for significant
correlations between countries and indicators of insider threat
risks. The CERT Program has begun collecting international
insider threat cases to add to a database originally composed of
only cases from the United States, which may help researchers
characterize insider threats in various countries. The
effectiveness of database-based best practice development
could benefit from analysis, as could the effectiveness of
specific recommended practices related to their costs (both
direct and indirect). The international analysis framework
initially developed for this paper will also be applied to
additional types of cybersecurity practices, beyond those
directed at insider threats.
IV. ACKNOWLEDGEMENT
We thank members of the CERT Divisions Enterprise
Threat and Vulnerability Team who provided helpful review
[12] Wikipedia,
Racism,
http://en.wikipedia.org/wiki/Racism
accessed Aug. 30, 2012.
[13] United Nations High Commissioner for Human Rights,
Discriminatory laws and practices and acts of violence against
individuals based on their sexual orientation and gender
identity, in Annual report of the United Nations High
Commissioner for Human Rights and reports of the Office of the
High Commissioner and the Secretary-General, A/HRC/19/41,
Nov. 17, 2011.
[14] Elaine Kaplan, Special Counsel, U.S. Office of Special Counsel.
The international emergence of legal protections for
whistleblowers, The Journal of Public Inquiry, Fall/Winter
2001, pp. 37-42.
[15] United States Department of Labor, The Whistleblower
Protection
Program
[online].
Available:
http://www.whistleblowers.gov/
[16] P. Collins, L. Stein, C. Trombino, and Perkins Coie LLP,
Consider the source: How weak whistleblower protection
outside the United States threatens to reduce the impact of the
Dodd-Frank reward among foreign nationals, The Third
Annual National Institute on the Foreign Corrupt Practices Act,
2010.
[17] G. Hofstede, Cultures consequences: International differences
in work-related values, Newbury Park: Sage, 1980.
[18] Federal Trade Commission, Financial institutions and customer
information: Complying with the Safeguards Rule [online],
2006.
Available:
http://business.ftc.gov/documents/bus54financial-institutions-and-customer-information-complyingsafeguards-rule
[19] Italian Personal Data Protection Code, Legislative Decree no.
196
of
30
June
2003,
Annex
B.
Available:
http://www.privacy.it/privacycode-en.html
[20] F. Valdez, P. Buttles, and J. Mogilensky, The role of
organizational culture in process improvement, SEPG North
America 2009, San Jose, CA.
[21] M. Bishop and C. Gates, Defining the insider threat,
Proceedings of the Cyber Security and Information Intelligence
Research Workshop, article 15, May 2008.
[22] Security Standards Council, Payment card industry data security
standard: Requirements and security assessment procedures
version
2.0,
October
2010.
Available:
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
[23] Federal Deposit Insurance Corporation, Section 4.2 Internal
routine and controls, segregation of duties, in Risk management
manual of examination policies [online]. FDIC, 2012. Available:
http://www.fdic.gov/regulations/safety/manual/section4-2.html
[24] Royal decree 994/1999, of 11 June, which approves the
regulation on mandatory security measures for the computer
files which contain personal data, 1999. Available:
http://www.agpd.es/portalwebAGPD/english_resources/regulati
ons/common/pdfs/reglamento_ingles_pdf.pdf
[25] 45 CFR 164.312(2), 2007.
[26] Spring and Huth, The impact of passive DNS collection on enduser privacy, SATIN 2012, Appendix C Section C. Available:
http://conferences.npl.co.uk/satin/papers/satin2012-Spring.pdf
[27] Copland v. UK, ECHR 253, 2007.
[28] Wugmeister and Bevitt, Comparing the U.S. and EU approach
to employee privacy, in Morrison and Foerster [online], 2008.
Available:
http://www.mofo.com/comparing-the-us-and-euapproach-to-employee-privacy-02-29-2008/