Position Risk Designations for Insider Threat Programs
Viewing insider threat as part of the organization’s enterprise risk management efforts can provide an organizational construct that resonates with decision-makers, and links insider threat risks to other partners and resources that can help the program grow and mature. Many Insider Threat/Risk Programs benefit from risk-based prioritization of roles in their organization. High-risk roles can receive additional scrutiny or elevated risk scoring and weighting.
Prioritizing the highest-risk roles (not individuals) within the organization can help focus limited resources while the program is being built, with potential expansion to other roles as the program grows and matures. Programs that prioritize role-based risk lack a systematic process for identifying and prioritizing job roles, one that focuses on identifying and articulating the assets and risks uniquely associated with those roles. In practice, it is difficult to identify an individual’s actual role from the account privileges, job titles, and job codes typically available across HR, the corporate address book (e.g., LDAP), and user account administration settings. These data sources rarely provide a comprehensive and up-to-date view of what an individual does in their current day-to-day job and what they have access to. The development or implementation of more formal position risk designations should not be associated with, or serve as a precursor to, changes in personnel status, reductions in force, or layoffs; should not designate the “importance” or “value” of roles, information, systems, or processes; and should not replace any compliance or business continuity plans or reviews. The goal of this project was to provide Insider Threat/Risk Programs and their key partners (HR) with an easy-to-use tool that enables them to standardize the risk designation for new, existing, or recently modified positions.
MITRE’s behavioral scientists developed an easy-to-use Position Risk Designation Toolkit (PRDT) as a repeatable, systematic process for assigning and prioritizing role-based risk across all the roles at an organization. The toolkit enables an Insider Threat/Risk Program and other relevant groups (HR) to standardize the risk designation for new, existing, or recently modified positions. The process leverages and tailors the U.S. Government Office of Personnel Management’s (OPM) Position Designation Tool (PDT), though the approach is applicable to all critical infrastructure industry organizations. It operationalizes the risks associated with specific positions’ roles, responsibilities, and information access, and determines the degree of damage those risks could pose to the organization. MITRE applied industry-leading enterprise risk management practices to establish an objective and repeatable standard for identifying and classifying the risk associated with position roles, responsibilities, and information/system access. The toolkit has been successfully deployed in government and in the critical infrastructure industry.