Proceedings magazine is a communication tool for the Coast Guard's Marine Safety & Security Council. Each quarterly magazine focuses on a specific theme of interest to the marine industry.
Issue link: http://uscgproceedings.epubxp.com/i/436751
76 Proceedings Winter 2014 – 2015 www.uscg.mil/proceedings

Your insider threat program can be simple or complex, depending on your organization's needs and resources. But it should be tailored to the organization and its mission, functions, and people.

About the author: Mr. Scott O'Connell served more than 20 years as an Army intelligence officer, mostly in counterintelligence assignments at the operational, command, and staff levels. He was director of Joint Counterintelligence on the JCS staff and director of operations at the Department of Defense Counterintelligence Field Activity. He most recently served as the director of the National Geospatial-Intelligence Agency's Counterintelligence Threat Mitigation Center.

Each organization should have a "playbook" set up in advance that lays out roles and responsibilities of the stakeholders, based on the nature of the threat. A "tiger team" of cross-functional experts should meet regularly to ensure roles and responsibilities are clearly understood.

Legal and Privacy Considerations

Any insider threat program must have extensive legal review and oversight. Ensure all plans and programs receive a legal opinion. But lawyers should not render such opinions in a vacuum. Those charged with the insider threat mission need to work closely with their counsels to inform them on programs and procedures early on, so everyone can work jointly to ensure legal sufficiency as well as protection from malicious threats. This makes sense on many levels, but especially if a threat comes in the form of criminal activity. It would do no one any good to be unable to prosecute because a sound legal basis for the program was not front-loaded.

Privacy is a growing area of expertise in the government as well as private industry. In today's information age, management must ensure its employees' personally identifiable information is protected.
Some organizations have appointed privacy officers who are trained and have expertise in how to comply with privacy requirements. Others leave that role to their legal counsel. Either way is fine, as long as those safeguards are incorporated into the organization's insider threat program.

Deciding What's Best

Should my organization, port, or vessel have an insider threat program? Perhaps, but it is likely that it already does, albeit not necessarily a formal one. Basic due diligence in hiring and alert supervisors and employees exist in every agency. These provide a seminal alert system for potential problems.

But in most modern organizations that might not be enough. The complexity of the modern workplace, in a port or at sea, makes it all too easy for someone who has gone bad to do incalculable damage. A well-crafted insider threat program can go a long way to avoid or limit that damage. And failure to have adequate safeguards can result in a cataclysmic loss of mission, resources, proprietary data, and even people.

For more information:

There are numerous resources available for those trying to build an insider threat program.

National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs. Washington, DC: White House Memorandum, November 2012.

Bunn, M. and Scott D. Sagan. A Worst Practices Guide to Insider Threats: Lessons Learned from Past Mistakes. American Academy of Arts and Sciences, 2014.

Silowash, G., and Dawn Cappelli, Andrew Moore, Randall Trzeciak, et al. (2012). Common Sense Guide to Mitigating Insider Threats. Software Engineering Institute, Technical Report, 4th Edition.

Guido, M. D., and Mark W. Brooks. Insider Threat Program Best Practices. MITRE Corporation, 2011.

Caputo, D. D. and Greg Stephens, Brad Stephenson, Minna Kimm. Human behavior, Insider Threat and Awareness. Institute for Information Infrastructure Protection, July 2009.