Certification Assistant Insider Threat Management

Insider Threat Management is an optional module under Certification Assistant Premium and displays in the Plans section of the dashboard. This module is provided as an option for companies wanting an understanding of not just the risk of a failed control, but the risk around human behavior that could cause a compliance failure. The risk assessment associated with this module may support but does not replace the risk assessment required for Cybersecurity Maturity Model Certification (CMMC).

Plan Description

The Plan Description describes the What aspect of your compliance program, and is not year specific. It describes the year-to-year plan for this compliance requirement and what needs to be achieved, as well as which regulations you are planning to comply with and why.

Instructions:
1. Enter your plan description narrative.
2. Click Next to advance to the next section.

Stakeholders

Stakeholders describes the Who aspect of your compliance program: who is managing the plan, who has sign-off/approval authority, who is involved in ensuring compliance, and who would be affected in the event of a compliance failure.

Instructions:
1. Select the manager for the plan using the drop-down list of users in your account.
2. Select the user with sign-off/approval authority on the plan from the drop-down list.
3. Check the departments that may be impacted by this plan from the generic list provided.
4. Use the Next or Previous buttons to move between sections.

Risk Assessment

How do you assess the current state of your compliance program regarding Insider Threat Management, and what improvement would you like to see over the year? It is always a good idea to determine where you currently are and get an idea of where you would like to be. The following questions focus on compliance and ethics regarding this plan. Answer honestly and use this assessment to focus your efforts on achieving your improvement goals.

Instructions:
Rationalization
The ability of an employee to justify an act of business misconduct. Also defined as a person's process of knowingly or unknowingly (blind spot) deciding that the misconduct is permissible. In the tables below, select where your organization is today and where you would like to be by the end of the year.

Opportunity
The ease with which an employee can commit misconduct. Also defined as the means to execute whatever misconduct the employee has decided to do, and the effectiveness of the compliance controls that stand in the way.

Pressure
The motive or incentive for employees to commit misconduct: whatever might drive an employee to consider misconduct, such as managerial pressure to accomplish performance goals or personal pressure to achieve success.

Consequence
Assessing Impact: The potential financial/business impact of misconduct.

Mitigation
Assigned tasks that will help the organization move from the current risk assessment to the future goal. To assign a Mitigation Task:
1. Enter the details of the task.
2. Assign a user.
3. Select a due date and click Save.
The task displays on the home page task list for the assigned user, and the user also receives an email notification of the task assignment.

Procedures

Procedures describe the How aspect of your compliance program: which internal documents are going to guide the management of this plan, how you are going to communicate the rules and guidelines for managing the plan, and which legal requirements you need to be aware of for this plan.

Instructions:
1. Enter the applicable policies and procedures related to the plan.
2. Input how the policies and procedures are communicated to your staff.
3. Input applicable legal regulations related to this plan.

Training Plan

What training resources do you have available for Insider Threat Management? Let us know the names of the courses and how they are delivered to your employees. Example: Cybersecurity Online Webinar; or Know When NOT to Click.

Approval

Signatures of the individuals responsible for approving the content of this compliance plan. The ability to sign off is only enabled for the users selected in the Stakeholders tab.

Evaluation

Signatures are only enabled when the users assigned in Stakeholders are accessing this section. Complete a year-end evaluation and click Complete to return to the home page. The evaluation covers the following points:

  • Identify and discuss any awareness activities performed during the year.
  • Were any internal/external evaluations performed during the review period?
  • Identify and discuss any changes to regulations that occurred during the plan year.
  • Identify and discuss any changes to business activities/operations (relative to this plan) that occurred during the plan year.
  • Identify and discuss any plan activity that will not complete during the year and why.

Updated on August 22, 2022