The document discusses insider threat programs and insider threats. It notes that in the last fiscal year, economic espionage and theft of trade secrets cost the American economy over $19 billion, and these crimes are increasingly linked to insider threats. The average cost per insider threat incident is $412,000, with average losses of $15 million per industry per year. Some incidents have exceeded $1 billion in losses. Intellectual property now represents most of a corporation's value, making assets more susceptible to espionage. The document discusses the need for organizations to implement insider threat programs to identify, prevent, detect and respond to insider threats in order to reduce losses.

1. Insider Threat Working Group

2. 2
“In the last fiscal year alone, economic espionage and theft of trade secrets cost
the American economy more than $19 billion… economic espionage and theft
of trade secrets are increasingly linked to the insider threat…”
- Christopher Munsey, FBI Counterintelligence Division (2013)
“The average cost per Insider Threat incident is $412,000. Average loss per
industry is $15 million/year. Multiple incidents have exceeded $1 billion.”
- Patrick Reidy, FBI, Senior Level Staff, Information Security Assurance Section (2013)

3. 0
50
100
1975 1985 1995 2005 2009
Composition of the S&P 500
Tangible Assets Intangible Assets
%Value
“ The U.S. economy has changed over the past 20 years. Intellectual capital rather than physical assets now represent
the bulk of a U.S. corporation’s value. This shift has made corporate assets far more susceptible to espionage.”
- Protecting Key Assets: A Corporate Counterintelligence Guide, Office of the National Counterintelligence Executive (2013)
3

4. 29
Figure 5. Types of
Insiders that
individuals believe
Pose the Biggest
Threat to
Organizations.
In your opinion, which of the following types of insiders pose the biggest threat to your
organization? (Percent of respondents, N=707, three responses accepted)

5. The Cambridge Five
5

6. Aldrich Ames : CIA Case Officer/Analyst
 Provided detailed information to KGB on CIA intelligence
operations and agents in the USSR.
 Received $4.6 million dollars in exchange for information.
 Convicted in 1994 : Sentenced to life imprisonment (without
possibility of parole) for espionage.
6
Robert Hanssen : FBI Special Agent
 Provided detailed information to KGB/SVR on FBI intelligence
operations against USSR/Russian Federation.
 Received $1.4 million dollars in cash and jewelry in exchange
for information.
 Convicted in 2001 : Sentenced to life imprisonment (without
possibility of parole) for espionage.

7.  Spies
 Turncoats
 Traitors
 Guilty of Treason
7
Sexual orientation... Blackmail… Greed... Ideology

8. Edward Snowden : NSA Systems Administrator Contractor
 Passed thousands of classified documents describing NSA
and allied intelligence agencies operations to The Guardian
and The Washington Post for public release.
 Considered a fugitive by US Government since 2013. Charged
with espionage and theft of government property. Granted
temporary asylum in Moscow by Russian Government.
PFC Bradley Manning : US Army Intelligence Analyst
 Passed thousands of classified diplomatic cables and military
reports to the WikiLeaks staff which posted this material on their
public web site.
 Convicted in 2013 : Sentenced to 35 years imprisonment (with
possibility of parole in eight years) for espionage.
8

9. 9
 Leakers
 Whistleblowers
 Dissidents
 Patriots
Justice… Ideology… Notoriety… ?

10. 10

11. Game Changer!
Companies must adapt to a new, effective security
paradigm that provides an ROI in security.
The world is complex, so is our internal threat.
If Security does not evolve to contain the threat…
11

12. 12
• The ITWG is a joint effort by government and industry CSOs.
• The ITP is supported by ASIS International, NDIA and NCMS.
• It addresses both violent and non-violent employee behavior.
• ITP meets both compulsory (Federal) and effective (industry)
requirements.
• It is evolutionary not revolutionary in approach.
• Functional and psychometric analyses were used to design
the program.
• ITP updates and repurposes existing programs, thus
minimizing costs.
• Through effective use of metrics, ITP provides a
demonstrable ROI for senior management.
What are the characteristics of this program?
Insider Threat Program (ITP) Insider Threat Working Group (ITWG)

13. National Industrial Security Program Operation Manual (NISPOM) Conforming Change #2 (Fall 2015)
Will require US Defense Industry to establish Insider Threat Programs at all cleared contractor facilities.
NITTF Guide to Accompany the National Insider Threat Policy and Minimum Standards (November 2013)
Detailed implementation plan for federal agencies to comply with White House policy memo.
White House Memorandum: National Insider Threat Policy and
Minimum Standards for Executive Branch Insider Threat Programs (21 November 2012)
Directed federal agencies to establish effective insider threat programs to deter, detect and mitigate actions by employees who may represent a threat to
national security
E.O. 13587: Structural Reforms to Improve the Security of Classified Networks
and the Responsible Sharing and Safeguarding of Classified Information (7 October 2011)
Mandated responsible sharing and safeguarding of classified information on
computer networks by federal agencies.
Established NITTF to assist federal agencies in preventing, deterring and
detecting compromise of classified information by malicious insiders.
13

14. 14
ASIS CSO Roundtable Survey (August 2013)
 Establish baseline understanding of industry Insider Threat.
 Surveyed CSO of companies with > $1 billion dollars in
annual gross profit.
 78 of 330 CSOs participated in survey (24%).
 94% represented companies with > 999 employees.
NCMS Survey (March 2014)
 Expand survey database of industry Insider Threat
Programs to include small and medium size companies.
 Survey conducted through NCMS Board of Directors to
membership.
 777 of 5900 members participated in survey (13%).
 56% represented companies with < 500 employees.

15. 35.9%
47.2%
17.0%
Does your organization have an insider threat-related program?
Yes, formal
Yes, informal
No
43.2%
6.9%
37.1%
Please identify the relative size of your organization.
Small (1 to 249 employees)
Medium (250 to 499
employees)
Large (500 to 999
employees)
Enterprise (More than 999
employees)
21.8%
15

16. 16
An ITP is a proactive security implementation,
approved and directed by executive leadership
with cross-disciplinary participation to protect
specified organizational assets.
What is the goal of the ITP?
What is an insider threat program?
Insider Threat Program (ITP) Insider Threat Program Model (ITPM)
The goal of the ITP is to:
IDENTIFY > PREVENT > DETECT > RESPOND
to counterproductive workforce behaviors and attacks that may compromise
the safety and security of organizational assets.

17. 17
Model
Types
Recommendations

18.  The hub and key element of the ITP.
 The scope includes all planning and development
responsibilities – charter, leadership, policy creation, legal
and privacy review, plan documentation, implementation,
and requirements for each of the nine essential program
elements.
18
BASIC
Designated PoC and responsibilities for program planning
to include policies, procedures, and response protocols
INTERMEDIATE
ITP Manager installed with supporting staff to execute
program goals and objectives.
ADVANCED
Senior Executive leadership and skilled staff execute a
broad spectrum of detection and mitigation activities.

19.  Approach based on human behavior using technology as tools.
 Categorizes the inventory of behavioral indicators.
 Develops metrics to assess individual/organizational health.
 Builds advanced monitoring strategies to increase
positive “hit” rates and reduce false-positives.
 Informs senior leadership and conveys ROI.
19
BASIC
Focuses ITP resources on inventory of behavioral
indicators associated with insider threats.
INTERMEDIATE
Analyst role added to ITP team. Acceptable use profiles
created.
ADVANCED
Behavioral psychology expertise added to program.
Specialized analytics applied in pre/post-hiring selection
and monitoring to include social media.

20. Part I: Apparel
 Mind with USB port access
 Metaphysical Lab Coat
 Psychometric Goggles
 Analytical Tongue Depressor
20
Part II: Questions
 Who is the Insider Threat?
 What do you do with 150+ identified possible behaviors?
 How and when do you measure bad behavior?
 Do you want to identify behavior before it becomes bad, or after?
 What do you do next?

21. 21
Who is the Potential Insider?
 The challenge is to address personality traits that remain
consistent, not cultural norms which change over time.
 According to the DMS-5, depending on the disorder, 2-6% of
the population suffer with Personality Disorders associated
with personality traits reflecting inappropriate behaviors.
 7,000,000 to 21,000,000 in the USA alone.
 Few will be diagnosed, fewer still will ever be a threat.
How many Insiders does it really take to:
 Damage a brand name,
 Significantly impact profits, and
 Hurt your organization….
BUT…

22. How many Insiders does it take to Seriously
damage an ORGANIZATION?
PFC Bradley Manning
US Army
22
An Army of ONE

23. How many Insiders does it take to Seriously
damage an ORGANIZATION?
Edward Snowden
1 - NSA
2 - Booze Allen Hamilton
23
One Insider,
TWO ORGANIZATIONS
damaged

24. How many Insiders does it take to Seriously
damage an ORGANIZATION?
Add Name
Your Company
24
It only takes ONE.

25. Personality Disorder– An enduring pattern of inner experience and behavior that deviates markedly from
the expectations of the individual’s culture, is pervasive and inflexible, has an onset in adolescence or
early adulthood, is stable over time, and leads to distress or impairment. (DSM-5)
Metrics–The science of measurement. Metrics enable process assessment and controls, drive business
policies and investment decisions, influence collaboration for enterprise-wide benefits, and motivate
strategic and profit center alignment. (Persuading Senior Management w/Effective, Evaluated Security Metrics)
25
Counterproductive Work Behavior– Any intentional action by members of organizations that
violates core organizational and/or social norms. (Vardi and Weiner)
Personality disorders are characterized by impairments in
personality functioning and pathological personality traits.
Cognitive:
 Stressor-Emotion Model – Integrating human aggression and
occupational stress
 Organizational Citizen Model – Counterproductive work behavior as
protest
Clinical Models
 True Psychology of the Insider Spy (Dr. David Charney)
 Diagnostic and Statistical Manual of Mental Disorders (DSM-5)
Define/Measure/Optimize

26. 26
Behavioral Family
(Individual) Minor
Nonviolent
 Poor performance
ratings
 Late to work/meetings
 Poor quality work
 Misuse of Time
 Misuse of resources
 Not accepting
feedback
 Disgruntled
 Incongruent work
history
 Unreported changes
in personal history
Behavioral Family
(Individual) Serious
Violent
 Open Anger
 Destruction of Property
 Assault
 Theft
 Increasing Paranoia
 Actions Dangerous to
Self and Others
 Disregard for authority
 Arrests
Behavioral Family
(Individual) Serious
Nonviolent
 Falsifying employment
data
 Excessive absenteeism
 Theft of
information/property
 Time Card fraud
 Falsifying work related
data
 Exhibits paranoia
attitudes
 Disregard for authority
 Excessive secrecy
 Distrust of others
Behavioral Family
(Individual) Minor
Violent
 Unsafe behavior (risk
taking)
 Drug Use
 Alcohol Abuse
 Bullying of co-workers
 Verbal Abuse/profane
language
 Unexpressed Anger
 Aggression toward
others
 Demonization

27. 27
Behavioral Family
(Environmental) Minor
Moderating Factors
 Medical issues
(self/family)
 Depression
 Being bullied at work
 Injustice (self or
others)
 Financial losses
 Reward system
 Job satisfaction shift
 Suicide in family
Behavioral Family
(Corporate) Minor
Moderating Factors
 Practice vs. Policy
 Inconsistent
Selection Process
 Lack of Training
 Mal-assignments
 Distrust of
Employees
 Reward System
Changes
 Ignoring Security
rules
 Inconsistent
reward process
 Perceived
authority shift
Behavioral Family
(Corporate) Serious
Moderating Factors
 Change of Employee
Authority
 Layoffs
 Furloughs
 No Communication
 Benefit Loss
 Employee Treatment
(loyalty)
 Patronage
(Selection/Promotion)
 Terminations
 Ethics violations
Behavioral Family
(Environmental) Serious
Moderating Factors
 Loss of control (real
or perceived)
 Poor work
relationships
 Marital/family
difficulties
 Poor job ratings
 Passed over for
promotion
 Pending termination
 Mal-assignment

28. 28
BASIC
Liaison is established with internal stakeholders and
external government agencies and industry organizations.
INTERMEDIATE
Technologies are in place to support data collection,
retention, and sharing.
ADVANCED
Interactive engagement and knowledge exchange with IC,
federal, state, and local law enforcement authorities, trade
associations.
 Details and administrates internal cross-organizational
interactivity required to execute the ITP plan.
 Details external collaboration requirements and
knowledge sharing protocols necessary to facilitate the
acquisition of information potentially indicative of
insider threat behaviors and activities.

29. 29
 Why Collaborate?
 Internal Collaboration
 Industry Collaboration
 Government Collaboration
 Scalable Collaboration
Basic-Intermediate-Advance

30. 30
0.0%
10.0%
20.0%
30.0%
40.0%
50.0%
60.0%
70.0%
80.0%
90.0%
100.0%
Which departments within your organization participate with your insider threat-related program? (Check all that apply).
Internal
ASIS/NCMS Insider Threat Survey

31.  Industry Peers (Cleared Defense Contractors)
◦ Classified Threat Reporting from supported offices
 Customers and Suppliers
 Professional Association and Working Groups
◦ ASIS, AIA, NCMS, National Industrial Security
Program Policy Advisory Committee (NISPPAC),
National Intellectual Property Rights Coordination
Center
 Trade Groups
36

32. 37
 US Businesses [DOMESTIC]
◦ NCIX/NCSC reporting
◦ FBI Field Office
 US Businesses [INTERNATIONAL]
◦ U.S. Embassy (Commercial Services,
Legal Attaché)
◦ AMCHAM
 Law Enforcement (Local, State and Federal)
 Regulators/Law Makers
 Government Contracting Activities and Security Offices
 Defense Security Service (Industrial Security
Representatives and Counterintelligence Special Agents)

33.  Details the requirements for education, training, and
awareness concerning insider threat behaviors and risk.
 Provides customize training that address program
objectives of each design element.
33
BASIC
Basic insider threat education, training, and awareness
provided at hiring and on an annual basis.
INTERMEDIATE
Customized training for various org units e.g., C-suite,
R&D, IP group(s), LoB. etc.
ADVANCED
Advanced CI training programs. Redundancy in training
roles, sharing lessons learned for ITP improvement.
Training effectiveness metrics defined and deployed.

34.  Who must receive insider threat
education, training, and awareness?
◦ Insider Threat Program Personnel
◦ Executive Leadership
◦ Workforce
 What must be included in the program?
 Where and when should it be taught?
 How should this training be conducted?
 What resources are available to support
this training?
34

35. Section 3-103. Insider Threat Training. The designated Senior
contractor official will ensure that contractor program personnel
assigned insider threat program responsibilities and all other
cleared employees are trained.
a. Contractor Insider Threat Program Personnel must be trained in:
(1) Counterintelligence and security fundamentals to include applicable legal
issues;
(2) Procedures for conducting insider threat response actions;
(3) Applicable laws and regulations regarding the gathering, integration,
retention, safeguarding, and use of records and data, including the
consequences of misuse of such information; and
(4) Applicable legal, civil liberties, and privacy policies.
35
 Proposed NISPOM Conforming Change #2 identifies specific Insider Threat training
requirements for U.S. defense contractors. The following training syllabus may be required to
be implemented during 2015:
 Our ITP covers these requirements in all three model types:
Basic – Intermediate – Advanced

36. 36
b. All cleared employees must be provided insider threat awareness training, either in-person or computer-based,
within 30 days of initial employment or prior to being granted access to classified information, and annually
thereafter. Training will address current and potential threats in the work and personal environment and will include
at a minimum:
(1) The importance of detecting potential insider threats by cleared employees and reporting suspected
activity to the insider threat program designee;
(2) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular
within information systems;
(3) Indicators of insider threat behavior, and procedures to report such behavior; and
(4) Counterintelligence and security reporting requirements, as applicable.
c. The contractor will establish a system to validate and maintain a record of all cleared employees who have
completed the insider threat briefings.
Section 3-107. Initial Security Briefings. Prior to being granted access to classified
information, an employee shall receive an initial security briefing that includes the following:
a. A threat briefing security briefing, to include insider threat awareness in accordance with 3-103b, Insider
Threat Training.

37.  Insider Threat terminology
 Different types of Insider Threats
 Case examples of Insider Threats
 Available data
 Personal and organizational factors which prompt an Insider Threat
 Behavioral Indicators
 Current organizational policies and controls
 Legislative and regulatory requirements on the Insider Threat
 Laws and related penalties
 Document the training program
37

38. Executive Leadership:
 Why is an Insider Threat Program necessary?
 How can it be implemented?
 What will it cost?
 What checks and balances are in place?
Insider Threat Program Personnel:
 What should be tracked?
 How is reporting managed?
 What civil liberties need to be protected?
Workforce:
 What are we protecting?
 What assets are most wanted by others?
 How can suspicious activities be reported?
 What checks and balances are in place?
38
The Insider Threat is Real

39. 39
 Individual Welfare: Odd or suspicious behaviors
are often associated with life crises, such as work
stress, financial pressure, divorce, and death.
 Helping is Not Snitching: By sharing with
management, information about a coworker
displaying odd or suspicious behaviors, that person
may get help to resolve a life crisis.
 Employee Assistance: Investigations are not the
only solution to responding to suspicious behavior;
employee assistance programs (EAPs) can increase
individual wellness and decrease pernicious
emotions.
 Motivating Action: If employees understand that
their involvement may help an individual and
prevent them from taking harmful actions, they may
be more inclined to report what they observe.
Employee health ensures corporate health

40.  Identify your company’s “Crown Jewels”: Key assets, products and services.
 Give real life examples of Insider Threat
and show the consequences.
 Provide economic rationale and ROI for
implementing Insider Threat Program.
 Explain ethical obligations, legal limitations
and regulatory requirements.
 Outline how your program will be established and
operated.
 Introduce key members of your Insider
Threat Program Personnel.
 Gain specific support commitments from each executive.
40

41.  Educate the ITP security team on Insider threat terminology; behaviors, motives, anomalies and
ways to “connect the dots.”
 Educate your team on how data collection points indicate insider threat:
◦ Human Resources
◦ Legal
◦ Physical Security
◦ IT-Security
◦ Information Assurance
◦ Data Owners
◦ Ethics and Compliance
◦ Internal Audit
◦ EAP
 Determine what is normal within your organization (both behavioral and on the computer).
 Educate the team members on new and developing trends.
 Teach team members how to interpret data and generate metrics.
41

42.  Explain what needs to be protected and why.
 Point to policies and procedures already in
place.
 Explain what suspicious activities look like.
 Explain how to report suspicious activities.
 Develop a multi-pronged, repetitive approach
to education.
 Consider your audience when developing
materials.
42
Executive Leadership
ITP Personnel
Workforce

43.  Before formalizing this Insider Threat training program consider what current
company policies and procedures and resources already in place.
43
 Procedures for reporting suspicious
behavior or employees / trusted
partners.
 Access Control Systems / Badging
Procedures
 Annual Security Awareness training
 New Hire Orientation
 Pamphlets / Posters
ALL employees should understand their role on eliminating internal threat.
 Initial Security Briefing
 Computer usage policy / wireless
device policy / social media policy
 Procedures for handling sensitive,
proprietary and personally identifiable
information (PII) as well as classified
information.
 Procedures for reporting suspicious
activities and security incidents.

44. 44
 Where is the ASIS Insider Threat Information Repository and who can access it?
 Access the ASIS site: www.asisonline.org
 Sign in
 Under “Membership,” select Library (IRC)

45. 45
 Details the identification, assessment, and prioritization of risk
associated with specified assets within the scope of the ITP.
 Coordinates the economical use of resources to
minimize, monitor, and control the probability and/or
impact of security events.
BASIC
Risk management processes are initiated to accomplish
ITP asset protection objectives.
INTERMEDIATE
ITP assets are mapped to owners, custodians, persons
with access, geo-locations, servers, workstations, laptops
networks, systems, applications and endpoints.
ADVANCED
Deploys sophisticated monitoring techniques to track the
movement of asset(s) across electronic and physical
boundaries.

46. 46
Systematic approach to acquiring and analyzing the information necessary for protecting assets and allocating resources.
Source: USAF/SAF/AA

47. Source: Insider Threat Mitigation Group, LLC 2010
Bloggers
Darknet Operatives
Competitive Intel-Agents
Independent
Entrepreneurs
Internet Entrepreneurs
Market Analysts
Information Brokers
Domestic
International
Organized Criminals
Organized “net” Gangs
Identity Thieves
Allied States
Foreign Govt
Intelligence-Agents
Adversarial States
Domestic
Competitors
Foreign
Hacker-for-Hire
Freelance Hacker
Cyber Criminals
Anonymous Hacker
Unwitting Hacker
Domestic Operatives
Terrorist
Operatives
International Operatives
Al Qaeda
BASIC
CI basic principles operate in unison with existing security
implementation–somewhat reactive in nature.
INTERMEDIATE
CI program elements and practices evolve for a more
comprehensive and strategic approach.
ADVANCED
CI operates with a degree of autonomy from conventional
security implementation.
 Details a strategic approach to the identification, disruption,
neutralization, and defeat of insider attacks.
 Drives proactivity in ITP operations.
47

48. 1. Manage the CI Process
2. Determine resource allocation
3. Identify triggers and risk indicators
4. Apply CI techniques
5. Compile, process, and organize CI
reports
6. Prepare and present CI
awareness briefings
7. Develop an operational structure
8. Conduct vulnerability assessments
9. Evaluate, integrate, analyze, and
interpret threat information
10. Maintain compliance
11. Identify and respond to cyber
intrusions
12. Initiate and oversee CI
investigations
13. Communicate threat awareness
culture
14. Apply technical solutions
48
Source: Global Skills X-change (GSX)

49. 49
Deterrence
 Details procedures and protocols required to respond to
technical (Cyber) and non-technical (human) indicators,
incidents, and events.
 Develops protocols for integrated direct and indirect
interventions, investigations, and related response
scenarios.
BASIC
Confidential reporting protocols are instituted pursuant to
documented plan.
INTERMEDIATE
Response policies and procedures reviewed and revised
in response to incident findings– preventative measures
are implemented.
ADVANCED
Acceptable use training is provided to emphasize
expectations and enforcement consequences for non-
conformity.

50. 50
Detection BASIC
Monitoring strategy is implemented pursuant to the asset
protection requirements of the ITP plan.
INTERMEDIATE
Monitoring practices are refined through analytics and
lessons learned. Documented profiles inform decision-
maker and buttress tech-tool and resource requisitions.
ADVANCED
Technical and non-technical resources are integrated
providing automated monitoring processes to include
executive dashboards for timeline visibility.
 Details the metric-based design and implementation of human and
technical monitoring technologies, processes, and protocols.
 Defines and manages data collection requirements.
 On-boards analytic software and predictive algorithms
to measure linguistic patterns.

51. 51
Cyber Measures
• Registry entries
• Intrusion Detection System (IDS)
events Firewall logs
• Host event logs
• Host print logs
• Network print logs
• Database server logs
• Web server logs
 File permissions
 Access to account
 Keystroke records
 Digital signatures
 Local stored or cached files
 Proximity card data
 Applications Installed
 Search engine queries (from query
logs)
 Domain Name Server (DNS) logs
 Known software signature
 Email content capture
 Instant messaging
HR Measures Performance Measures
• Disciplinary records (theft,
violence, harassment,
abuse)
• Personnel Files
• Absentee records
• Employee turnover
• Employee surveys
• Termination of
Employment
• Exit Interview Details
• Supervisor assessments
• Corporate performance
evaluations
• 360-degree evaluations
• Job performance statistics
• Customer feedback
Behavioral Assessment

52. 52
Technical Criteria – Category 1
 Reliability
 Validity
 Generalizability
Operational (Security) Criteria – Category 2
 Cost
 Timeliness
 Manipulation
Strategic (Corporate) Criteria – Category 3
 Return on Investment
 Organizational Relevance
 Communication

53. 53
Guidelines to make presentations more
compelling
• Present metrics that are aligned with the
organization’s objectives or risks or that measure
the specific issues management is most
interested
• Present metrics that meet measurement
standards
• Tell a story
• Use graphics, and keep presentations short
• Present metric data regularly

54. 54
BASIC
Designated PoC and responsibilities for program planning
to include policies, procedures, and response protocols.
INTERMEDIATE
ITP Manager installed with supporting staff to execute
program goals and objectives.
ADVANCED
Senior Executive leadership and skilled staff execute a
broad spectrum of detection and mitigation activities.
 Details the ITP’s review and audit management processes.
 Assures that the program is operating pursuant to plan.
 Applies lessons learned, and implements improvements
based on metrics and other analysis.

55. •Identify and review
historical insider threat
incidents
•Need & purpose for ITP
articulated
•Obtain senior executive
buy-in for program
charter
•Select ITP model and
components
• Build consensus and
advocacy among core
stakeholders
(Convergence)
•In concert with General
Council and HR
develop corporate ITP
policy
•Develop comprehensive
plan and timelines
•Form IT Working
Group (ITWG)
•Define critical
positions and modify
position descriptions
based on criticality
•Corporate wide ITP
metrics/measures
developed
•Metrics dashboard
designed
•Design comprehensive
education plan
•High-level company-
wide policies are
approved and
published
•ITP is formally
launched and is
operational
•Monitoring and Audit
procedures initiated
•Mitigation procedures
operational
•Risk Security Risk
Management (ESRM)
processes initiated to
identify assets,
threats and
vulnerabilities
•Integrate ESRM and
ITP metrics into an
analytical structure
•Identify requirements
for core elements:
Operations,
Analytics,
Collaboration, and
Education
EVALUATION
FORMULATION
INITIATION
I
M
P
L
E
M
E
N
T
A
T
O
N
D
E
S
I
G
N
•Policies and
procedures are written
to support the
development and
operation of all ITP
elements
•Incorporate
counterintelligence
controls and measures
•Security education
plan modified to
incorporate ITP
requirements
•Determine
technologies for
monitoring and
analytics
•Formulate incident
response requirements
•Audit and improvement
requirements
incorporated
•Completed ITP plan is
reviewed and approved
as appropriate
•Develop collaboration
plan for external
relationships
•Pilot ITP
55

56. 56
Contact:
Jeff Vish (Chair, ITWG)
Jeff.vish@Mantech.com
571.388.8688
Dan McGarvey (Chair, D&IC)
DMcGarvey@Skillsdmo.com
703.684.5067 ext.115