New Insider Threat Controls in 800-53 rev4

The NIST revision to 800-53 controls that is known as rev4 added new controls related to insider threats.

  • PM-12 (0) INSIDER THREAT PROGRAM – this is the master control requiring an insider threat program, including a team that is focused on insider threat incident handling. The team needs to have cross-discipline representation that allows them to monitor and correlate behavior patterns from different parts of the organization and in different forms. The program should include security controls that require such monitoring and correlation. The controls listed below offer a good starting point:
  • PM-1  INFORMATION SECURITY PROGRAM PLAN – this plan lays out the foundation and framework for the entire security program.  Incorporate requirements, roles and responsibilities, and cross-organizational coordination for dealing with insider threats here.
  • PM-14  TESTING, TRAINING, AND MONITORING – security testing, training and monitoring also need the same high level focus on insider threat as mentioned above in PM-1.
  • AC-6 (9) LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS – prohibit privileged access to the information system by non-organizational users.
  • AT-2 (2) SECURITY AWARENESS | INSIDER THREAT – training on how to notice indicators and pre-cursors of insider threat activity.
  • AU-6 (9) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH INPUT FROM NON-TECHNICAL SOURCES – correlation of non-technical input with audit information can reveal patterns of potential insider threat activity.
  • AU-7 AUDIT REDUCTION AND REPORT GENERATION – audit data can be selectively filtered to reduce data size and facilitate concentration on specific issues, such as unauthorized insider activity
  • AU-10  NON-REPUDIATION – without the use of non-repudiation in key areas, malicious insiders would be able to deny their activities
  • AU-12  AUDIT GENERATION – use the definable parameters to focus the audit trail on insider activity that is of concern, and to limit insiders ability to make changes
  • AU-13  MONITORING FOR INFORMATION DISCLOSURE – monitor designated sites for evidence of information disclosure
  • CA-2 (2) SECURITY ASSESSMENTS | TYPES OF ASSESSMENTS – selectable parameters offer a variety of forms of security assessments, including a focus on insider threat
  • CA-7  CONTINUOUS MONITORING – continuous monitoring is designed to raise awareness of the current functioning status of controls, the security posture of the system that results, and any change in the status of threats or vulnerabilities in relation to the security posture.  As such, these metrics can be focused on controls (in this list) that provide protection against insider threats
  • CP-2 (1) CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS – the insider threat plan needs to be integrated into the contingency plan (CP) and coordinated with other parts of the CP
  • IA-4  IDENTIFIER MANAGEMENT – a good certification process (MULTIPLE FORMS OF CERTIFICATION)protects against allowing insider access inappropriately;  identifying user status (IDENTIFY USER STATUS) and coordinated management of identifiers (CROSS – ORGANIZATION MANAGEMENT) protect against sharing information with insiders inappropriately
  • IR-4 (6) INCIDENT HANDLING | INSIDER THREATS – SPECIFIC CAPABILITIES – this control can be added to the baseline during the tailoring process to provide an emphasis on specific aspects of insider threat and how the organization intends to defend against the threat and respond to it when detected.
  • IR-4 (7) INCIDENT HANDLING | INSIDER THREATS – INTRA-ORGANIZATION COORDINATION – it should be obvious that intra-organizational cooperation will be key to handling insider threats. A selectable parameter allows organizational elements to be specified.
  • MP-7  MEDIA USE – restricting and/or prohibiting the use of specified types of media can protect against unauthorized access, exfiltration of data, and possibly more threats, including exposure to malware
  • PE-2  PHYSICAL ACCESS AUTHORIZATIONS – physical access has the potential to bypass many other security protections.  Since insiders already have some level of physical access, it is important to carefully monitor and control physical access according to the level of protection required and the need of the individual to access the physical area
  • PS-3  PERSONNEL SCREENING – a well done personnel screening process includes variable conditions and frequencies depending upon the types of information that are involved
  • PS-4  PERSONNEL TERMINATION – good exit interviews and promptly disabling system access and revoking credentials can prevent problems from disgruntled employees being terminated
  • PS-5  PERSONNEL TRANSFER – access control status can change when individuals are reassigned or transferred
  • PS-8  PERSONNEL SANCTIONS – policies and procedures have to be enforced with penalties in order to be effective
  • SC-5 (1) DENIAL OF SERVICE PROTECTION | RESTRICT INTERNAL USERS – it may be wise to restrict or limit the ability of insiders to use components of the information system to launch denial of service attacks. A selectable parameter allows such attacks to be specified.
  • SC-7  BOUNDARY PROTECTION – managing interfaces at both external and internal boundaries reduces unauthorized access and information flow
  • SC-7 (9)  BOUNDARY PROTECTION | RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC – detect outgoing traffic that can pose a threat to other systems and identify the internal user associate with it
  • SC-7 (10) BOUNDARY PROTECTION | PREVENT UNAUTHORIZED EXFILTRATION – manage interfaces to detect and prevent against unauthorized exfiltration 
  • SC-38  OPERATIONS SECURITY – identify information that can be key to threat actors and prevent it from leaking
  • SI-4 (12) INFORMATION SYSTEM MONITORING | AUTOMATED ALERTS – alerts can be used to focus attention on unusual activity


NIST SP 800-53 rev4


New OPSEC Controls in 800-53 rev4

Comments are closed.