Insider Threat

Understanding potential insider threats

Has your organization established an insider threat program? Maybe it has, but you still have questions or feel there’s room for improvement? ReliabilityFirst can help. The Entity Insider Threat Program (InTP) Maturity Assessment Tool can help evaluate your program’s maturity against multiple practice areas.

When following the self-guided, automatically-generated assessment, you can work with the Entity Engagement department’s Critical Infrastructure Protection (CIP) subject matter experts to review and evaluate your results and plan necessary policy or procedure updates identified within the recommendations. Understanding potential insider threat behavior is not only about identifying signs of negative behavior, but also understanding what processes and incentives your organization has in place to empower employees to do the right thing and help identify where they may become an unwitting insider threat.

To submit questions or a request for access to InTP, please visit our Contact Us page and reach out to the Entity Engagement department.

Frequently asked questions

What is the Insider Threat Program (InTP) Maturity Assessment?
This self-assessment tool is part of the ReliabilityFirst resilience and risk program. It allows entities to evaluate and benchmark their Insider Threat Program (InTP) maturity, as well as measure their program effectiveness. After assessing the operational readiness of your entity’s infrastructure in the presence of insider threat attacks, it provides a report that identifies areas for improvement, with insight into the processes and components that impact insider threat risk management.

Why is assessing InTP maturity important?
Energy critical infrastructure with a large and dispersed cyber and physical footprint brings its own challenges to ensuring reliability, security and resilience of the Bulk Power System (BPS). Insider threat risk management is not covered under enforceable NERC cyber or operational standards, although some aspects of insider threat are broadly addressed under CIP-004, CIP-006, CIP-007 and EOP-004 standards. In order to holistically address risks from insiders to reduce the potential for disruptions to the BPS, awareness of best practices regarding insider threats is important, as well as assessing an existing program or establishing and building a new one.

Who is the self-assessment for?
Any registered entity within the ReliabilityFirst Region that is involved in or interested in learning about insider threat risk management is a great candidate for the self-assessment. This assessment can be taken by anyone at your organization who is familiar with your insider threat program, or it can be completed as a group, if that would provide more benefit within your organization. ReliabilityFirst encourages involvement of all personnel involved in insider threat program management during this assessment to derive meaningful indicators to act upon.

Currently, access to the tool will be granted by ReliabilityFirst and is based on the user information provided by an entity’s insider threat program contact.

Is there a cost to use the InTP?
No, this is available free of charge. You are free to complete the assessment as many times as you’d like. As you mature your program, completing the assessment multiple times can help benchmark against past performance or other entities’ insider threat programs.

Is the information submitted in the InTP protected?
The information stored in the InTP is in a database. The data in this database is always encrypted at rest. The data in transit is secured by secure sockets layer encryption.

ReliabilityFirst will periodically analyze the information in aggregate to generate anonymized regional observations and disseminate information anonymously to improve risk management.

How will I access my assessment report?
Upon completion of an assessment, the entity’s user will be able to generate the assessment report immediately. The report is accessed from each user’s assessment summary page within the tool. It can be viewed directly within the tool and downloaded as a PDF.

The report is a valuable internal resource to be used within an entity by anyone who may benefit from the information, but the document must be handled according to the entity’s data distribution and security policy.

How long does the InTP assessment take to complete?
Based on the pilot participants, the assessment may take a few hours to complete. You may pause the assessment at any point, the responses will be automatically saved, and you can resume at a later time. The time may vary based on your program/size/knowledge and the number of people involved.

Who can the report be shared with?
The report is a valuable internal resource to be used within an entity by anyone who may benefit from the information, but the document must be handled according to the entity’s data distribution and security policy.

How often should the assessment be completed?
Entities have the freedom to complete the assessment as many times as desired, on a voluntary basis. By completing the assessment multiple times, entities will be able to benchmark historical InTP performance to drive continuous improvement efforts.

Who should I contact if I have questions?
To submit questions or a request for access to InTP, please visit our Contact Us page and reach out to the Entity Engagement department.