GASP: AICF


GOV-027 Insider Threat Program

Tier 2+

Description

An insider threat program is established that includes processes for identifying and responding to insider risk indicators. The program is cross-functional (security, HR, legal) and includes defined escalation paths, investigation procedures, and staff awareness of reporting channels.

Rationale

Insiders with legitimate access present risks that perimeter controls cannot address. A dedicated program provides the organizational structure for detecting, investigating, and responding to insider threat indicators before material harm occurs.

Framework Mappings (3)

Control | Name | Coverage
5.3 | Segregation of duties | partial
PM-12 | Insider Threat Program | full
CC3.3 | COSO Principle 8: Assesses Fraud Risk | partial

Evidence (2)

policy | manual

Insider threat program policy or procedure defining detection processes, escalation paths, investigation procedures, and reporting channels.

Example: Insider Threat Program Policy or Procedure (Confluence), approved by CISO, HR, and Legal, covering: behavioral and technical indicators to monitor, escalation path (security → HR → Legal), investigation procedure, and the reporting channel available to staff.

Test: Request the insider threat program policy. Verify: (1) the document is approved by at least two of the three required functions (security, HR, legal), (2) indicators of insider risk are listed (both behavioral and technical), (3) escalation paths are named, (4) an anonymous or confidential reporting channel is described, (5) the policy is approved and dated within the last 12 months.

report | manual

Insider threat program activity report or log showing the program is operational — indicators reviewed, cases escalated, or tests conducted.

Example: Insider threat quarterly review report (Confluence / PDF) or case management log (ServiceNow / legal hold system), showing: the review period, number of alerts or indicators reviewed, number escalated to investigation, and disposition — with names or case IDs redacted as appropriate.

Test: Request the most recent insider threat program activity report or case log summary. Verify: (1) the report covers the most recent defined review period, (2) at least one category of indicator monitoring is documented as active (e.g. DLP alerts, UEBA anomalies, HR reports), (3) a cross-functional review (security + HR or legal) is evidenced, (4) a named program owner is identified.

Questions (2)

boolean

Does your organization have a formal insider threat program that includes defined processes for identifying and responding to insider risk indicators, cross-functional involvement (security, HR, legal), and staff awareness of reporting channels?

The program policy should be co-approved by at least two of: security, HR, and legal. It should list both behavioral and technical indicators and define an escalation path.

multi

Which of the following insider threat detection and response capabilities does your organization currently have in place?

- User and Entity Behaviour Analytics (UEBA) or DLP alerting
- Privileged access monitoring for high-risk accounts
- Defined escalation path from security to HR and legal
- Anonymous or confidential reporting channel for staff
- Cross-functional review (security + HR or legal) on a defined cadence
- None of the above are currently in place

Evidence should show the program is operational — at minimum, one active detection capability and at least one cross-functional review or case record in the last 12 months.