Critical assets are the organizational resources essential to maintaining operations and achieving the organization’s mission. An insider threat program can protect these vital assets from malicious insiders or the unintended consequences from a complacent workforce.
Identify and Document Organizational Assets.
- Leverage a structured asset management process to inventory organizational assets. The resource guide listed below provides a model useful in identifying and documenting an organization’s people, information, technology, and facilities.
- Consider all internal and external assets, including but not limited to:
- Employees, contractors, vendors, visitors
- Contact and purchase information
- IT systems, networks, communications
- Employee PII, business sensitive or proprietary
- Facilities and equipment
- Buildings, vehicles, machinery
- Alarm, SCADA
- Supply chain
Prioritize Critical Assets Requiring the Most Protection
Critical assets are unique to each organization. The following questions can help determine what is critical to an organization:
- If compromised, will it impact workforce or public safety?
- Was it identified as critical in a Business Impact Analysis?
- Is it vital to the organization’s primary mission?
- What is the risk tolerance?
- Will a compromise have a negative impact on the organizational brand or reputation?
- Will damage, compromise, or disruption result in an unacceptable financial loss?
Determine Threat Types to Critical Assets.
Threat types can include:
- Physical violence targeting employees
- Physical theft of equipment
- Damage to facilities
- Information theft
- Economic espionage
- Financial fraud
- Sabotage of systems or information
Organizations are encouraged to conduct a thorough review of any previous insider incidents or patterns of misconduct that impacted their assets. This process can help to highlight potential vulnerabilities.
Consider the following questions to help identify the types of threats most likely to occur:
- Who has access to the asset?
- Why would an insider cause harm?
- What ways could an insider intentionally cause harm?
- How would an insider benefit from causing harm?
- How would outsiders use an insider to cause harm?
- How would outsiders benefit from causing harm?
- What ways could an insider unintentionally cause harm?
- What gaps in security or training increase likelihood of unintentional harm?
These free resources can assist organizations identify threats and associated risk levels.