
Please paraphrase the below

Information Security Management Standards, Best Practice and the Insider Threat

Information security management is the subject of many best practice guides, regulation specific to different sectors of business, legislation and international standards. The vast majority of these approaches focus on regulation and in doing so address a number of prime insider threats including fraud and theft. There is an emphasis on setting the appropriate security culture from the top of the organisation, and indeed the informal field observations confirmed senior management attitude as a significant factor in increasing or decreasing insider risk. There are risk methodologies that profile attackers and their motivations but interestingly these methodologies are not included in many of the mainstream information security management standards and best practice guides. This section considers the ISO 27000 family of security management standards and the specific guidance available for managing the insider risk.

General Security Management Standards

There are a number of standards which are used to design and implement information security management controls and processes. The majority of these standards are control-focused and concentrate on responses to particular types of information security risk. The family of standards which underpins information security management is the ISO 27000 family. The two main standards are ISO 27001, which presents the ISMS, and ISO 27002, which presents the control set used by the ISMS to respond to context [22, 23]. The control set breaks down into twelve areas, each of which is characterised in terms of the dimension of information security that it relates to. There are various controls that can be used to respond to the risk from insiders [21]. Table 1 presents the control classifications defined in Annex A of ISO 27001:2005.

As Humphreys discusses, all ISO 27002 control areas have relevance for responding to the insider threat [21]. Broadly speaking, three distinct categories of controls can be identified: controls used to identify insiders from outsiders, controls used to identify unexpected insider behaviour and controls used to influence the development of an organisation's security culture. The majority of the controls in this final category can be found in the set of controls termed "Human Resources Security", which are guidelines to be followed upon recruitment and prior to or post employment. These include, amongst others, personnel screening, disciplinary processes, awareness programs, incident reporting and response. In this category, emphasis is also placed on security policy, awareness programmes and security education. Access control and authentication methods, both physical and logical, are the main control groups used to differentiate between insiders and outsiders (e.g., segregation of duties, controls for advanced users or for specific technologies, i.e., mobile devices). This differentiation is also partly carried out using controls that relate to asset management and information classification, labelling and handling.

The event monitoring, compliance and information security incident management categories are the main control groups for determining unexpected insider behaviour. Finally, the standards include controls for continuity management to minimise the impact of the insider threat. Business continuity and resilience planning is an important response for risks which are either difficult to analyse, complicated to respond to or where the risks are unknown. Insider risks can often be categorised in this way, and therefore a business continuity framework and controls that provide resilience offer a way of reducing the impact of an attack from an insider and reduce the need to define insiderness.

Guidelines Focused on the Management of the Insider Threat

Similar guidelines to the ones found in ISO 27002 are also included in the 16 techniques suggested by the CERT's guide for insider threat prevention and detection, as found by examining 150 cases of insider incidents that were detected and reported [8]. The controls are not general but are specifically designed for insider threat prevention and detection. These include access control, logging and audit, personnel measures equivalent to the ones of ISO27002, physical and environmental controls, controls for software development, change management, policies, awareness and training programs, backup and recovery and incident response. The 16 proposed practices, their relevance to ISO27002,
