Department of Homeland Security Office of Inspector General

Examining Insider Threat Risk at the U.S. Citizenship and Immigration Services (Redacted)

OIG-11-33 January 2011


Examining Insider Threat Risk at the US Citizenship and Immigration Services

Prepared for Department of Homeland Security Office of Inspector General

by the Software Engineering Institute at Carnegie Mellon University

Insider Threat Center at CERT

December 2010

NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.

Table of Contents

Executive Summary 1

Background 2

Objective 3

Scope 3

Assessment Process/Methodology 5

Results of Assessment 7

Organizational 7

Human Resources 9

Physical Security 11

Business Processes 12

Incident Response 14

Software Engineering 15

Information Technology 16

Recommendation 1: Institute an enterprise risk management plan 22

Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort 22

Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats 22

Recommendation 4 23

Recommendation 5: Consider separation of duties for critical business processes and their related information systems 23

Recommendation 6: Conduct audit of PICS and FSN accounts for USCIS systems 23

Recommendation 7: Employ consistent physical security policies for field offices and service centers, including the physical case files 23

Recommendation 8: Consistently enforce exit procedures 24

Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs 24

Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion 24

Recommendation 11: Enforce a requirement for individual accounts on critical systems 25

Recommendation 12 25

Recommendation 13: Reduce the number of privileged accounts for critical data systems 25

Recommendation 14 25

Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review 25

Recommendation 16 26

Recommendation 17 26

Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees 26

Management Comments and OIG Analysis 27

Appendixes 28

Appendix A Organizational 30

Appendix B Human Resources 37

Appendix C Physical Security 42

Appendix D Business Processes 48

Appendix E Incident Response 62

Appendix F Software Engineering 69

Appendix G Information Technology 75

Appendix H Acronyms 107

Appendix I Management Comments to the Draft Report 109

Appendix J Contributors to this Report 110

Appendix K Report Distribution 111

CERT | SOFTWARE ENGINEERING INSTITUTE | i

Executive Summary

The US Department of Homeland Security Office of Inspector General engaged the Insider Threat Center at CERT of the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat assessment of US Citizenship and Immigration Services. The objective of the assessment was to determine how US Citizenship and Immigration Services has taken steps to protect its information technology systems and data from the threats posed by employees and contractors. The assessment evaluated US Citizenship and Immigration Services against approximately 400 real insider threat compromises documented in the CERT Insider Threat Case database. These cases, all prosecuted in the United States, include fraud, sabotage, and theft of intellectual property.

The assessment team performed fieldwork in the national capital region, Vermont Service Center, and US Citizenship and Immigration Services Burlington offices. Due to the limited scope of the assessment, systems reviewed, and locations visited, CERT was not able to verify the institutionalization and enforcement of any US Citizenship and Immigration Services' policies or render an overall opinion of the effectiveness of US Citizenship and Immigration Services' insider threat posture. The Office of Inspector General did not request CERT to conduct a comprehensive information system's technical security controls review or vulnerability assessment to determine the susceptibility to internal threats. The Office of Inspector General may perform an in-depth follow-up review to render an overall opinion of the effectiveness of US Citizenship and Immigration Services' insider threat posture.

US Citizenship and Immigration Services has made progress in implementing elements of an effective insider threat program. Specifically, it has established a Conviction Task Force to review former employees convicted of criminal misconduct within the scope of their duties, performs risk management for information technology and financial management, developed exit procedures for employees, improved protection of its facilities and assets, and adheres to formalized processes for some systems. In addition, it is implementing Homeland Security Presidential Directive 12 for physical and electronic account management.

While these efforts have resulted in some improvements, US Citizenship and Immigration Services has opportunities to improve its security posture against threats posed by employees and contractors. For example, it can institute an enterprise risk management plan and incorporate insider threat risk mitigation strategies into its new business processes. It can also centralize records of misconduct and violations, institute a logging strategy to preserve system activities, implement separation of duties for adjudicative decisions, conduct audits of non-US Citizenship and Immigration Services accounts, employ consistent policies for physical security, and consistently enforce employee exit procedures.

The assessment team is making 18 recommendations to the Director of US Citizenship and Immigration Services to strengthen the department's security posture against malicious insider threats. USCIS concurred with all of our recommendations and has already begun to take actions to implement them. The department's response is included in its entirety as appendix I.


Background

The US Department of Homeland Security (DHS) Office of Inspector General (DHS OIG) engaged the CERT program in the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat vulnerability assessment of US Citizenship and Immigration Services (USCIS). The project approaches the insider threat problem on two primary fronts:

- The human behavioral component

- The technological solution for automating prevention and detection capabilities to identify, measure, monitor, and control insider threat vectors

Insiders can be current or former employees, contractors, or business partners who have or had authorized access to their organization's systems and networks. They are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate attacks and even collude with external attackers. CERT's research, conducted since 2001, has focused on gathering data about actual malicious insider acts, including information technology (IT) sabotage, fraud, theft of confidential or proprietary information, espionage, and potential threats to our Nation's critical infrastructures.

CERT developed an insider threat vulnerability assessment instrument for evaluating vulnerabilities to insider threat based on research to date. Because of the complexity of the insider threat problem, which involves security officers, information technology, information security, management, data owners, software engineering, and human resources, organizations need assistance in merging the wealth of available guidance into a single actionable framework. CERT advises organizations to use this assessment instrument to help safeguard their critical infrastructure.

CERT built the assessment based on research of approximately 400 insider threat cases in the CERT Insider Threat Case database.1 These cases are a collection of real insider threat compromises, primarily fraud, sabotage, and theft of intellectual property, that have been prosecuted in the United States. Starting in 2002, CERT collaborated with US Secret Service behavioral psychologists to collect approximately 150 actual insider threat cases that occurred in US critical infrastructure sectors between 1996 and 2002 and examined them from both a technical and a behavioral perspective. Since that original study, CERT has continued to add cases with funding from Carnegie Mellon's CyLab,2 bringing the case library to a total of approximately 400 cases. The instrument encompasses technical, behavioral, process, and policy issues and is structured around information technology, information security, human resources, physical security, business processes, legal and contracting management, and organizational issues.

1 Note that the database does not contain national security espionage cases involving classified information.
2 http://www.cylab.cmu.edu


Objective

The objective of the insider threat vulnerability assessment was to determine how USCIS has taken steps to protect its IT systems and data from the threat posed by employees and contractors. This assessment was based on behavioral as well as technical experience, and it is intended to assist USCIS in safeguarding its critical infrastructure. The assessment will:

- Enable USCIS to gain a better understanding of its vulnerability to insider threat and provide an ability to identify and manage associated risks

- Identify technical, organizational, personnel, business, security, and process issues into a single actionable framework

- Identify short-term countermeasures against insider threats

- Help guide USCIS in its ongoing risk management process for implementing long-term strategic countermeasures against insider threats

Scope

USCIS employs approximately 18,000 government employees and contractors located at 250 offices throughout the world.3 The insider threat vulnerability assessment is intended to focus on critical systems and high-risk areas of concern that can be assessed in a 3- to 5-day timeframe. Therefore, at a pre-assessment walkthrough meeting, USCIS staff identified 3 systems of the 96 systems used by the agency as critical to its overall mission:

- Verification Information System (VIS): this public-facing system is composed of five different applications. The purpose of the system is to provide:

  o Immigration status information to government benefit-granting organizations to help them determine the eligibility of aliens who apply for benefits

  o A means for private employers to perform employment eligibility verification of newly hired employees

- Computer Linked Application Information Management System (CLAIMS): This system provides the following functions:

  o CLAIMS 3 Local Area Network (C3 LAN) was originally developed to track the receipting of applicant or petitioner remittances and to produce notices documenting the remittance. C3 LAN now includes adjudication, archive, card production, case history, case transfer, on-demand reports, electronic file tracking, image capture, production statistics, status update, and electronic ingest of application data captured through the E-Filing web application and the Department of Treasury-sponsored lockbox operations.

  o C3 mainframe supports processing of USCIS applications and petitions for various immigrant benefits (e.g., change of status, employment authorization, and extension of stay).

- Fraud Detection and National Security Data System (FDNS-DS): This system was developed to identify threats to national security, combat benefit fraud, and locate and remove vulnerabilities that compromise the integrity of the legal immigration system.

3 http://www.uscis.gov/portal/site/uscis/menuitem.eb1d4c2a3e5b9ac89243c6a7543f6d1a/?vgnextoid=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD&vgnextchannel=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD

It is important to note that the insider threat vulnerability assessment is limited to areas of concern observed in the hundreds of cases in the CERT Insider Threat database. People, technology, and organizations are constantly changing, and malicious insiders continue to come up with new avenues of attack in order to defeat a previously effective countermeasure. However, many of the countermeasures suggested in this report are applicable to a multitude of attack vectors.

It is also important to note that CERT's insider threat research has only explored intentional insider crimes. Accidental data leakage is an area of significant concern for organizations; however, CERT has not yet explored that aspect of insider threat. In addition, the focus of the research to date is to describe how the insider threat problem evolves over time. CERT's long-term research does include measuring the effectiveness of mitigation strategies.


Assessment Process/Methodology

An entrance conference was conducted by the DHS OIG, CERT, and USCIS on February 23, 2010. The entrance conference introduced USCIS to the CERT assessment team. Following the entrance conference, a pre-assessment walkthrough was held at USCIS headquarters on March 10, 2010. At that meeting, the CERT assessment team and the DHS OIG team explained the assessment process to representatives of USCIS. USCIS provided some documentation to the assessment team at that time and more documents throughout the assessment; those documents were reviewed to provide substantiation for findings in this report.

USCIS identified 96 systems it uses. Following the initial meeting, USCIS leadership and the assessment team chose the VIS, CLAIMS, and FDNS-DS systems because they were critical to the overall mission of USCIS. These three systems were the focus of the 5-day on-site assessment.

At the pre-assessment walkthrough, USCIS indicated that it had created a Convictions Task Force to review the activities of 10 former employees convicted of criminal misconduct within the scope of their official duties. The purpose of the task force is to identify issues these employees exploited to commit their crimes. The task force intended to develop findings and recommendations aimed at preventing similar crimes in the future. It graciously extended an invitation to the CERT and DHS OIG teams to participate. As a result, the teams observed or reviewed transcripts of all telephone conferences conducted by the task force. These findings are reflected in this report.

The CERT insider threat team and the DHS OIG liaison were on site at various USCIS locations in the national capital region (NCR) from March 30 through April 1, 2010.

The DHS OIG liaisons were present at all interviews. The DHS OIG attended these interviews as an observer and assisted CERT as needed.

Face-to-face interviews were conducted with approximately 58 representatives in the NCR, followed by 32 representatives in the Vermont Service Center and USCIS Burlington offices. In addition, telephone conferences were held with staff from the Office of Security and Integrity (OSI) Investigations Division and the Security Network Operations Center (SNOC). Interviewees represented the following areas:

- Data Owners (VIS, CLAIMS, and FDNS-DS)

- Computer Sciences Corporation (CSC) (software engineering and operational support for VIS, CLAIMS, and FDNS-DS)


- OSI (Physical Security, Regional Security, Investigations, Personnel Security, Counterintelligence)

- Human Capital and Training (Training, Human Resources Operations Center, Labor Employee Relations)

- Office of Information Technology (OIT) (IT Security, Computer Security Incident Response Team, Security and Network Operations Center, Account Management, Enterprise Operations)

- Legal (Procurement Law)

- Vermont Service Center (adjudicators, data entry clerks, supervisor, directors, OIT software engineering)

All interviews were considered confidential; no record of participating employees is included in this report or in subsequent briefings. Findings are attributed only to a group or department interviewed, a document, the Convictions Task Force telephone conferences, or direct observation.


Results of Assessment

Organizational

A critical issue for USCIS is ensuring that the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for Information Technology (IT), and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: US citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Transformation

Transformation is a large business process reengineering effort in USCIS, primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. USCIS is relying heavily on Transformation to correct many of the problems resulting from legacy systems. This reliance on a single effort makes its effectiveness very important. The team found the Transformation effort to be a massive undertaking that appears to be implementing a very detailed project plan.

Based on the team's review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats. The assessment team reviewed five comprehensive Transformation documents as part of this assessment. The documents describe system requirements in detail. Fraud detection refers to detection of fraud perpetrated by applicants and petitioners; national security issues focus on the handling of investigations within USCIS that involve national security issues.

Again, an enterprise risk management approach should be considered when defining requirements for Transformation. Insiders at USCIS have perpetrated fraud in the past, as evidenced by the Convictions Task Force. In addition, USCIS insiders are capable of granting legal residency or citizenship status to someone who poses a national security risk to the United States.


Training and Awareness

It is essential that security awareness training is consistently provided to all employees to ensure security policies and practices are institutionalized throughout an organization. Many times, coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure to report concerning behavior by coworkers or others in an organization was a primary reason insiders in the CERT Insider Threat Case database continued to set up or carry out their attacks.

USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

HumanResources

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern exhibited by current employees. Some cases from the CERT Insider Threat database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations must establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by human resources (HR) and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring. Clear requirements for ensuring employees' knowledge of these guidelines are also essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information.

Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management/HR/security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

Screening and Hiring Practices

Several personnel screening and hiring practices pose a risk to USCIS systems and data.

USCIS does not have a consistent procedure for deciding whether to conduct a face-to-face interview prior to hiring an applicant being screened for government employment. There was an impression at USCIS headquarters that nearly 100% of those employees hired by managers are interviewed, but representatives in Burlington, Vermont, told us otherwise. This gap between perception and reality (there is not a policy stating that this must be done) is a concern. USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire. PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires if they have risk factors that do not cross adjudication guidelines for disqualification.

Foreign Service National (FSN) employees who work at US embassies and consulates abroad have access to USCIS critical systems and data in some cases. In order to be hired and granted access to any of those systems, FSNs are vetted by the US Department of State. Although the access to USCIS systems must be approved by the chief security officer (CSO) and chief information officer (CIO) for DHS, USCIS has very little visibility into the screening process for FSNs.

Exit Procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager or Contracting Officer's Technical Representative (COTR). It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access.

PhysicalSecurity

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the NCR since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls.

Finally, issues concerning the security of applicants' physical case files should be considered by USCIS as part of its risk management strategy.

Controlling and Monitoring Proper Access Authorization

USCIS handles the physical security and access authorization of facilities differently depending on where the facility is located. The physical security of NCR facilities is handled by one group of USCIS personnel, but the physical security of field offices falls under the Field Security Division (FSD). In some cases, a physical security representative is not located in a field office at all. When this is the case, the responsibility falls on other management personnel, who may not be equipped to handle these issues properly and report them in a timely manner.

In 10 cases documented in the CERT Insider Threat Case database, the insider was able to commit a crime following termination because of failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities.

Security of Physical Case Files

At the Vermont Service Center, the assessment team observed physical case files of benefit applicants stacked in crates in the hallways. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their offices or desks. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they may leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Thirteen insiders documented in the CERT database stole physical property belonging to their organization.

BusinessProcesses

A variety of cases from the CERT Insider Threat Case database document insider attacks in which gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environment is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crimes. Most of these insiders committed their crimes for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE Password Issuance and Control System (PICS) for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

VerificationInformationSystem

The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.

Modifications by VIS users to critical data are logged.

CLAIMS 3 LAN

Currently, all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other "sister" USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it.
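The following is an added worked example, not code from the OIG report, USCIS, or CLAIMS. It models the review rules just described (every denial reviewed, adjudicators in training under 100% review, a supervisor report of decisions on form types the adjudicator does not normally handle, a 10-case QA pull per adjudicator per month) and adds the technical control the Business Processes section calls for: an approval has no effect until a second, different and authorized person confirms it, so the risk the report singles out, granting a benefit to someone who does not deserve it, needs two colluding insiders rather than one. Staff names, form types, case IDs, the 6-month training threshold and the decision model are constructed for this example.

```python
"""Separation of duties and dual control for adjudication decisions.

Added example; not code from the OIG report, USCIS, or CLAIMS. Staff names,
form types, case IDs and the training threshold are constructed.
"""
import random
from dataclasses import dataclass, field

TRAINING_MONTHS = 6        # adjudicators with less experience are under 100% review
QA_SAMPLE_PER_MONTH = 10   # supervisor QA pull per adjudicator per month


@dataclass
class Adjudicator:
    user: str
    authorized_forms: set
    months_in_role: int


@dataclass
class Decision:
    case_id: str
    form_type: str
    adjudicator: str
    outcome: str                      # "approve" or "deny"
    confirmed_by: str = None          # second person (dual control) for approvals
    held: bool = False                # out-of-type decision, held for the supervisor
    reasons: list = field(default_factory=list)   # why a reviewer must look at it


class SeparationOfDutiesError(Exception):
    pass


class CaseSystem:
    def __init__(self, staff):
        self.staff = {a.user: a for a in staff}
        self.decisions = {}
        self.out_of_type_report = []  # what the supervisor's report would list

    def enter_decision(self, case_id, form_type, user, outcome):
        adj = self.staff[user]
        d = Decision(case_id, form_type, user, outcome)
        if form_type not in adj.authorized_forms:
            d.held = True             # preventive: never takes effect on its own
            d.reasons.append("out_of_type")
            self.out_of_type_report.append((user, case_id, form_type))
        if outcome == "deny":
            d.reasons.append("all_denials_reviewed")
        if adj.months_in_role < TRAINING_MONTHS:
            d.reasons.append("in_training")
        self.decisions[case_id] = d
        return d

    def confirm_approval(self, case_id, confirming_user):
        """Dual control: a different, authorized person must confirm an approval."""
        d = self.decisions[case_id]
        if d.outcome != "approve":
            raise ValueError("only approvals are subject to dual control")
        if d.held:
            raise SeparationOfDutiesError("decision is held for supervisor review")
        if confirming_user == d.adjudicator:
            raise SeparationOfDutiesError("an adjudicator may not confirm their own approval")
        if d.form_type not in self.staff[confirming_user].authorized_forms:
            raise SeparationOfDutiesError("confirming user is not authorized for this form type")
        d.confirmed_by = confirming_user
        return d

    def is_effective(self, case_id):
        """Approvals take effect only after confirmation; held decisions never do."""
        d = self.decisions[case_id]
        if d.held:
            return False
        return d.outcome != "approve" or d.confirmed_by is not None

    def review_queue(self):
        return [c for c, d in self.decisions.items() if d.reasons]

    def qa_sample(self, user, period):
        """Deterministic random QA pull for one adjudicator and month."""
        ids = sorted(c for c, d in self.decisions.items() if d.adjudicator == user)
        rng = random.Random(f"{user}:{period}")
        return rng.sample(ids, min(QA_SAMPLE_PER_MONTH, len(ids)))


def run_scenario():
    """Exercise the controls on constructed cases and return what happened."""
    cs = CaseSystem([
        Adjudicator("alice", {"I-130", "I-485"}, months_in_role=24),
        Adjudicator("bob", {"I-130"}, months_in_role=3),            # still in training
        Adjudicator("sue", {"I-130", "I-485", "N-400"}, months_in_role=60),
    ])
    cs.enter_decision("C1", "I-130", "alice", "approve")
    try:
        cs.confirm_approval("C1", "alice")      # same person: must be refused
        self_confirm_blocked = False
    except SeparationOfDutiesError:
        self_confirm_blocked = True
    cs.confirm_approval("C1", "sue")            # second person: approval takes effect
    cs.enter_decision("C2", "I-485", "alice", "deny")
    cs.enter_decision("C3", "I-130", "bob", "approve")
    cs.confirm_approval("C3", "sue")
    cs.enter_decision("C4", "N-400", "bob", "approve")   # outside bob's form types
    return {
        "self_confirm_blocked": self_confirm_blocked,
        "effective": {c: cs.is_effective(c) for c in cs.decisions},
        "review_queue": cs.review_queue(),
        "out_of_type_report": cs.out_of_type_report,
        "qa_sample_alice": cs.qa_sample("alice", "2010-03"),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point of the design is that the adjudicator's own record never becomes an effective approval: the second signature is a separate call by a separate identity, and the out-of-type check blocks rather than merely reports. The review queue and the QA pull remain detective controls layered on top, matching the report's observation that QA alone is aimed at training needs rather than fraud.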

FDNS-DS


IncidentResponse

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require nonsupervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

IncidentManagement

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Consequently, any effort to coordinate a proactive program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.

SoftwareEngineering

CodeReviews

Some USCIS systems adhere to a formalized process of software engineering using contractors with a specified level of process maturity (i.e., capability maturity model integration (CMMI) level 3).

There was even a documented case in which source code contained something inappropriate that was discovered only after the code was turned over from one contractor to another.


Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.

Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial.

Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise, to include contractors, subcontractors, and vendors who have access to the organization's information systems and/or networks.

In some areas, computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.

Although account naming conventions are dictated by DHS and the U.S. Department of State, USCIS could request a naming convention to differentiate between FSN and U.S. citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Protection (CBP), the Department of Justice (DOJ), the Transportation Security Administration (TSA), the Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore,

Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR.

The application of account management practices under the control of USCIS is inconsistent. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
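The account audit described above (validating every existing account against an authorization record, and disabling or re-scoping access when an employee separates or transfers) can be automated once the account inventory and the HR roster are available as structured data. The Python below is an added example written for this page, not code from the report, USCIS, or CERT; the record layouts, the three-day disable window, the org and system labels, and every account and person in the sample are constructed assumptions.

```python
"""Account lifecycle audit: reconcile an account inventory with the HR roster.

Added example, not from the report. Record layouts, the 3-day disable window,
the org codes and every account and person below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    owner_id: Optional[str]            # HR person id; None = no recorded owner
    system: str                        # system the account lives on (assumed label)
    org: str                           # org unit the access was granted for
    enabled: bool
    authorization_ref: Optional[str]   # request/paperwork id; None = no record of creation


@dataclass
class Person:
    person_id: str
    status: str                        # "active", "separated" or "transferred"
    org: str                           # current org unit
    status_date: date                  # date of separation or transfer (hire date if active)


DISABLE_WINDOW = timedelta(days=3)     # assumed SLA for disabling access after a status change


def audit_accounts(accounts: List[Account], roster: List[Person], today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for accounts that violate the lifecycle rules."""
    people = {p.person_id: p for p in roster}
    findings = []
    for a in accounts:
        # Rule 1: every account must trace back to an authorization record.
        if a.authorization_ref is None:
            findings.append((a.username, "no authorization record (possible legacy account)"))
        # Rule 2: every account must map to a person HR knows about.
        if a.owner_id is None or a.owner_id not in people:
            findings.append((a.username, "owner not in HR roster (orphaned account)"))
            continue
        p = people[a.owner_id]
        overdue = today - p.status_date > DISABLE_WINDOW
        # Rule 3: separated owners must have their accounts disabled within the window.
        if p.status == "separated" and a.enabled and overdue:
            findings.append((a.username, f"still enabled {(today - p.status_date).days} days after separation"))
        # Rule 4: transferred owners must not keep access scoped to the losing org.
        if p.status == "transferred" and a.enabled and a.org != p.org and overdue:
            findings.append((a.username, f"retains {a.org} access after transfer to {p.org}"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    """Run the audit over constructed sample data as of 2010-12-01."""
    roster = [
        Person("P1", "active", "VSC", date(2008, 6, 1)),
        Person("P2", "separated", "VSC", date(2010, 11, 1)),
        Person("P3", "transferred", "NSC", date(2010, 10, 15)),
    ]
    accounts = [
        Account("jdoe", "P1", "CLAIMS3", "VSC", True, "REQ-1001"),       # clean
        Account("asmith", "P2", "CLAIMS3", "VSC", True, "REQ-1002"),     # left a month ago
        Account("bjones", "P3", "FDNS-DS", "VSC", True, "REQ-1003"),     # moved to NSC, kept VSC access
        Account("fsn_legacy1", "P4", "CLAIMS3", "EMB-LON", True, None),  # no paperwork, owner unknown to HR
        Account("svc_batch", None, "CLAIMS3", "VSC", True, "REQ-0099"),  # no individual owner
    ]
    return audit_accounts(accounts, roster, date(2010, 12, 1))


if __name__ == "__main__":
    for username, finding in run_sample():
        print(f"{username:12} {finding}")
```

Running the sample yields five findings: one account still enabled a month after its owner separated, one retaining losing-org access after a transfer, one with neither paperwork nor a known owner (two findings), and a shared service account with no individual owner, which is the attribution gap Recommendation 11 addresses.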

Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the U.S. Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those granted access through the U.S. Department of State for access from embassies overseas, have not been through the rigorous pre-employment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, the ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.

USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information,


Logging, Auditing, Monitoring

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.
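As an added illustration of the volume and port/protocol monitoring described under Protection of Controlled Information and of the automated auditing this section calls for, the following Python builds a per-user daily baseline from flow summaries and flags a day whose outbound volume far exceeds that baseline, or that uses a destination port the user has never used before. It is not the report's or USCIS' monitoring tooling; the log format, the five-day history requirement, the 5x multiplier, and the 50 MB floor are assumed tuning values, and every log line is constructed.

```python
"""Per-user network volume and new-port anomaly detection over flow summaries.

Added example, not the report's or USCIS' monitoring tooling. Log format,
the 5-day history requirement, the 5x multiplier and the 50 MB floor are
assumed tuning values; every log line below is constructed.
"""
from collections import defaultdict
from statistics import median
from typing import List, Tuple

# Constructed daily flow summaries: <date> <user> <dst_port> <bytes_out>
SAMPLE_LOG = """\
2010-11-01 jdoe 443 100000000
2010-11-02 jdoe 443 100000000
2010-11-03 jdoe 443 100000000
2010-11-04 jdoe 443 100000000
2010-11-05 jdoe 443 100000000
2010-11-06 jdoe 443 100000000
2010-11-07 jdoe 443 100000000
2010-11-08 jdoe 443 100000000
2010-11-08 jdoe 21 2000000000
2010-11-01 asmith 443 50000000
2010-11-02 asmith 443 50000000
2010-11-03 asmith 443 50000000
2010-11-04 asmith 443 50000000
2010-11-05 asmith 443 50000000
2010-11-06 asmith 443 50000000
2010-11-07 asmith 443 50000000
2010-11-08 asmith 443 60000000
2010-11-08 asmith 80 5000000
"""

Record = Tuple[str, str, int, int]   # (day, user, port, bytes)
Alert = Tuple[str, str, str, str]    # (user, day, kind, detail)


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.strip().splitlines():
        day, user, port, nbytes = line.split()
        records.append((day, user, int(port), int(nbytes)))
    return records


def detect_anomalies(records: List[Record], min_history: int = 5,
                     factor: float = 5.0, floor: int = 50_000_000) -> List[Alert]:
    """Flag days whose outbound volume exceeds factor x the user's median daily
    volume, and first-time use of a destination port carrying more than floor bytes."""
    # user -> day -> port -> bytes
    table = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, user, port, nbytes in records:
        table[user][day][port] += nbytes

    alerts = []
    for user, days in table.items():
        history = []          # daily totals seen so far, in date order
        seen_ports = set()    # ports this user has used on earlier days
        for day in sorted(days):
            ports = days[day]
            total = sum(ports.values())
            if len(history) >= min_history:       # only judge against an established baseline
                baseline = median(history)
                if total > floor and total > factor * baseline:
                    alerts.append((user, day, "volume", f"{total} bytes vs median {baseline:.0f}"))
                for port, nbytes in ports.items():
                    if port not in seen_ports and nbytes > floor:
                        alerts.append((user, day, "new-port", f"port {port}: {nbytes} bytes"))
            history.append(total)
            seen_ports.update(ports)
    return alerts


def run_sample() -> List[Alert]:
    return detect_anomalies(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for user, day, kind, detail in run_sample():
        print(f"{day} {user:8} {kind:9} {detail}")
```

On the sample, jdoe's 2 GB FTP transfer on 2010-11-08 raises both a volume alert and a new-port alert, while asmith's modest increase and small first use of port 80 stay below the thresholds. The median baseline is deliberately robust to a single earlier spike, so one prior anomalous day does not silently raise the bar for the next.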

The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.


There is a primary concern in this area at USCIS. USCIS should consider the frequency with which it scans its systems for technical security vulnerabilities.

There is also another concern in this area at USCIS.

Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy,

Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.
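One way to turn the baseline policy above into an automated check, rather than a deliberate manual scan, is to diff each host's installed-software inventory and local Administrators group against the approved baseline, so that rogue or outdated software and convenience-driven local admin grants are logged for review. The Python below is an added example, not OIT's tooling; the baseline entries, version numbers, account names, hostname, and host inventory are all constructed.

```python
"""Configuration baseline drift check for workstation software and local admins.

Added example, not OIT's tooling. Baseline entries, version numbers, account
names, the hostname and the host inventory below are constructed.
"""
from typing import Dict, List, Set, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.3.4' -> (9, 3, 4); non-digit characters are dropped so '3.6.12b' still compares."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def check_host(hostname: str,
               inventory: List[Tuple[str, str, str]],      # (product, version, installed_by)
               baseline: Dict[str, str],                    # product -> minimum approved version
               approved_admins: Set[str],                   # accounts allowed in local Administrators
               local_admins: Set[str]) -> List[Dict[str, str]]:
    """Return one finding per deviation from the approved baseline."""
    findings = []
    for product, version, installed_by in inventory:
        if product not in baseline:
            # Software not on the approved list; record who installed it for follow-up.
            findings.append({"host": hostname, "kind": "unapproved-software",
                             "detail": f"{product} {version} installed by {installed_by}"})
        elif parse_version(version) < parse_version(baseline[product]):
            # Approved product, but older than the minimum version the baseline mandates.
            findings.append({"host": hostname, "kind": "outdated",
                             "detail": f"{product} {version} below approved {baseline[product]}"})
    for account in sorted(local_admins - approved_admins):
        # Local administrator rights outside the approved set of management accounts.
        findings.append({"host": hostname, "kind": "unapproved-admin",
                         "detail": f"{account} is a local administrator"})
    return findings


def run_sample() -> List[Dict[str, str]]:
    baseline = {"Adobe Reader": "9.4.0", "Java": "6.22", "Firefox": "3.6.12"}
    approved_admins = {"OIT\\deploy", "OIT\\helpdesk"}
    inventory = [
        ("Adobe Reader", "9.3.4", "OIT\\deploy"),     # behind the approved minimum
        ("Java", "6.22", "OIT\\deploy"),
        ("Firefox", "3.6.12", "OIT\\deploy"),
        ("uTorrent", "2.2.1", "VSC\\jdoe"),           # not on the approved list, user-installed
    ]
    local_admins = {"OIT\\deploy", "VSC\\jdoe"}        # convenience grant that was never removed
    return check_host("VSC-WS-0412", inventory, baseline, approved_admins, local_admins)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['host']} {f['kind']:20} {f['detail']}")
```

The three findings on the sample host (an outdated reader, a user-installed peer-to-peer client, and the user who installed it still holding local administrator rights) are exactly the deviations the section says are currently found by hand; feeding the inventory from an existing software deployment or scanning tool into this comparison is the "leveraging existing deployments" the text refers to.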


Recommendations

The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.

Recommendation 1: Institute an enterprise risk management plan

USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort

Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.

Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identi


stores physical files for benefit applicants in the Vermont Service Center with no physical protection beyond the exterior building and guard controls. USCIS should evaluate current physical access procedures to determine if they adequately address risk and if they are enforced consistently across the enterprise.

Recommendation 8: Consistently enforce exit procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager and COTR. It also appears that different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access. USCIS should adopt an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs

Changes should be made to the USCIS hiring processes for select high-risk positions. For example, USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion

USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.


Recommendation 11: Enforce a requirement for individual accounts on critical systems

In some cases, USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing of accounts more difficult.

Recommendation 12

Recommendation 13: Reduce the number of privileged accounts for critical data systems

Some data systems, including FDNS-DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.

Recommendation 14

Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review

USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed.

Recommendation 16

Recommendation 17

Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees

USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.


Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments in its entirety in appendix I.

USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS corrective action plans.


Appendixes

The following pages contain appendixes A through G, which contain a complete, detailed list of findings from the assessment.

The appendixes are organized into the following sections:

Appendix A: Organizational
Appendix B: Human Resources
Appendix C: Physical Security
Appendix D: Business Process
Appendix E: Incident Response
Appendix F: Software Engineering
Appendix G: Information Technology
Appendix H: Acronyms
Appendix I: Management Comments to the Draft Report
Appendix J: Contributors to this Report
Appendix K: Report Distribution

Each section in appendixes A through G contains a brief introduction, a summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern, specific to USCIS, obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.

It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization's mission from both external and internal threats.

Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.

The results of this insider threat vulnerability assessment should be used to develop or refine the organization's overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.

Many of the findings in this report include the relative frequency of the issue raised in the CERT Insider Threat Case database. At the time this report was written, there were 386 cases of malicious insider activity against which the suggested countermeasure percentage is calculated. So if a particular activity was seen in 38 of our cases, we may indicate that it was seen in 10% of the cases in the Insider Threat Case database.


Appendix A: Organizational
Risk Management, Communication, Security Process Improvement

USCIS is in a difficult position. Part of its mission is to provide customer service to those seeking immigration and citizenship benefits from the U.S. Government. However, it is challenging to optimize business processes for customer service while at the same time implementing protective measures to counter the risk posed by granting those very benefits. Many USCIS employees interviewed for this assessment identified the organization's primary risk as allowing the next terrorist to live and work legally in the United States. They desire help in identifying and implementing internal controls to counter that risk. Some of the interviewees, however (even some of the ISSOs and data owners), focused on leakage of PII as their primary concern. After delving into the matter with the assessment team, they came to understand the risk posed by exposure or misuse of critical data as the greatest risk faced by USCIS, primarily because such a security breach could result in allowing a terrorist into the country.

A critical issue for USCIS is ensuring the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: U.S. citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Area of Concern: Enterprise Risk Management
Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Individual organizations within USCIS do risk management related to their particular domain. For instance, IT does risk management from an IT perspective and Financial Management does financial risk management.
Policy or Practice Gaps: USCIS personnel stated there is no enterprise risk management process for analyzing the organization's overall risk. In interviews, some USCIS staff, including some ISSOs, data owners, and OIT staff, seemed to view loss of PII as the most important insider threat risk. All of the assessment questions were answered in the context of loss of PII. When we asked specifically what they see as the biggest insider threat risk, everyone seemed to agree it is creation of real citizenship documents for people who should not have them. In fact, interviewees at the Vermont Service Center categorized the functions characterized by the highest risk as follows: 1) Unlawful alien in the United States granted nonimmigrant status. 2) Someone with nonimmigrant status granted permanent residency, which means he or she can live and work indefinitely in the United States and also can petition for relatives. The Vermont Service Center is implementing separation of duties for performing functions 1 and 2 above (granting nonimmigrant status and moving someone from nonimmigrant status to permanent residency) so that one USCIS adjudicator alone cannot take an applicant from unlawful to permanent resident. These two functions will be performed at different physical locations, 29 miles apart. The Vermont Service Center has not had an adjudicator who performed both functions 1 and 2 for the same applicant.
Suggested Countermeasures: We suggest that USCIS institute an enterprise risk management program. Without a common vision for risk management, the ISSOs and all organizations within USCIS cannot effectively understand the risk environment and work together to effectively mitigate risk. Again, an enterprise risk management program will ensure that everyone across USCIS is working together to mitigate the highest priority risks. There are regulations and laws surrounding protection of PII, but focusing primarily on that issue can lead to a false sense of security if other, more important risk areas are given less attention. The Vermont Service Center's decision demonstrates that its leadership recognizes the significant risk of creating legal citizenship documents for illegal aliens and is taking steps to mitigate that risk. However, our insider threat assessment has uncovered other issues that could be addressed to mitigate that risk. Again, a formal risk analysis would enable USCIS to thoroughly examine the issues and prioritize countermeasures using a formal process. For example, an alternative to the physical move could be to implement an audit mechanism to look for adjudicators who performed both functions 1 and 2 for the same applicant.

Area of Concern: Enterprise-Wide Communication
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no consistency of controls from one service center to the next. We were told they each operate fairly independently.
Suggested Countermeasures: USCIS would benefit from ongoing communications about risk-based issues between the service centers. For instance, communications concerning problems, effective countermeasures, modifications to business processes, or ideas for countering increased risk could lead to an improved risk posture for the entire USCIS enterprise.

Area of Concern: Continual Security Process Improvement
Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: The USCIS Convictions Task Force is an excellent forum for analyzing past criminal cases and determining measures that should be instituted to prevent similar crimes in the future.
Policy or Practice Gaps: There is no process for following up on a case after the Office of Special Investigation (OSI) finishes an investigation. The Convictions Task Force is the only process we found for formal tracking, analysis, and process improvement based on actual incidents. The assessment team asked various groups if there is any follow-up to incidents, for instance implementing automated scripts or controls to detect the same incident in the future. The team could not find a single person who knows of such an activity. Many examples of employee misconduct cited to the assessment team could easily have been detected or even prevented via automated controls. In addition, there is no mechanism for communicating issues outside of a given service center.
Suggested Countermeasures: In nearly 25% (91) of the cases in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 of these cases it was because of inadequate auditing of irregular processes. In 29% of the cases, the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analysis of the OSI's findings and the development of automated checks implemented nationally.

Area of Concern: USCIS Employees are Potential Targets for Recruitment
Responsible Personnel: Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Some USCIS employees interviewed have received a request for assistance from a friend, relative, or stranger seeking to promote a case for some form of applicant. One adjudicator said he does not tell others who he works for. However, the distinctive green parking sticker on his car could, in a small town like Burlington, VT, reveal the identity of his employer. USCIS personnel are therefore unusually vulnerable to solicitation by outsiders.
Suggested Countermeasures: Twenty-nine percent of the insiders in the CERT Insider Threat Case database were recruited by outsiders to commit their crimes. USCIS should consider increasing the security awareness training provided to USCIS employees and contractors. The training should be continuous, including portions intended to raise awareness of the potential target that USCIS employees present. All employees should be aware of the consequences of participating in fraud against USCIS as well as how to report solicitations made to commit fraud.

Area of Concern: Transformation
Responsible Personnel: USCIS Leadership, Data Owners, Information Technology, Human Resources
Policy and/or Security Measure: Transformation is a large business process reengineering effort in USCIS that is primarily focused on improved customer service and fraud detection. For example, the assessment team was told that Transformation will automatically validate data in CLAIMS against other external systems (e.g., ICE and FBI) and that security requirements and controls have been identified by current C3 LAN data owners.
Policy or Practice Gaps: Transformation was mentioned in most interviews for this assessment. It appears that USCIS is relying heavily upon Transformation to correct many of the problems resulting from legacy systems. However, it is unclear whether internal personnel security and information security concerns will be included in this program. Reading the Transformation requirements d
Suggested Countermeasures: This reliance on a single effort makes the effectiveness of this effort very important. USCIS should consider the Transformation project from an enterprise-wide perspective. It is important for it to use a formal requirements gathering process in order to effectively mitigate both internal and external threats.

ocum

enta

tion

itis

not

cle

ar

that

insi

ders

are

con

side

red

inth

ese

curi

tyr

equi

rem

ents

for

prev

entio

nan

dde

tect

ion

offr

aud

orn

atio

nal

secu

rity

inU

SCIS

sys

tem

s

Pers

onne

lsec

urity

sho

uld

be

incl

uded

as

wel

las

info

rmat

ion

secu

rity

to

ensu

reth

atth

eap

pr

opri

ate

inte

rnal

con

trol

sar

ein

pl

ace

tor

educ

eth

eri

skp

osed

by

mal

icio

usin

side

rs

Training and Awareness

It is essential that security awareness training be consistently provided to all employees to ensure that security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure by coworkers or others in an organization to report concerning behavior was a primary reason insiders in the CERT Insider Threat Case database were able to set up or carry out their attacks. USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Area of Concern: Training or Skills Required of Those in Appointed Security Roles
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: USCIS has a training process through an information systems security manager (ISSM).
Policy or Practice Gaps: USCIS relies heavily on contractors to provide adequately trained staff. Many ISSOs are not well versed in security. ISSOs are currently in an education process, but ISSOs are typically not security watchdogs.
Suggested Countermeasures: ISSOs must have proper training in order to keep up with the ever-changing information security environment and to be able to deal with the myriad technologies and tools available to them. Appropriate budget should be allocated for ISSO training, including vendor-specific training (e.g., McAfee and Cisco) and industry-specific training (e.g., SANS).

Appendix B: Human Resources

Employee Issues

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern by current employees. Some cases from the CERT Insider Threat Case database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations should establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by HR and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring, and clear requirements for ensuring employees' knowledge of these guidelines are essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information. Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

CERT suggests enhancements to the USCIS hiring and termination processes. For example, USCIS should consider additional screening for high-risk positions such as adjudicators. USCIS should also consider becoming more involved in vetting Foreign Service Nationals (FSN) prior to granting them access to USCIS critical systems and data. Finally, USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Area of Concern: Pre-Employment Screening
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: The employee screening process lacks any form of psychological screening for a range of positions, including adjudicators.
Suggested Countermeasures: Five percent (18) of the insiders in the CERT database had possible psychological issues. USCIS should consider including psychological testing as part of the new hire process for select positions, including adjudicators. Given the significant social pressures on adjudicators and the relative lack of monitoring for insider risk, it seems important to improve this aspect of screening.

Responsible Personnel: Human Resources
Policy and/or Security Measure: Applicants are assigned a rating by HR; the rating is used to rank applicants.
Policy or Practice Gaps: There is currently no audit log that would capture instances in which someone in HR changed a rating to enable someone to get hired more easily.
Suggested Countermeasures: USCIS should consider implementing an audit log to track the candidate ratings and alert when candidate ratings are changed by someone in HR.
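The countermeasure above calls for an audit log of candidate ratings that alerts when a rating is changed by someone in HR. The following is an added example of how such a log can be built so that the record itself resists tampering: each entry is chained to the previous one by a SHA-256 hash, so a deleted or edited entry breaks the chain, and an alert rule flags every post-assignment change made by an HR actor. This is illustrative code written for this page, not USCIS or CERT code; the candidate identifiers, actor names, rating values and the RatingAuditLog API are assumptions.

```python
"""Tamper-evident audit trail for candidate rating changes.

Added illustration for this page, not USCIS code. Candidate IDs, actor
names, rating values and the RatingAuditLog API are assumptions.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64   # previous-hash value used for the first entry
FIELDS = ("ts", "candidate", "old", "new", "actor", "reason")


class RatingAuditLog:
    """Append-only log of rating assignments and changes.

    Each entry stores the SHA-256 of (previous entry hash + its own payload),
    so editing or deleting any earlier entry is detected by verify().
    """

    def __init__(self):
        self.entries = []     # entries in append order
        self._current = {}    # candidate_id -> current rating

    @staticmethod
    def _digest(prev_hash, payload):
        data = prev_hash + json.dumps(payload, sort_keys=True)
        return hashlib.sha256(data.encode("utf-8")).hexdigest()

    def record(self, candidate, new_rating, actor, reason, ts=None):
        """Append one rating assignment/change and return the stored entry."""
        payload = {
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "candidate": candidate,
            "old": self._current.get(candidate),   # None on first assignment
            "new": new_rating,
            "actor": actor,
            "reason": reason,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(payload, prev=prev, hash=self._digest(prev, payload))
        self.entries.append(entry)
        self._current[candidate] = new_rating
        return entry

    def verify(self):
        """True if every entry still hashes to its stored value and links to
        its predecessor; False if any entry was edited or removed."""
        prev = GENESIS
        for entry in self.entries:
            payload = {k: entry[k] for k in FIELDS}
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, payload):
                return False
            prev = entry["hash"]
        return True

    def alerts(self, hr_actors):
        """Changes (not first assignments) made by an HR actor; the 'upgrade'
        flag marks changes that improved the candidate's standing."""
        hits = []
        for entry in self.entries:
            if entry["old"] is None or entry["actor"] not in hr_actors:
                continue
            hits.append(dict(entry, upgrade=entry["new"] > entry["old"]))
        return hits


def build_sample_log():
    """Constructed sample events (not real data) including one HR-side change."""
    log = RatingAuditLog()
    t0 = datetime(2010, 9, 1, 9, 0, tzinfo=timezone.utc)
    events = [
        ("C-1001", 72, "panel.reviewer", "initial panel score"),
        ("C-1002", 65, "panel.reviewer", "initial panel score"),
        ("C-1002", 88, "hr.clerk1", "corrected transcription"),   # HR raises a rating
        ("C-1001", 70, "panel.reviewer", "rescored after interview"),
    ]
    for i, (cand, rating, actor, reason) in enumerate(events):
        log.record(cand, rating, actor, reason, t0 + timedelta(minutes=i))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for hit in log.alerts({"hr.clerk1"}):
        print("ALERT", hit["candidate"], hit["old"], "->", hit["new"], "by", hit["actor"])
```

The hash chain does not stop a privileged database user from rewriting the whole log; it makes any rewrite detectable as long as the latest hash is periodically copied somewhere HR cannot write, which is the check a reviewer would run alongside the alerts.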

Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire. PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc.
Policy or Practice Gaps: The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires who have risk factors that do not cross adjudication guidelines for disqualification.
Suggested Countermeasures: USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: Each field office determines whether or not to meet an applicant face to face before hiring.
Policy or Practice Gaps: There was an impression at headquarters that nearly 100% of those hired by managers are interviewed, but representatives in Burlington, Vermont told us otherwise. This gap between perception (there is not a policy stating this must be done) and reality is of concern. There have been known instances in which applicants were only screened on paper or over the phone before being hired. Standard operating procedures are not followed at all field offices.
Suggested Countermeasures: USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: PERSEC vets federal employees and contractors (with a minimum background investigation). USCIS relies on the US Department of State to vet foreign national employees who work at embassies or consulates abroad. FSNs in some instances are granted accounts on USCIS information systems. If FSNs need access to DHS systems (including USCIS), currently this access must be approved by the CSO and CIO for DHS.
Policy or Practice Gaps: This practice was not always followed consistently in the past, so there may be FSNs who were granted access without all the current vetting and approvals.
Suggested Countermeasures: USCIS should consider becoming more involved in vetting of FSNs prior to granting them access to USCIS systems. In addition, USCIS should audit current FSNs with access to USCIS systems and ensure that appropriate vetting was performed.

Area of Concern: Candidate Certification Verification
Responsible Personnel: Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: USCIS does not have a standard procedure for verifying the certifications of job applicants.
Suggested Countermeasures: USCIS should consider implementing a step in the new hire process to verify certifications of all candidates. A few insiders documented in the CERT Insider Threat Case database were able to obtain positions in organizations by providing falsified certifications.

Area of Concern: Employee and Contractor Termination
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: Exit procedures are recently developed and in some cases still under development (i.e., formal exit procedures are expected to be released in 3 months).
Policy or Practice Gaps: This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment. It appears the responsibility for ensuring that employees and contractors are terminated rests solely with the manager. It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS.
Suggested Countermeasures: USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Area of Concern: Employee and Contractor Mandatory Drug Testing
Responsible Personnel: Human Resources
Policy and/or Security Measure: All federal positions are subject to drug testing, but only for new hires.
Policy or Practice Gaps: According to a USCIS Convictions Task Force investigation case, all contractor positions do not require drug testing.
Suggested Countermeasures: Fifteen insiders documented in the CERT Insider Threat Case database exhibited substance abuse. USCIS should consider implementing mandatory post-hire drug testing for all employees and contractors.

Appendix C: Physical Security

Field Offices, Access Following Termination, Security of Physical Case Files

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can also provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the national capital region (NCR) since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls. In addition, gaps in termination procedures have resulted in ongoing physical access following termination. Finally, issues concerning the security of physical case files should be considered as part of a USCIS risk management strategy.

Area of Concern: Physical Security of Field Offices
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: USCIS is in the process of putting a new access control system in place for the NCR. Before it does, it will disable access for anyone who has not used physical access in more than 12 months, as well as anyone no longer employed by USCIS. It also plans on examining all accounts that have not used physical access in more than 30 days. Security of field offices falls under the Field Security Division (FSD). The Office of Security and Integrity (OSI) recently developed an inspection workbook and is field testing it with FSD. USCIS Field Security Division is planning to put a security representative in every field office. It expects two to three times more reports of violations once it has a representative in every location.
Policy or Practice Gaps: Each USCIS facility has its own policies and access control systems. Some field offices within USCIS have access control systems; others do not. Not all offices in the field have electronic access controls – some only have locks and keys. Not every USCIS site has a physical security representative. Where no representative is present, this responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner. Some managers track who accesses what when, and others do not. According to Physical Security in Vermont, only 20% of violations are being reported to security.
Suggested Countermeasures: Forty of the insiders documented in the CERT database took advantage of inadequate physical security to carry out their crimes. Electronic access controls provide logs that could be useful in investigations of illicit activity outside of normal working hours. USCIS should consider developing enterprise-wide physical security procedures, roll those out to each field office, and require a physical security representative at each site to ensure consistent enforcement of the policies. USCIS should consider prohibiting each field office from developing site-specific policies and removing enforcement control from each site.

Area of Concern: Physical Access Following Termination
Responsible Personnel: Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: No evidence provided
Suggested Countermeasures: In 10 cases documented in the CERT Insider Threat Case database, the insider was able to attack following termination due to failure to notify security employees and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities. USCIS should consider automating the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to physical security so physical access can be disabled.

Area of Concern: No Two-Person Control
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Security guards at site locations have on occasion ignored door-propped-open alarms because theft has traditionally been a very small problem at ...
Suggested Countermeasures: Consider consistent enforcement and investigation of USCIS physical security incidents. All alerts should be investigated and documented by USCIS; if the alert is deemed unnecessary, then it should be discontinued. All security violations should be tracked in a central repository so a complete history for each individual is available.

Area of Concern: After-Hours Access
Responsible Personnel: Physical Security
Policy and/or Security Measure: Authorized Access
Policy or Practice Gaps: Most access is 24 hours a day, 7 days a week –
Suggested Countermeasures: Twenty-nine of the insiders documented in the CERT database used physical access outside of normal working hours to attack. USCIS should consider implementing an access control system that grants access commensurate with the position an employee or contractor fills. If a position does not require access outside of normal working hours, the access control system should prohibit such access and log unsuccessful access attempts.
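Several of the countermeasures in the rows above turn on what badge-reader logs can show: after-hours entries by positions that should have no after-hours need, unsuccessful access attempts, and badges unused for more than 30 days or more than 12 months. The following added example, written for this page and not USCIS code, runs those three checks over a constructed badge log. The log line format, badge numbers, position names, the 07:00 to 19:00 weekday window taken as "normal working hours", the positions permitted after hours and the review date are all assumptions.

```python
"""Review of badge-reader logs against an after-hours policy and dormancy
thresholds.

Added illustration for this page, not USCIS code. The log format, badge
numbers, position names, the 07:00-19:00 weekday window taken as "normal
working hours", the positions allowed after hours and REVIEW_DATE are
assumptions.
"""
from datetime import datetime

NORMAL_HOURS = (7, 19)                                   # assumed local window, Mon-Fri
AFTER_HOURS_ALLOWED = {"facilities", "security_guard"}   # assumed position policy
REVIEW_DATE = datetime(2010, 10, 10)                     # assumed date of the review

# Constructed sample roster: badge -> position held (not real data)
BADGE_POSITION = {
    "B1001": "adjudicator",
    "B1002": "facilities",
    "B1003": "adjudicator",
    "B1004": "mailroom",
    "B1005": "mailroom",
}

# Constructed sample badge-reader log: "<ISO timestamp> <door> <badge> <result>"
SAMPLE_LOG = """\
2009-06-01T09:00:00 VSC-MAIN-1 B1004 GRANTED
2010-08-20T10:12:44 VSC-MAIN-1 B1005 GRANTED
2010-09-13T08:02:11 VSC-MAIN-1 B1001 GRANTED
2010-09-13T22:47:30 VSC-MAIN-1 B1001 GRANTED
2010-09-13T23:10:05 VSC-MAIN-1 B1002 GRANTED
2010-09-14T07:55:40 VSC-MAIN-1 B1003 GRANTED
2010-09-18T02:14:09 VSC-MAIN-1 B1003 DENIED
2010-09-18T02:15:01 VSC-MAIN-1 B1003 DENIED
"""


def parse_log(text):
    """Parse log lines into (timestamp, door, badge, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, result = line.split()
        events.append((datetime.fromisoformat(ts), door, badge, result))
    return events


def is_after_hours(ts):
    """True on weekends or outside the assumed weekday window."""
    start, end = NORMAL_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def after_hours_findings(events, badge_position):
    """After-hours events worth review: entries granted to positions with no
    after-hours need (the system should have refused them) and denied attempts."""
    findings = []
    for ts, door, badge, result in events:
        if not is_after_hours(ts):
            continue
        position = badge_position.get(badge, "unknown")
        if result == "GRANTED" and position not in AFTER_HOURS_ALLOWED:
            kind = "granted_out_of_policy"
        elif result == "DENIED":
            kind = "denied_attempt"
        else:
            continue   # granted to a position that is allowed after hours
        findings.append({"ts": ts.isoformat(), "door": door, "badge": badge,
                         "position": position, "kind": kind})
    return findings


def dormant_badges(events, badge_position, as_of, review_days=30, disable_days=365):
    """Classify every issued badge by its last successful use: 'disable' if never
    used or idle longer than disable_days, 'review' if idle longer than
    review_days, otherwise 'ok'."""
    last_used = {}
    for ts, _door, badge, result in events:
        if result == "GRANTED" and (badge not in last_used or ts > last_used[badge]):
            last_used[badge] = ts
    status = {}
    for badge in badge_position:
        last = last_used.get(badge)
        idle = (as_of - last).days if last else None
        if idle is None or idle > disable_days:
            status[badge] = "disable"
        elif idle > review_days:
            status[badge] = "review"
        else:
            status[badge] = "ok"
    return status


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in after_hours_findings(evts, BADGE_POSITION):
        print(f["kind"], f["ts"], f["badge"], f["position"], f["door"])
    print(dormant_badges(evts, BADGE_POSITION, REVIEW_DATE))
```

A "granted_out_of_policy" finding means the access control system let a badge through when the position policy says it should have refused; a run of "denied_attempt" findings at the same door minutes apart is the pattern an investigator would pull from the logs.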

Area of Concern: Security of Physical Case Files
Responsible Personnel: Physical Security
Policy and/or Security Measure: Protection of USCIS Case File Data
Policy or Practice Gaps: Physical files were observed in crates stacked in the hallways in the Vermont Service Center. According to an interview at the Service Center, anyone could walk out with a "crate full" of files after hours, especially if you are a teleworker. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their office or desk. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they might leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Adjudicators pick up their cases in an envelope in their mailbox. During the site visit the assessment team observed the mailroom at the Vermont Service Center unattended between shifts (approximately 3 pm). When adjudicators finish with a file, they return it to a drop-off spot. The assessment team observed those spots, which are in the open and unattended. Adjudicators may keep cases overnight and usually return them within 1 week.
Suggested Countermeasures: USCIS assumes its case file data is secure because its employees and contractors have a clearance or have had a background check. It is important to note that 49 insiders documented in the CERT database violated need-to-know policies in the commission of their crimes. Therefore, relying on clearances alone can be very dangerous. Thirteen insiders documented in the CERT database stole physical property belonging to the organization. CERT suggests USCIS consider the consequences of theft or unauthorized access to physical case files and make a risk-based decision regarding potential policy and procedure changes. There are standard policies and procedures for handling sensitive information, but a strong educational campaign is needed to ensure the protection of data.

Area of Concern: Teleworkers at Service Centers
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: One hundred eighty-nine people at the Vermont Service Center are authorized to work from home. These employees pick up files at the Vermont Service Center and take them home. They work 2 days per week in the Service Center and 3 days per week at home. USCIS pays an unannounced visit to all homes to inventory the employees' files at least quarterly. These employees must have a locked facility in their home and must always have the ability to return the files to the Service Center within 4 hours.
Policy or Practice Gaps: The control of USCIS data when it leaves the Vermont Service Center is difficult to enforce. Employees must have appropriate storage facilities, but they could easily copy USCIS data and share it with unauthorized individuals.
Suggested Countermeasures: Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. It is important that USCIS recognize the potential for recruitment and the lack of control exercised over sensitive data at adjudicators' residences.

Appendix D: Business Processes

Technical Controls, Authorization via PICS, Account Management

A variety of cases from the CERT Insider Threat Case database document insider attacks where gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environments is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors are targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE PICS system for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Area of Concern: Authorization for USCIS Critical Systems through PICS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Several critical USCIS systems are tied to PICS for authentication, which is administrated by the ICE. PICS logs account creations, when the accounts were created, what roles applied to the accounts, etc.
Policy or Practice Gaps: PICS permits users outside of USCIS to authorize users for any USCIS application tied to PICS. Two thousand local PICS officers (LPOs) in the ICE and USCIS can create new accounts in PICS for employees located at their sites. LPOs control access for sheriffs, petitioners, CBP, DOJ, TSA, DHS OIG, Terrorism Task Force, and others. Accounts are based on personnel records, so LPOs cannot create accounts for anyone who is not an employee at their site. However, PICS administrators can create accounts for anyone working at their site for any system tied to PICS.
Suggested Countermeasures: USCIS should consider implementing an authorization process and system that enables it to control who is granted access to USCIS systems and data. CERT suggests that USCIS validate current PICS accounts and roles against current employee lists. Ten percent (37) of the insiders documented in the CERT database had excessive privileges, which enabled them to attack. In addition, because "privilege creep" enabled a few (six) of the insiders documented in the CERT database to carry out their crimes ...

CERT | SOFTWARE ENGINEERING INSTITUTE | 49
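The validation CERT suggests above (current PICS accounts and roles checked against current employee lists, with an eye to privilege creep) and the monthly comparison of the HR attrition list against the account list described later in the CLAIMS table are the same reconciliation, so one example covers both. The following is an added example, not code from the report, CERT or USCIS; the employee roster, account records, account creators and their sites, and the attrition list are all constructed and hypothetical, as is the assumption that an account's creator should be at the holder's site.

```python
"""Account reconciliation against the HR roster (constructed example; not USCIS or CERT code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    user_id: str
    site: str
    active: bool
    permitted_roles: frozenset  # roles the person's job function allows


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    roles: frozenset   # roles actually granted on the system
    created_by: str    # LPO or administrator who created the account


# Constructed sample data; people, sites and roles are hypothetical.
EMPLOYEES = {e.user_id: e for e in [
    Employee("jsmith", "VSC", True, frozenset({"ADJUDICATOR"})),
    Employee("mlee", "VSC", True, frozenset({"ADJUDICATOR", "SUPERVISOR"})),
    Employee("rkhan", "NSC", False, frozenset({"CLERK"})),   # separated; still has an account
    Employee("tgarcia", "NSC", True, frozenset({"CLERK"})),
]}

ACCOUNTS = [
    Account("jsmith", "CLAIMS", frozenset({"ADJUDICATOR", "SUPERVISOR"}), "lpo_vsc"),
    Account("mlee", "CLAIMS", frozenset({"ADJUDICATOR", "SUPERVISOR"}), "lpo_vsc"),
    Account("rkhan", "CLAIMS", frozenset({"CLERK"}), "lpo_nsc"),
    Account("ghost", "CLAIMS", frozenset({"CLERK"}), "admin_nsc"),   # no personnel record at all
    Account("tgarcia", "CLAIMS", frozenset({"CLERK"}), "lpo_vsc"),   # created from another site
]

# Site of each account creator (hypothetical).
CREATOR_SITES = {"lpo_vsc": "VSC", "lpo_nsc": "NSC", "admin_nsc": "NSC"}

# HR attrition list for the month (hypothetical).
ATTRITION = {"rkhan"}


def orphaned_accounts(accounts, employees):
    """Accounts with no matching active employee record."""
    return sorted(a.user_id for a in accounts
                  if a.user_id not in employees or not employees[a.user_id].active)


def excess_roles(accounts, employees):
    """Roles granted beyond what the job permits (privilege creep)."""
    findings = {}
    for a in accounts:
        emp = employees.get(a.user_id)
        if emp is None:
            continue  # already reported by orphaned_accounts
        extra = a.roles - emp.permitted_roles
        if extra:
            findings[(a.user_id, a.system)] = sorted(extra)
    return findings


def cross_site_creations(accounts, employees, creator_sites):
    """Accounts created by someone at a different site than the account holder."""
    out = []
    for a in accounts:
        emp = employees.get(a.user_id)
        if emp and creator_sites.get(a.created_by) not in (None, emp.site):
            out.append((a.user_id, a.created_by))
    return sorted(out)


def accounts_to_disable(accounts, attrition):
    """Accounts whose holder appears on the HR attrition list."""
    return sorted({a.user_id for a in accounts if a.user_id in attrition})


def reconcile(accounts=ACCOUNTS, employees=EMPLOYEES,
              creator_sites=CREATOR_SITES, attrition=ATTRITION):
    """Run every check and return one report for the reviewer."""
    return {
        "orphaned": orphaned_accounts(accounts, employees),
        "excess_roles": excess_roles(accounts, employees),
        "cross_site": cross_site_creations(accounts, employees, creator_sites),
        "disable": accounts_to_disable(accounts, attrition),
    }


if __name__ == "__main__":
    for key, value in reconcile().items():
        print(f"{key}: {value}")
```

Each check is independent so the report can be produced even when only one feed (the roster, the creator directory, or the attrition list) is available; the attrition check is the monthly CLAIMS comparison, while the other three are the PICS validation generalized to roles and account origin.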

Verification Information System (VIS)

Area of Concern: Sharing VIS Accounts
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: VIS administrators in external companies or agencies have been caught letting multiple employees use the same VIS account, but USCIS has no ability to take any action. The accounts enable employees to validate PII and citizenship information.
Suggested Countermeasures: Twenty-four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing accounts more difficult.

Area of Concern: Logging, Auditing, and Alerting in VIS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Modifications by VIS users to critical data are logged.

CERT | SOFTWARE ENGINEERING INSTITUTE | 50

Comput er Linked Application Information Management System (CLAIMS) 3 LAN

Area of Concern: Self Selection of Adjudication Cases
Responsible Personnel: ISSOs, Data Owners
Policy or Practice Gaps: Adjudicators can self-select cases (according to an interview concerning an internal incident that occurred at the USCIS and interviews with data owners at the Vermont Service Center). Within the Service Centers, adjudicators have virtually unlimited access to applicant files; there are no need-to-know limitations or controls to prevent an adjudicator from accessing sensitive information and reporting it to outsiders or modifying a file (entering an invalid decision). Adjudicators can also approve a case that is not assigned to them. There is no tie between the case management system (i.e., National File Tracking System or NFTS) and the case adjudication system (i.e., CLAIMS). In the internal case that occurred at USCIS, the perpetrator circumvented the interview process for 14 months; she approved "no show" cases. There were no controls to detect this. In addition, adjudicators can adjudicate any type of case even though they are each assigned certain types of benefits cases for adjudication.
Suggested Countermeasures: USCIS should consider implementing technical controls to prohibit adjudicators from self-selecting cases to adjudicate.

CERT | SOFTWARE ENGINEERING INSTITUTE | 51

Area of Concern: Emphasis on Customer Service Over Risk
Responsible Personnel: Data Owners
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: One interviewee at the Vermont Data Center said that "stats" can be a strain, especially for new hires, although they do get a 90-day grace period.
Suggested Countermeasures: USCIS should use caution in emphasizing customer service as the only performance metric, because this could encourage lack of attention to risk-related activities (such as accurate adjudication decisions).

Area of Concern: Lack of Separation of Duties in CLAIMS
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Currently, all declined requests for benefits are reviewed by a supervisor. However, there was a discrepancy during interviews; adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. Only a random sample of approved adjudication decisions is reviewed. For some cases (for instance, victims' cases) a senior adjudicator has to review the decision after the adjudicator enters it, then the supervisor reviews it. This is a manually enforced process. There was another discrepancy in interviews; the adjudicators said that clerks pull cases a couple of times per month (a certain number of cases per employee). Those cases are passed to QA, who reviews the cases. QA then sends feedback to the supervisor and adjudicator if they find something that does not look right. When adjudicators are in training they are under 100% review. They are in training on a specific type of case for at least 6 months. Auditing for improperly granted benefits is based on sampling and/or blind quality assurance (QA) according "to Army standards" after the fact. A randomly selected 30 cases per quarter are also reviewed by "sister centers". The QA process varies office by office (no national process). This QA has been done for the past year and a half. In the Vermont field office each supervisor pulls at least 10 cases per adjudicator per month. They review decision-related issues, security-related issues, and procedural issues (did they follow the right steps). They also look for lessons learned. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Some cases are more than 1,000 pages, so every detail cannot be practically reviewed for every case.
Suggested Countermeasures: USCIS should consider implementing automated processes to prevent and detect fraud. Management indicated it would like to see automated technical enforcement of the review and approval process. In nearly ten percent (39) of the cases documented in the CERT database, insiders took advantage of insufficient separation of duties to carry out their crimes. USCIS should carefully consider the biggest risk to the organization. Many of the USCIS employees interviewed for this assessment identified the primary risk for the organization as allowing the next terrorist to live and work legally in the United States. They desire assistance in identifying and implementing internal controls to counter that risk. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it. If USCIS agrees that granting legal documents to illegal applicants is one of the biggest risks to the organization, then it should consider requiring dual authorization for these adjudication decisions.

CERT | SOFTWARE ENGINEERING INSTITUTE | 52

CERT | SOFTWARE ENGINEERING INSTITUTE | 53

Area of Concern: Lack of Automated Checks
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Vermont IT has done data sweeps after it found something suspicious. When it has done so, it has found more of the same activity.
Policy or Practice Gaps: There are no automated checks (there will be in Transformation). Checks that do exist are managed at the local level rather than alerting to the headquarters level.
Suggested Countermeasures: In nearly twenty-five percent (91) of cases documented in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 cases it was because of inadequate auditing of irregular processes. In 29 of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analyzing the OSI's findings and developing automated checks that are rolled out nationally.

Area of Concern: Physical Security of Case Files
Responsible Personnel: Data Owners, Adjudicators
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: The NFTS tracks millions of files. It was described, however, as a very large warehouse where files do occa
Suggested Countermeasures: Ten percent (40) of the insiders documented in the CERT database carried out their crimes by

CERT | SOFTWARE ENGINEERING INSTITUTE | 54

CERT | SOFTWARE ENGINEERING INSTITUTE | 55

Suggested Countermeasures (fragment): the same applicant

Area of Concern: Disabling Access to CLAIMS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Currently, every month USCIS compares the Human Resources attrition list against the C3LAN account list and disables inactive employee accounts.
Policy or Practice Gaps: The new HR form has not been socialized or widely advertised. It is up to the COTRs and supervisors to consistently request that access be disabled when an employee or contractor no longer needs access.
Suggested Countermeasures: C3LAN will be retired as part of Transformation. C4 will also be retired. A copy of security controls and requirements has been provided by C3LAN data owners to Transformation. It is important for the Transformation team to make risk-based decisions in Transformation design and development.

CERT | SOFTWARE ENGINEERING INSTITUTE | 56

Area of Concern: Non-Attribution for DBA Accounts
Responsible Personnel: Information Technology

CERT | SOFTWARE ENGINEERING INSTITUTE | 57

Area of Concern: Pending Reduction in Force for Data Entry Clerks
Responsible Personnel: Data Owners, Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Data entry clerks will be losing their jobs when they move to LockBox, which will take over the functionality of accepting remittances for benefit applicants. It was stated that the data entry clerks might be hired away to work at the organization which performs that function.
Suggested Countermeasures: USCIS should be aware of the increased insider risk in the face of negative organizational events like this. It should consider proactive steps to decrease stress in the workplace and to ease potential financial burdens that could make employees more susceptible to recruitment by outsiders.

Area of Concern: Sharing Accounts in CLAIMS
Responsible Personnel: Data Owners, Information Technology, Data Entry Clerks
Policy and/or Security Measure: The NFTS will not let clerks log in if they have not used the system for a certain number of days.
Policy or Practice Gaps: A clerk's cube mate will log in for their cube mate if it is the end of the day and IT has gone home for the day.
Suggested Countermeasures: Twenty-four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make account sharing more difficult.

CERT | SOFTWARE ENGINEERING INSTITUTE | 58
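The technical controls suggested for CLAIMS above (prohibit self-selection by tying NFTS case assignments to CLAIMS decisions, keep adjudicators within their assigned form types, detect approvals of "no show" cases, and require dual authorization for approvals) can all be expressed as checks over the decision record. The following is an added example, not code from the report, CERT or USCIS; the assignment table, adjudicator scopes, decision records and rule names are constructed, and the same check can run at data-entry time as a preventive control or over a batch of past decisions as a detective one.

```python
"""Separation-of-duties checks over adjudication records (constructed example; not USCIS or CERT code)."""
from dataclasses import dataclass
from typing import Optional

# Rule identifiers (hypothetical names).
NOT_ASSIGNED = "NOT_ASSIGNED"                    # decided by someone other than the assignee in NFTS
FORM_TYPE_OUT_OF_SCOPE = "FORM_TYPE_OUT_OF_SCOPE"  # form type outside the adjudicator's assignment
NO_SHOW_APPROVED = "NO_SHOW_APPROVED"            # approval recorded although the applicant never appeared
DUAL_AUTH_MISSING = "DUAL_AUTH_MISSING"          # approval without a second approver
DUAL_AUTH_SELF = "DUAL_AUTH_SELF"                # second approver is the adjudicator


@dataclass(frozen=True)
class Decision:
    case_id: str
    adjudicator: str
    form_type: str
    outcome: str                    # "APPROVED" or "DENIED"
    interview_status: str           # "COMPLETED", "NO_SHOW", "WAIVED"
    second_approver: Optional[str] = None


# Constructed data: NFTS assignments, per-adjudicator form scopes, CLAIMS decisions.
ASSIGNMENTS = {"C-1001": "adj_a", "C-1002": "adj_b", "C-1003": "adj_a", "C-1004": "adj_b"}
FORM_SCOPE = {"adj_a": {"I-130"}, "adj_b": {"I-130", "I-485"}}
DECISIONS = [
    Decision("C-1001", "adj_a", "I-130", "APPROVED", "COMPLETED", "sup_x"),  # clean
    Decision("C-1002", "adj_a", "I-485", "APPROVED", "COMPLETED", "sup_x"),  # took adj_b's case
    Decision("C-1003", "adj_a", "I-130", "APPROVED", "NO_SHOW"),            # no-show approved alone
    Decision("C-1004", "adj_b", "I-130", "DENIED", "COMPLETED"),            # denial, supervisor review path
    Decision("C-1005", "adj_b", "I-485", "APPROVED", "COMPLETED", "adj_b"),  # unassigned, self-approved
]


def check_decision(d, assignments, form_scope):
    """Return the rule identifiers a single decision violates (empty list when clean)."""
    violations = []
    if assignments.get(d.case_id) != d.adjudicator:
        violations.append(NOT_ASSIGNED)
    if d.form_type not in form_scope.get(d.adjudicator, set()):
        violations.append(FORM_TYPE_OUT_OF_SCOPE)
    if d.outcome == "APPROVED":
        if d.interview_status == "NO_SHOW":
            violations.append(NO_SHOW_APPROVED)
        if d.second_approver is None:
            violations.append(DUAL_AUTH_MISSING)
        elif d.second_approver == d.adjudicator:
            violations.append(DUAL_AUTH_SELF)
    return violations


def may_record(d, assignments, form_scope):
    """Preventive use: refuse to store a decision that breaks any rule."""
    return not check_decision(d, assignments, form_scope)


def audit(decisions=DECISIONS, assignments=ASSIGNMENTS, form_scope=FORM_SCOPE):
    """Detective use: map case_id -> violations for every non-clean decision."""
    report = {}
    for d in decisions:
        v = check_decision(d, assignments, form_scope)
        if v:
            report[d.case_id] = v
    return report


if __name__ == "__main__":
    for case, rules in audit().items():
        print(case, ", ".join(rules))
```

Denials are left to the existing supervisor review described in the row above; the dual-authorization rule is applied to approvals only, which is the direction of the risk the countermeasure column singles out.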

Fraud Detection and Naturalization System – Data System (FDNS-DS)

Area of Concern: Elevated Privileges to FDNS-DS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: The FDNS-DS is a central repository of fraud and national security investigations. This system holds applicants and petitioners as well as PII. There is also a national security tab.
Policy or Practice Gaps: ...but there are national controls to ensure that celebrities' files are not being accessed. There is a large superuser community, more than thirty percent of all FDNS-DS users, with access to the FDNS-DS. These accounts have extensive power; a malicious superuser can completely delete a record or modify the summary of findings.
Suggested Countermeasures: Ten percent (39) of the insiders documented in the CERT database took advantage of insufficient access controls. USCIS should consider reducing the number of privileged accounts with access to the FDNS-DS. If the number of superuser accounts were reduced, then enhanced auditing could be employed on transactions conducted using those accounts.

Area of Concern: No Logging of Transactions
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided

CERT | SOFTWARE ENGINEERING INSTITUTE | 59

Area of Concern: Unknown Connections to
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided

Area of Concern: Failure to Address Known Security Vulnerabilities
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no automated patching because of the age of the servers and the application. Only critical patches are applied for fear of crashing the servers.
Suggested Countermeasures: Thirteen insiders in the CERT database exploited known security vulnerabilities that were not addressed by the organization. USCIS should consider upgrading the FDNS-DS since these vulnerabilities increase risk of attack from outside and inside.

Area of Concern: Production Data Available to Contractors in Development
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: CSC has production data in the development environment even though it should not have access to production data.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the remote contractor-owned development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.

CERT | SOFTWARE ENGINEERING INSTITUTE | 60

Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Developers cannot release new executables; a separate system administrator has to push them out.
Policy or Practice Gaps: Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of lack of adequate configuration management. USCIS has a formal configuration management process. It is important to enforce its use for all employees and contractors. Otherwise, it will be extremely difficult to investigate a crime committed using flaws intentionally injected into source code by a contractor.

CERT | SOFTWARE ENGINEERING INSTITUTE | 61
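For the FDNS-DS concern above (a superuser community larger than thirty percent of users, each able to delete a record or modify the summary of findings), the countermeasure is fewer privileged accounts together with enhanced auditing of the transactions those accounts perform. The following is an added example, not code from the report, CERT or USCIS: it measures the privileged share of a constructed user directory against that threshold and pulls the privileged actions out of a constructed transaction log whose line format is hypothetical, separating actions by superusers (to be reviewed) from privileged actions by anyone else (which the access control should have prevented).

```python
"""Privileged-account audit for a case repository (constructed example; not USCIS, FDNS-DS or CERT code)."""
import re
from collections import Counter

# Constructed user directory: user id -> role. SUPERUSER accounts can delete a record
# or modify the summary of findings; analysts can only view.
USERS = {
    "u001": "ANALYST", "u002": "ANALYST", "u003": "ANALYST", "u004": "ANALYST",
    "u005": "ANALYST", "u006": "ANALYST", "u007": "SUPERUSER", "u008": "SUPERUSER",
    "u009": "SUPERUSER", "u010": "SUPERUSER",
}

# Actions that change or destroy investigative data and therefore warrant enhanced auditing.
PRIVILEGED_ACTIONS = {"DELETE_RECORD", "MODIFY_SUMMARY"}

# Constructed transaction log; the line format is hypothetical.
LOG = """\
2010-11-02T09:14:03Z user=u001 action=VIEW_RECORD record=F-2201
2010-11-02T09:20:47Z user=u007 action=MODIFY_SUMMARY record=F-2201
2010-11-02T10:02:11Z user=u008 action=DELETE_RECORD record=F-1187
2010-11-02T10:05:59Z user=u002 action=VIEW_RECORD record=F-1187
2010-11-02T11:31:00Z user=u004 action=DELETE_RECORD record=F-3320
2010-11-02T13:47:22Z user=u008 action=DELETE_RECORD record=F-0999
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def superuser_share(users):
    """Fraction of all accounts holding the SUPERUSER role."""
    if not users:
        return 0.0
    return sum(1 for role in users.values() if role == "SUPERUSER") / len(users)


def superuser_share_exceeds(users, limit=0.30):
    """True when the privileged community is larger than the given fraction of users."""
    return superuser_share(users) > limit


def privileged_transactions(events, users):
    """Split privileged actions into those by superusers (to be audited) and those by
    anyone else (which access control should have made impossible)."""
    by_superuser, unexpected = [], []
    for e in events:
        if e["action"] not in PRIVILEGED_ACTIONS:
            continue
        if users.get(e["user"]) == "SUPERUSER":
            by_superuser.append(e)
        else:
            unexpected.append(e)
    return by_superuser, unexpected


def deletions_per_superuser(events, users):
    """Count of record deletions per superuser, the first figure a reviewer would look at."""
    audited, _ = privileged_transactions(events, users)
    return Counter(e["user"] for e in audited if e["action"] == "DELETE_RECORD")


if __name__ == "__main__":
    ev = parse_log(LOG)
    print(f"superuser share: {superuser_share(USERS):.0%}")
    audited, unexpected = privileged_transactions(ev, USERS)
    print("audited:", [(e["user"], e["action"], e["record"]) for e in audited])
    print("unexpected:", [(e["user"], e["action"], e["record"]) for e in unexpected])
    print("deletions:", dict(deletions_per_superuser(ev, USERS)))
```

An event in the "unexpected" list (here a deletion by an analyst account) is itself a finding about the access control, not just about the user; with a small privileged population the "audited" list is short enough for a person to review transaction by transaction, which is the point of reducing the superuser count first.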

Appendix E: Incident Response

Incident Management, Security Awareness, Concerning Behaviors

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature.

Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complexity and widely distributed function creates a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Because of this, it is practically impossible for USCIS to implement a proactive program to mitigate insider threat. CERT strongly recommends that USCIS create a central repository of employee misconduct so it can detect indicators of increasing insider threat risk and mitigate them as quickly as possible.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

CERT | SOFTWARE ENGINEERING INSTITUTE | 62
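The central repository of employee misconduct recommended above, and the point made later in this appendix that Remedy tickets keyed to a computer identifier rather than a user cannot be correlated to find repeat offenders, can be handled together: normalize the records from each reporting office or system into one store, and attribute machine-keyed tickets to a person through logon records before they enter it. The following is an added example, not code from the report, CERT or USCIS; the OSI, LER and Remedy records, the logon table and the ticket fields are constructed and hypothetical.

```python
"""Central incident repository with user attribution (constructed example; not USCIS or CERT code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    source: str     # originating office or system: OSI, LER, REMEDY
    user_id: str    # person the incident is attributed to
    date: str       # ISO date
    category: str   # e.g. SECURITY_VIOLATION, MISCONDUCT, AUP_VIOLATION


# Constructed source records; identifiers and people are hypothetical.
OSI_CASES = [
    {"case": "OSI-0041", "user": "jsmith", "date": "2010-03-02", "category": "SECURITY_VIOLATION"},
]
LER_COMPLAINTS = [
    {"complaint": "LER-117", "user": "jsmith", "date": "2010-06-18", "category": "MISCONDUCT"},
    {"complaint": "LER-118", "user": "mlee", "date": "2010-06-20", "category": "MISCONDUCT"},
]
# Help-desk tickets carry only a computer identifier, as described for the Remedy system.
REMEDY_TICKETS = [
    {"ticket": "INC-9001", "computer": "WS-4471", "date": "2010-07-01", "category": "AUP_VIOLATION"},
    {"ticket": "INC-9002", "computer": "WS-1203", "date": "2010-07-09", "category": "AUP_VIOLATION"},
    {"ticket": "INC-9003", "computer": "WS-7777", "date": "2010-07-12", "category": "AUP_VIOLATION"},
]
# Hypothetical logon records: (computer, date) -> user logged on that day.
LOGON_RECORDS = {
    ("WS-4471", "2010-07-01"): "jsmith",
    ("WS-1203", "2010-07-09"): "tgarcia",
}


def attribute_ticket(ticket, logons):
    """Resolve a machine-keyed ticket to a user, or None when no logon record matches."""
    return logons.get((ticket["computer"], ticket["date"]))


def build_repository(osi=OSI_CASES, ler=LER_COMPLAINTS, remedy=REMEDY_TICKETS, logons=LOGON_RECORDS):
    """Normalize every source into Incident records; also return tickets that could not be attributed."""
    repo, unattributed = [], []
    for c in osi:
        repo.append(Incident("OSI", c["user"], c["date"], c["category"]))
    for c in ler:
        repo.append(Incident("LER", c["user"], c["date"], c["category"]))
    for t in remedy:
        user = attribute_ticket(t, logons)
        if user is None:
            unattributed.append(t["ticket"])   # needs manual attribution before it is useful
        else:
            repo.append(Incident("REMEDY", user, t["date"], t["category"]))
    return repo, unattributed


def repeat_offenders(repo, threshold=2):
    """Users with at least `threshold` incidents across all sources, with their dated history."""
    by_user = defaultdict(list)
    for inc in repo:
        by_user[inc.user_id].append(inc)
    return {
        user: sorted((i.date, i.source) for i in incidents)
        for user, incidents in by_user.items()
        if len(incidents) >= threshold
    }


if __name__ == "__main__":
    repo, pending = build_repository()
    print("unattributed tickets:", pending)
    for user, history in repeat_offenders(repo).items():
        print(user, history)
```

Only once the three feeds share one key does the pattern in the sample (a security violation, then a misconduct complaint, then an acceptable-use ticket for the same person) become visible; in the separate OSI, LER and Remedy stores each looks like a first offense.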

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sLa

cko

fCen

tral

Re

posi

tory

ofE

m

ploy

eeM

isco

nduc

t

USC

ISL

eade

rshi

p Ph

ysic

alS

ecur

ity

Off

ice

ofS

ecur

ity

and

Inte

gri

ty

IfFi

eld

Secu

rity

rec

eive

sa

Sign

ifica

nt

Inci

dent

Rep

ort(

SIR)

the

nit

inve

sti

gate

sE

mpl

oyee

mis

cond

ucti

sth

en

repo

rted

toO

ffic

eof

Sec

urity

and

In

tegr

ity(O

SI)

Ifth

eO

SIin

vest

igat

ion

subs

tant

iate

san

em

ploy

eersquos

mis

con

duct

itp

rovi

des

Coun

teri

ntel

ligen

ce

(CI)

am

onth

lyr

epor

tI

tals

opr

ovid

es

the

empl

oyee

rsquosm

anag

emen

tac

opy

CI

iss

tart

ing

tog

etm

ore

repo

rts

of

acce

ptab

leu

sev

iola

tions

and

sec

urity

vi

olat

ions

It

trac

kse

very

thin

gin

a

file

for

late

rus

ein

rei

nves

tigat

ions

La

bor

Empl

oyee

Rel

atio

ns(L

ER)h

asa

re

cord

oft

here

port

sit

rece

ives

of

mis

cond

uct

com

plai

nts

agai

nsta

nem

ploy

eer

ule

viol

atio

nsa

nds

oon

H

Rm

aint

ains

the

Off

icia

lPer

sonn

el

File

whi

chc

onta

ins

reco

rds

ofs

us

pens

ions

etc

LE

Rco

ntac

tsH

Ron

ly

for

thos

ety

pes

ofa

ctio

ns

Th

eO

SIe

valu

ates

all

com

plai

nts

itre

ceiv

esa

ndlo

gsth

emin

toth

eca

se

man

agem

ents

yste

m

Ita

ssig

nsth

em

toa

fiel

dof

fice

Att

hatp

oint

any

co

mpl

aint

sar

eth

ere

spon

sibi

lity

of

the

spec

iala

gent

inc

harg

eat

the

field

of

fice

The

fiel

dof

fice

inve

stig

ates

Ther

eis

no

sing

lep

lace

tog

ofo

ran

em

ploy

eersquos

dis

cipl

inar

yre

cord

sT

he

num

ber

ofo

rgan

izat

ions

invo

lved

an

dm

anag

emen

tofr

ecor

dsis

ver

yco

mpl

exa

ndd

istr

ibut

edth

roug

hout

th

eor

gani

zatio

n

Acc

ordi

ngto

Phy

sica

lSec

urity

the

fie

ldo

ffic

edo

esn

otte

llth

eO

SI

abou

tpro

blem

sndashth

eO

SIfi

nds

out

whe

nit

ldquohits

the

pres

srdquo

For

exa

m

ple

the

OSI

isn

otin

form

edo

fad

is

grun

tled

syst

ema

dmin

istr

ator

who

is

exhi

bitin

gco

ncer

ning

beh

avio

rs

USC

ISs

houl

dco

nsid

err

equi

ring

m

anda

tory

rep

ortin

gof

all

inci

de

nts

toth

eO

SI

This

com

mu

nica

tion

stre

amw

illa

llow

the

OSI

tog

etin

volv

eda

sea

rly

as

poss

ible

and

tod

ocum

enta

nd

mai

ntai

na

cent

ralr

epos

itory

of

alli

ncid

ents

Th

isc

entr

alr

epo

sito

ryis

cri

tical

for

ade

quat

ely

man

agin

gin

side

rth

reat

sin

USC

IS

CERT | SOFTWARE ENGINEERING INSTITUTE | 63

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

san

dse

nds

the

case

for

corr

ectiv

eac

tio

nto

the

regi

onal

dir

ecto

rin

the

chai

nof

com

man

da

ndth

enth

ere

gi

onal

dir

ecto

rret

urns

am

anag

emen

tre

port

ofa

ctio

nto

the

spec

iala

gent

in

cha

rge

Th

eO

SIc

onta

cts

the

DH

SO

IGfo

rpo

te

ntia

llyc

rim

inal

beh

avio

ror

ser

ious

m

isco

nduc

tI

fthe

DH

SO

IGtu

rns

the

case

dow

nth

enit

iss

entt

oth

efie

ld

offic

eor

tola

we

nfor

cem

ent

Th

ePe

rson

nelS

ecur

ityd

ivis

ion

(PER

SEC)

not

ifies

the

OSI

mon

thly

of

arre

sts

(tra

cked

inth

eca

sem

anag

em

ents

yste

m)a

ndth

eO

SIn

otifi

es

PERS

ECo

finv

estig

atio

ns

Trac

king

ofO

nlin

eIn

cide

nts

Info

rmat

ion

Tech

nolo

gy

Com

pute

ror

net

wor

kvi

olat

ion

inci

de

nts

are

trac

ked

bya

Rem

edy

sys

tem

tied

toa

uni

que

com

pute

rid

enti

fier

rath

erth

ana

use

rin

an

atte

mpt

to

kee

pPI

Iout

oft

heti

cket

Itis

diff

icul

tto

tiea

nev

entt

oa

par

ticul

arp

erso

nE

ven

ifth

eid

entit

yof

an

off

ende

ris

know

nr

epea

toff

end

ers

are

nott

rack

edin

any

aut

omat

ed

orc

orre

late

dw

ay

USC

ISs

houl

dco

nsid

erin

clud

ing

user

info

rmat

ion

for

each

inci

de

nts

oth

atr

epea

toff

ende

rs

can

bee

asily

iden

tifie

da

sre

pe

ato

ffen

ses

coul

din

dica

tea

nin

side

rof

hig

her

risk

Cons

iste

ncy

inR

esp

onse

toS

ecur

ity

Vio

lati

ons

and

Con

cern

ing

Beha

vior

s

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

Phys

ical

Sec

urit

y

No

evid

ence

pro

vide

d

Ther

eis

no

requ

ired

trai

ning

for

su

perv

isor

son

how

tor

espo

ndto

a

rang

eof

beh

avio

rsa

ssoc

iate

dw

ith

man

yfo

rms

ofin

side

rri

sk

Co

mpu

ter

use

viol

atio

nsa

ren

ot

Eigh

tyo

neo

fthe

insi

ders

do

cum

ente

din

the

CERT

Insi

der

Thre

atC

ase

data

base

dis

play

ed

conc

erni

ngb

ehav

iors

pri

orto

or

whi

lec

arry

ing

outt

heir

cri

min

al

activ

ities

Em

ploy

ees

shou

ldb

e

CERT | SOFTWARE ENGINEERING INSTITUTE | 64

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sha

ndle

dco

nsis

tent

lya

cros

sde

part

m

ents

sup

ervi

sors

and

type

ofe

m

ploy

ee

Egre

giou

svi

olat

ions

are

re

ferr

edto

the

OSI

for

afu

llin

vest

igat

ion

but

the

crite

rion

for

deci

ding

whe

nth

atis

war

rant

edis

a

gutr

eact

ion

trai

ned

tor

ecog

nize

and

re

spon

dto

indi

cato

rso

fris

kfo

rvi

olen

ces

abot

age

frau

dth

eft

an

dot

her

insi

der

acts

Ev

enif

it

isn

otp

ossi

ble

tor

equi

ren

on

supe

rvis

ors

tor

epor

tcon

cern

s

this

trai

ning

may

incr

ease

the

freq

uenc

yof

repo

rtin

gan

dde

te

rren

ceo

fins

ider

act

ions

US

Dep

artm

ento

fSt

ate

Inve

stig

atio

ns

Off

ice

ofS

ecur

ity

and

Inte

gri

ty

OSI

Inve

stig

atio

nsh

ave

been

sub

ject

to

alle

gatio

nso

fvio

latio

nsin

volv

ing

Fore

ign

Serv

ice

Nat

iona

ls(F

SN)

but

the

OIS

rel

ies

onth

eU

SD

epar

tmen

tof

Sta

teto

inve

stig

ate

USC

ISh

asn

ovi

sibi

lity

into

US

De

part

men

tofS

tate

inve

stig

atio

ns

FSN

sw

hoh

ave

acce

ssto

USC

IS

syst

ems

and

data

sho

uld

be

incl

uded

ina

nin

side

rth

reat

risk

m

itiga

tion

stra

tegy

Prep

arat

ion

for

Neg

ativ

eW

ork

Rela

ted

Even

ts

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

Phys

ical

Sec

urit

y

No

evid

ence

pro

vide

d

Ther

edo

not

app

ear

tob

ean

ygu

ide

lines

tra

inin

go

rpe

rson

nela

vaila

ble

toe

valu

ate

empl

oyee

insi

der

risk

be

fore

or

afte

rfre

quen

tlyp

reci

pita

tin

gev

ents

suc

has

term

inat

ion

de

mot

ions

tra

nsfe

rso

rot

her

disa

ppo

intm

ents

or

unm

ete

xpec

tatio

ns

Ther

eal

sod

oes

nota

ppea

rto

bea

gr

oup

char

ged

with

eva

luat

ing

in

side

rri

skfr

omo

rgan

izat

iona

leve

nts

ord

evel

opm

ents

aff

ectin

ggr

oups

of

empl

oyee

ss

uch

asr

eloc

atio

nsc

on

trac

tcha

nges

lay

offs

and

reo

rgan

iza

tions

Fift

yfiv

ein

side

rsd

ocum

ente

din

the

CERT

Insi

der

Thre

atC

ase

data

base

had

neg

ativ

eem

pl

oym

enti

ssue

sN

inet

yfo

ur

had

ach

ange

ine

mpl

oym

ent

stat

usp

rior

toth

eir

atta

cks

20

had

com

pens

atio

nor

ben

efit

issu

esa

nd6

5w

ere

disg

runt

led

Su

perv

isor

ssh

ould

be

trai

ned

in

thes

eri

skin

dica

tors

Th

ere

shou

lda

lso

bea

nav

aila

ble

pane

lofs

peci

alis

tsfr

omth

eO

SI

orth

eLa

bor

Empl

oyee

Rel

atio

ns(L

ER)t

rain

edto

ass

ess

such

ris

k

CERT | SOFTWARE ENGINEERING INSTITUTE | 65

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

s Si

mila

rsp

ecia

lists

sho

uld

be

avai

labl

eto

par

ticip

ate

inp

lan

ning

and

exe

cutio

nof

res

pons

epl

ans

inp

repa

ratio

nfo

rne

ga

tive

wor

kpla

cee

vent

sth

atp

ote

ntia

llyc

ould

lead

tod

isgr

un

tlem

enta

mon

gth

ew

orkf

orce

at

USC

IS

Area of Concern: Contractor Management
Responsible Personnel: USCIS Leadership, Physical Security, Human Resources
Policy and/or Security Measure: Personnel screening procedures for contractors are similar to those for employees. Contracting companies are required to report any adverse information regarding their employees immediately (in all contracts).
Policy or Practice Gaps: LER has no involvement with contractors. They have no record of contractor misbehaviors or complaints against contractors. Supervisors, the OSI, LER, and others concerned with organizational security may be largely unaware of insider risks related to contractors. Contractors are not subject to government monitoring or risk assessment.
Suggested Countermeasures: A contractor on a critical system may develop or have significant insider risk factors that may remain unknown to government employees due to lack of reporting requirements. Sixty-two of the insiders documented in the CERT Insider Threat Case database were contractors. USCIS contract management staff should consider the need for reporting a range of potential indicators of insider risk among contract staff. Incident response plans should include response to employee and contractor issues.

Area of Concern: Employee or Contractor Concerning Behavior
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security, Office of Security and Integrity, Labor Employee Relations
Policy and/or Security Measure: By policy it is every employee's responsibility to report suspicious behavior or misconduct. Supervisors who observe concerning or suspicious behavior report it to LER or the OSI. For low-level misconduct, LER advises the field office management on handling the matter. LER reports more serious misconduct, with more severe consequences, to HR. Misconduct can also be reported via Significant Incident Reports (SIRs). SIRs are sent to Physical Security or to the OSI for investigation. If CI discovers something suspicious during a reinvestigation, it informs the employee's supervisor. The supervisor works with LER and counsel to decide on follow-up actions.
Policy or Practice Gaps: Self-reported drug use, arrests, and associations with foreign nationals during employment are sent to the OSI. The OSI sends results to the supervisor following investigation.
Suggested Countermeasures: Supervisors need to be notified immediately when an employee reports drug use, arrests, or association with foreign nationals so they have an accurate perception of the risk associated with each of their employees. In addition, 18 of the insiders documented in the CERT Insider Threat Case database had possible psychological issues. In collaboration with the OSI and LER, supervisors confronting employees who display concerning behaviors should have the ability to remove them from the workforce pending a medical or psychological evaluation to determine whether they have a disorder or illness that may impair their trustworthiness or judgment or make them a danger to themselves or others. Similarly, empowering supervisors to make an employee assistance program referral and evaluation mandatory, in collaboration with LER or the OSI, might help remove at-risk individuals from the workforce until they can safely and securely return.

Area of Concern: Electronic Investigations
Responsible Personnel: Information Technology, Office of Security and Integrity
Policy and/or Security Measure: Most allegations reported to the OSI are not very technical; the OIT provides forensics support for investigations (primarily database transactions).
Policy or Practice Gaps: PERSEC has never asked the OIT to review a user's online activity. Only one person in OSI is qualified to do a forensic inspection.
Suggested Countermeasures: USCIS should consider including the OIT in investigations of suspicious activity. CERT's insider threat research has shown that nontechnical concerning behaviors can be associated with online criminal activity. It would be beneficial to check for past technical security violations and have the OIT analyze current online activity as part of the OSI investigations.

Appendix F: Software Engineering

[The introductory paragraph of this appendix survived extraction only in fragments; the recoverable pieces, in page order, are:] … few … in the cases documented in the CERT database injected code into source code to facilitate … but in a … case the … out by so… source code were intended to sabotage the organization's systems … cases the code … in one case was set to execute following the insider's termination … USCIS recognize the po… be carried … potential illicit activity that could … the most critical systems and system components … insiders, both employees and contractors, … IT sabotage. In most cases the modifications to so… facilitate fraud. In many … was used to … important that U… for a year before finally executing. It is …er… and implement appropriate controls, particularly fo… cious in… fraud as the co… planted … engine … Mal… both case… was …ware.

Subsection labels appearing on the page: Logging; Critical Data Controls; Code Reviews; Configuration Management.

Area of Concern: Code Reviews
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Contractors are required to maintain a certain level of process maturity (CMMI Level 3) to be in compliance with USCIS policies. Source code is restricted to those with the need to know. Version Manager is used to control and track changes to source code. Separation of duties is implemented in the software release process: CSC checks new source code into Version Manager, and a USCIS employee checks out the source code and releases it into production. The USCIS DBA moves new database objects into the production database.
Policy or Practice Gaps: Another interviewee mentioned that an "Easter egg" was found in source code after the contract was given to a new company.[4]

[4] A virtual Easter egg is an intentional hidden message, joke, or feature in a program, movie, book, etc.

Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: When contractors develop software remotely, they are supposed to register code in Version Manager, but this is not always done consistently. Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of the lack of adequate configuration management.

Area of Concern: Software Engineering Controls in the Service Centers
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Software is being developed in the Service Centers without consistently enforcing the same change management processes enforced at the national (enterprise) level. The centers use a code repository, but not Version Manager, to track software changes. They do peer reviews of code and believe that enterprise controls for code review are more detailed (although that belief appears to be false according to interviews at headquarters).
Suggested Countermeasures: USCIS should consider consistent policies and procedures for software engineering for the entire enterprise, including the Service Centers.

Area of Concern: Logging
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Logs used include database logs, application logs, system logs, remote access logs, and many others.
Suggested Countermeasures: Most insiders documented in the CERT Insider Threat Case database were detected or identified using some kind of system log.

Area of Concern: Production Data in Development Environment
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Development and production systems should be separate in terms of data sharing and access control.
Policy or Practice Gaps: In some cases contractors have access to both systems, including production data in the development environment.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.

Appendix G: Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems or networks.

In some areas, computer accounts are managed fairly well at USCIS. USCIS is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account. Furthermore, an FSN account and a U.S. citizen federal employee account cannot be distinguished once it is created. Although account naming conventions are dictated by DHS and the U.S. Department of State, USCIS could request a naming convention to differentiate between FSN and U.S. citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.


Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore, USCIS has no visibility into who has access to its systems. Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR. Dormant accounts provide a convenient, unknown access path for current and former employees to use for illicit activity. A lack of consistency exists in the application of account management practices under the control of USCIS. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.

Area of Concern: Account Establishment
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: In order for FSNs to gain access to USCIS systems, they must submit paperwork through proper channels, which eventually requires authorization by the CSO and CIO of DHS.
Policy or Practice Gaps: Prior to 2007, waiver paperwork for FSNs requesting account access was not submitted consistently. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.
Suggested Countermeasures: USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Different personnel are responsible for account creation and deletion across the entire enterprise, depending on the system or network in question.
Policy or Practice Gaps: Database administrators may be able to create and delete database and application accounts without a second person verifying that action.
Suggested Countermeasures: Because database administrators have access to such critical data, USCIS should consider separating the task of authorizing access to USCIS databases from the task of managing the data in the databases. This separation of duties may reduce the risk of a database administrator creating an unauthorized account and using that account to carry out a malicious act.

Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: A computer account is established only after a number of criteria have been met, including security awareness training. In addition to the steps required of all personnel for account access, contractors have to go through extra steps, some of which include verification by the COTR.
Policy or Practice Gaps: Computer account access is sometimes granted before security awareness training is completed. This practice may be true especially for contractors, since the onboarding process depends on the contracting agency and the COTR to verify that the training is completed.
Suggested Countermeasures: USCIS should consider requiring computer security awareness training for all personnel – full-time employees, part-time employees, and contractors – and verify that it is complete before creating any system accounts for these personnel.

Area of Concern: Account Management (General)
Responsible Personnel: Information Technology
Policy and/or Security Measure: PICS is administered by ICE, which has over 2,000 LPOs across various components of DHS. These LPOs are responsible for granting authorized access to PICS for the personnel at their respective work sites. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system.
Policy or Practice Gaps: Although the PICS account process requires the account to be linked to a valid employee, PICS administrators could create unauthorized accounts in the name of valid employees without their knowledge. Invalid accounts are typically flagged only when the account is dormant for a certain period of time. An LPO can also assign rights for any system controlled by PICS. Furthermore, ICE administers this system and could affect USCIS records unbeknownst to USCIS.
Suggested Countermeasures: In 12 of the cases documented in the CERT Insider Threat Case database, insufficient account management enabled the insiders to commit their crimes. USCIS should consider conducting account audits at the local site level, which would allow the validation of current PICS accounts and roles versus current PICS employee lists. USCIS should explore a means of segregating account management in PICS so that LPOs can administer accounts only for their own organization's systems. In other words, USCIS LPOs would only be able to administer authorizations for USCIS systems in PICS, and ICE LPOs would only be able to administer authorizations for ICE systems.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Account management is handled by a number of different groups across USCIS. Although there is an effort to centralize account management, local and regional offices of USCIS have historically done their own account management. If an account has not been used for a certain period of time, it is automatically disabled. The time period stated by various interviewees varied from 30, 60, or 90 days.

Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: When an employee moves from one position to another or transfers to another department, the management in those departments must initiate the required computer account changes.
Policy or Practice Gaps: The issue of account management for employee transfers is not being addressed in a consistent manner. The OIT relies on notification by either the new or old supervisor when an employee transfers, but there have been cases in USCIS in which employees have retained access when they should not have.
Suggested Countermeasures: Six insiders documented in the CERT Insider Threat Case database were able to carry out their illegal activities because of "privilege creep." USCIS should review account management procedures to ensure that the steps currently taken to remove or alter account access are complete and being consistently followed. In particular, the procedures used when someone changes locations or departments within USCIS should be examined. As employees transfer throughout an agency, they should not be accumulating privileges. They should only retain privileges commensurate with their job responsibilities.

Area of Concern: Changing Password of Shared Account Upon Termination
Responsible Personnel: Information Technology
Policy and/or Security Measure: There are operating system images used throughout USCIS that permit an administrator to install a standard configuration of an operating system and accompanying software.
Policy or Practice Gaps: Though it would require physical access to a USCIS machine, that former administrator would have administrator rights to GFE.
Suggested Countermeasures: Twelve percent (46) of the insiders documented in the CERT Insider Threat Case database used system administrator privileges to sabotage systems or data; shared accounts were used by insiders following termination in 14 cases. Although an administrator would need physical access to a piece of equipment, …

Area of Concern: Disabling Accounts or Connections Upon Employee Termination
Responsible Personnel: USCIS Leadership, Information Technology, Human Resources
Policy and/or Security Measure: The OIT typically is notified of an account termination in one of three ways: 1) A standard form called an exit clearance form is distributed and signed by other parties such as Human Resources and the Office of Security and Integrity (OSI). This form lets the OIT know that an employee's accounts should be disabled or terminated. 2) The supervisor of the departing employee contacts the OIT directly and informs them of the employee's departure. 3) When a contractor is involved, it is the responsibility of the COTR to inform the OIT. The OIT receives an "attrition list" every 2 weeks. When this list is received, a manual check is done to ensure that employees who have departed in the last 2 weeks have their account access deleted.
Policy or Practice Gaps: It is clear from interviews with USCIS personnel that a single process is neither understood nor followed for disabling accounts following an employee or contractor termination. The procedures used are not consistent between supervisors or field offices, and for federal employees versus contractors. Sometimes the exit clearance form makes it to the OIT and sometimes it does not. The OIT's task is made even more difficult by the fact that it would need to know exactly which accounts an individual has access to. Though this process is fairly effective, it potentially allows unauthorized access for 2 weeks following termination. Because this is a manual process, there is currently no automatic way to ensure that it happens. USCIS personnel cited an instance in which these procedures failed for an employee who was terminated as a contractor and later hired as a federal employee.
Suggested Countermeasures: The lack of consistency and awareness of the standard procedures may permit the account of an insider to be used following termination. Terminating accounts even 2 weeks following termination may not be enough to prevent unauthorized or criminal activity. As soon as HR is aware of the change, a more automated mechanism of deleting these accounts should be implemented.

Area of Concern: Disabling Accounts or Connections During Employee Leave of Absences
Responsible Personnel: Information Technology, Human Resources
Policy and/or Security Measure: LPOs work in their respective regions or offices and are decentralized by nature. The policies and procedures followed often depend on how things have been done historically in that particular office.
Policy or Practice Gaps: Because account authorization procedures are not standardized throughout all organizations using the PICS, LPOs across the entire USCIS enterprise have not been consistent in how they have handled account deletion following employee termination. There is no official guidance or practice in the proper way to suspend access for an employee on a leave of absence. In one case provided by USCIS, an employee retained access to critical systems even after being placed on an administrative leave of absence.
Suggested Countermeasures: USCIS should continue its efforts to centralize or reduce the number of LPOs in order for standard procedures to be followed. If this cannot be accomplished, standard procedures should be published, instructed, and consistently enforced. A few insiders documented in the CERT Insider Threat Case database retained access to organization systems while on a leave of absence and used that access to steal information or commit fraud. USCIS should implement a policy to outline exactly what should be done when a government employee or contractor goes on a leave of absence, considering the risks versus benefits of allowing system access.

Area of Concern: Sharing Account and Password Information
Responsible Personnel: Information Technology
Policy or Practice Gaps: Although concern has been expressed about the existence of these accounts, the business justification has taken precedence over the risk being assumed.
Suggested Countermeasures: Access to these accounts should be carefully documented and tracked so that credentials can be changed if someone in that restricted group no longer warrants access.

Acc

ess

Cont

rol

An

orga

niza

tionrsquo

sla

cko

fsuf

ficie

nta

cces

sco

ntro

lmec

hani

sms

was

ac

omm

onth

eme

inm

any

ofth

ein

side

rth

reat

cas

ese

xam

ined

by

CERT

In

si

ders

hav

ebe

ena

ble

toe

xplo

itex

cess

ive

priv

ilege

sto

gai

nac

cess

tos

yste

ms

and

info

rmat

ion

they

oth

erw

ise

wou

ldn

oth

ave

been

aut

hori

zed

toa

cces

sA

dditi

onal

lyi

nsid

ers

have

bee

nkn

own

tou

ser

emot

eac

cess

aft

erte

rmin

atio

nto

att

ack

ano

rgan

izat

ionrsquo

sin

tern

aln

etw

ork

Org

ani

zatio

nss

houl

den

sure

that

net

wor

km

onito

ring

and

logg

ing

ise

nabl

edfo

rex

tern

ala

cces

sM

onito

ring

ofn

etw

ork

activ

ityis

ext

rem

ely

impo

rta

nte

spec

ially

inth

epe

riod

bet

wee

nem

ploy

eer

esig

natio

nan

dte

rmin

atio

n

Giv

enth

edi

stri

bute

dna

ture

ofa

cces

sau

thor

izat

ion

via

PICS

ICE

and

the

US

Dep

artm

ento

fSta

ten

onU

SCIS

em

ploy

ees

and

cont

ract

ors

coul

dbe

gra

nted

acc

ess

toU

SCIS

cri

tical

sys

tem

sI

tis

poss

ible

that

the

non

USC

ISe

mpl

oyee

san

dco

ntra

ctor

sha

ven

otb

een

thro

ugh

the

rigo

rous

pr

eem

ploy

men

tscr

eeni

ngr

equi

red

ofU

SCIS

em

ploy

ees

and

cont

ract

ors

par

ticul

arly

thos

egr

ante

dac

cess

thro

ugh

the

US

Dep

artm

ento

fSta

te

for

acce

ssfr

ome

mba

ssie

sov

erse

as

USC

ISs

houl

dco

nsid

erth

eri

skth

ese

insi

ders

pos

eto

the

prot

ectio

nof

the

criti

calU

SCIS

dat

aan

dsy

stem

s

and

impl

emen

tpro

tect

ion

mec

hani

sms

toli

mit

the

dam

age

that

thes

ein

side

rsm

ight

cau

se

CERT | SOFTWARE ENGINEERING INSTITUTE | 82

Oth

era

cces

sco

ntro

liss

ues

that

sho

uld

bec

onsi

dere

din

clud

eun

rest

rict

eda

cces

sto

som

ecr

itica

lsys

tem

sby

OIT

sta

ffl

ack

ofc

onsi

sten

tpro

ces

ses

for

man

agin

gem

ploy

eea

cces

sas

they

mov

efr

omo

ned

epar

tmen

tto

the

next

with

inU

SCIS

abi

lity

tou

sep

erso

nalc

ompu

ters

for

USC

IS

wor

ka

ndla

cko

fmon

itori

nga

ndc

ontr

ols

for

som

ecr

itica

lsys

tem

adm

inis

trat

ion

func

tions

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sA

cces

sCo

ntro

l

Fore

ign

Serv

ice

Nat

iona

ls

Info

rmat

ion

Tech

nolo

gy

Hum

anR

esou

rces

O

ffic

eof

Sec

urit

yan

dIn

te

grit

y

Curr

ently

aF

orei

gnS

ervi

ceN

atio

nal

(FSN

)req

uiri

nga

cces

sto

USC

ISs

ys

tem

ssu

bmits

pap

erw

ork

incl

udin

ga

wai

ver

thro

ugh

the

USC

ISd

irec

tor

and

the

CIO

and

CSO

ofD

HS

Alth

ough

the

asse

ssm

entt

eam

was

ab

leto

get

lim

ited

visi

bilit

yin

toth

is

prac

tice

its

eem

sto

be

alig

ned

with

th

epo

licy

Ift

rue

ith

asg

iven

USC

IS

and

DH

Sbe

tter

vis

ibili

tyin

toth

isa

ctiv

ity

The

prac

tice

shou

ldb

eco

ntin

ued

and

expa

nded

as

need

edto

in

form

all

rele

vant

USC

ISp

erso

nne

l

Info

rmat

ion

Tech

nolo

gy

Hum

anR

esou

rces

Pe

rson

nelS

ecur

ity

Off

ice

ofS

ecur

ity

and

In

tegr

ity

Whe

nFS

Ns

requ

ire

acce

ssto

USC

IS

syst

ems

ine

mba

ssie

san

dco

nsul

ates

ab

road

the

yar

eve

tted

by

the

US

D

epar

tmen

tofS

tate

Beca

use

the

US

Dep

artm

ento

fSta

te

isp

erfo

rmin

gth

eve

ttin

gpr

oces

s

USC

ISh

asv

ery

little

con

trol

or

visi

bil

ityin

toth

epr

oces

sfo

rgr

antin

gFS

Ns

acce

ssto

USC

ISs

yste

ms

and

net

wor

ks

Inte

rvie

wee

sst

ated

that

in

som

eca

ses

FSN

sha

vea

dmin

istr

ativ

eco

ntro

love

rso

me

syst

ems

and

that

in

oth

erc

ases

the

yar

ese

rvin

gas

in

form

atio

nsy

stem

sec

urity

off

icer

s(IS

SOs)

USC

ISs

houl

dga

ina

bet

ter

un

ders

tand

ing

ofth

eU

SD

epar

tm

ento

fSta

tersquos

vet

ting

proc

ess

and

clar

ifyit

sow

nre

quir

emen

ts

for

gran

ting

and

trac

king

acc

ess

for

FSN

sto

USC

ISs

yste

ms

If

cont

inue

dac

cess

isr

equi

red

the

proc

edur

esto

doc

umen

tand

co

ntro

ltha

tacc

ess

shou

ldb

ene

gotia

ted

with

the

US

De

part

men

tofS

tate

and

con

sis

tent

lye

nfor

ced

Info

rmat

ion

Tech

nolo

gy

Onc

ea

trad

ition

alu

ser

acco

unti

scr

eate

dth

ere

isli

ttle

ton

ow

ayto

di

stin

guis

han

FSN

acc

ount

from

one

be

long

ing

toa

US

citi

zen

Beca

use

anF

SNa

ccou

ntis

not

dis

tin

guis

habl

efr

omo

ther

acc

ount

sit

w

ould

be

extr

emel

ydi

ffic

ultt

oas

so

ciat

esp

ecifi

con

line

activ

ities

with

ac

coun

tsb

elon

ging

toF

SNs

Em

ail

USC

ISs

houl

dco

nsid

erw

heth

er

orn

otit

wan

tsth

eab

ility

tod

is

tingu

ish

wha

tonl

ine

activ

ities

an

dac

cess

esF

SNs

are

enga

ging

in

If

soi

tsho

uld

inco

rpor

ate

CERT | SOFTWARE ENGINEERING INSTITUTE | 83

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sad

dres

ses

appe

arth

esa

me

and

viol

atio

nac

tiviti

esw

ould

not

eas

ilyb

eat

trib

uted

toa

nFS

N

thos

est

eps

into

the

proc

edur

es

men

tione

dab

ove

Info

rmat

ion

Tech

nolo

gy

DH

Sis

inth

epr

oces

sof

bui

ldin

ga

secu

rein

tran

etc

alle

dO

neN

et

whi

chw

illb

ette

ren

able

info

rmat

ion

shar

ing

amon

gD

HS

com

pone

nts

Th

isp

roje

ctw

illb

een

able

dby

inte

rco

nnec

tion

agre

emen

tsb

etw

een

segm

ents

Onc

eth

eap

prop

riat

ein

terc

onne

ctio

nag

reem

ents

are

inp

lace

itw

illb

eha

rder

tor

estr

icta

cces

sfo

rFSN

sto

sp

ecifi

csy

stem

s(e

g

Shar

ePoi

nt)

USC

ISs

houl

dm

ake

ade

term

ina

tion

abou

twhe

ther

or

notF

SN

acce

sss

houl

dbe

any

diff

eren

tfr

omo

ther

sim

ilar

acco

unts

of

US

citi

zens

If

the

lack

ofr

est

rict

ions

isu

nacc

epta

ble

that

is

sue

shou

ldb

ebr

ough

tto

DH

Spe

rson

nelr

espo

nsib

lefo

rim

pl

emen

ting

the

One

Net

sol

utio

n

Acc

ess

cont

rols

Ther

ear

ebu

sine

ssp

roce

ssa

ndr

eso

urce

s(e

g

PICS

CLA

IMS

3a

nd

CLA

IMS

4)th

ata

res

hare

dw

ithIC

E

This

par

tner

ship

isa

nar

tifac

toft

he

past

and

cur

rent

rel

atio

nshi

psb

etw

een

depa

rtm

ents

with

inD

HS

For

thes

esh

ared

res

ourc

esto

func

tio

npr

oper

lyt

hey

requ

ire

care

ful

coor

dina

tion

whi

chd

oes

nott

ake

plac

ein

all

case

sF

ore

xam

ple

USC

IS

does

not

rec

eive

ac

opy

ofth

efo

rmal

ac

cess

req

uest

sub

mitt

edto

ICE

for

anIC

Eem

ploy

eeto

acc

ess

aU

SCIS

sy

stem

USC

ISs

houl

dca

refu

llyd

ocum

ent

wha

tacc

ess

isb

eing

gra

nted

to

any

part

ies

exte

rnal

toU

SCIS

If

addi

tiona

lcoo

rdin

atio

nis

re

quir

edi

tsho

uld

bed

one

with

th

ere

leva

ntd

epar

tmen

tso

fD

HS

For

cert

ain

info

rmat

ion

syst

ems

lo

cala

ndr

emot

elo

gins

are

not

per

m

itted

bet

wee

nth

eho

urs

of1

130

p

ma

nd6

00

am

Th

isp

ract

ice

clos

ely

adhe

res

toth

epo

licy

for

spec

ific

syst

ems

Enfo

rcin

ga

man

dato

rya

cces

spe

riod

may

hel

pen

sure

that

a

mal

icio

usin

side

ris

not

usi

ngs

ys

tem

sw

hen

supe

rvis

ion

isle

ss

ened

Ei

ghtp

erce

nt(2

9)o

fthe

in

side

rsd

ocum

ente

din

the

CERT

In

side

rTh

reat

Cas

eda

taba

se

CERT | SOFTWARE ENGINEERING INSTITUTE | 84

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sus

eda

cces

sou

tsid

eof

nor

mal

w

orki

ngh

ours

toc

arry

out

thei

rill

icit

activ

ities

Whe

nan

em

ploy

eea

ttem

pts

tolo

gin

toa

res

tric

ted

syst

emd

urin

gof

fpe

akh

ours

an

auto

mat

ice

mai

lno

tice

iss

entb

yth

eO

ITto

per

sons

in

the

empl

oyee

rsquosm

anag

emen

tch

ain

ofc

omm

and

This

pra

ctic

eis

not

con

sist

enta

cros

sal

lsys

tem

san

dis

not

par

tofo

ther

in

cide

ntr

espo

nse

proc

edur

es

USC

ISs

houl

dco

nsid

erim

ple

men

ting

this

pra

ctic

ein

toth

ela

rger

sys

tem

ofi

ncid

entr

esp

onse

to

incl

ude

corr

elat

ion

with

oth

ere

vent

san

dov

era

pe

riod

oft

ime
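The off-hours login notice and the correlation over time that the countermeasure asks for, as an added example that is not USCIS, DHS or CERT code: it takes the 11:30 p.m. to 6:00 a.m. restricted window stated above, flags every successful login inside it, and escalates a user whose off-hours logins repeat within seven days. The login-record format, the user and system names and the three-in-seven-days threshold are assumptions made for the example.

```python
"""Off-hours login detection with correlation over time.

Added example (not USCIS, DHS or CERT code). Assumed input: one login
record per line, "<ISO timestamp> <user> <system> <event>", constructed
below. The restricted window follows the report: no logins between
11:30 p.m. and 6:00 a.m. on the covered systems.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

WINDOW_START = time(23, 30)          # 11:30 p.m.
WINDOW_END = time(6, 0)              # 6:00 a.m. (exclusive)
ESCALATE_AFTER = 3                   # assumed threshold for escalation
ESCALATE_PERIOD = timedelta(days=7)  # assumed correlation period

# Constructed sample records; users and systems are placeholders.
SAMPLE_LOG = """\
2010-11-01T08:15:00 jdoe CLAIMS3 login-success
2010-11-01T23:45:00 asmith CLAIMS3 login-success
2010-11-02T02:10:00 asmith CLAIMS3 login-success
2010-11-02T05:59:00 asmith NFTS login-success
2010-11-02T06:00:00 jdoe NFTS login-success
2010-11-03T12:00:00 asmith CLAIMS3 login-failure
2010-11-15T00:30:00 bjones CLAIMS3 login-success
"""


def in_restricted_window(ts):
    """True when the clock time lies in [23:30, 06:00). The window crosses
    midnight, so the two halves are tested separately."""
    t = ts.time()
    return t >= WINDOW_START or t < WINDOW_END


def parse_log(text):
    """Yield (timestamp, user, system) for each successful login record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, system, event = line.split()
        if event == "login-success":
            yield datetime.fromisoformat(stamp), user, system


def off_hours_logins(text):
    """Every successful login inside the restricted window, in log order."""
    return [(ts, user, system) for ts, user, system in parse_log(text)
            if in_restricted_window(ts)]


def escalations(text):
    """Map user -> ISO time of the login that completed ESCALATE_AFTER
    off-hours logins within a rolling ESCALATE_PERIOD. Users who never
    reach the threshold are absent from the result."""
    per_user = defaultdict(list)
    for ts, user, _ in off_hours_logins(text):
        per_user[user].append(ts)
    result = {}
    for user, stamps in per_user.items():
        stamps.sort()
        for i in range(ESCALATE_AFTER - 1, len(stamps)):
            if stamps[i] - stamps[i - ESCALATE_AFTER + 1] <= ESCALATE_PERIOD:
                result[user] = stamps[i].isoformat()
                break
    return result


def notices(text):
    """One line per off-hours login (the content of the automatic notice
    to the management chain) followed by one line per escalation."""
    lines = [f"NOTICE {ts.isoformat()} user={user} system={system} off-hours login"
             for ts, user, system in off_hours_logins(text)]
    for user, when in escalations(text).items():
        lines.append(f"ESCALATE user={user}: {ESCALATE_AFTER} off-hours logins "
                     f"within {ESCALATE_PERIOD.days} days, last at {when}")
    return lines


if __name__ == "__main__":
    print("\n".join(notices(SAMPLE_LOG)))
```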

Area of Concern: Access Privileges – General
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: At the Vermont Service Center, OIT staff are the only ones present late at night. As part of their duties, they also have electronic access to the CLAIMS 3 information system.
Policy or Practice Gaps: As a function of the electronic access and the physical layout of the Service Center, OIT personnel have access to CLAIMS 3 as well as the physical files in the building.
Suggested Countermeasures: USCIS should consider the minimum level of access (least privilege) needed for all personnel to accomplish their job duties. Thirteen percent (49) of the insiders documented in the CERT Insider Threat Case database violated a need to know in order to perpetrate their crimes, including stealing PII and proprietary information. In addition, several insiders committed their crimes while working on the night shift, where they enjoyed a reduced level of scrutiny. Unrestricted electronic and physical access to such high-risk data and systems outside of normal working hours presents a high degree of risk to USCIS.

Area of Concern: […] for USCIS
Responsible Personnel: Information Technology, Office of Security and Integrity
Policy and/or Security Measure: The U.S. Department of State Consular Affairs network grants access to FSNs working in embassies and consulates, and it connects to USCIS systems.
Policy or Practice Gaps: According to one interviewee, some FSNs on the Consular Affairs network are suspected to be working for arms of foreign intelligence or security agencies. USCIS has used technical methods (e.g., firewalls) to ensure that USCIS systems are protected from any interconnections with the U.S. Department of State's networks.
Suggested Countermeasures: Since USCIS cannot determine what access the U.S. Department of State grants to FSNs on its systems, USCIS should continue to use technical measures to prevent unauthorized access while working with counterintelligence personnel to deal with suspected foreign agents working around U.S. government facilities.

Area of Concern: Access Privileges – System Administrator
Policy and/or Security Measure: There is a single person who has the knowledge of and responsibility for administering the voice mail systems.
Policy or Practice Gaps: This single point of failure makes it difficult to recover from a malicious act on this particular system.
Suggested Countermeasures: A few insiders in the cases analyzed by CERT used their unrevoked access to the organization's phone system to harm the organization. In one case, the entire customer service voice mail system was redirected to a pornographic phone site. In another, derogatory comments about the organization were recorded and played for every voice mailbox. USCIS should place additional staff in the role of administrators for the USCIS voice mail system. This would allow USCIS to implement some form of separation of duties or, at the very least, minimal checks and balances to prevent tampering with the voice mail system. USCIS should ensure that it manages accounts and passwords for internal systems such as voice mail as well as external accounts. One insider documented in the CERT Insider Threat Case database changed the domain name system registry for his organization's website so that visitors were sent to a pornographic website. These types of accounts are used very infrequently and are often not included in formal termination procedures.

Area of Concern: Management of Remote Access
Responsible Personnel: Information Technology, Security Network Operations Center, Information Technology
Policy and/or Security Measure: Port security would prevent a user from connecting a personal machine directly to a USCIS network. This security mechanism is handled by the SNOC. Remote access, on the other hand, is handled by DHS. USCIS has access to very limited information, including logs, for remote connections because of contract stipulations with Sprint. The assessment team received conflicting opinions about whether a personal machine could be connected with a remote account.
Policy or Practice Gaps: Although connecting a personal laptop to a USCIS network via a remote connection may or may not be blocked, the SNOC was not confident it would be blocked because it does not control that access. It is possible that a user could connect with a personal machine if DHS allowed it.
Suggested Countermeasures: USCIS should coordinate with DHS personnel to ensure that desired USCIS security policies are enforced for personnel accessing USCIS systems and data. Seven percent (26) of the insiders documented in the CERT Insider Threat Case database were able to attack in part because of insufficient monitoring of external access.

Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: The contractors responsible for VIS have implemented a strict access control solution with Firepass, and it appears to accomplish its goal of ensuring that only the proper personnel are granted access and that they perform authorized actions once they are connected.
Policy or Practice Gaps: Unfortunately, they are the only contractors and system using Firepass, and it will not be used once the move is made to Stennis Space Center. They are unsure of what controls will be used at Stennis.
Suggested Countermeasures: Implementing a Firepass solution for all USCIS systems might not be cost effective. USCIS management should at least examine the risk posed to the most critical systems and implement a Firepass-like solution for those that require remote access. As stated above, one in ten insiders documented in the CERT Insider Threat Case database used the creation of unknown paths into organization systems; proper measures might have prevented many of those instances.

Area of Concern: Non-System Administrators with Authorized Access to Administrator Accounts
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: According to one interviewee, FSNs are system administrators on some U.S. Department of State systems in embassies or consulates abroad. The U.S. Department of State has authorized access for some FSNs to some USCIS systems needed for the performance of their duties.
Policy or Practice Gaps: An FSN who is a system administrator for U.S. Department of State systems does not necessarily have administrator rights on USCIS systems. One interviewee expressed concern, however, that an administrator who is a citizen of a foreign country could escalate privileges or use social engineering tactics to gain unauthorized access to USCIS systems.
Suggested Countermeasures: Ten percent (39) of insiders documented in the CERT Insider Threat Case database took advantage of insufficient access controls to conduct their crimes. USCIS should examine USCIS system access for U.S. Department of State system administrators as well as how those connections are monitored or logged. They should also work with the U.S. Department of State to understand its processes for granting FSNs access to U.S. Department of State systems.

Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: There are currently no limits on A-files an adjudicator can request in the National File Tracking System (NFTS).
Policy or Practice Gaps: The lack of limits placed on requesting A-files in NFTS may allow adjudicators to request a file by name even if they should not be accessing that file.
Suggested Countermeasures: There should be logical controls [with] which to detect “extraordinary” or suspicious file transfer requests. In one USCIS case the insider requested a file transfer to a region for an individual whose files were in another region and whose forms had been previously denied.

Area of Concern: Protection of Controlled Information
Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS has […] information […]
Policy or Practice Gaps: […] the insider […] email to […]
Suggested Countermeasures: Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. The unauthorized exfiltration of controlled information […] can have devastating effects on an organization. A variety of insider threat cases studied by CERT [rev]ealed circumstances in which internal […] through the download of information to portable media or […] unauthorized […] attacks, or to communicate sensitive information […] to competitors or conspirators. In some instances, malicious insiders carried out an attack […] storage devices […] amounts of data downloaded […] anomalous increase in network traffic […]. Organizations must ensure and enforce that employees understand what constitutes acceptable use of company resources, including information assets, and policies regarding what […] compliance […] technical means. […] monitoring network traffic may help protect controlled […] implemented network monitoring strategies that would detect large […] network traffic by total volume or type of traffic (e.g., by either port or protocol) […].

Area of Concern: Data Download to […] Media
[Remaining cells of this row were lost in extraction.]

Area of Concern: Data Download […] From Home
Policy and/or Security Measure: There is a policy […]ly owned […] to perform offi[cial] […] against using [per]sonal computer equi[pment] […] official duties for U[SCIS] […] be done with [governm]ent-furnished equipment (GFE) […]. Telework should only […]
Policy or Practice Gaps: A case from the USCIS CT Task Force showed that […] performe[d a] signific[ant] am[ount] o[f] official business, includ[ing] […] [l]aptop […] [per]sona[l e]mail […] on his personal systems […]velop a system that he was rewarded for producing. There are no technical controls to catch this activity unless the device is physically plugged into the network.
Suggested Countermeasures: [Cell text largely lost in extraction; legible fragments, in order: "authorized", "inappro[priate]", "[d]evices", "prohibited from systems", "the controls", "are permitted", "exhibiting malicious", "[secu]rity awareness [c]ampai[gn]", "[d]evices … be logged", "[s]uspi[cious]", "leav[e]", "[i]ntia[te]", "1) Exce… that are technically …", "should be …", "2) If USB …", "employee sign[s]", "USCIS h…", "track", "audi[t]", "[i]nsider", "work", "convictions".]

Area of Concern: Protecting Critical […]
Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC responds to spills of PII. Files […] The information about the incident is transferred from the data owner, who becomes aware of the spill, to the OSI, which creates a Serious Incident Report (SIR) that it forwards to the Privacy Officer and finally to the SNOC.
Policy or Practice Gaps: USCIS responds to PII spillages, which occur on a weekly basis […] often enough that its staff is well versed in response procedures. Unfortunately, the frequency to which incidents occur and the response procedures in place do not seem to reduce the number of incidents or provide automated detection when spillage occurs.
Suggested Countermeasures: The response effort to a PII spillage involves many parties and appears to [be] a complicated process for an event that happens on a weekly basis. Though these spillages are accidental events […]

Responsible Personnel: Information Technology
Policy and/or Security Measure: Access to network resources is terminated immediately when a spill or misconduct is suspected.
Policy or Practice Gaps: This practice appears to be done consistently.
Suggested Countermeasures: USCIS should continue this practice as part of its incident response procedures. Incorporating an appropriate level of monitoring would also be a prudent measure.

Audit, Monitor, Backup, Recovery

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

Preventing insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

In addition, the SNOC lacks the resources to focus on monitoring for suspicious insider activity, focusing instead primarily on protection from external incidents.

Area of Concern: Modification / Disabling Log Files
Responsible Personnel: Information Technology
Policy and/or Security Measure: Log files are accessible by the domain administrators and system administrators of each respective system.
Suggested Countermeasures: USCIS should send critical logs to a centralized log server and protect the log files to permit a forensic reconstruction of network or host-based events.

Responsible Personnel: Information Technology
Policy or Practice Gaps: The lack of consistency for what is logged across USCIS servers, systems, applications, and workstations is concerning. Several parties addressed the fact that IT personnel must be able to physically reach a machine in a timely fashion if they hope to capture logs related to an incident. This assumption makes it likely that critical log information will be missed.
Suggested Countermeasures: Although six percent (23) of the insiders documented in the CERT Insider Threat Case database were able to modify or disable log files […]

Area of Concern: Monitoring Suspicious Activity
Responsible Personnel: Information Technology
Policy and/or Security Measure: […] are sometimes limited to 24 hours or less of collection.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Database administrators are responsible for monitoring and alerting when data access attempts are made to critical data in USCIS databases.
Suggested Countermeasures: USCIS should consider clearly defining the responsibility of database administrators and the SNOC for monitoring, alerting, and responding to unauthorized data access. Once the responsibility is assigned, the appropriate group should diligently prevent, detect, and respond to unauthorized data access, modification, and exfiltration attempts.

Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS has the ability to create inbound firewall rules to filter potentially malicious network traffic.
Policy or Practice Gaps: Network traffic filtering is happening only on inbound traffic, not outbound traffic. The resources do not exist to examine outbound traffic, only inbound traffic. Furthermore, the intrusion detection systems are not optimized to detect security events.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that monitors and filters inbound and outbound network traffic. This strategy may prevent or detect the unauthorized transfer of USCIS data outside the organization. Many insiders documented in the CERT Insider Threat Case database were able to commit their malicious activities using laptops.

Responsible Personnel: Information Technology
Policy and/or Security Measure: No evidence provided.
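The outbound-traffic monitoring that the countermeasure above recommends, and the volume-by-port-or-protocol detection the controlled-information row describes, as one added example that is not USCIS or CERT code: it builds a per-host baseline of daily outbound bytes from NetFlow-style records (constructed here), flags a day whose outbound volume jumps far above that baseline, and names the protocol and destination port that carried most of the jump. The record format, host names and the 5x threshold are assumptions made for the example.

```python
"""Outbound-volume anomaly detection over flow records.

Added example (not USCIS or CERT code). Assumed input: NetFlow-style
records, one per line, "<date> <host> <proto> <dst_port> <bytes>
<direction>", with direction labelled by the collector; constructed
below. Hosts, dates and the FACTOR threshold are placeholders.
"""
from collections import defaultdict
from datetime import date
from statistics import median

FACTOR = 5.0            # flag a day whose outbound bytes exceed 5x baseline
MIN_BASELINE_DAYS = 3   # do not judge a host with fewer prior days than this

# Constructed sample flows: ws-17 pushes ~900 MB over tcp/22 on 11-04,
# far above its ~50 MB/day of https; ws-02 stays near its baseline.
SAMPLE_FLOWS = """\
2010-11-01 ws-17 tcp 443 52000000 out
2010-11-02 ws-17 tcp 443 48000000 out
2010-11-03 ws-17 tcp 443 61000000 out
2010-11-04 ws-17 tcp 443 55000000 out
2010-11-04 ws-17 tcp 22 900000000 out
2010-11-04 ws-17 tcp 443 300000000 in
2010-11-01 ws-02 tcp 443 10000000 out
2010-11-02 ws-02 tcp 443 12000000 out
2010-11-03 ws-02 tcp 443 9000000 out
2010-11-04 ws-02 tcp 443 11000000 out
"""


def parse_flows(text):
    """Yield (day, host, proto, port, nbytes) for outbound records only;
    inbound volume is not part of this check."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, proto, port, nbytes, direction = line.split()
        if direction == "out":
            yield date.fromisoformat(day), host, proto, int(port), int(nbytes)


def daily_totals(text):
    """Return (totals, by_service): totals[host][day] is outbound bytes,
    by_service[host][day][(proto, port)] splits that by type of traffic."""
    totals = defaultdict(lambda: defaultdict(int))
    by_service = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, host, proto, port, nbytes in parse_flows(text):
        totals[host][day] += nbytes
        by_service[host][day][(proto, port)] += nbytes
    return totals, by_service


def anomalies(text, review_day):
    """Return {host: (total, baseline, (proto, port))} for hosts whose
    outbound bytes on review_day (ISO string) exceed FACTOR times the
    median of their earlier days; the tuple names the dominant service."""
    review = date.fromisoformat(review_day)
    totals, by_service = daily_totals(text)
    flagged = {}
    for host, days in totals.items():
        prior = [b for d, b in days.items() if d < review]
        if len(prior) < MIN_BASELINE_DAYS or review not in days:
            continue
        baseline = median(prior)
        total = days[review]
        if total > FACTOR * baseline:
            top = max(by_service[host][review].items(), key=lambda kv: kv[1])[0]
            flagged[host] = (total, baseline, top)
    return flagged


if __name__ == "__main__":
    for host, (total, base, (proto, port)) in anomalies(SAMPLE_FLOWS, "2010-11-04").items():
        print(f"ALERT {host}: {total} bytes out vs. median {base}; mostly {proto}/{port}")
```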

Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC is responsible for determining the root cause of an incident, including using forensic tools to identify affected workstations, desktops, and laptops.
Policy or Practice Gaps: The SNOC has had problems identifying the root cause of an affected workstation or user because of the lack of network forensic applications. Ideally, the SNOC should be able to trace network traffic from source to destination and watch activity. It has a standalone forensic capability but nothing on the network.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that includes forensic tools to aid investigations.

Area of Concern: Backups
Responsible Personnel: Information Technology
Policy and/or Security Measure: Backup testing for many systems occurs once per year. In some cases, the backups are only tested with a tabletop exercise and do not use similar or identical hardware to that used in the production environment.
Policy or Practice Gaps: Tabletop exercises may not give USCIS a true indication of its ability to recover from a systemic failure. When possible, backups should be implemented on similar hardware to ensure that the backup tape is functional and the backup is operational.
Suggested Countermeasures: In six percent (22) of the cases documented in the CERT Insider Threat Case database, the impact of the crime was magnified because of insufficient backups.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Years of backup tapes are kept on site at the Vermont Service Center, and system administrators have access to these backup files.
Policy or Practice Gaps: Administrators who have access to the backup tapes would be able to …
Suggested Countermeasures: Backup media should be controlled, carefully documented, and stored off site with limited access. Without those control…
s

USC

ISc

anno

tbe

sure

its

back

ups

will

giv

eit

the

abili

tyto

rec

over

ss

ecur

ity o wn

Proa

ctiv

ely

addr

essi

ngk

now

nse

curi

tyv

ulne

rabi

litie

ssh

ould

be

apr

iori

tyfo

ran

yor

gani

zatio

nse

ekin

gto

miti

gate

the

risk

ofi

nsid

erth

reat

sa

wel

las

exte

rnal

thre

ats

Cas

est

udie

sha

ves

how

nth

atm

alic

ious

insi

ders

fol

low

ing

term

inat

ion

will

som

etim

ese

xplo

itkn

own

tech

nica

lho

uld

have

ap

roce

sst

vuln

erab

ilitie

sth

atth

eyk

now

hav

eno

tbee

npa

tche

dto

obt

ain

syst

ema

cces

san

dca

rry

outa

nat

tack

O

rgan

izat

ions

sdr

ess

kno

ensu

reth

ato

pera

ting

syst

ems

and

othe

rso

ftw

are

have

bee

nha

rden

edo

rpa

tche

din

ati

mel

ym

anne

rw

hen

poss

ible

Fa

ilure

toa

dvu

lner

abili

ties

prov

ides

an

insi

der

ampl

eop

port

unity

and

pat

hway

sfo

rat

tack

mak

ing

itm

ore

diff

icul

tfor

an

orga

niza

tion

top

rote

ctit

self

Tech

nica

lSec

urit

yV

ulne

rabi

litie

s

CERT | SOFTWARE ENGINEERING INSTITUTE | 101

ount

erm

easu

res

Sugg

este

dC

CERT | SOFTW ARE ENGINE ERING INSTITUTE |102

ceG

aps

Polic

yor

Pra

cti

The

pres

ence

of

host

pe

rim

eter

and

m

prot

ectio

nfo

rCI

Sin

al

war

epu

tsU

Sa

rela

tivel

yse

curd

ing

rep

ositi

onr

ega

oads

m

alic

ious

dow

nl

Polic

yan

dor

Se

easu

re

curi

tyM

Th

eO

ITr

elie

son

tan

ism

sto

w

om

ech

wnl

ode

tect

the

doad

of

licio

us

ma

code

1)

DH

S

nte

mon

itors

the

Ig

atrn

etw

aya

nd

e

2)

orks

ta

age

nto

nw

tio

ns

ale

rts

mm

edi

the

OIT

iat

ely

upon

dis

cov

wn

mal

er

yof

kno

war

eT

heO

ITs

hth

epo

rt

uts

dow

n

tob

lock

mal

ici

ere

ap

ous

code

wh

prop

riat

e

sin

stal

la

als

ode

tect

nel

Resp

onsi

ble

Pers

onog

yIn

form

atio

nTe

chno

l ogy

Info

rmat

ion

Tech

nol

Are

ac

ofC

oner

ne

Add

rss

ino

wn

ngK

Secu

rer

it

yV

uln

ies

abili

t

eA

ddr

ssi

now

nng

KSe

cur

er

ity

Vul

nie

sab

ilit

Sugg

este

dCo

unte

rmea

sure

s

Tw

elve

per

cent

(46)

oft

hec

ases

do

cum

ente

din

the

CERT

Insi

der

Thre

atC

ase

data

base

invo

lve

user

sab

usin

gad

min

istr

ator

pri

vi

lege

sto

sab

otag

esy

stem

sor

da

ta

Alth

ough

USC

ISu

sers

nee

dfo

rad

min

istr

ator

righ

tsto

inst

allo

rru

nau

thor

ized

sof

twar

eth

eO

IT

shou

ldc

onsi

der

givi

ngu

sers

se

para

tea

dmin

istr

ator

acc

ount

sfo

rth

ese

expl

icit

purp

oses

U

sers

co

uld

then

use

non

adm

inis

trat

or

acco

unts

for

thei

rda

ilyw

ork

Th

isw

ould

gre

atly

min

imiz

eth

eri

sko

fmal

war

eco

mpr

omis

e

Polic

yor

Pra

ctic

eG

aps

Am

itiga

ting

fact

or

is

that

the

depa

rtin

gem

ploy

eew

ould

ne

edp

hysi

cala

cces

sto

the

syst

emto

lo

gin

A

use

rw

itha

dmin

istr

ator

pri

vile

ges

mus

tnot

rel

yso

lely

on

auto

mat

ic

mec

hani

sms

tos

afeg

uard

his

or

her

com

pute

rA

dmin

istr

ator

rig

hts

give

in

adve

rten

tlyd

ownl

oade

dm

alw

are

the

abili

tyto

com

plet

ely

com

prom

ise

asy

stem

som

etim

esw

ithou

tthe

kn

owle

dge

ofth

eus

er

Polic

yan

dor

Sec

urit

yM

easu

re

tion

ofm

alic

ious

cod

efr

omU

SBs

and

othe

rm

edia

USC

ISu

sers

hav

elo

cala

dmin

istr

ator

ri

ghts

on

thei

row

nm

achi

nes

Thi

sal

low

sus

ers

toin

stal

lsof

twar

eon

th

eirs

yste

ms

So

me

auth

oriz

eds

oftw

are

does

re

quir

ead

min

istr

ator

rig

hts

toin

stal

l

Som

eap

plic

atio

nsa

ctua

llyr

equi

re

adm

inis

trat

orri

ghts

tor

un

Resp

onsi

ble

Pers

onne

l

Info

rmat

ion

Tech

nolo

gy

Are

aof

Con

cern

Unm

anag

edS

ys

tem

s

CERT | SOFTWARE ENGINEERING INSTITUTE | 103

Conf

igur

atio

nM

anag

emen

t

Effe

ctiv

eco

nfig

urat

ion

man

agem

enth

elps

ens

ure

the

accu

racy

int

egri

tya

ndd

ocum

enta

tion

ofa

llco

mpu

ter

and

netw

ork

syst

emc

onfig

ura

tions

A

wid

eva

riet

yof

cas

esin

the

CERT

Insi

der

Thre

atC

ase

data

base

doc

umen

tins

ider

sw

hor

elie

dhe

avily

on

the

mis

conf

igur

atio

nof

sys

te

ms

The

yhi

ghlig

htth

ene

edfo

rst

rong

erm

ore

effe

ctiv

eim

plem

enta

tion

ofa

utom

ated

con

figur

atio

nm

anag

emen

tcon

trol

sO

rgan

izat

ions

sh

ould

als

oco

nsid

erc

onsi

sten

tdef

initi

ona

nde

nfor

cem

ento

fapp

rove

dco

nfig

urat

ions

Ch

ange

sor

dev

iatio

nsfr

omth

eap

prov

edc

onfig

urat

ion

base

line

shou

ldb

elo

gged

so

they

can

be

inve

stig

ated

for

pote

ntia

lmal

icio

usin

tent

Co

nfig

urat

ion

man

agem

enta

lso

appl

ies

tos

oftw

are

sou

rce

code

and

app

licat

ion

files

O

rgan

izat

ions

that

do

note

nfor

cec

onfig

urat

ion

ma n

agem

enta

cros

sth

een

terp

rise

are

ope

ning

vul

nera

bilit

ies

for

expl

oitb

yte

chni

cali

nsid

ers

with

suf

ficie

ntm

otiv

atio

nan

da

lack

ofe

thic

s

The

OIT

has

ac

onfig

urat

ion

man

agem

entp

olic

yth

atp

rovi

des

base

line

soft

war

eco

nfig

urat

ions

for

USC

ISd

eskt

ops

and

lapt

ops

The

OIT

sca

ns

for

inco

rrec

to

utda

ted

or

unp

atch

edv

ersi

ons

ofs

oftw

are

onth

eap

prov

eds

oftw

are

list

The

OIT

kee

pstr

ack

ofd

iffer

entb

asel

ines

for

diff

er

entc

ontr

acts

D

espi

tetr

acki

nga

nda

rig

orou

sco

nfig

urat

ion

man

agem

entp

olic

yth

eO

ITh

asd

iffic

ulty

kee

ping

trac

kof

the

901

50d

iffer

ents

ys

tem

imag

esin

the

USC

ISe

nvir

onm

ent

Rog

ues

oftw

are

orm

alw

are

iso

ften

dis

cove

red

thro

ugh

ade

liber

ate

man

uals

can

rat

her

than

thro

ugh

ana

utom

ated

pro

cess

To

mak

eth

ista

skm

ore

diff

icul

tth

ere

have

bee

nU

SCIS

em

ploy

ees

with

sen

iori

tyo

rin

fluen

cew

hoa

rea

ble

tou

selo

cal

adm

inis

trat

orp

rivi

lege

sto

inst

alls

oftw

are

for

the

sake

ofc

onve

nien

ce

Conc

erns

reg

ardi

ngc

onfig

urat

ion

man

agem

entm

ake

itdi

ffic

ultf

orth

eO

ITto

ad e

quat

ely

prev

ent

det

ect

and

res

pond

tor

ogue

sof

twar

eor

m

alw

are

usin

gits

cur

rent

pro

cedu

res

We

sugg

ests

ome

cons

ider

atio

nsfo

rle

vera

ging

exi

stin

gde

ploy

men

tsa

ndm

odify

ing

inci

dent

res

pons

epr

actic

esto

incr

ease

eff

ectiv

enes

s

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sCo

nfig

urat

ion

Man

agem

ent

USC

ISL

eade

rshi

p In

form

atio

nTe

chno

logy

The

OIT

has

ac

onfig

urat

ion

man

ag

emen

tpol

icy

for

soft

war

eco

nfig

ura

tion

base

lines

Th

eO

ITs

cans

for

inco

rrec

to

utda

ted

or

unpa

tche

dve

rsio

nso

fsof

twar

eon

the

ap

Des

pite

rig

orou

sco

nfig

urat

ion

man

ag

emen

tpol

icy

the

OIT

has

diff

icul

ty

keep

ing

trac

kof

the

90to

150

diff

er

ents

yste

mim

ages

inth

eU

SCIS

env

iro

nmen

tR

ogue

sof

twar

eor

mal

war

e

Seve

ntee

nca

ses

docu

men

ted

in

the

CERT

Insi

der

Thre

atC

ase

da

taba

sein

volv

eus

ers

expl

oitin

gth

ela

cko

rw

eakn

ess

ofa

con

fig

urat

ion

man

agem

ents

yste

m

CERT | SOFTWARE ENGINEERING INSTITUTE | 104

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

spr

oved

sof

twar

elis

tT

heO

ITk

eeps

tr

ack

ofd

iffer

entb

asel

ines

for

dif

fere

ntc

ontr

acts

iso

ften

dis

cove

red

thro

ugh

ade

liber

at

em

anua

lsca

nra

ther

than

thro

ugh

ana

utom

ated

pro

cess

toc

arry

out

thei

rat

tack

s

The

OIT

cou

ldle

vera

geth

eex

ist

ing

ePO

dep

loym

entt

oco

mpl

em

enti

tsc

onfig

urat

ion

man

age

men

teff

orts

eP

Oc

and

efin

ea

base

line

for

soft

war

eap

plic

atio

ns

and

aler

ton

any

devi

atio

nsfr

om

that

bas

elin

e

USC

ISL

eade

rshi

p

No

evid

ence

pro

vide

d

Ins

ome

case

sin

divi

dual

sw

iths

en

iori

tyo

rin

fluen

cea

rea

ble

tou

se

adm

inis

trat

orp

rivi

lege

sto

inst

all

soft

war

efo

rth

esa

keo

fcon

veni

ence

USC

ISs

houl

den

sure

that

con

fig

urat

ion

polic

yis

con

sist

ently

co

mm

unic

ated

and

enf

orce

dth

roug

hout

the

orga

niza

tion

Ev

ens

enio

rle

ader

ship

sho

uld

notb

eab

leto

cas

ually

cir

cum

ve

ntth

ese

polic

ies

with

outg

oing

th

roug

hth

epr

oper

cha

nnel

sas

de

fined

by

the

conf

igur

atio

nm

anag

emen

tpol

icy

Conf

igur

atio

nM

anag

emen

t

USC

ISL

eade

rshi

p In

form

atio

nTe

chno

logy

Serv

ice

Cent

ers

are

resp

onsi

ble

for

lock

ing

dow

nde

skto

psto

pre

vent

un

auth

oriz

eds

oftw

are

from

runn

ing

The

lock

dow

npr

oces

sre

lies

onh

um

anin

terv

entio

nI

fcal

lvol

ume

to

the

Serv

ice

Cent

eris

hea

vyt

his

may

in

crea

ser

espo

nse

time

toa

nun

ac

cept

able

leve

l

The

OIT

sho

uld

expl

ore

way

sto

au

tom

ate

lock

dow

nof

pot

en

tially

com

prom

ised

sys

tem

sT

his

wou

ldr

equi

rea

car

eful

bal

ance

of

ser

vice

ver

sus

secu

rity

O

nth

ese

rvic

esi

ded

elay

edr

espo

nse

by

the

Serv

ice

Cent

erm

ayr

esul

tin

loss

ofp

rodu

ctiv

ity

On

the

secu

ri

tys

ide

del

ayed

res

pons

eco

uld

CERT | SOFTWARE ENGINEERING INSTITUTE | 105

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sle

adto

sys

tem

com

prom

ise

M

anag

emen

tsho

uld

eval

uate

the

risk

sof

ac

ompr

omis

ean

dw

eigh

th

ose

risk

sag

ains

tthe

pot

entia

lco

nseq

uenc

eso

fser

vice

dis

rup

tion

CERT | SOFTWARE ENGINEERING INSTITUTE | 106
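The baseline scan described in the Configuration Management rows above, as an added Python example that is not code from the CERT/OIG report: it compares each host's installed-software inventory against the approved baseline for its system image, flags unapproved, outdated, and missing packages, and emits one log line per deviation so it can be investigated. Image names, package names, version numbers, and host names are constructed for illustration.

```python
"""Configuration-baseline deviation scan.

Added example; not code from the CERT/OIG report. It models the control the
report describes: a baseline of approved software per system image, a scan for
incorrect, outdated, or unpatched versions, and a log of every deviation so it
can be investigated for potential malicious intent. All image names, package
names, versions, and host names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Approved baseline per system image (constructed): package -> minimum patched
# version. A package absent from an image's baseline is not approved on it.
BASELINES: Dict[str, Dict[str, Version]] = {
    "image-adjudicator-v3": {
        "office-suite": (14, 0, 2),
        "pdf-reader": (9, 3, 1),
        "av-agent": (8, 7, 0),
    },
    "image-sysadmin-v3": {
        "office-suite": (14, 0, 2),
        "av-agent": (8, 7, 0),
        "remote-admin": (5, 1, 0),
    },
}


def parse_version(text: str) -> Version:
    """'9.3.1' -> (9, 3, 1). Non-numeric components compare as 0, so a malformed
    version string yields a deviation instead of aborting the whole scan."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


@dataclass
class Deviation:
    host: str
    image: str
    package: str
    kind: str    # "unapproved", "outdated", "missing", or "unknown-image"
    detail: str


def check_host(host: str, image: str, inventory: Dict[str, str]) -> List[Deviation]:
    """Compare one host's installed software (package -> version string) with the
    baseline for its image. Returns an empty list for a compliant host."""
    if image not in BASELINES:
        # An image nobody tracks cannot be scanned at all; report that as a finding.
        return [Deviation(host, image, "*", "unknown-image",
                          "no baseline defined for this image")]
    baseline = BASELINES[image]
    findings: List[Deviation] = []
    for pkg, ver in sorted(inventory.items()):
        if pkg not in baseline:
            # Software outside the approved list, e.g. installed with local admin rights.
            findings.append(Deviation(host, image, pkg, "unapproved",
                                      f"installed {ver}, not on approved list"))
        elif parse_version(ver) < baseline[pkg]:
            want = ".".join(str(n) for n in baseline[pkg])
            findings.append(Deviation(host, image, pkg, "outdated",
                                      f"installed {ver}, baseline requires >= {want}"))
    for pkg in sorted(baseline):
        if pkg not in inventory:
            # A required component (such as the AV agent) that has been removed.
            findings.append(Deviation(host, image, pkg, "missing",
                                      "required by baseline but not installed"))
    return findings


def to_log_line(d: Deviation) -> str:
    """One key=value line per deviation, in a form a SIEM can ingest."""
    return (f'event=config_deviation host={d.host} image={d.image} '
            f'package={d.package} kind={d.kind} detail="{d.detail}"')


def scan(hosts: List[Tuple[str, str, Dict[str, str]]]) -> Dict[str, List[Deviation]]:
    """Scan (host, image, inventory) triples; only hosts with deviations are returned."""
    report: Dict[str, List[Deviation]] = {}
    for host, image, inventory in hosts:
        devs = check_host(host, image, inventory)
        if devs:
            report[host] = devs
    return report


# Constructed inventories: one compliant host and three kinds of deviation.
SAMPLE_HOSTS = [
    ("vsc-ws-0101", "image-adjudicator-v3",
     {"office-suite": "14.0.2", "pdf-reader": "9.3.1", "av-agent": "8.7.0"}),
    ("vsc-ws-0102", "image-adjudicator-v3",
     {"office-suite": "14.0.2", "pdf-reader": "9.1.0", "av-agent": "8.7.0",
      "media-player": "2.4"}),
    ("ncr-adm-0007", "image-sysadmin-v3",
     {"office-suite": "14.0.2", "remote-admin": "5.1.0"}),
    ("ncr-ws-0419", "image-legacy-v1", {"office-suite": "12.0.0"}),
]

if __name__ == "__main__":
    for host, devs in scan(SAMPLE_HOSTS).items():
        for d in devs:
            print(to_log_line(d))
```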

Appendix H Acronyms

C3-LAN: CLAIMS 3 – Local Area Network
CBP: Customs and Border Protection
CI: Counterintelligence
CIO: Chief Information Officer
CLAIMS: Computer Linked Application Information Management System
CMMI: Capability Maturity Model Integration
COTR: Contracting Officer's Technical Representative
CSC: Computer Sciences Corporation
CSIRT: Computer Security Incident Response Team
CSO: Chief Security Officer
CMU: Carnegie Mellon University
DBA: Database Administrator
DHS: Department of Homeland Security
DOJ: Department of Justice
FBI: Federal Bureau of Investigation
FDNS-DS: Fraud Detection and National Security Data System
FISMA: Federal Information Security Management Act
FSD: Field Security Division
FSN: Foreign Service National
GFE: Government-furnished Equipment
HR: Human Resources
HSPD-12: Homeland Security Presidential Directive 12
ICE: Immigration and Customs Enforcement
ISSO: Information System Security Officer
IT: Information Technology
LER: Labor and Employee Relations
LPO: Local PICS Officer
NCR: National Capital Region
NFTS: National File Tracking System
ODBC: Open Database Connectivity
OIG: Office of Inspector General
OIT: Office of Information Technology
OSI: Office of Security and Integrity
PERSEC: Personnel Security
PICS: Password Issuance and Control System
PII: Personally Identifiable Information
QA: Quality Assurance
SEI: Software Engineering Institute
SIEM: Security Information and Event Management
SIR: Significant Incident Report
SNOC: Security Network Operations Center
TSA: Transportation Security Administration
USB: Universal Serial Bus

107

USCIS: US Citizenship and Immigration Services
VIS: Verification Information System

108

Appendix I Management Comments to the Draft Report

109

Appendix J Contributors to this Report

Software Engineering Institute Carnegie Mellon University

Insider Threat Center at CERT

Department of Homeland Security Office of Inspector General

Richard Saunders, Director, Advanced Technology Division
Steve Matthews, IT Audit Manager, Advanced Technology Division
Philip Greene, IT Auditor/Team Lead, Advanced Technology Division

110

Appendix K Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chiefs of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Chief Information Security Officer
USCIS Chief Information Officer
USCIS Chief Information Security Officer
USCIS Audit Liaison Office

Office of Management and Budget

Chief Homeland Security Branch DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees as appropriate

111

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse, or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at: DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller

Examining Insider Threat Risk at the

US Citizenship and Immigration Services

PreparedforDepartmentofHomelandSecurity

OfficeofInspectorGeneral

bytheSoftwareEngineeringInstituteatCarnegieMellonUniversity

Insider Threat Center at CERT

December 2010

NOWARRANTY

THISCARNEGIEMELLONUNIVERSITYANDSOFTWAREENGINEERINGINSTITUTEMATERIAL ISFURNISHEDONANASISBASISCARNEGIEMELLONUNIVERSITYMAKESNO WARRANTIESOFANYKINDEITHEREXPRESSEDORIMPLIEDASTOANYMATTER INCLUDINGBUTNOTLIMITEDTOWARRANTYOFFITNESSFORPURPOSEOR MERCHANTABILITYEXCLUSIVITYORRESULTSOBTAINEDFROMUSEOFTHEMATERIAL CARNEGIEMELLONUNIVERSITYDOESNOTMAKEANYWARRANTYOFANYKINDWITH RESPECTTOFREEDOMFROMPATENTTRADEMARKORCOPYRIGHTINFRINGEMENT

Useofanytrademarksinthisreportisnotintendedinanywaytoinfringeontherightsof thetrademarkholder

TableofContents

ExecutiveSummary 1

Recommendation2Incorporateinsiderthreatriskmitigationstrategiesintothe

Recommendation3Centralizerecordsofmisconductandviolationstobetterenablea

Background 2

Objective 3

Scope 3

AssessmentProcessMethodology 5

ResultsofAssessment 7

Organizational 7

HumanResources 9

PhysicalSecurity 11

BusinessProcesses 12

IncidentResponse 14

SoftwareEngineering 15

InformationTechnology 16

Recommendation1Instituteanenterpriseriskmanagementplan 22

Transformationeffort 22

coordinatedresponsetoinsiderthreats 22

Recommendation4 23

Recommendation5Considerseparationofdutiesforcriticalbusinessprocessesand theirrelatedinformationsystems 23

Recommendation7Employconsistentphysicalsecuritypoliciesforfieldofficesand

Recommendation9ExamineHRscreeningproceduresforhighriskpositionsandFSNs

Recommendation10Ensurethatphysicalandcomputeraccessisterminatedinatimely

Recommendation11Enforcearequirementforindividualaccountsoncriticalsystems

Recommendation6ConductauditofPICSandFSNaccountsforUSCISsystems 23

servicecentersincludingthephysicalcasefiles 23

Recommendation8Consistentlyenforceexitprocedures 24

24

fashion 24

25

CERT | SOFTWARE ENGINEERING INSTITUTE | i

Recommendation12 25

Recommendation13Reducethenumberofprivilegedaccountsforcriticaldatasystems

25

Recommendation14 25

Recommendation15Implementproceduralandtechnicalcontrolstopreventsource codeunderdevelopmentfrombeingreleasedwithoutappropriatereview 25

Recommendation16 26

Recommendation17 26

Recommendation18Periodicsecurityrefreshertrainingshouldberegularlyconducted andrequiredforallemployees 26

AppendixHAcronyms 107

AppendixIManagementCommentstotheDraftReport 109

AppendixJContributorstothisReport 110

AppendixKReportDistribution 111

ManagementCommentsandOIGAnalysis 27

Appendixes 28

AppendixAOrganizational 30

AppendixBHumanResources 37

AppendixCPhysicalSecurity 42

AppendixDBusinessProcesses 48

AppendixEIncidentResponse 62

AppendixFSoftwareEngineering 69

AppendixGInformationTechnology 75

CERT | SOFTWARE ENGINEERING INSTITUTE | ii

ExecutiveSummary

TheUSDepartmentofHomelandSecurityOfficeofInspectorGeneralengagedtheInsider ThreatCenteratCERToftheSoftwareEngineeringInstituteatCarnegieMellonUniversity toconductaninsiderthreatassessmentofUSCitizenshipandImmigrationServicesThe objectiveoftheassessmentwastodeterminehowUSCitizenshipandImmigrationSer viceshastakenstepstoprotectitsinformationtechnologysystemsanddatafromthe threatsposedbyemployeesandcontractorsTheassessmentevaluatedUSCitizenship andImmigrationServicesagainstapproximately400realinsiderthreatcompromisesdocu mentedintheCERTInsiderThreatCasedatabaseThesecasesallprosecutedintheUnited Statesincludefraudsabotageandtheftofintellectualproperty

TheassessmentteamperformedfieldworkinthenationalcapitalregionVermontService CenterandUSCitizenshipandImmigrationServicesBurlingtonofficesDuetothelimited scopeoftheassessmentsystemsreviewedandlocationsvisitedCERTwasnotabletover ifytheinstitutionalizationandenforcementofanyUSCitizenshipandImmigrationSer vicesrsquopoliciesorrenderanoverallopinionoftheeffectivenessofUSCitizenshipandImmi grationServicesinsiderthreatpostureTheOfficeofInspectorGeneraldidnotrequest CERTtoconductacomprehensiveinformationsystemrsquostechnicalsecuritycontrolsreviewor vulnerabilityassessmenttodeterminethesusceptibilitytointernalthreatsTheOfficeof InspectorGeneralmayperformanindepthfollowupreviewtorenderanoverallopinionof theeffectivenessofUSCitizenshipandImmigrationServicesinsiderthreatposture

USCitizenshipandImmigrationServiceshasmadeprogressinimplementingelementsof aneffectiveinsiderthreatprogramSpecificallyithasestablishedaConvictionTaskForce toreviewformeremployeesconvictedofcriminalmisconductwithinthescopeoftheirdu tiesperformsriskmanagementforinformationtechnologyandfinancialmanagementde velopedexitproceduresforemployeesimprovedprotectionofitsfacilitiesandassetsand adherestoformalizedprocessesforsomesystemsInadditionitisimplementingHome landSecurityPresidentialDirective12forphysicalandelectronicaccountmanagement

WhiletheseeffortshaveresultedinsomeimprovementsUSCitizenshipandImmigration Serviceshasopportunitiestoimproveitssecuritypostureagainstthreatsposedbyemploy eesandcontractorsForexampleitcaninstituteanenterpriseriskmanagementplanand incorporateinsiderthreatriskmitigationstrategiesintoitsnewbusinessprocessesItcan alsocentralizerecordsofmisconductandviolationsinstitutealoggingstrategytopreserve systemactivitiesimplementseparationofdutiesforadjudicativedecisionsconductaudits ofnonUSCitizenshipandImmigrationServicesaccountsemployconsistentpoliciesfor physicalsecurityandconsistentlyenforceemployeeexitprocedures

Theassessmentteamismaking18recommendationstotheDirectorofUSCitizenshipand ImmigrationServicestostrengthenthedepartmentrsquossecuritypostureagainstmaliciousin siderthreatsUSCISconcurredwithallofourrecommendationsandhasalreadybegunto takeactionstoimplementthemThedepartmentrsquosresponseisincludedinitsentiretyas appendixI

CERT | SOFTWARE ENGINEERING INSTITUTE | 1

Background

TheUSDepartmentofHomelandSecurity(DHS)OfficeofInspectorGeneral(DHSOIG) engagedtheCERTprogramintheSoftwareEngineeringInstituteatCarnegieMellonUniver sitytoconductaninsiderthreatvulnerabilityassessmentofUSCitizenshipandImmigra tionServices(USCIS)Theprojectapproachestheinsiderthreatproblemontwoprimary fronts

Thehumanbehavioralcomponent

Thetechnologicalsolutionforautomatingpreventionanddetectioncapabilitiesto identifymeasuremonitorandcontrolinsiderthreatvectors

Insiderscanbecurrentorformeremployeescontractorsorbusinesspartnerswhohaveor hadauthorizedaccesstotheirorganizationssystemandnetworksTheyarefamiliarwith internalpoliciesproceduresandtechnologyandcanexploitthatknowledgetofacilitate attacksandevencolludewithexternalattackersCERTrsquosresearchconductedsince2001 hasfocusedongatheringdataaboutactualmaliciousinsideractsincludinginformation technology(IT)sabotagefraudtheftofconfidentialorproprietaryinformationespionage andpotentialthreatstoourNationscriticalinfrastructures

CERTdevelopedaninsiderthreatvulnerabilityassessmentinstrumentforevaluatingvulner abilitiestoinsiderthreatbasedonresearchtodateBecauseofthecomplexityofthein siderthreatproblemmdashinvolvingsecurityofficersinformationtechnologyinformationsecu ritymanagementdataownerssoftwareengineeringandhumanresourcesmdashorganizations needassistanceinmergingthewealthofavailableguidanceintoasingleactionableframe workCERTadvisesorganizationstousethisassessmentinstrumenttohelpsafeguardtheir criticalinfrastructure

CERTbuilttheassessmentbasedonresearchofapproximately400insiderthreatcasesin theCERTInsiderThreatCasedatabase1Thesecasesareacollectionofrealinsiderthreat compromisesmdashprimarilyfraudsabotageandtheftofintellectualpropertymdashthathavebeen prosecutedintheUnitedStatesStartingin2002CERTcollaboratedwithUSSecretSer vicebehavioralpsychologiststocollectapproximately150actualinsiderthreatcasesthat occurredinUScriticalinfrastructuresectorsbetween1996and2002andexaminedthem frombothatechnicalandabehavioralperspectiveSincethatoriginalstudyCERThascon tinuedtoaddcaseswithfundingfromCarnegieMellonrsquosCyLab2bringingthecaselibraryto atotalofapproximately400casesTheinstrumentencompassestechnicalbehavioral processandpolicyissuesandisstructuredaroundinformationtechnologyinformation securityhumanresourcesphysicalsecuritybusinessprocesseslegalandcontracting managementandorganizationalissues

1Notethatthedatabasedoesnotcontainnationalsecurityespionagecasesinvolvingclassifiedin formation 2httpwwwcylabcmuedu

CERT | SOFTWARE ENGINEERING INSTITUTE | 2

Objective

TheobjectiveoftheinsiderthreatvulnerabilityassessmentwastodeterminehowUSCIShas takenstepstoprotectitsITsystemsanddatafromthethreatposedbyemployeesandcon tractorsThisassessmentwasbasedonbehavioralaswellastechnicalexperienceanditis intendedtoassistUSCISinsafeguardingitscriticalinfrastructureTheassessmentwill

EnableUSCIStogainabetterunderstandingofitsvulnerabilitytoinsiderthreatand provideanabilitytoidentifyandmanageassociatedrisks

Identifytechnicalorganizationalpersonnelbusinesssecurityandprocessissues intoasingleactionableframework

Identityshorttermcountermeasuresagainstinsiderthreats

HelpguideUSCISinitsongoingriskmanagementprocessforimplementinglong termstrategiccountermeasuresagainstinsiderthreats

Scope

USCISemploysapproximately18000governmentemployeesandcontractorslocatedat250 officesthroughouttheworld3Theinsiderthreatvulnerabilityassessmentisintendedto focusoncriticalsystemsandhighriskareasofconcernthatcanbeassessedina3to5day timeframeThereforeatapreassessmentwalkthroughmeetingUSCISstaffidentified3 systemsofthe96systemsusedbytheagencyascriticaltoitsoverallmission

VerificationInformationSystem(VIS)mdashthispublicfacingsystemiscomposedoffive differentapplicationsThepurposeofthesystemistoprovidemdash

o Immigrationstatusinformationtogovernmentbenefitgrantingorganiza tionstohelpthemdeterminetheeligibilityofalienswhoapplyforbenefits

o Ameansforprivateemployerstoperformemploymenteligibilityverifica tionofnewlyhiredemployees

ComputerLinkedApplicationInformationManagementSystem(CLAIMS)mdashThissys temprovidesthefollowingfunctions

3httpwwwuscisgovportalsiteuscismenuitemeb1d4c2a3e5b9ac89243c6a7543f6d1avgnextoi d=2af29c7755cb9010VgnVCM10000045f3d6a1RCRDampvgnextchannel=2af29c7755cb9010Vgn VCM10000045f3d6a1RCRD

CERT | SOFTWARE ENGINEERING INSTITUTE | 3

o CLAIMS3LocalAreaNetwork(C3LAN)wasoriginallydevelopedtotrack thereceiptingofapplicantorpetitionerremittancesandtoproducenotices documentingtheremittanceC3LANnowincludesadjudicationarchive cardproductioncasehistorycasetransferondemandreportselectronic filetrackingimagecaptureproductionstatisticsstatusupdateandelec tronicingestofapplicationdatacapturedthroughtheEFilingwebapplica tionandtheDepartmentofTreasurysponsoredlockboxoperations

o C3mainframesupportsprocessingofUSCISapplicationsandpetitionsfor variousimmigrantbenefits(egchangeofstatusemploymentauthoriza tionandextensionofstay)

FraudDetectionandNationalSecurityDataSystem(FDNSDS)mdashThissystemwasde velopedtoidentifythreatstonationalsecuritycombatbenefitfraudandlocate andremovevulnerabilitiesthatcompromisetheintegrityofthelegalimmigration system

Itisimportanttonotethattheinsiderthreatvulnerabilityassessmentislimitedtoareasof concernobservedinthehundredsofcasesintheCERTInsiderThreatdatabasePeople technologyandorganizationsareconstantlychangingandmaliciousinsiderscontinueto comeupwithnewavenuesofattackinordertodefeatapreviouslyeffectivecountermea sureHowevermanyofthecountermeasuressuggestedinthisreportareapplicabletoa multitudeofattackvectors

ItisalsoimportanttonotethatCERTrsquosinsiderthreatresearchhasonlyexploredintentional insidercrimesAccidentaldataleakageisanareaofsignificantconcernfororganizations howeverCERThasnotyetexploredthataspectofinsiderthreatInadditionthefocusof theresearchtodateistodescribehowtheinsiderthreatproblemevolvesovertimeCERTrsquos longtermresearchdoesincludemeasuringtheeffectivenessofmitigationstrategies

CERT | SOFTWARE ENGINEERING INSTITUTE | 4

AssessmentProcessMethodology

AnentranceconferencewasconductedbytheDHSOIGCERTandUSCISonFebruary23 2010TheentranceconferenceintroducedUSCIStotheCERTassessmentteamFollowing theentranceconferenceapreassessmentwalkthroughwasheldatUSCISheadquarterson March102010AtthatmeetingtheCERTassessmentteamandtheDHSOIGteamex plainedtheassessmentprocesstorepresentativesofUSCISUSCISprovidedsomedocu mentationtotheassessmentteamatthattimeandmoredocumentsthroughouttheas sessmentthosedocumentswerereviewedtoprovidesubstantiationforfindingsinthis report

USCISidentified96systemsitusesFollowingtheinitialmeetingUSCISleadershipandthe assessmentteamchosetheVISCLAIMSandFDNSDSsystemsbecausetheywerecriticalto theoverallmissionofUSCISThesethreesystemswerethefocusofthe5dayonsiteas sessment

AtthepreassessmentwalkthroughUSCISindicatedthatithadcreatedaConvictionsTask Forcetoreviewtheactivitiesof10formeremployeesconvictedofcriminalmisconduct withinthescopeoftheirofficialdutiesThepurposeofthetaskforceistoidentifyissues theseemployeesexploitedtocommittheircrimesThetaskforceintendedtodevelopfind ingsandrecommendationsaimedatpreventingsimilarcrimesinthefutureItgraciously extendedaninvitationtotheCERTandDHSOIGteamstoparticipateAsaresulttheteams observedorreviewedtranscriptsofalltelephoneconferencesconductedbythetaskforce Thesefindingsarereflectedinthisreport

TheCERTinsiderthreatteamandtheDHSOIGliaisonwereonsiteatvariousUSCISloca tionsinthenationalcapitalregion(NCR)fromMarch30throughApril12010

TheDHSOIGliaisonswerepresentatallinterviewsTheDHSOIGattendedtheseinterviews asanobserverandassistedCERTasneeded

Facetofaceinterviewswereconductedwithapproximately58representativesintheNCR followedby32representativesintheVermontServiceCenterandUSCISBurlingtonoffices InadditiontelephoneconferenceswereheldwithstafffromtheOfficeofSecurityandIn tegrity(OSI)InvestigationsDivisionandtheSecurityNetworkOperationsCenter(SNOC) Intervieweesrepresentedthefollowingareas

DataOwners(VISCLAIMSandFDNSDS)

ComputerSciencesCorporation(CSC)(softwareengineeringandoperationalsup portforVISCLAIMSandFDNSDS)

CERT | SOFTWARE ENGINEERING INSTITUTE | 5

OSI(PhysicalSecurityRegionalSecurityInvestigationsPersonnelSecurityCounter intelligence)

HumanCapitalandTraining(TrainingHumanResourcesOperationsCenterLabor EmployeeRelations)

OfficeofInformationTechnology(OIT)(ITSecurityComputerSecurityIncidentRe sponseTeamSecurityandNetworkOperationsCenterAccountManagementEn terpriseOperations)

Legal(ProcurementLaw)

VermontServiceCenter(adjudicatorsdataentryclerkssupervisordirectorsOIT softwareengineering)

Allinterviewswereconsideredconfidentialnorecordofparticipatingemployeesisincluded inthisreportorinsubsequentbriefingsFindingsareattributedonlytoagroupordepart mentinterviewedadocumenttheConvictionsTaskForcetelephoneconferencesordirect observation

CERT | SOFTWARE ENGINEERING INSTITUTE | 6

CERT | SOFTWARE ENGINEERING INSTITUTE | 7

AcriticalissueforUSCISisensuringthattheentireorganizationisriskawareandimple mentingaformalriskmanagementprocesstoaddressriskconsistentlyandcontinually acrosstheenterpriseTheredoesnotappeartobeaconsistentunderstandingofthebroad spectrumofrisksfacingUSCISTheassessmentteamwastoldthereisnoenterprisewide riskmanagementprogramatUSCISOITperformsriskmanagementforInformationTech nology(IT)andFinancialManagementperformsriskmanagementforfinancialmattersbut noonewasawareofanyenterprisewideeffortsInadditioneachfieldofficeandservice centerappearstooperatefairlyindependentlyItisimportantforthoseorganizationsto worktogethertoidentifyprioritizeandaddressriskOngoingcommunicationbetweenall componentsofUSCISwillhelpensurethatnewthreatsattackvectorsandcountermea suresarecommunicatedandhandledeffectivelybyall

InadditionUSCISemployeesandcontractorsholdthekeystooneoftheworldrsquosmostcov etedkingdomsmdashUScitizenshipThismakesemployeesandcontractorsattractivetargets forrecruitmentBecauseofthesensitivenatureofUSCISmissionsomeofitsemployees andcontractorshavebeentargetsforrecruitmentfortheftorunauthorizedmodificationof USCISdataAllemployeesshouldbeawareoftheconsequencesofparticipatinginfraud againstUSCISTheyshouldalsobeinstructedonhowtoreportsolicitationsmadetocom mitfraud

Transformation

TransformationisalargebusinessprocessreengineeringeffortinUSCISprimarilyfocused onimprovedcustomerserviceworkflowautomationfrauddetectionandnationalsecurity issuesUSCISisrelyingheavilyonTransformationtocorrectmanyoftheproblemsresulting fromlegacysystemsThisrelianceonasingleeffortmakesitseffectivenessveryimportant TheteamfoundtheTransformationefforttobeamassiveundertakingthatappearstobe implementingaverydetailedprojectplan

Based on the team's review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats. The assessment team reviewed five comprehensive Transformation documents as part of this assessment. The documents describe system requirements in detail. Fraud detection refers to detection of fraud perpetrated by applicants and petitioners; national security issues focus on the handling of investigations within USCIS that involve national security issues.

Again, an enterprise risk management approach should be considered when defining requirements for Transformation. Insiders at USCIS have perpetrated fraud in the past, as evidenced by the Convictions Task Force. In addition, USCIS insiders are capable of granting legal residency or citizenship status to someone who poses a national security risk to the United States.

Training and Awareness

It is essential that security awareness training is consistently provided to all employees to ensure security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure to report concerning behavior by coworkers or others in an organization was a primary reason insiders in the CERT Insider Threat Case database continued to set up or carry out their attacks.

USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Human Resources

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern exhibited by current employees. Some cases from the CERT Insider Threat database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations must establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by human resources (HR) and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring. Clear requirements for ensuring employees' knowledge of these guidelines are also essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information.

Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management, HR, and security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

Screening and Hiring Practices

Several personnel screening and hiring practices pose a risk to USCIS systems and data.

USCIS does not have a consistent procedure for deciding whether to conduct a face-to-face interview prior to hiring an applicant being screened for government employment. There was an impression at USCIS headquarters that nearly 100% of those employees hired by managers are interviewed, but representatives in Burlington, Vermont, told us otherwise. This gap between perception and reality (there is not a policy stating that this must be done) is a concern. USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire. PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires if they have risk factors that do not cross adjudication guidelines for disqualification.

Foreign Service National (FSN) employees who work at U.S. embassies and consulates abroad have access to USCIS critical systems and data in some cases. In order to be hired and granted access to any of those systems, FSNs are vetted by the U.S. Department of State. Although the access to USCIS systems must be approved by the chief security officer (CSO) and chief information officer (CIO) for DHS, USCIS has very little visibility into the screening process for FSNs.

Exit Procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager or Contracting Officer's Technical Representative (COTR). It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access.

Physical Security

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the NCR since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls.

Finally, issues concerning the security of applicants' physical case files should be considered by USCIS as part of its risk management strategy.

Controlling and Monitoring Proper Access Authorization

USCIS handles the physical security and access authorization of facilities differently depending on where the facility is located. The physical security of NCR facilities is handled by one group of USCIS personnel, but the physical security of field offices falls under the Field Security Division (FSD). In some cases a physical security representative is not located in a field office at all. When this is the case, the responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner.

In 10 cases documented in the CERT Insider Threat Case database, the insider was able to commit a crime following termination because of failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities.

Security of Physical Case Files

At the Vermont Service Center, the assessment team observed physical case files of benefit applicants stacked in crates in the hallways. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their offices or desks. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they may leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Thirteen insiders documented in the CERT database stole physical property belonging to their organization.

Business Processes

A variety of cases from the CERT Insider Threat Case database document insider attacks in which gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environment is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crimes. Most of these insiders committed their crimes for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE Password Issuance and Control System (PICS) for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Verification Information System

The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.

Modifications by VIS users to critical data are logged.

CLAIMS 3 LAN

Currently, all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other "sister" USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it.
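The Business Processes section above calls for technical controls that enforce separation of duties and dual control, and the CLAIMS 3 LAN paragraph describes the review and QA sampling that a supervisor applies to adjudication decisions. The following is an added example, not code from the report or from USCIS or CERT, of how that dual-control rule can be enforced in the workflow software itself rather than left to procedure: a denial is not final until a second person who is not the adjudicator concurs, and the monthly QA draw of up to 10 approvals per adjudicator is selected by a keyed hash so that the adjudicator cannot predict which of their cases will be pulled. The class and function names, the "approve"/"deny" vocabulary, and the secret used for sampling are all assumptions for illustration.

```python
"""Dual control for benefit adjudication decisions (added, constructed example).

Not code from the report or from USCIS/CERT. Models the review flow described
in the text: every denial gets a second-person review, and a sample of
approvals is pulled for QA. Names and the sampling scheme are assumptions.
"""
from dataclasses import dataclass
import hashlib
from typing import List, Optional


class SeparationOfDutiesError(Exception):
    """The same person attempted to hold two roles on one case."""


@dataclass
class Case:
    case_id: str
    form_type: str
    adjudicator: Optional[str] = None
    decision: Optional[str] = None        # "approve" or "deny"
    reviewer: Optional[str] = None
    review_outcome: Optional[str] = None  # "concur" or "overturn"

    @property
    def final(self) -> bool:
        """A denial is final only once a second person concurs; an approval
        is final at decision time but stays eligible for QA sampling."""
        if self.decision is None:
            return False
        if self.decision == "deny":
            return self.review_outcome == "concur"
        return True


def decide(case: Case, adjudicator: str, decision: str) -> Case:
    """Record the adjudicator's decision on a case."""
    if decision not in ("approve", "deny"):
        raise ValueError("decision must be 'approve' or 'deny'")
    case.adjudicator = adjudicator
    case.decision = decision
    return case


def review(case: Case, reviewer: str, outcome: str) -> Case:
    """Second-person review; the reviewer must not be the adjudicator."""
    if case.decision is None:
        raise ValueError("cannot review a case that has no decision")
    if reviewer == case.adjudicator:
        raise SeparationOfDutiesError(
            f"{reviewer} adjudicated {case.case_id} and cannot review it")
    if outcome not in ("concur", "overturn"):
        raise ValueError("outcome must be 'concur' or 'overturn'")
    case.reviewer = reviewer
    case.review_outcome = outcome
    return case


def qa_sample(cases: List[Case], adjudicator: str, month: str,
              per_adjudicator: int = 10, secret: str = "qa-seed") -> List[Case]:
    """Select up to `per_adjudicator` of one adjudicator's approvals for QA.

    Ranking by a keyed hash (the secret is an assumed, auditor-held value)
    makes the draw reproducible for the auditor but unpredictable to the
    adjudicator, so cases cannot be steered away from review.
    """
    approved = [c for c in cases
                if c.adjudicator == adjudicator and c.decision == "approve"]

    def rank(c: Case) -> str:
        return hashlib.sha256(f"{secret}|{month}|{c.case_id}".encode()).hexdigest()

    return sorted(approved, key=rank)[:per_adjudicator]
```

In practice the same rule would also apply to the supervisor's report of decisions entered outside an adjudicator's normal form type: the check belongs in the system that records the decision, because a control that depends on a busy supervisor remembering to look is exactly the gap the interviews surfaced.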

FDNS-DS

Incident Response

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require nonsupervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Incident Management

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Consequently, any effort to coordinate a proactive program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.

Software Engineering

Code Reviews

Some USCIS systems adhere to a formalized process of software engineering using contractors with a specified level of process maturity (i.e., capability maturity model integration (CMMI) level 3).

There was even a documented case in which source code contained something inappropriate and was only discovered after the code was turned over from one contractor to another.

Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.

Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial.

Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems and/or networks.

In some areas, computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.

Although account naming conventions are dictated by DHS and the U.S. Department of State, USCIS could request a naming convention to differentiate between FSN and U.S. citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of user names and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore,

Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR.

The application of account management practices under the control of USCIS is inconsistent. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.

Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the U.S. Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those granted access through the U.S. Department of State for access from embassies overseas, have not been through the rigorous pre-employment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.

USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information,

Logging, Auditing, and Monitoring

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.
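The Protection of Controlled Information section describes monitoring that detects large downloads or an anomalous rise in traffic by volume or by port and protocol, and the paragraph above asks that such auditing be automated. The following is an added example, not code from the report or from USCIS or CERT, of the two checks expressed over per-user, per-day outbound flow summaries: a day whose outbound volume exceeds both an absolute floor and a multiple of that user's own median from earlier days is flagged, and so is any destination port the user has never used before. The flow records, user names, thresholds and port numbers are constructed for illustration and are not real USCIS data.

```python
"""Per-user outbound volume and new-port anomaly detection (added example).

Not code from the report or from USCIS/CERT. Flow records below are
constructed: (day, user, destination port, bytes sent outbound).
"""
from collections import defaultdict
from statistics import median

SAMPLE_FLOWS = [
    ("2010-12-06", "u_adj1", 443, 40_000_000),
    ("2010-12-07", "u_adj1", 443, 35_000_000),
    ("2010-12-08", "u_adj1", 443, 42_000_000),
    ("2010-12-09", "u_adj1", 443, 38_000_000),
    ("2010-12-10", "u_adj1", 443, 41_000_000),
    ("2010-12-13", "u_adj1", 443, 39_000_000),
    ("2010-12-13", "u_adj1", 22, 900_000_000),   # large transfer on a port never used before
    ("2010-12-06", "u_adj2", 443, 12_000_000),
    ("2010-12-07", "u_adj2", 443, 14_000_000),
    ("2010-12-08", "u_adj2", 443, 11_000_000),
    ("2010-12-09", "u_adj2", 443, 13_000_000),
    ("2010-12-10", "u_adj2", 443, 12_000_000),
    ("2010-12-13", "u_adj2", 443, 15_000_000),
]


def daily_totals(flows):
    """Roll flows up to user -> day -> bytes and user -> day -> set of ports."""
    totals = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(lambda: defaultdict(set))
    for day, user, port, nbytes in flows:
        totals[user][day] += nbytes
        ports[user][day].add(port)
    return totals, ports


def detect_anomalies(flows, day, factor=5.0, floor=100_000_000):
    """Return alerts for `day` as (user, kind, observed, baseline) tuples.

    kind == "volume":   today's bytes exceed `floor` and `factor` times the
                        user's median daily volume over earlier days.
    kind == "new-port": today used destination ports never seen for the user.
    The factor and floor are assumed thresholds; tune them per environment.
    """
    totals, ports = daily_totals(flows)
    alerts = []
    for user in totals:
        # ISO dates compare correctly as strings, so d < day is "earlier day".
        history = [b for d, b in totals[user].items() if d < day]
        today = totals[user].get(day, 0)
        if history:
            base = median(history)
            if today > floor and today > factor * base:
                alerts.append((user, "volume", today, base))
        seen_ports = set().union(*(p for d, p in ports[user].items() if d < day))
        new_ports = ports[user].get(day, set()) - seen_ports
        if new_ports:
            alerts.append((user, "new-port", sorted(new_ports), None))
    return alerts
```

Comparing each user against their own history rather than a single enterprise-wide threshold is what lets a modest adjudicator account stand out when its traffic jumps; the absolute floor keeps a user whose normal volume is tiny from alerting on every small fluctuation.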

The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.

There is a primary concern in this area at USCIS. USCIS should consider the frequency with which it scans its systems for technical security vulnerabilities.

There is also another concern in this area at USCIS.

Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy,

Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.

Recommendations

The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.

Recommendation 1: Institute an enterprise risk management plan

USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort

Transformation is a large business process reengineering effort in USCIS, primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.

Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identified.

stores physical files for benefit applicants in the Vermont Service Center with no physical protection beyond the exterior building and guard controls. USCIS should evaluate current physical access procedures to determine if they adequately address risk and if they are enforced consistently across the enterprise.

Recommendation 8: Consistently enforce exit procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager and COTR. It also appears that different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access. USCIS should adopt an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs

Changes should be made to the USCIS hiring processes for select high-risk positions. For example, USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion

USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.

Recommendation 11: Enforce a requirement for individual accounts on critical systems

In some cases, USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing of accounts more difficult.
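The Verification Information System section notes that VIS modifications are logged and that shared credentials enabled 24 of the insiders in the CERT database, and Recommendation 11 above requires that every action be attributable to exactly one person. The following is an added example, not code from the report or from USCIS or CERT, of a detection that the existing logs make possible even before stronger authentication is deployed: it reads access events and flags any account that is used from two different source addresses within a short window, which is the signature of one account held by several people at an employer site. The log format, account names, addresses and the 30-minute window are constructed assumptions.

```python
"""Detecting shared accounts from access logs (added, constructed example).

Not code from the report or from USCIS/CERT. The log format and sample lines
are invented: "timestamp,account,source_ip,event". Addresses are from the
documentation ranges and do not identify any real site.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2010-12-01T08:02:11,emp-acct-417,198.51.100.23,login
2010-12-01T08:05:40,emp-acct-417,198.51.100.23,query
2010-12-01T08:09:03,emp-acct-417,203.0.113.77,login
2010-12-01T08:11:30,emp-acct-417,198.51.100.23,query
2010-12-01T09:15:00,emp-acct-902,192.0.2.10,login
2010-12-01T13:40:12,emp-acct-902,192.0.2.10,query
2010-12-01T17:55:00,emp-acct-902,192.0.2.44,login
"""


def parse(log_text: str):
    """Parse the constructed CSV-style log into (time, account, ip, event)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, event = line.split(",")
        events.append((datetime.fromisoformat(ts), account, ip, event))
    return events


def find_concurrent_use(events, window=timedelta(minutes=30)):
    """Return {account: [(earlier_time, ip_a, later_time, ip_b), ...]}.

    An account is reported when two of its events come from different
    source addresses within `window` of each other. The window is an assumed
    tuning value: long enough to catch hand-offs between co-workers, short
    enough that a legitimate move between two networks is unlikely.
    """
    by_account = defaultdict(list)
    for t, acct, ip, _event in events:
        by_account[acct].append((t, ip))

    findings = defaultdict(list)
    for acct, evs in by_account.items():
        evs.sort()
        for i, (t1, ip1) in enumerate(evs):
            for t2, ip2 in evs[i + 1:]:
                if t2 - t1 > window:
                    break          # sorted, so nothing later can be within the window
                if ip2 != ip1:
                    findings[acct].append((t1, ip1, t2, ip2))
    return dict(findings)


def shared_accounts(log_text: str = SAMPLE_LOG):
    """Convenience entry point: the set of accounts showing concurrent use."""
    return sorted(find_concurrent_use(parse(log_text)))
```

A hit is a lead, not proof: the next step is to compare the two addresses against the employer's registered network and the account holder's assigned workstation. The value of the check is that it works on logs the system already keeps, so it can run every day while the policy and authentication changes in the recommendation are being put in place.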

Recommendation 12

Recommendation 13: Reduce the number of privileged accounts for critical data systems

Some data systems, including FDNS-DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.
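The Account Management section above asks for an audit to find unauthorized or legacy accounts, Recommendation 10 asks that access be removed promptly on a change in status, and Recommendation 13 asks that privileged accounts be cut back to those whose job requires them. All three are the same reconciliation run against two sources the organization already holds, the HR roster and the account list, so the following is one added example, not code from the report or from USCIS or CERT, that covers all three passages. It flags enabled accounts with no roster owner, accounts with no authorization record, accounts whose owner separated or transferred more than a grace period ago, and privileged accounts whose role is not entitled to privilege. The data classes, the status and role vocabulary, the entitled-role set, the one-day grace period and the sample records are constructed assumptions.

```python
"""Account reconciliation audit (added, constructed example).

Not code from the report or from USCIS/CERT. People, accounts, roles and the
set of privileged roles below are invented for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str        # "active", "separated" or "transferred" (assumed vocabulary)
    role: str          # e.g. "adjudicator", "sysadmin"
    status_date: date  # date the current status took effect


@dataclass(frozen=True)
class Account:
    account: str
    owner_id: Optional[str]  # None when ownership is unknown (legacy account)
    enabled: bool
    privileged: bool
    authorized: bool         # an authorization record exists for its creation


# Roles entitled to privileged access on the data system (assumed).
PRIVILEGED_ROLES = {"sysadmin", "dba"}

Finding = Tuple[str, str, str]   # (account, kind, detail)


def audit_accounts(people: List[Person], accounts: List[Account], as_of: date,
                   grace: timedelta = timedelta(days=1)) -> List[Finding]:
    """Reconcile enabled accounts against the HR roster and role entitlements."""
    roster = {p.person_id: p for p in people}
    findings: List[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue                       # disabled accounts are not an exposure
        owner = roster.get(a.owner_id) if a.owner_id else None
        if owner is None:
            findings.append((a.account, "orphan", "enabled account with no roster owner"))
            continue
        if not a.authorized:
            findings.append((a.account, "unauthorized", "no record of authorization for creation"))
        if owner.status in ("separated", "transferred") and as_of - owner.status_date > grace:
            findings.append((a.account, "stale-access",
                             f"owner {owner.status} on {owner.status_date.isoformat()}"))
        if a.privileged and owner.role not in PRIVILEGED_ROLES:
            findings.append((a.account, "excess-privilege",
                             f"role {owner.role!r} is not entitled to privileged access"))
    return findings


# Constructed sample data: one clean user, one separated, one sysadmin, one
# legacy account of unknown origin, one transferred adjudicator still privileged.
SAMPLE_PEOPLE = [
    Person("P1", "active", "adjudicator", date(2009, 1, 5)),
    Person("P2", "separated", "adjudicator", date(2010, 11, 15)),
    Person("P3", "active", "sysadmin", date(2008, 3, 1)),
    Person("P4", "transferred", "adjudicator", date(2010, 12, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "P1", True, False, True),
    Account("rsmith", "P2", True, False, True),
    Account("admin-p3", "P3", True, True, True),
    Account("fsn-legacy-07", None, True, False, False),
    Account("kwong", "P4", True, True, True),
    Account("old-contractor", "P2", False, False, True),
]
AS_OF = date(2010, 12, 15)


def run_sample() -> List[Finding]:
    return audit_accounts(SAMPLE_PEOPLE, SAMPLE_ACCOUNTS, AS_OF)
```

Each finding carries the account and a kind that maps to a different owner: orphan and unauthorized records go to the account-validation effort with the Department of State, stale-access records to the losing supervisor and the account administrators, and excess-privilege records to the data owner. The same join, run against a facility's badge access list instead of system accounts, gives the physical-access comparison the Physical Security section asks for.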

Recommendation 14

Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review

USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk, critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed.

Recommendation 16

Recommendation 17

Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees

USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments in its entirety in appendix I.

USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS corrective action plans.


Appendixes

The following pages contain appendixes A through G, which contain a complete, detailed list of findings from the assessment.

The appendixes are organized into the following sections:

Appendix A: Organizational

Appendix B: Human Resources

Appendix C: Physical Security

Appendix D: Business Process

Appendix E: Incident Response

Appendix F: Software Engineering

Appendix G: Information Technology

Appendix H: Acronyms

Appendix I: Management Comments to the Draft Report

Appendix J: Contributors to this Report

Appendix K: Report Distribution

Each section in appendixes A–G contains a brief introduction, a summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern, specific to USCIS, obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.

It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization's mission from both external and internal threats.

Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.

The results of this insider threat vulnerability assessment should be used to develop or refine the organization's overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.

Many of the findings in this report include the relative frequency of the issue raised in the CERT Insider Threat Case database. At the time this report was written, there were 386 cases of malicious insider activity against which the suggested countermeasure percentage is calculated. So if a particular activity was seen in 38 of our cases, we may indicate that it was seen in 10% of the cases in the Insider Threat Case database.


Appendix A: Organizational

Risk Management

Communication

Security Process Improvement

USCIS is in a difficult position. Part of its mission is to provide customer service to those seeking immigration and citizenship benefits from the U.S. Government. However, it is challenging to optimize business processes for customer service while at the same time implementing protective measures to counter the risk posed by granting those very benefits. Many USCIS employees interviewed for this assessment identified the organization's primary risk as allowing the next terrorist to live and work legally in the United States. They desire help in identifying and implementing internal controls to counter that risk. Some of the interviewees, however (even some of the ISSOs and data owners), focused on leakage of PII as their primary concern. After delving into the matter with the assessment team, they came to understand the risk posed by exposure or misuse of critical data as the greatest risk faced by USCIS, primarily because such a security breach could result in allowing a terrorist into the country.

A critical issue for USCIS is ensuring the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for IT, and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: U.S. citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Enterprise Risk Management

Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology

Policy and/or Security Measure: Individual organizations within USCIS do risk management related to their particular domain. For instance, IT does risk management from an IT perspective, and Financial Management does financial risk management.

Policy or Practice Gaps: USCIS personnel stated there is no enterprise risk management process for analyzing the organization's overall risk. In interviews, some USCIS staff, including some ISSOs, data owners, and OIT staff, seemed to view loss of PII as the most important insider threat risk. All of the assessment questions were answered in the context of loss of PII. When we asked specifically what they see as the biggest insider threat risk, everyone seemed to agree it is creation of real citizenship documents for people who should not have them. In fact, interviewees at the Vermont Service Center categorized the functions characterized by the highest risk as follows: 1) Unlawful alien in the United States granted nonimmigrant status. 2) Someone with nonimmigrant status granted permanent residency, which means he or she can live and work indefinitely in the United States and also can petition for relatives. The Vermont Service Center is implementing separation of duties for performing functions 1 and 2 above (granting nonimmigrant status and moving someone from nonimmigrant status to permanent residency) so that one USCIS adjudicator alone cannot take an applicant from unlawful to permanent resident. These two functions will be performed at different physical locations 29 miles apart. The Vermont Service Center has not had an adjudicator who performed both functions 1 and 2 for the same applicant.

Suggested Countermeasures: We suggest that USCIS institute an enterprise risk management program. Without a common vision for risk management, the ISSOs and all organizations within USCIS cannot effectively understand the risk environment and work together to effectively mitigate risk. Again, an enterprise risk management program will ensure that everyone across USCIS is working together to mitigate the highest priority risks. There are regulations and laws surrounding protection of PII, but focusing primarily on that issue can lead to a false sense of security if other, more important risk areas are given less attention. This decision demonstrates that leadership at the Vermont Service Center recognizes the significant risk of creating legal citizenship documents for illegal aliens and is taking steps to mitigate that risk. However, our insider threat assessment has uncovered other issues that could be addressed to mitigate that risk. Again, a formal risk analysis would enable USCIS to thoroughly examine the issues and prioritize countermeasures using a formal process. For example, an alternative to the physical move could be to implement an audit mechanism to look for adjudicators who performed both functions 1 and 2 for the same applicant.

Area of Concern: Enterprise-Wide Communication

Responsible Personnel: USCIS Leadership

Policy and/or Security Measure: No evidence provided

Policy or Practice Gaps: There is no consistency of controls from one service center to the next. We were told they each operate fairly independently.

Suggested Countermeasures: USCIS would benefit from ongoing communications about risk-based issues between the service centers. For instance, communications concerning problems, effective countermeasures, modifications to business processes, or ideas for countering increased risk could lead to an improved risk posture for the entire USCIS enterprise.

Area of Concern: Continual Security Process Improvement

Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology

Policy and/or Security Measure: The USCIS Convictions Task Force is an excellent forum for analyzing past criminal cases and determining measures that should be instituted to prevent similar crimes in the future.

Policy or Practice Gaps: There is no process for following up on a case after the Office of Special Investigation (OSI) finishes an investigation. The Convictions Task Force is the only process we found for formal tracking, analysis, and process improvement based on actual incidents. The assessment team asked various groups if there is any follow-up to incidents, for instance implementing automated scripts or controls to detect the same incident in the future. The team could not find a single person who knows of such an activity. Many examples of employee misconduct cited to the assessment team could easily have been detected or even prevented via automated controls. In addition, there is no mechanism for communicating issues outside of a given service center.

Suggested Countermeasures: In nearly 25% (91) of the cases in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28% of these cases it was because of inadequate auditing of irregular processes. In 29% of the cases, the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analysis of the OSI's findings and the development of automated checks implemented nationally.

Area of Concern: USCIS Employees are Potential Targets for Recruitment

Responsible Personnel: Human Resources, Physical Security

Policy and/or Security Measure: No evidence provided

Policy or Practice Gaps: Some USCIS employees interviewed have received a request for assistance from a friend, relative, or stranger seeking to promote a case for some form of applicant. One adjudicator said he does not tell others who he works for. However, the distinctive green parking sticker on his car could, in a small town like Burlington, VT, reveal the identity of his employer. USCIS personnel are therefore unusually vulnerable to solicitation by outsiders.

Suggested Countermeasures: Twenty-nine percent of the insiders in the CERT Insider Threat Case database were recruited by outsiders to commit their crimes. USCIS should consider increasing the security awareness training provided to USCIS employees and contractors. The training should be continuous, including portions intended to raise awareness of the potential target that USCIS employees present. All employees should be aware of the consequences of participating in fraud against USCIS as well as how to report solicitations made to commit fraud.

Area of Concern: Transformation

Responsible Personnel: USCIS Leadership, Data Owners, Information Technology, Human Resources

Policy and/or Security Measure: Transformation is a large business process reengineering effort in USCIS that is primarily focused on improved customer service and fraud detection. For example, the assessment team was told that Transformation will automatically validate data in CLAIMS against other external systems (e.g., ICE and FBI) and that security requirements and controls have been identified by current C3 LAN data owners.

Policy or Practice Gaps: Transformation was mentioned in most interviews for this assessment. It appears that USCIS is relying heavily upon Transformation to correct many of the problems resulting from legacy systems. However, it is unclear whether internal personnel security and information security concerns will be included in this program. This reliance on a single effort makes the effectiveness of this effort very important. Reading the Transformation requirements documentation, it is not clear that insiders are considered in the security requirements for prevention and detection of fraud or national security in USCIS systems.

Suggested Countermeasures: USCIS should consider the Transformation project from an enterprise-wide perspective. It is important for it to use a formal requirements gathering process in order to effectively mitigate both internal and external threats. Personnel security should be included as well as information security to ensure that the appropriate internal controls are in place to reduce the risk posed by malicious insiders.

Training and Awareness

It is essential that security awareness training be consistently provided to all employees to ensure that security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure by coworkers or others in an organization to report concerning behavior was a primary reason insiders in the CERT Insider Threat Case database were able to set up or carry out their attacks. USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Training or Skills Required of Those in Appointed Security Roles

Responsible Personnel: USCIS Leadership

Policy and/or Security Measure: USCIS has a training process through an information systems security manager (ISSM). USCIS relies heavily on contractors to provide adequately trained staff.

Policy or Practice Gaps: Many ISSOs are not well versed in security. ISSOs are currently in an education process, but ISSOs are typically not security watchdogs.

Suggested Countermeasures: ISSOs must have proper training in order to keep up with the ever-changing information security environment and to be able to deal with the myriad technologies and tools available to them. Appropriate budget should be allocated for ISSO training, including vendor-specific training (e.g., McAfee and Cisco) and industry-specific training (e.g., SANS).
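One way to implement the audit mechanism suggested in the Enterprise Risk Management row above (flagging adjudicators who performed both functions 1 and 2 for the same applicant), written as an added example that is not code from the report or from USCIS; the log columns, the function codes F1/F2, the adjudicator names and the office names are constructed assumptions.

```python
"""Separation-of-duties audit over an adjudication log.

Flags applicants whom a single adjudicator took from function 1
(nonimmigrant status granted) to function 2 (permanent residency granted),
the condition the Vermont Service Center's physical separation is meant to
prevent. The log schema and codes below are assumptions for this example.
"""
import csv
from collections import defaultdict
from io import StringIO

GRANT_NONIMMIGRANT = "F1"          # function 1 in the report's list (assumed code)
GRANT_PERMANENT_RESIDENCY = "F2"   # function 2 in the report's list (assumed code)

# Constructed sample log, not real USCIS data. ISO-8601 timestamps sort as strings.
SAMPLE_LOG = """timestamp,applicant,adjudicator,function,office
2010-03-02T09:14,A-1001,jdoe,F1,StAlbans
2010-06-11T14:02,A-1001,jdoe,F2,StAlbans
2010-03-05T10:30,A-1002,jdoe,F1,StAlbans
2010-07-20T11:45,A-1002,mroe,F2,Essex
2010-04-01T08:05,A-1003,kli,F2,Essex
2010-04-09T16:20,A-1004,mroe,F1,StAlbans
2010-09-30T13:10,A-1004,mroe,F2,StAlbans
2010-10-04T09:00,A-1005,jdoe,F2,StAlbans
2010-05-12T09:00,A-1005,jdoe,F1,StAlbans
2010-01-10T09:00,A-1006,mroe,F2,Essex
2010-02-01T09:00,A-1006,mroe,F1,Essex
"""


def parse_log(text):
    """Parse the CSV log into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def find_sod_violations(records):
    """Return {applicant: adjudicator} for every applicant where one adjudicator
    performed F1 and, later, F2. Rows may arrive in any order (A-1005); an F2
    that precedes every F1 by the same adjudicator is not counted (A-1006)."""
    times = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for r in records:
        if r["function"] in (GRANT_NONIMMIGRANT, GRANT_PERMANENT_RESIDENCY):
            times[r["applicant"]][r["adjudicator"]][r["function"]].append(r["timestamp"])
    violations = {}
    for applicant, per_adjudicator in times.items():
        for adjudicator, by_function in per_adjudicator.items():
            f1 = by_function[GRANT_NONIMMIGRANT]
            f2 = by_function[GRANT_PERMANENT_RESIDENCY]
            if f1 and f2 and min(f1) < max(f2):
                violations[applicant] = adjudicator
    return violations


def repeat_offenders(violations):
    """Adjudicators flagged for more than one applicant (a recurring pattern
    is worth escalating ahead of a single occurrence)."""
    counts = defaultdict(int)
    for adjudicator in violations.values():
        counts[adjudicator] += 1
    return {a: n for a, n in counts.items() if n > 1}


if __name__ == "__main__":
    found = find_sod_violations(parse_log(SAMPLE_LOG))
    for applicant, adjudicator in sorted(found.items()):
        print(f"SoD violation: {adjudicator} performed F1 and F2 for {applicant}")
    print("repeat offenders:", repeat_offenders(found))
```

The same check can be run against each service center's records on a schedule, which is the automated follow-up the Continual Security Process Improvement row says USCIS currently lacks.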

Appendix B: Human Resources

Employee Issues

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern by current employees. Some cases from the CERT Insider Threat Case database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations should establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by HR and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring, and clear requirements for ensuring employees' knowledge of these guidelines are essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information. Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

CERT suggests enhancements to the USCIS hiring and termination processes. For example, USCIS should consider additional screening for high-risk positions such as adjudicators. USCIS should also consider becoming more involved in vetting Foreign Service Nationals (FSN) prior to granting them access to USCIS critical systems and data. Finally, USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Pre-Employment Screening

Responsible Personnel: USCIS Leadership, Human Resources

Policy and/or Security Measure: No evidence provided

Policy or Practice Gaps: The employee screening process lacks any form of psychological screening for a range of positions, including adjudicators.

Suggested Countermeasures: Five percent (18) of the insiders in the CERT database had possible psychological issues. USCIS should consider including psychological testing as part of the new hire process for select positions, including adjudicators. Given the significant social pressures on adjudicators and the relative lack of monitoring for insider risk, it seems important to improve this aspect of screening.

Responsible Personnel: Human Resources

Policy and/or Security Measure: Applicants are assigned a rating by HR; the rating is used to rank applicants.

Policy or Practice Gaps: There is currently no audit log that would capture instances in which someone in HR changed a rating to enable someone to get hired more easily.

Suggested Countermeasures: USCIS should consider implementing an audit log to track the candidate ratings and alert when candidate ratings are changed by someone in HR.

Responsible Personnel: USCIS Leadership, Human Resources

Policy and/or Security Measure: If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire.

Policy or Practice Gaps: PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires who have risk factors that do not cross adjudication guidelines for disqualification.

Suggested Countermeasures: USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Responsible Personnel: USCIS Leadership, Human Resources

Policy and/or Security Measure: Each field office determines whether or not to meet an applicant face-to-face before hiring.

Policy or Practice Gaps: There was an impression at headquarters that nearly 100% of those hired by managers are interviewed, but representatives in Burlington, Vermont told us otherwise. This gap between perception (there is not a policy stating this must be done) and reality is of concern. There have been known instances in which applicants were only screened on paper or over the phone before being hired. Standard operating procedures are not followed at all field offices.

Suggested Countermeasures: USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

Responsible Personnel: USCIS Leadership, Human Resources

Policy and/or Security Measure: PERSEC vets federal employees and contractors (with a minimum background investigation). USCIS relies on the U.S. Department of State to vet foreign national employees who work at embassies or consulates abroad. FSNs in some instances are granted accounts on USCIS information systems. If FSNs need access to DHS systems (including USCIS), currently this access must be approved by the CSO and CIO for DHS.

Policy or Practice Gaps: This practice was not always followed consistently in the past, so there may be FSNs who were granted access without all the current vetting and approvals.

Suggested Countermeasures: USCIS should consider becoming more involved in vetting of FSNs prior to granting them access to USCIS systems. In addition, USCIS should audit current FSNs with access to USCIS systems and ensure that appropriate vetting was performed.

Area of Concern: Candidate Certification Verification

Responsible Personnel: Human Resources

Policy and/or Security Measure: No evidence provided

Policy or Practice Gaps: USCIS does not have a standard procedure for verifying the certifications of job applicants.

Suggested Countermeasures: USCIS should consider implementing a step in the new hire process to verify certifications of all candidates. A few insiders documented in the CERT Insider Threat Case database were able to obtain positions in organizations by providing falsified certifications.

Area of Concern: Employee and Contractor Termination

Responsible Personnel: USCIS Leadership, Human Resources

Policy and/or Security Measure: Exit procedures are recently developed and in some cases still under development (i.e., formal exit procedures are expected to be released in 3 months).

Policy or Practice Gaps: This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment. It appears the responsibility for ensuring that employees and contractors are terminated rests solely with the manager. It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS.

Suggested Countermeasures: USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Area of Concern: Employee and Contractor Mandatory Drug Testing

Responsible Personnel: Human Resources

Policy and/or Security Measure: All federal positions are subject to drug testing, but only for new hires. According to a USCIS Convictions Task Force investigation case, all contractor positions do not require drug testing.

Suggested Countermeasures: Fifteen insiders documented in the CERT Insider Threat Case database exhibited substance abuse. USCIS should consider implementing mandatory post-hire drug testing for all employees and contractors.

Appendix C: Physical Security

Field offices
Access Following Termination
Security of Physical Case Files

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can also provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full time, part time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the national capital region (NCR) since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls. In addition, gaps in termination procedures have resulted in ongoing physical access following termination. Finally, issues concerning the security of physical case files should be considered as part of a USCIS risk management strategy.

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Physical Security of Field Offices
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: USCIS is in the process of putting a new access control system in place for the NCR. Before it does, it will disable access for anyone who has not used physical access in more (continues on the next page)
Policy or Practice Gaps: Each USCIS facility has its own policies and access control systems. Some field offices within USCIS have access control systems; others do not. Not all offices in the field have electronic (continues on the next page)
Suggested Countermeasures: Forty of the insiders documented in the CERT database took advantage of inadequate physical security to carry out their crimes. Electronic access controls provide (continues on the next page)

CERT | SOFTWARE ENGINEERING INSTITUTE | 42

Suggested Countermeasures (continued from the previous page): logs that could be useful in investigations of illicit activity outside of normal working hours. USCIS should consider developing enterprise wide physical security procedures, roll those out to each field office, and require a physical security representative at each site to ensure consistent enforcement of the policies. USCIS should consider prohibiting each field office from developing site specific policies and removing enforcement control from each site.

Policy or Practice Gaps (continued from the previous page): access controls – some only have locks and keys. Not every USCIS site has a physical security representative. Where no representative is present, this responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner. Some managers track who accesses what when, and others do not. According to Physical Security in Vermont, only 20% of violations are being reported to security.

Policy and/or Security Measure (continued from the previous page): than 12 months, as well as anyone no longer employed by USCIS. It also plans on examining all accounts that have not used physical access in more than 30 days. Security of field offices falls under the Field Security Division (FSD). The Office of Security and Integrity (OSI) recently developed an inspection workbook and is field testing it with FSD. USCIS Field Security Division is planning to put a security representative in every field office. It expects two to three times more reports of violations once it has a representative in every location.

Area of Concern: Physical Access Following Termination
Responsible Personnel: Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Suggested Countermeasures: In 10 cases documented in the CERT Insider Threat Case database, the insider was able to attack following termination due to failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list (continues on the next page)

CERT | SOFTWARE ENGINEERING INSTITUTE | 43

Suggested Countermeasures (continued from the previous page): in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities. USCIS should consider automating the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to physical security so physical access can be disabled.

Area of Concern: No Two Person Control
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: No evidence provided
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Security guards at site locations have on occasion ignored door propped open alarms because theft has traditionally been a very small problem at (continues on the next page)
Suggested Countermeasures: Consider consistent enforcement and investigation of USCIS physical security incidents. All alerts should be investigated and (continues on the next page)

CERT | SOFTWARE ENGINEERING INSTITUTE | 44

Policy or Practice Gaps (continued from the previous page): USCIS.

Suggested Countermeasures (continued from the previous page): documented; if the alert is deemed unnecessary, then it should be discontinued. All security violations should be tracked in a central repository so a complete history for each individual is available.

Area of Concern: After Hours Access
Responsible Personnel: Physical Security
Policy and/or Security Measure: Authorized Access
Policy or Practice Gaps: Most access is 24 hours a day, 7 days a week –
Suggested Countermeasures: Twenty nine of the insiders documented in the CERT database used physical access outside of normal working hours to attack. USCIS should consider implementing an access control system that grants access commensurate with the position an employee or contractor fills. If a position does not require access outside of normal working hours, the access control system should prohibit such access and log unsuccessful access attempts.

Area of Concern: Security of Physical Case Files
Responsible Personnel: Physical Security
Policy and/or Security Measure: Protection of USCIS Case File Data
Policy or Practice Gaps: Physical files were observed in crates stacked in the hallways in the Vermont Service Center. According to an interview at the Service Center, anyone could walk out with a "crate full" of files after hours, especially if you are a teleworker. USCIS assumes its case file data is secure because its employees and contractors have a clearance or have had a background check. (continues on the next page)
Suggested Countermeasures: It is important to note that 49 insiders documented in the CERT database violated need to know (continues on the next page)
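The after-hours countermeasure above (grant access commensurate with the position, prohibit out-of-hours entry where the position does not need it, keep an authorized access list that termination revokes from, and log every unsuccessful attempt), as an added example; this is not code from the CERT assessment or from USCIS, and the position profiles, facility names, working hours and badge events are constructed.

```python
"""Position-based physical access decisions with after-hours denial logging.

Added example; not code from the CERT assessment or from USCIS. The position
profiles, facility names, working hours and badge events are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

# Assumption: normal working hours are 07:00-19:00, Monday to Friday.
NORMAL_START, NORMAL_END = time(7, 0), time(19, 0)


@dataclass(frozen=True)
class PositionProfile:
    """What a position legitimately needs: which facilities, and whether the
    position requires entry outside normal working hours."""
    facilities: frozenset
    after_hours: bool


# Constructed position profiles (hypothetical).
POSITIONS = {
    "adjudicator": PositionProfile(frozenset({"VSC"}), after_hours=False),
    "facilities-engineer": PositionProfile(frozenset({"VSC", "NCR-HQ"}),
                                           after_hours=True),
}


def within_normal_hours(when):
    return when.weekday() < 5 and NORMAL_START <= when.time() < NORMAL_END


@dataclass
class AccessController:
    """Evaluates badge presentations against the authorized access list and
    keeps an append-only log of every unsuccessful attempt."""
    authorized: dict                        # badge_id -> position
    denials: list = field(default_factory=list)

    def evaluate(self, badge_id, facility, when):
        position = self.authorized.get(badge_id)
        if position is None:
            reason = "badge not on authorized access list"
        else:
            profile = POSITIONS[position]
            if facility not in profile.facilities:
                reason = "facility not authorized for position"
            elif not profile.after_hours and not within_normal_hours(when):
                reason = "after-hours access not required by position"
            else:
                return True
        # Logged with the reason so that an investigation of after-hours
        # activity has a record to start from.
        self.denials.append({"badge": badge_id, "facility": facility,
                             "when": when.isoformat(), "reason": reason})
        return False

    def revoke(self, badge_id):
        """Termination hook: physical security removes the badge from the list."""
        self.authorized.pop(badge_id, None)


def run_sample():
    """Constructed badge events; returns (decisions, denial log)."""
    ctrl = AccessController(authorized={"B-1001": "adjudicator",
                                        "B-2002": "facilities-engineer",
                                        "B-3003": "adjudicator"})
    ctrl.revoke("B-3003")     # B-3003 was terminated and security was notified
    events = [
        ("B-1001", "VSC", datetime(2010, 11, 16, 10, 15)),    # Tuesday, in hours
        ("B-1001", "VSC", datetime(2010, 11, 16, 22, 30)),    # Tuesday, after hours
        ("B-1001", "NCR-HQ", datetime(2010, 11, 17, 9, 0)),   # facility not in profile
        ("B-2002", "NCR-HQ", datetime(2010, 11, 20, 3, 0)),   # Saturday, engineer
        ("B-3003", "VSC", datetime(2010, 11, 18, 12, 0)),     # revoked badge
    ]
    decisions = [ctrl.evaluate(*ev) for ev in events]
    return decisions, ctrl.denials


if __name__ == "__main__":
    for entry in run_sample()[1]:
        print(entry)
```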

CERT | SOFTWARE ENGINEERING INSTITUTE | 45

Policy or Practice Gaps (continued from the previous page): Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their office or desk. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they might leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information has been found in garbage cans in the hallway. Adjudicators pick up their cases in an envelope in their mailbox. During the site visit the assessment team observed the mail room at the Vermont Service Center unattended between (continues on the next page)

Suggested Countermeasures (continued from the previous page): policies in the commission of their crimes. Therefore, relying on clearances alone can be very dangerous. Thirteen insiders documented in the CERT database stole physical property belonging to the organization. CERT suggests USCIS consider the consequences of theft or unauthorized access to physical case files and make a risk based decision regarding potential policy and procedure changes. There are standard policies and procedures for handling sensitive information, but a strong educational campaign is needed to ensure the protection of data.

CERT | SOFTWARE ENGINEERING INSTITUTE | 46

Policy or Practice Gaps (continued from the previous page): shifts (approximately 3 pm). When adjudicators finish with a file, they return it to a drop off spot. The assessment team observed those spots, which are in the open and unattended. Adjudicators may keep cases overnight and usually return them within 1 week.

Area of Concern: Teleworkers at Service Centers
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: One hundred eighty nine people at the Vermont Service Center are authorized to work from home. These employees pick up files at the Vermont Service Center and take them home. They work 2 days per week in the Service Center and 3 days per week at home. USCIS pays an unannounced visit to all homes to inventory the employees' files at least quarterly. These employees must have a locked facility in their home and must always have the ability to return the files to the Service Center within 4 hours.
Policy or Practice Gaps: The control of USCIS data when it leaves the Vermont Service Center is difficult to enforce. Employees must have appropriate storage facilities, but they could easily copy USCIS data and share it with unauthorized individuals.
Suggested Countermeasures: Twenty nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. It is important that USCIS recognize the potential for recruitment and the lack of control exercised over sensitive data at adjudicators' residences.

CERT | SOFTWARE ENGINEERING INSTITUTE | 47

Appendix D: Business Processes, Technical Controls

Authorization via PICS
Account Management

A variety of cases from the CERT Insider Threat Case database document insider attacks where gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environments is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors are targets for recruitment for theft or unauthorized modification of USCIS data. Twenty nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE PICS system for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Area of Concern: Authorization for USCIS Critical Systems through PICS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Several critical USCIS systems are tied to PICS for authentication, which is administrated by the ICE. PICS logs account creations, when the accounts were created, what roles applied to the accounts, etc.
Policy or Practice Gaps: PICS permits users outside of USCIS to authorize users for any USCIS application tied to PICS. Two thousand local PICS officers (LPOs) in the ICE and USCIS can create new accounts in PICS for employees located at their sites. (continues on the next page)
Suggested Countermeasures: USCIS should consider implementing an authorization process and system that enables it to control who is granted access to USCIS systems and data. (continues on the next page)

CERT | SOFTWARE ENGINEERING INSTITUTE | 48

Policy or Practice Gaps (continued from the previous page): LPOs control access for sheriffs, petitioners, CBP, DOJ, TSA, DHS OIG, Terrorism Task Force, and others. Accounts are based on personnel records, so LPOs cannot create accounts for anyone who is not an employee at their site. However, PICS administrators can create accounts for anyone working at their site for any system tied to PICS.

Suggested Countermeasures (continued from the previous page): CERT suggests that USCIS validate current PICS accounts and roles against current employee lists. Ten percent (37) of the insiders documented in the CERT database had excessive privileges, which enabled them to attack. In addition, because "privilege creep" enabled a few (six) of the insiders documented in the CERT database to carry out their crimes

CERT | SOFTWARE ENGINEERING INSTITUTE | 49

Verification Information System (VIS)

Area of Concern: Sharing VIS Accounts
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: VIS administrators in external companies or agencies have been caught letting multiple employees use the same VIS account, but USCIS has no ability to take any action. The accounts enable employees to validate PII and citizenship information.
Suggested Countermeasures: Twenty four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing accounts more difficult.

Area of Concern: Logging, Auditing, and Alerting in VIS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Modifications by VIS users to critical data are logged.

CERT | SOFTWARE ENGINEERING INSTITUTE | 50

Computer Linked Application Information Management System (CLAIMS) 3 LAN

Area of Concern: Self Selection of Adjudication Cases
Responsible Personnel: ISSOs, Data Owners
Policy and/or Security Measure: Adjudicators can self select cases (according to an interview concerning an internal incident that occurred at the USCIS and interviews with data owners at the Vermont Service Center).
Policy or Practice Gaps: Within the Service Centers, adjudicators have virtually unlimited access to applicant files—there are no need to know limitations or controls to prevent an adjudicator from accessing sensitive information and reporting it to outsiders or modifying a file (entering an invalid decision). Adjudicators can also approve a case that is not assigned to them. There is no tie between the case management system (i.e., National File Tracking System or NFTS) and the case adjudication system (i.e., CLAIMS). In the internal case that occurred at USCIS, the perpetrator circumvented the interview process for 14 months – (continues on the next page)
Suggested Countermeasures: USCIS should consider implementing technical controls to prohibit adjudicators from self selecting cases to adjudicate.

CERT | SOFTWARE ENGINEERING INSTITUTE | 51

Policy or Practice Gaps (continued from the previous page): he approved "no show" cases. There were no controls to detect this. In addition, adjudicators can adjudicate any type of case even though they are each assigned certain types of benefits cases for adjudication.

Area of Concern: Emphasis on Customer Service Over Risk
Responsible Personnel: Data Owners
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: One interviewee at the Vermont Data Center said that "stats" can be a strain, especially for new hires, although they do get a 90 day grace period.
Suggested Countermeasures: USCIS should use caution in emphasizing customer service as the only performance metric, because this could encourage lack of attention to risk related activities (such as accurate adjudication decisions).

Area of Concern: Lack of Separation of Duties in CLAIMS
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Currently all declined requests for benefits are reviewed by a supervisor. However, there was a discrepancy during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. Only a random sample of approved adjudication decisions is reviewed. For some cases (for instance, victims cases) a senior adjudicator has to review the decision after the adjudicator enters it; then the supervisor reviews it. This is a manually enforced process. There was another discrepancy in interviews: the adjudicators said that (continues on the next page)
Suggested Countermeasures: USCIS should consider implementing automated processes to prevent and detect fraud. Management indicated it would like to see automated technical enforcement of the review and approval process. In nearly ten percent (39) of the cases documented in the CERT database, insiders took advan (continues on the next page)

CERT | SOFTWARE ENGINEERING INSTITUTE | 52

Policy and/or Security Measure (continued from the previous page): When adjudicators are in training they are under 100% review. They are in training on a specific type of case for at least 6 months. Auditing for improperly granted benefits is based on sampling and/or blind quality assurance (QA) according "to Army standards" after the fact. A randomly selected 30 cases per quarter are also reviewed by "sister centers". QA process varies office by office (no national process). This QA has been done for the past year and a half. In the Vermont field office, each supervisor pulls at least 10 cases per adjudicator per month. They review decision related issues, security related issues, and procedural issues (did they follow the right steps). They also look for lessons learned. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Some cases are more than 1000 pages, so every detail cannot be practically reviewed for every case; clerks pull cases a couple of times per month – a certain number of cases per employee. Those cases are passed to QA, who reviews the cases. QA then sends feedback to the supervisor and adjudicator if they find something that does not look right.

Suggested Countermeasures (continued from the previous page): tage of insufficient separation of duties to carry out their crimes. USCIS should carefully consider the biggest risk to the organization. Many of the USCIS employees interviewed for this assessment identified the primary risk for the organization as allowing the next terrorist to live and work legally in the United States. They desire assistance in identifying and implementing internal controls to counter that risk. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it. If USCIS agrees that granting legal documents to illegal applicants is one of the biggest risks to the organization, then it should consider requiring dual (continues on the next page)

CERT | SOFTWARE ENGINEERING INSTITUTE | 53

Suggested Countermeasures (continued from the previous page): authorization for these adjudication decisions.

Area of Concern: Lack of Automated Checks
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Vermont IT has done data sweeps after it found something suspicious. When it has done so, it has found more of the same activity. There are no automated checks (there will be in Transformation). Checks that do exist are managed at the local level rather than alerting to the headquarters level.
Suggested Countermeasures: In nearly twenty five percent (91) of cases documented in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 cases it was because of inadequate auditing of irregular processes. In 29 of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analyzing the OSI's findings and developing automated checks that are rolled out nationally.

Area of Concern: Physical Security of Case Files
Responsible Personnel: Data Owners, Adjudicators
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: The NFTS tracks millions of files. It was described, however, as a very large warehouse where files do occa
Suggested Countermeasures: Ten percent (40) of the insiders documented in the CERT database carried out their crimes by
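An added example of the automated checks the CLAIMS rows above call for (decisions on cases not assigned to the adjudicator, decisions outside an adjudicator's assigned form types, approvals of "no show" cases, and approvals lacking dual authorization), with per-adjudicator counts so repeated patterns can be escalated centrally; this is not code from the CERT assessment or from USCIS, and the two feeds it ties together, the form codes and the sample records are constructed.

```python
"""Automated checks over adjudication decisions, tying the case-management
feed to the decision feed.

Added example; not code from the CERT assessment or from USCIS. It assumes an
assignment feed of the kind a file-tracking system would hold and a decision
feed of the kind the adjudication system would hold (this page says the two
are not tied together); record layouts, form codes and sample records are
constructed.
"""
from collections import Counter

# Constructed assignment feed: case -> adjudicator the case was assigned to.
ASSIGNMENTS = {"C-1": "A1", "C-2": "A1", "C-3": "A2", "C-4": "A2", "C-5": "A3"}
# Constructed: form types each adjudicator is assigned to work.
AUTHORIZED_FORMS = {"A1": {"F-1"}, "A2": {"F-1", "F-2"}, "A3": {"F-3"}}
# Constructed interview feed: case -> applicant appeared for interview.
INTERVIEWS = {"C-1": True, "C-2": False, "C-3": True, "C-4": True}
# Constructed: form types whose approval requires a second authorizer.
DUAL_AUTH_FORMS = {"F-2"}
# Constructed decision feed as entered in the adjudication system.
DECISIONS = [
    {"case": "C-1", "adjudicator": "A1", "form": "F-1", "decision": "approve", "reviewer": None},
    {"case": "C-2", "adjudicator": "A1", "form": "F-1", "decision": "approve", "reviewer": None},
    {"case": "C-3", "adjudicator": "A1", "form": "F-2", "decision": "approve", "reviewer": None},
    {"case": "C-4", "adjudicator": "A2", "form": "F-2", "decision": "deny", "reviewer": None},
    {"case": "C-5", "adjudicator": "A3", "form": "F-3", "decision": "approve", "reviewer": None},
]


def check_decisions(decisions, assignments, authorized_forms, interviews, dual_auth_forms):
    """Return (case, adjudicator, finding) triples for every control violation."""
    alerts = []
    for d in decisions:
        case, who, form = d["case"], d["adjudicator"], d["form"]
        approved = d["decision"] == "approve"
        # Self-selection: the decision was entered by someone the case was not assigned to.
        if assignments.get(case) != who:
            alerts.append((case, who, "decision on a case not assigned to this adjudicator"))
        # Working a form type outside the adjudicator's assignment.
        if form not in authorized_forms.get(who, set()):
            alerts.append((case, who, "form type outside the adjudicator's assignment"))
        # "No show" cases: approval recorded without a completed interview.
        if approved and not interviews.get(case, False):
            alerts.append((case, who, "approval without a completed interview"))
        # Dual authorization: high-risk approvals need a second reviewer on record.
        if approved and form in dual_auth_forms and not d.get("reviewer"):
            alerts.append((case, who, "approval lacks second authorization"))
    return alerts


def escalation_summary(alerts):
    """Findings per adjudicator, so repeated patterns reach headquarters
    instead of being handled only at the local level."""
    return Counter(who for _, who, _ in alerts)


def run_sample():
    alerts = check_decisions(DECISIONS, ASSIGNMENTS, AUTHORIZED_FORMS,
                             INTERVIEWS, DUAL_AUTH_FORMS)
    return alerts, escalation_summary(alerts)


if __name__ == "__main__":
    for alert in run_sample()[0]:
        print(alert)
```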

CERT | SOFTWARE ENGINEERING INSTITUTE | 54

CERT | SOFTWARE ENGINEERING INSTITUTE | 55

Area of Concern: Disabling Access to CLAIMS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Currently, every month USCIS compares the Human Resources attrition list against the C3LAN account list and disables inactive employee accounts.
Policy or Practice Gaps: The new HR form has not been socialized or widely advertised. It is up to the COTRs and supervisors to consistently request that access be disabled when an employee or contractor no longer needs access.
Suggested Countermeasures (continued from the previous page): the same applicant. C3LAN will be retired as part of Transformation. C4 will also be retired. A copy of security controls and requirements has been provided by C3LAN data owners to Transformation. It is important for the Transformation team to make risk based decisions in Transformation design and development.
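The monthly reconciliation described above (attrition list against the application's account list) together with the account validation and inactivity reviews recommended earlier in these appendices, as an added example; this is not code from the CERT assessment or from USCIS, and the record layouts, sample rows and the 30-day threshold used for dormant accounts are constructed.

```python
"""Monthly account reconciliation against HR records, plus an inactivity sweep.

Added example; not code from the CERT assessment or from USCIS. The record
layouts and sample rows are constructed, and the 30-day inactivity threshold
is borrowed from the physical-access review described in Appendix C, not
from any USCIS setting for application accounts.
"""
from datetime import date


def reconcile(accounts, roster, attrition, today, inactive_days=30):
    """Classify enabled accounts into actions for the data owner.

    accounts:  dicts with id, owner (employee id or None), enabled, last_login
    roster:    set of employee ids currently on the HR roster
    attrition: set of employee ids on the HR attrition (separated) list
    """
    actions = {"disable_separated": [], "disable_orphan": [], "review_inactive": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already disabled; nothing to do
        owner = acct["owner"]
        if owner in attrition:
            actions["disable_separated"].append(acct["id"])
        elif owner not in roster:
            # No matching current employee: a leftover, mistyped or shared account.
            actions["disable_orphan"].append(acct["id"])
        elif acct["last_login"] is None or (today - acct["last_login"]).days > inactive_days:
            actions["review_inactive"].append(acct["id"])
    return actions


def run_sample():
    """Constructed roster, attrition list and account list."""
    today = date(2010, 12, 1)
    roster = {"E1", "E2", "E3"}
    attrition = {"E4"}
    accounts = [
        {"id": "app-001", "owner": "E1", "enabled": True, "last_login": date(2010, 11, 29)},
        {"id": "app-002", "owner": "E4", "enabled": True, "last_login": date(2010, 10, 2)},
        {"id": "app-003", "owner": "E9", "enabled": True, "last_login": date(2010, 11, 30)},
        {"id": "app-004", "owner": "E2", "enabled": True, "last_login": date(2010, 10, 15)},
        {"id": "app-005", "owner": "E3", "enabled": False, "last_login": None},
        {"id": "svc-006", "owner": None, "enabled": True, "last_login": date(2010, 11, 30)},
    ]
    return reconcile(accounts, roster, attrition, today)


if __name__ == "__main__":
    for action, ids in run_sample().items():
        print(action, ids)
```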

CERT | SOFTWARE ENGINEERING INSTITUTE | 56

Area of Concern: Non Attribution for DBA Accounts
Responsible Personnel: Information Technology
Policy and/or Security Measure:
Policy or Practice Gaps:
Suggested Countermeasures:

CERT | SOFTWARE ENGINEERING INSTITUTE | 57

Area of Concern: Pending Reduction in Force for Data Entry Clerks
Responsible Personnel: Data Owners, Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Data entry clerks will be losing their jobs when they move to LockBox, which will take over the functionality of accepting remittances for benefit applicants. It was stated that the data entry clerks might be hired away to work at the organization which performs that function.
Suggested Countermeasures: USCIS should be aware of the increased insider risk in the face of negative organizational events like this. It should consider proactive steps to decrease stress in the workplace and to ease potential financial burdens that could make employees more susceptible to recruitment by outsiders.

Area of Concern: Sharing Accounts in CLAIMS
Responsible Personnel: Data Owners, Information Technology, Data Entry Clerks
Policy or Practice Gaps: The NFTS will not let clerks log in if they have not used the system for a certain number of days. A clerk's cubemate will log in for their cubemate if it is the end of the day and IT has gone home for the day.
Suggested Countermeasures: Twenty four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make account sharing more difficult.

CERT | SOFTWARE ENGINEERING INSTITUTE | 58

Suggested Countermeasures
Ten percent (39) of the insiders documented in the CERT database took advantage of insufficient access controls. USCIS should consider reducing the number of privileged accounts with access to the FDNS-DS. If the number of superuser accounts were reduced, then enhanced auditing could be employed on transactions conducted using those accounts.

Policy or Practice Gaps
but there are no national controls to ensure that celebrities' files are not being accessed. There is a large superuser community, more than thirty percent of all FDNS-DS users, with access to the FDNS-DS. These accounts have extensive power; a malicious superuser can completely delete a record or modify the summary of findings.

Policy and/or Security Measure
The FDNS-DS is a central repository of fraud and national security investigations. This system holds applicants and petitioners as well as PII. There is also a national security tab. No evidence provided.

Responsible Personnel
Data Owners, Information Technology
Data Owners, Information Technology

Area of Concern
Elevated Privileges to FDNS-DS
No Logging of Transactions
Fraud Detection and Naturalization System – Data System (FDNS-DS)
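The countermeasure above pairs a smaller superuser population with enhanced auditing of what those accounts actually do. The following Python script is an added example, not part of the CERT/USCIS report: it measures the superuser share of a constructed FDNS-DS user list and flags the two actions the gap description singles out (deleting a record, editing the summary of findings) when a superuser performs them. The user list, transaction log, role names and field names are all constructed.

```python
"""Audit of privileged (superuser) accounts and the transactions they perform.

Added example, not from the CERT/USCIS report. The user directory, the
transaction log, the role names and the field names are constructed.
"""
from collections import Counter

# Constructed user directory: (username, role). Role names are assumed.
USERS = [
    ("amartin", "superuser"), ("bchen", "superuser"), ("cdiaz", "analyst"),
    ("dkhan", "analyst"), ("elee", "superuser"), ("fnguyen", "analyst"),
    ("gortiz", "analyst"), ("hpatel", "analyst"), ("ijones", "analyst"),
    ("kross", "superuser"),
]

# Constructed transaction log: (timestamp, user, action, record_id, field).
# `field` is None for actions that are not field-level updates.
TRANSACTIONS = [
    ("2010-09-01T09:02", "cdiaz", "READ", "C-1001", None),
    ("2010-09-01T09:10", "amartin", "UPDATE", "C-1001", "summary_of_findings"),
    ("2010-09-01T11:45", "bchen", "DELETE", "C-1002", None),
    ("2010-09-01T12:03", "dkhan", "READ", "C-1003", None),
    ("2010-09-02T08:30", "elee", "UPDATE", "C-1004", "subject_address"),
    ("2010-09-02T16:55", "amartin", "DELETE", "C-1005", None),
    ("2010-09-02T17:20", "fnguyen", "UPDATE", "C-1006", "summary_of_findings"),
]

# The two superuser capabilities the gap description calls out: deleting a
# record outright, or rewriting the summary of findings.
HIGH_IMPACT = {"DELETE", "UPDATE:summary_of_findings"}


def superuser_share(users):
    """Return (count, fraction) of accounts that hold the superuser role."""
    total = len(users)
    supers = sum(1 for _, role in users if role == "superuser")
    return supers, (supers / total if total else 0.0)


def high_impact_by_superusers(users, transactions):
    """Return high-impact transactions performed by superuser accounts.

    Analysts performing the same actions are not flagged here: they cannot
    delete records, and their summary edits go through normal case workflow.
    """
    supers = {name for name, role in users if role == "superuser"}
    flagged = []
    for ts, user, action, rec, field in transactions:
        key = action if field is None else f"{action}:{field}"
        if user in supers and key in HIGH_IMPACT:
            flagged.append((ts, user, key, rec))
    return flagged


def per_user_counts(flagged):
    """Count flagged actions per superuser, most active account first."""
    return Counter(user for _, user, _, _ in flagged).most_common()


if __name__ == "__main__":
    n, frac = superuser_share(USERS)
    print(f"superusers: {n} of {len(USERS)} ({frac:.0%})")
    for row in high_impact_by_superusers(USERS, TRANSACTIONS):
        print(row)
```

On the constructed data the superuser share is 40%, above the thirty percent the report observed, and the audit isolates three record deletions or summary edits by two accounts.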


Area of Concern: Unknown Connections to
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided

Area of Concern: Failure to Address Known Security Vulnerabilities
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no automated patching because of the age of the servers and the application. Only critical patches are applied for fear of crashing the servers.
Suggested Countermeasures: Thirteen insiders in the CERT database exploited known security vulnerabilities that were not addressed by the organization. USCIS should consider upgrading the FDNS-DS since these vulnerabilities increase risk of attack from outside and inside.

Area of Concern: Production Data Available to Contractors in Development
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: CSC has production data in the development environment even though it should not have access to production data.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development


Suggested Countermeasures: environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the remote contractor-owned development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.

Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Developers cannot release new executables; a separate system administrator has to push them out.
Policy or Practice Gaps: Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of lack of adequate configuration management. USCIS has a formal configuration management process. It is important to enforce its use for all employees and contractors. Otherwise, it will be extremely difficult to investigate a crime committed using flaws intentionally injected into source code by a contractor.


Appendix E Incident Response

Incident Management
Security Awareness
Concerning Behaviors

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complexity and widely distributed function creates a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Because of this, it is practically impossible for USCIS to implement a proactive program to mitigate insider threat. CERT strongly recommends that USCIS create a central repository of employee misconduct so it can detect indicators of increasing insider threat risk and mitigate them as quickly as possible. Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.


Area of Concern: Lack of Central Repository of Employee Misconduct
Responsible Personnel: USCIS Leadership, Physical Security, Office of Security and Integrity
Policy and/or Security Measure: If Field Security receives a Significant Incident Report (SIR), then it investigates. Employee misconduct is then reported to the Office of Security and Integrity (OSI). If the OSI investigation substantiates an employee's misconduct, it provides Counterintelligence (CI) a monthly report. It also provides the employee's management a copy. CI is starting to get more reports of acceptable use violations and security violations. It tracks everything in a file for later use in reinvestigations. Labor Employee Relations (LER) has a record of the reports it receives of misconduct complaints against an employee, rule violations, and so on. HR maintains the Official Personnel File, which contains records of suspensions, etc. LER contacts HR only for those types of actions. The OSI evaluates all complaints it receives and logs them into the case management system. It assigns them to a field office. At that point, any complaints are the responsibility of the special agent in charge at the field office. The field office investigates
Policy or Practice Gaps: There is no single place to go for an employee's disciplinary records. The number of organizations involved and management of records is very complex and distributed throughout the organization. According to Physical Security, the field office does not tell the OSI about problems – the OSI finds out when it "hits the press". For example, the OSI is not informed of a disgruntled system administrator who is exhibiting concerning behaviors.
Suggested Countermeasures: USCIS should consider requiring mandatory reporting of all incidents to the OSI. This communication stream will allow the OSI to get involved as early as possible and to document and maintain a central repository of all incidents. This central repository is critical for adequately managing insider threats in USCIS.


Policy and/or Security Measure: and sends the case for corrective action to the regional director in the chain of command, and then the regional director returns a management report of action to the special agent in charge. The OSI contacts the DHS OIG for potentially criminal behavior or serious misconduct. If the DHS OIG turns the case down, then it is sent to the field office or to law enforcement. The Personnel Security division (PERSEC) notifies the OSI monthly of arrests (tracked in the case management system) and the OSI notifies PERSEC of investigations.

Area of Concern: Tracking of Online Incidents
Responsible Personnel: Information Technology
Policy and/or Security Measure: Computer or network violation incidents are tracked by a Remedy system tied to a unique computer identifier rather than a user, in an attempt to keep PII out of the ticket.
Policy or Practice Gaps: It is difficult to tie an event to a particular person. Even if the identity of an offender is known, repeat offenders are not tracked in any automated or correlated way.
Suggested Countermeasures: USCIS should consider including user information for each incident so that repeat offenders can be easily identified, as repeat offenses could indicate an insider of higher risk.

Area of Concern: Consistency in Response to Security Violations and Concerning Behaviors
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no required training for supervisors on how to respond to a range of behaviors associated with many forms of insider risk. Computer use violations are not
Suggested Countermeasures: Eighty-one of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors prior to or while carrying out their criminal activities. Employees should be
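The tracking gap above is that Remedy tickets carry a computer identifier but no user, so repeat offenders cannot be correlated. The following Python script is an added example, not part of the CERT/USCIS report: it resolves each ticket's computer identifier to the person assigned that machine on the ticket date, then counts incidents per person and lists tickets that cannot be attributed at all. The asset-assignment records, ticket fields, thresholds and names are all constructed.

```python
"""Attribute computer-keyed incident tickets to users and flag repeat offenders.

Added example, not part of the CERT/USCIS report. The ticket layout, the
asset-assignment table, the threshold and all names are constructed; the
report only states that tickets are keyed by a computer identifier, not a user.
"""
from collections import defaultdict
from datetime import date

# Constructed asset-assignment records: (computer_id, user, start, end).
# end=None means the machine is still assigned to that user.
ASSIGNMENTS = [
    ("WS-0417", "jsmith", date(2010, 1, 4), date(2010, 6, 30)),
    ("WS-0417", "rlopez", date(2010, 7, 1), None),
    ("WS-0922", "tmoore", date(2009, 11, 15), None),
]

# Constructed Remedy-style tickets: a computer id and a date, no user field.
TICKETS = [
    {"id": "INC-1001", "computer_id": "WS-0417", "opened": date(2010, 3, 2),
     "category": "acceptable use"},
    {"id": "INC-1120", "computer_id": "WS-0922", "opened": date(2010, 4, 18),
     "category": "unauthorized software"},
    {"id": "INC-1305", "computer_id": "WS-0417", "opened": date(2010, 8, 9),
     "category": "acceptable use"},
    {"id": "INC-1402", "computer_id": "WS-0922", "opened": date(2010, 9, 1),
     "category": "acceptable use"},
    {"id": "INC-1477", "computer_id": "WS-0999", "opened": date(2010, 9, 20),
     "category": "acceptable use"},  # machine with no assignment record
]


def resolve_user(computer_id, when, assignments=ASSIGNMENTS):
    """Return the user assigned to `computer_id` on date `when`, or None."""
    for cid, user, start, end in assignments:
        if cid == computer_id and start <= when and (end is None or when <= end):
            return user
    return None


def attribute_tickets(tickets, assignments=ASSIGNMENTS):
    """Return copies of the tickets with a 'user' key filled in from the
    assignment that was in force on the day the ticket was opened."""
    return [dict(t, user=resolve_user(t["computer_id"], t["opened"], assignments))
            for t in tickets]


def repeat_offenders(attributed, threshold=2):
    """Map user -> ticket ids for users with at least `threshold` incidents."""
    by_user = defaultdict(list)
    for t in attributed:
        if t["user"] is not None:
            by_user[t["user"]].append(t["id"])
    return {u: ids for u, ids in by_user.items() if len(ids) >= threshold}


def unattributed(attributed):
    """Ticket ids that could not be tied to a person; these need manual follow-up."""
    return [t["id"] for t in attributed if t["user"] is None]


if __name__ == "__main__":
    tickets = attribute_tickets(TICKETS)
    print("repeat offenders:", repeat_offenders(tickets))
    print("unattributed:", unattributed(tickets))
```

Keying on the computer alone would have counted WS-0417 twice although two different people used it in 2010, while the two WS-0922 incidents really do belong to one person.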


Policy or Practice Gaps: handled consistently across departments, supervisors, and type of employee. Egregious violations are referred to the OSI for a full investigation, but the criterion for deciding when that is warranted is a gut reaction.
Suggested Countermeasures: trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and deterrence of insider actions.

Area of Concern: US Department of State Investigations
Responsible Personnel: Office of Security and Integrity
Policy and/or Security Measure: OSI investigations have been subject to allegations of violations involving Foreign Service Nationals (FSN), but the OSI relies on the US Department of State to investigate.
Policy or Practice Gaps: USCIS has no visibility into US Department of State investigations.
Suggested Countermeasures: FSNs who have access to USCIS systems and data should be included in an insider threat risk mitigation strategy.

Area of Concern: Preparation for Negative Work-Related Events
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There do not appear to be any guidelines, training, or personnel available to evaluate employee insider risk before or after frequently precipitating events such as termination, demotions, transfers, or other disappointments or unmet expectations. There also does not appear to be a group charged with evaluating insider risk from organizational events or developments affecting groups of employees such as relocations, contract changes, layoffs, and reorganizations.
Suggested Countermeasures: Fifty-five insiders documented in the CERT Insider Threat Case database had negative employment issues. Ninety-four had a change in employment status prior to their attacks, 20 had compensation or benefit issues, and 65 were disgruntled. Supervisors should be trained in these risk indicators. There should also be an available panel of specialists from the OSI or the Labor Employee Relations (LER) trained to assess such risk.


Suggested Countermeasures: Similar specialists should be available to participate in planning and execution of response plans in preparation for negative workplace events that potentially could lead to disgruntlement among the workforce at USCIS.

Area of Concern: Contractor Management
Responsible Personnel: USCIS Leadership, Physical Security, Human Resources
Policy and/or Security Measure: Personnel screening procedures for contractors are similar to those for employees. Contracting companies are required to report any adverse information regarding their employees immediately (in all contracts). LER has no involvement with contractors. They have no record of contractor misbehaviors or complaints against contractors.
Policy or Practice Gaps: Supervisors, the OSI, LER, and others concerned with organizational security may be largely unaware of insider risks related to contractors. Contractors are not subject to government monitoring or risk assessment. A contractor on a critical system may develop or have significant insider risk factors that may remain unknown to government employees due to lack of reporting requirements.
Suggested Countermeasures: Sixty-two of the insiders documented in the CERT Insider Threat Case database were contractors. USCIS contract management staff should consider the need for reporting a range of potential indicators of insider risk among contract staff. Incident response plans should include response to employee and contractor issues.

Area of Concern: Employee or Contractor Concerning Behavior
Responsible Personnel: USCIS Leadership, Human Resources,
Policy and/or Security Measure: By policy it is every employee's responsibility to report suspicious behavior or misconduct. Supervisors
Self-reported drug use, arrest, and associations with foreign nationals during employment are sent to the
Suggested Countermeasures: Supervisors need to be notified immediately when an employee reports drug use, arrests, or


Responsible Personnel: Physical Security, Office of Security and Integrity, Labor Employee Relations
Policy and/or Security Measure: who observe concerning or suspicious behavior report it to LER or the OSI. For low level misconduct, LER advises the field office management on handling the matter. LER reports more serious misconduct with more severe consequences to HR. Misconduct can also be reported via Significant Incident Reports (SIRs). SIRs are sent to Physical Security or to the OSI for investigation. If CI discovers something suspicious during a reinvestigation, it informs the employee's supervisor. The supervisor works with LER and counsel to decide on follow-up actions.
OSI. The OSI sends results to the supervisor following investigation.
Suggested Countermeasures: association with foreign nationals so they have an accurate perception of the risk associated with each of their employees. In addition, 18 of the insiders documented in the CERT Insider Threat Case database had possible psychological issues. In collaboration with the OSI and LER, supervisors confronting employees who display concerning behaviors should have the ability to remove them from the workforce pending a medical or psychological evaluation to determine whether they have a disorder or illness that may impair their trustworthiness or judgment or make them a danger to themselves or others. Similarly, empowering supervisors to make an employee assistance program referral and evaluation mandatory, in collaboration with LER or the OSI, might help remove at-risk individuals from the workforce until they can safely and securely return.


Area of Concern: Electronic Investigations
Responsible Personnel: Information Technology, Office of Security and Integrity
Policy and/or Security Measure: Most allegations reported to the OSI are not very technical; the OIT provides forensics support for investigations (primarily database transactions).
Policy or Practice Gaps: PERSEC has never asked the OIT to review a user's online activity. Only one person in OSI is qualified to do a forensic inspection.
Suggested Countermeasures: USCIS should consider including the OIT in investigations of suspicious activity. CERT's insider threat research has shown that non-technical concerning behaviors can be associated with online criminal activity. It would be beneficial to check for past technical security violations and have the OIT analyze current online activity as part of the OSI investigations.


Appendix F Software Engineering

Logging
Critical Data Controls
Code Reviews
Configuration Management

In the cases documented in the CERT database, insiders, both employees and contractors, injected code into source code to facilitate fraud and IT sabotage. In most cases the modifications to source code were intended to facilitate fraud; in the other cases the code was intended to sabotage the organization's systems. In one case the code was set to execute following the insider's termination; in another ... for a year before finally executing. It is important that USCIS recognize the potential illicit activity that could be carried out on the most critical systems and system components, and implement appropriate controls, particularly for ... malicious ... in fraud, as the code ... planted ... engine ... in both cases was malware ...

Area of Concern: Code Reviews
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Contractors are required to maintain a certain level of process maturity (CMMI Level 3) to be in compliance with USCIS policies. Source code is restricted to those with the need to know. Version Manager is used to control and track changes to source code. Separation of duties is implemented in the software release process: CSC checks new source code into Version Manager, a USCIS employee checks out the source code and releases it into production. The USCIS DBA moves new database objects into the production database.
Policy or Practice Gaps: Another interviewee mentioned that an "Easter egg" was found in source code after the contract was given to a new company.4

4 A virtual Easter egg is an intentional hidden message, joke, or feature in a program, movie, book, etc.


Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: When contractors develop software remotely, they are supposed to register code in Version Manager, but this is not always done consistently. Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of the lack of adequate configuration management.

Area of Concern: Software Engineering Controls in the Service Centers
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Software is being developed in the Service Centers without consistently enforcing the same change management processes enforced at the national (enterprise) level. The centers use a code repository but not Version Manager to track software changes. They do peer reviews of code and believe that enterprise controls for code review are more detailed (although that belief appears to be false according to interviews at headquarters).
Suggested Countermeasures: USCIS should consider consistent policies and procedures for software engineering for the entire enterprise, including the Service Centers. Most insiders documented in the CERT Insider Threat Case data


Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Logs used include database logs, application logs, system logs, remote access logs, and many others.
Suggested Countermeasures: base were detected or identified using some kind of system log.

Area of Concern: Production Data in Development Envi
Responsible Personnel: ISSOs,
Policy and/or Security Measure: Development and production systems should be separate in terms of
Policy or Practice Gaps: In some cases contractors have access to both systems, including pr
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case da


Area of Concern: ronment
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: data sharing and access control
Policy or Practice Gaps: duction data in the development environment
Suggested Countermeasures: tabase stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.



Appendix G Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems or networks.

In some areas, computer accounts are managed fairly well at USCIS. USCIS is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account. Furthermore, an FSN account and a U.S. citizen federal employee account cannot be distinguished once it is created. Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.


Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore, USCIS has no visibility into who has access to its systems. Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR. Dormant accounts provide a convenient, unknown access path for current and former employees to use for illicit activity. A lack of consistency exists in the application of account management practices under the control of USCIS. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sA

ccou

ntE

stab

lis

hmen

t

USC

ISL

eade

rshi

p In

form

atio

nTe

chno

logy

Ino

rder

for

FSN

sto

gai

nac

cess

to

USC

ISs

yste

ms

they

mus

tsub

mit

pape

rwor

kth

roug

hpr

oper

cha

nnel

s

whi

che

vent

ually

req

uire

sau

thor

iza

tion

byth

eCS

Oa

ndC

IOo

fDH

S

Prio

rto

200

7w

aive

rpa

perw

ork

for

FSN

sre

ques

ting

acco

unta

cces

sw

as

nots

ubm

itted

con

sist

ently

A

sa

re

sult

ther

em

ayb

eac

tive

acco

unts

for

whi

chth

ere

isli

ttle

ton

oac

coun

ting

for

the

crea

tion

ofth

eac

coun

t

USC

ISs

houl

dco

nsid

erc

ondu

ct

ing

ana

ccou

nta

udit

with

the

assi

stan

ceo

fUS

Dep

artm

ento

fSt

ate

pers

onne

lto

valid

ate

all

exis

ting

FSN

acc

ount

s

Info

rmat

ion

Tech

nolo

gy

Diff

eren

tper

sonn

ela

rer

espo

nsib

le

for

acco

untc

reat

ion

and

dele

tion

acro

ssth

een

tire

ente

rpri

sed

epe

ndin

gon

the

syst

emo

rne

twor

kin

Dat

abas

ead

min

istr

ator

sm

ayb

eab

le

toc

reat

ean

dde

lete

dat

abas

ean

dap

plic

atio

nac

coun

tsw

ithou

tas

ec

ond

pers

onv

erify

ing

that

act

ion

Beca

use

data

base

adm

inis

trat

ors

have

acc

ess

tos

uch

criti

cald

ata

U

SCIS

sho

uld

cons

ider

sep

arat

ing

the

task

ofa

utho

rizi

nga

cces

sto

CERT | SOFTWARE ENGINEERING INSTITUTE | 76

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

squ

estio

n

USC

ISd

atab

ases

from

the

task

of

man

agin

gth

eda

tain

the

data

ba

ses

Thi

sse

para

tion

ofd

utie

sm

ayr

educ

eth

eri

sko

fad

ata

base

adm

inis

trat

orc

reat

ing

an

unau

thor

ized

acc

ount

and

usi

ng

that

acc

ount

toc

arry

out

am

ali

ciou

sac

t

USC

ISL

eade

rshi

p In

form

atio

nTe

chno

logy

Ac

ompu

ter

acco

unti

ses

tabl

ishe

don

lya

fter

an

umbe

rof

cri

teri

aha

ve

been

met

inc

ludi

ngs

ecur

itya

war

ene

sstr

aini

ng

Ina

dditi

onto

the

step

sre

quire

dof

al

lper

sonn

elfo

rac

coun

tacc

ess

co

ntra

ctor

sha

veto

go

thro

ugh

extr

ast

eps

som

eof

whi

chin

clud

eve

rifi

catio

nby

the

COTR

Com

pute

racc

ount

acc

ess

iss

ome

times

gra

nted

bef

ore

secu

rity

aw

are

ness

trai

ning

isc

ompl

eted

Th

isp

rac

tice

may

be

true

esp

ecia

llyfo

rco

ntra

ctor

ss

ince

the

onb

oard

ing

proc

ess

depe

nds

onth

eco

ntra

ctin

gag

ency

and

the

COTR

tov

erify

that

th

etr

aini

ngis

com

plet

ed

USC

ISs

houl

dco

nsid

err

equi

ring

co

mpu

ter

secu

rity

aw

aren

ess

trai

ning

for

allp

erso

nnel

ndashfu

lltim

eem

ploy

ees

par

ttim

eem

pl

oyee

sa

ndc

ontr

acto

rsndash

and

ve

rify

that

itis

com

plet

ebe

fore

cr

eatin

gan

ysy

stem

acc

ount

sfo

rth

ese

pers

onne

l

Acc

ount

Man

age

men

tG

ener

al

Info

rmat

ion

Tech

nolo

gy

PICS

isa

dmin

iste

red

byIC

Ew

hich

ha

sov

er2

000

LPO

sac

ross

var

ious

co

mpo

nent

sof

DH

ST

hese

LPO

sar

ere

spon

sibl

efo

rgra

ntin

gau

thor

ized

ac

cess

toP

ICS

for

the

pers

onne

lat

thei

rre

spec

tive

wor

ksi

tes

Eac

hLP

Oc

ang

rant

acc

ess

toa

nys

yste

m

cont

rolle

dby

PIC

SI

not

her

wor

ds

LPO

sth

roug

hout

USC

ISa

ndIC

Eca

ngr

anta

cces

sfo

ran

yof

thei

rst

afft

o

Alth

ough

the

PICS

acc

ount

pro

cess

re

quir

esth

eac

coun

tto

beli

nked

toa

va

lide

mpl

oyee

PIC

Sad

min

istr

ator

sco

uld

crea

teu

naut

hori

zed

acco

unts

in

the

nam

eof

val

ide

mpl

oyee

sw

ith

outt

heir

kno

wle

dge

Inv

alid

acc

ount

sar

ety

pica

llyfl

agge

don

lyw

hen

the

acco

unti

sdo

rman

tfor

ac

erta

inp

eri

odo

ftim

eA

nLP

Oc

ana

lso

assi

gn

righ

tsfo

ran

ysy

stem

con

trol

led

by

In1

2of

the

case

sdo

cum

ente

din

th

eCE

RTIn

side

rTh

reat

Cas

eda

ta

base

ins

uffic

ient

acc

ount

m

anag

emen

tena

bled

the

insi

der

sto

com

mit

thei

rcr

imes

U

SCIS

sho

uld

cons

ider

con

duct

in

gac

coun

taud

itsa

tthe

loca

lsi

tele

vel

whi

chw

ould

allo

wth

eva

lidat

ion

ofc

urre

ntP

ICS

ac

coun

tsa

ndr

oles

ver

sus

curr

ent

CERT | SOFTWARE ENGINEERING INSTITUTE | 77

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

san

yU

SCIS

sys

tem

PICS

empl

oyee

list

s

Furt

herm

ore

ICE

adm

inis

ters

this

USC

ISs

houl

dex

plor

ea

mea

nso

fsy

stem

and

cou

lda

ffec

tUSC

ISr

e

segr

egat

ing

acco

untm

anag

eco

rds

unbe

know

nstt

oU

SCIS

men

tin

PICS

so

that

LPO

sca

nad

min

iste

rac

coun

tso

nly

for

thei

row

nor

gani

zatio

nrsquos

syst

ems

In

oth

erw

ords

USC

ISL

POs

wou

ldo

nly

bea

ble

toa

dmin

iste

rau

thor

izat

ions

for

USC

ISs

yste

ms

inP

ICS

and

ICE

LPO

sw

ould

onl

ybe

abl

eto

adm

inis

ter

auth

oriz

atio

nsfo

rIC

Esy

stem

s

Info

rmat

ion

Tech

nolo

gy

Acc

ount

man

agem

enti

sha

ndle

dby

a

num

ber

ofd

iffer

entg

roup

sac

ross

U

SCIS

A

lthou

ghth

ere

isa

nef

fort

to

cent

raliz

eac

coun

tman

agem

ent

lo

cala

ndr

egio

nalo

ffic

eso

fUSC

IS

have

his

tori

cally

don

eth

eir

own

ac

coun

tman

agem

ent

Ifan

acc

ount

has

not

bee

nus

edfo

ra

cert

ain

peri

odo

ftim

eit

isa

uto

mat

ical

lyd

isab

led

The

tim

epe

riod

st

ated

by

vari

ous

inte

rvie

wee

sva

rie

dfr

om3

06

0o

r90

days

CERT | SOFTWARE ENGINEERING INSTITUTE | 78

Sugg

este

dCo

unte

rmea

sure

s

Six

insi

ders

doc

umen

ted

inth

eCE

RTIn

side

rTh

reat

Cas

eda

ta

base

wer

eab

leto

car

ryo

utth

eir

illeg

ala

ctiv

ities

bec

ause

ofldquo

priv

ile

gec

reep

rdquoU

SCIS

sho

uld

revi

ew

acco

untm

anag

emen

tpro

ce

dure

sto

ens

ure

that

the

step

scu

rren

tlyta

ken

tor

emov

eor

al

ter

acco

unta

cces

sar

eco

m

plet

ean

dbe

ing

cons

iste

ntly

fol

low

ed

Inp

artic

ular

the

pro

ce

dure

sus

edw

hen

som

eone

ch

ange

slo

catio

nso

rde

part

m

ents

with

inU

SCIS

sho

uld

be

exam

ined

A

sem

ploy

ees

tran

sfe

rth

roug

hout

an

agen

cyt

hey

shou

ldn

otb

eac

cum

ulat

ing

priv

ile

ges

The

ysh

ould

onl

yre

tain

pr

ivile

ges

com

men

sura

tew

ith

thei

rjo

bre

spon

sibi

litie

s

Twel

vep

erce

nt(4

6)o

fthe

insi

der

sdo

cum

ente

din

the

CERT

In

side

rTh

reat

Cas

eda

taba

seu

sed

syst

ema

dmin

istr

ator

pri

vile

ges

tos

abot

age

syst

ems

ord

ata

sh

ared

acc

ount

sw

ere

used

by

insi

ders

follo

win

gte

rmin

atio

nin

Polic

yor

Pra

ctic

eG

aps

The

issu

eof

acc

ount

man

agem

entf

or

empl

oyee

tran

sfer

sis

not

bei

nga

d

dres

sed

ina

con

sist

entm

anne

rT

he

O

ITr

elie

son

not

ifica

tion

bye

ither

the

ne

wo

rol

dsu

perv

isor

whe

nan

em

ploy

eetr

ansf

ers

but

ther

eha

veb

een

ca

ses

inU

SCIS

inw

hich

em

ploy

ees

have

ret

aine

dac

cess

whe

nth

ey

shou

ldn

oth

ave

Th

ough

itw

ould

req

uire

phy

sica

lac

cess

toa

USC

ISm

achi

net

hatf

orm

er

Polic

yan

dor

Sec

urit

yM

easu

re

Whe

nan

em

ploy

eem

oves

from

one

po

sitio

nto

ano

ther

or

tran

sfer

sto

an

othe

rdep

artm

ent

the

man

age

men

tin

thos

ede

part

men

tsm

ust

initi

ate

the

requ

ired

com

pute

rac

coun

tcha

nges

Ther

ear

eop

erat

ing

syst

emim

ages

us

edth

roug

hout

USC

ISth

atp

erm

itan

adm

inis

trat

orto

inst

alla

sta

nda

rdc

onfig

urat

ion

ofa

nop

erat

ing

syst

ema

nda

ccom

pany

ing

soft

war

e

Resp

onsi

ble

Pers

onne

l

USC

ISL

eade

rshi

p In

form

atio

nTe

chno

logy

Info

rmat

ion

Tech

nolo

gy

Are

aof

Con

cern

Chan

ging

Pas

sw

ord

ofS

hare

dA

ccou

ntU

pon

Term

inat

ion

CERT | SOFTWARE ENGINEERING INSTITUTE | 79

Sugg

este

dCo

unte

rmea

sure

s

14c

ases

A

lthou

gha

nad

min

is

trat

orw

ould

nee

dph

ysic

ala

cce

ssto

ap

iece

ofe

quip

men

t

The

lack

ofc

onsi

sten

cya

nd

awar

enes

sof

the

stan

dard

pro

ce

dure

sm

ayp

erm

itth

eac

coun

tof

an

insi

der

tob

eus

edfo

llow

ing

term

inat

ion

Term

inat

ing

acco

unts

eve

n2

wee

ksfo

llow

ing

term

inat

ion

may

Polic

yor

Pra

ctic

eG

aps

adm

inis

trat

orw

ould

hav

ead

min

istr

ato

rri

ghts

toG

FE

Itis

cle

arfr

omin

terv

iew

sw

ithU

SCIS

pe

rson

nelt

hata

sin

gle

proc

ess

isn

ei

ther

und

erst

ood

norf

ollo

wed

for

dis

ab

ling

acco

unts

follo

win

gan

em

pl

oyee

orc

ontr

acto

rte

rmin

atio

n

The

proc

edur

esu

sed

are

notc

onsi

ste

ntb

etw

een

supe

rvis

ors

orfi

eld

of

fices

and

for

fede

rale

mpl

oyee

sve

rsu

sco

ntra

ctor

sS

omet

imes

the

exit

clea

ranc

efo

rmm

akes

itto

the

OIT

an

dso

met

imes

itd

oes

not

The

OIT

rsquos

task

ism

ade

even

mor

edi

ffic

ultb

yth

efa

ctth

atit

wou

ldn

eed

tok

now

ex

actly

whi

cha

ccou

nts

anin

divi

dual

ha

sac

cess

to

Thou

ghth

isp

roce

ssis

fair

lye

ffec

tive

it

pote

ntia

llya

llow

sun

auth

oriz

ed

Polic

yan

dor

Sec

urit

yM

easu

re

The

OIT

typi

cally

isn

otifi

edo

fan

acco

untt

erm

inat

ion

ino

neo

fthr

ee

way

s

1)A

sta

ndar

dfo

rmc

alle

dan

exi

tcl

eara

nce

form

is

dist

ribu

ted

and

sign

edb

yot

her

part

ies

suc

has

Hu

man

Res

ourc

esa

ndth

eO

ffic

eof

Se

curi

tya

ndIn

tegr

ity(O

SI)

Thi

sfo

rmle

tsth

eO

ITk

now

that

an

em

ploy

eersquos

acc

ount

ssh

ould

be

dis

able

dor

term

inat

ed

2)T

hes

uper

viso

rof

the

depa

rtin

gem

ploy

eec

onta

cts

the

OIT

dire

ctly

an

din

form

sth

emo

fthe

em

ploy

eersquos

de

part

ure

3)

Whe

na

cont

ract

oris

invo

lved

it

is

the

resp

onsi

bilit

yof

the

COTR

to

info

rmth

eO

IT

The

OIT

rec

eive

san

ldquoat

triti

onli

strdquo

ever

y2

wee

ks

Whe

nth

isli

stis

re

Resp

onsi

ble

Pers

onne

l

USC

ISL

eade

rshi

p In

form

atio

nTe

chno

logy

H

uman

Res

ourc

es

Info

rmat

ion

Tech

nolo

gy

Are

aof

Con

cern

Dis

ablin

gA

ccou

nts

orC

onne

ctio

ns

Upo

nEm

ploy

ee

Term

inat

ion

CERT | SOFTWARE ENGINEERING INSTITUTE | 80

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sH

uman

Res

ourc

es

ceiv

eda

man

ualc

heck

isd

one

to

ensu

reth

ate

mpl

oyee

sw

hoh

ave

depa

rted

inth

ela

st2

wee

ksh

ave

thei

rac

coun

tacc

ess

dele

ted

acce

ssfo

r2

wee

ksfo

llow

ing

term

ina

tion

Bec

ause

this

isa

man

ualp

roc

ess

ther

eis

cur

rent

lyn

oau

tom

atic

w

ayto

ens

ure

that

ith

appe

ns

USC

IS

pers

onne

lcite

dan

inst

ance

inw

hich

th

ese

proc

edur

esfa

iled

for

ane

m

ploy

eew

how

aste

rmin

ated

as

aco

ntr

acto

ran

dla

ter

hire

das

afe

dera

lem

ploy

ee

notb

een

ough

top

reve

ntu

nau

thor

ized

orc

rimin

ala

ctiv

ity

As

soon

as

HR

isa

war

eof

the

chan

gea

mor

eau

tom

ated

m

echa

nism

ofd

elet

ing

thes

eac

coun

tss

houl

dbe

impl

em

ente

d
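The termination and transfer rows above describe a manual check, run against a biweekly attrition list, that departed personnel no longer hold enabled accounts, and they recommend a more automated mechanism. The following is an added example of what such an automated reconciliation looks like; it is not code from the CERT/SEI report or from USCIS. The record layouts, field names, the 90-day dormancy threshold and all roster and account data are constructed assumptions. It also covers the failure mode the report cites: an appointment that ended (a contractor record) while the same person holds a newer active appointment, so the reconciliation keys on the appointment that authorized each account, not on the person.

```python
"""Automated reconciliation of system accounts against HR personnel records.

Added example, not from the CERT/SEI report or USCIS. Record layouts, field
names, thresholds and all data below are constructed assumptions.
"""
from datetime import date, timedelta

# Constructed HR roster. One row per appointment, so a person who left as a
# contractor and returned as a federal employee has two rows; the account that
# belonged to the ended appointment must still be disabled.
HR_ROSTER = [
    {"record_id": "C-1001", "person": "a.alvarez", "status": "terminated", "end_date": date(2010, 11, 1)},
    {"record_id": "F-2001", "person": "a.alvarez", "status": "active", "end_date": None},
    {"record_id": "F-2002", "person": "b.baker", "status": "active", "end_date": None},
    {"record_id": "F-2003", "person": "c.chen", "status": "leave", "end_date": None},
    {"record_id": "F-2004", "person": "d.diaz", "status": "terminated", "end_date": date(2010, 12, 3)},
]

# Constructed account inventory, as an account administrator might export it.
# hr_record links the account to the appointment it was created for; None
# means nobody recorded who authorized the account.
ACCOUNTS = [
    {"account": "aalvarez_ctr", "system": "CLAIMS3", "hr_record": "C-1001", "enabled": True, "last_login": date(2010, 12, 9)},
    {"account": "aalvarez", "system": "CLAIMS3", "hr_record": "F-2001", "enabled": True, "last_login": date(2010, 12, 10)},
    {"account": "bbaker", "system": "PICS", "hr_record": "F-2002", "enabled": True, "last_login": date(2010, 8, 1)},
    {"account": "cchen", "system": "CLAIMS4", "hr_record": "F-2003", "enabled": True, "last_login": date(2010, 12, 8)},
    {"account": "ddiaz", "system": "CLAIMS3", "hr_record": "F-2004", "enabled": False, "last_login": date(2010, 12, 1)},
    {"account": "svc_legacy01", "system": "CLAIMS3", "hr_record": None, "enabled": True, "last_login": date(2009, 5, 20)},
]

DORMANT_AFTER = timedelta(days=90)  # assumed; interviewees cited 30, 60 or 90 days


def _finding(acct, reason, detail):
    return {"account": acct["account"], "system": acct["system"],
            "reason": reason, "detail": detail}


def reconcile(accounts, roster, today, dormant_after=DORMANT_AFTER):
    """Return findings for enabled accounts that should not be enabled.

    Each finding carries a reason code (TERMINATED_OWNER, NO_HR_RECORD,
    ON_LEAVE, DORMANT) and a human-readable detail. Disabled accounts are
    skipped: they are already in the state the check is meant to produce.
    """
    records = {r["record_id"]: r for r in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        rec = records.get(acct["hr_record"])
        if rec is None:
            findings.append(_finding(acct, "NO_HR_RECORD",
                                     "no personnel record authorizes this account"))
        elif rec["status"] == "terminated":
            overdue = (today - rec["end_date"]).days
            findings.append(_finding(acct, "TERMINATED_OWNER",
                                     f"appointment {rec['record_id']} ended {overdue} days ago"))
        elif rec["status"] == "leave":
            findings.append(_finding(acct, "ON_LEAVE",
                                     "owner on leave of absence; suspension decision required"))
        # Dormancy is checked independently of the owner's status.
        if today - acct["last_login"] > dormant_after:
            findings.append(_finding(acct, "DORMANT",
                                     f"last login {(today - acct['last_login']).days} days ago"))
    return findings


def disable_list(findings):
    """Accounts to disable outright: terminated owner or no authorizing record."""
    return sorted({f["account"] for f in findings
                   if f["reason"] in ("TERMINATED_OWNER", "NO_HR_RECORD")})


def example_findings(today=date(2010, 12, 10)):
    """Run the check over the constructed data for a fixed 'today'."""
    return reconcile(ACCOUNTS, HR_ROSTER, today)


if __name__ == "__main__":
    found = example_findings()
    for f in found:
        print(f"{f['system']:8} {f['account']:14} {f['reason']:17} {f['detail']}")
    print("disable:", disable_list(found))
```

Run on the constructed data, the check flags the ended contractor appointment's account even though the same person's federal account is in good standing, an account with no authorizing record, a dormant account, and an account whose owner is on leave (reported for a decision rather than disabled automatically, matching the leave-of-absence policy gap the report raises). Feeding it the HR feed on each change, rather than a biweekly list, is what turns the manual check into the automated mechanism the countermeasure asks for.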

Area of Concern: Disabling Accounts or Connections During Employee Leave of Absences
Responsible Personnel: Information Technology, Human Resources
Policy and/or Security Measure: LPOs work in their respective regions or offices and are decentralized by nature. The policies and procedures followed often depend on how things have been done historically in that particular office.
Policy or Practice Gaps: Because account authorization procedures are not standardized throughout all organizations using the PICS, LPOs across the entire USCIS enterprise have not been consistent in how they have handled account deletion following employee termination. There is no official guidance or practice in the proper way to suspend access for an employee on a leave of absence. In one case provided by USCIS, an employee retained access to critical systems even after being placed on an administrative leave of absence.
Suggested Countermeasures: USCIS should continue its efforts to centralize or reduce the number of LPOs in order for standard procedures to be followed. If this cannot be accomplished, standard procedures should be published, instructed, and consistently enforced. A few insiders documented in the CERT Insider Threat Case database retained access to organization systems while on a leave of absence and used that access to steal information or commit fraud. USCIS should implement a policy to outline exactly what should be done when a government employee or contractor goes on a leave of absence, considering the risks versus benefits of allowing system access.

Area of Concern: Sharing Account and Password Information
Responsible Personnel: Information Technology
Policy or Practice Gaps: Although concern has been expressed about the existence of these accounts, the business justification has taken precedence over the risk being assumed.
Suggested Countermeasures: Access to these accounts should be carefully documented and tracked so that credentials can be changed if someone in that restricted group no longer warrants access.

Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure that network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors have not been through the rigorous pre-employment screening required of USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Area of Concern: Access Control: Foreign Service Nationals
Responsible Personnel: Information Technology, Human Resources, Office of Security and Integrity
Policy and/or Security Measure: Currently, a Foreign Service National (FSN) requiring access to USCIS systems submits paperwork, including a waiver, through the USCIS director and the CIO and CSO of DHS.
Policy or Practice Gaps: Although the assessment team was able to get limited visibility into this practice, it seems to be aligned with the policy. If true, it has given USCIS and DHS better visibility into this activity.
Suggested Countermeasures: The practice should be continued and expanded as needed to inform all relevant USCIS personnel.

Area of Concern: Access Control: Foreign Service Nationals (continued)
Responsible Personnel: Information Technology, Human Resources, Personnel Security, Office of Security and Integrity
Policy and/or Security Measure: When FSNs require access to USCIS systems in embassies and consulates abroad, they are vetted by the US Department of State.
Policy or Practice Gaps: Because the US Department of State is performing the vetting process, USCIS has very little control or visibility into the process for granting FSNs access to USCIS systems and networks. Interviewees stated that in some cases FSNs have administrative control over some systems and that in other cases they are serving as information system security officers (ISSOs).
Suggested Countermeasures: USCIS should gain a better understanding of the US Department of State's vetting process and clarify its own requirements for granting and tracking access for FSNs to USCIS systems. If continued access is required, the procedures to document and control that access should be negotiated with the US Department of State and consistently enforced.

Area of Concern: Access Control: Foreign Service Nationals (continued)
Responsible Personnel: Information Technology
Policy and/or Security Measure: Once a traditional user account is created, there is little to no way to distinguish an FSN account from one belonging to a US citizen.
Policy or Practice Gaps: Because an FSN account is not distinguishable from other accounts, it would be extremely difficult to associate specific online activities with accounts belonging to FSNs. Email addresses appear the same, and violation activities would not easily be attributed to an FSN.
Suggested Countermeasures: USCIS should consider whether or not it wants the ability to distinguish what online activities and accesses FSNs are engaging in. If so, it should incorporate those steps into the procedures mentioned above.

Area of Concern: Access Control: Foreign Service Nationals (continued)
Responsible Personnel: Information Technology
Policy and/or Security Measure: DHS is in the process of building a secure intranet called OneNet, which will better enable information sharing among DHS components. This project will be enabled by interconnection agreements between segments.
Policy or Practice Gaps: Once the appropriate interconnection agreements are in place, it will be harder to restrict access for FSNs to specific systems (e.g., SharePoint).
Suggested Countermeasures: USCIS should make a determination about whether or not FSN access should be any different from other similar accounts of US citizens. If the lack of restrictions is unacceptable, that issue should be brought to DHS personnel responsible for implementing the OneNet solution.

Area of Concern: Access Controls
Policy and/or Security Measure: There are business processes and resources (e.g., PICS, CLAIMS 3, and CLAIMS 4) that are shared with ICE. This partnership is an artifact of the past and current relationships between departments within DHS.
Policy or Practice Gaps: For these shared resources to function properly, they require careful coordination, which does not take place in all cases. For example, USCIS does not receive a copy of the formal access request submitted to ICE for an ICE employee to access a USCIS system.
Suggested Countermeasures: USCIS should carefully document what access is being granted to any parties external to USCIS. If additional coordination is required, it should be done with the relevant departments of DHS.

Area of Concern: Access Controls (continued)
Policy and/or Security Measure: For certain information systems, local and remote logins are not permitted between the hours of 11:30 pm and 6:00 am.
Policy or Practice Gaps: This practice closely adheres to the policy for specific systems.
Suggested Countermeasures: Enforcing a mandatory access period may help ensure that a malicious insider is not using systems when supervision is lessened. Eight percent (29) of the insiders documented in the CERT Insider Threat Case database used access outside of normal working hours to carry out their illicit activities.

Area of Concern: Access Controls (continued)
Policy and/or Security Measure: When an employee attempts to log in to a restricted system during off-peak hours, an automatic email notice is sent by the OIT to persons in the employee's management chain of command.
Policy or Practice Gaps: This practice is not consistent across all systems and is not part of other incident response procedures.
Suggested Countermeasures: USCIS should consider implementing this practice into the larger system of incident response to include correlation with other events and over a period of time.
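The two rows above describe a restricted-hours rule and a per-attempt email notice, and recommend folding the notice into incident response with correlation against other events and over a period of time. The following is an added example, not code from the CERT/SEI report or from USCIS, of detection logic that does both: it raises a notice for each off-hours login attempt on a restricted system, then escalates when a user repeats the pattern within a window or when bulk activity follows an off-hours login. The key=value log format, the choice of restricted systems, the thresholds and all log lines are constructed assumptions; only the 11:30 pm to 6:00 am window comes from the report.

```python
"""Off-hours login notices with correlation over time and across events.

Added example, not from the CERT/SEI report or USCIS. Log format, system
names, thresholds and all log lines below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample audit records: ISO timestamp followed by key=value pairs.
LOG_LINES = [
    "2010-12-01T23:45:00 system=CLAIMS3 user=bbaker event=login result=success src=10.1.4.22",
    "2010-12-01T23:52:10 system=CLAIMS3 user=bbaker event=export records=1200",
    "2010-12-02T14:05:00 system=CLAIMS3 user=cchen event=login result=success src=10.1.4.31",
    "2010-12-05T00:12:33 system=CLAIMS3 user=bbaker event=login result=success src=10.1.4.22",
    "2010-12-08T01:30:00 system=CLAIMS4 user=bbaker event=login result=success src=10.1.4.22",
    "2010-12-08T02:00:00 system=PICS user=ddiaz event=login result=success src=10.1.9.5",
    "2010-12-09T05:59:00 system=CLAIMS3 user=eevans event=login result=failure src=10.1.4.40",
    "2010-12-09T06:00:00 system=CLAIMS3 user=cchen event=login result=success src=10.1.4.31",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
RESTRICTED_SYSTEMS = {"CLAIMS3", "CLAIMS4"}   # assumed: systems with the off-hours rule
WINDOW_START = time(23, 30)                    # inclusive (from the report)
WINDOW_END = time(6, 0)                        # exclusive (from the report)
BULK_EVENTS = {"export", "bulk_query"}         # assumed event names worth correlating


def parse(lines):
    """Parse log lines into dicts sorted by time; malformed lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def is_off_hours(ts):
    """True if ts falls in the overnight window, which wraps past midnight."""
    t = ts.time()
    return t >= WINDOW_START or t < WINDOW_END


def analyze(events, repeat_threshold=3, repeat_window=timedelta(days=14),
            follow_window=timedelta(hours=2)):
    """Return per-attempt notices plus the escalations that correlation adds."""
    notices, escalations = [], []
    by_user = defaultdict(list)
    for e in events:
        # Attempts count whether or not they succeeded, as the notice does.
        if (e.get("event") == "login" and e.get("system") in RESTRICTED_SYSTEMS
                and is_off_hours(e["ts"])):
            notices.append({"user": e["user"], "system": e["system"],
                            "ts": e["ts"], "result": e.get("result")})
            by_user[e["user"]].append(e)

    for user, logins in by_user.items():
        # Over a period of time: repeat_threshold off-hours logins inside
        # repeat_window is a pattern, not a one-off. Logins are time-sorted.
        for i in range(len(logins) - repeat_threshold + 1):
            span = logins[i + repeat_threshold - 1]["ts"] - logins[i]["ts"]
            if span <= repeat_window:
                escalations.append({"user": user, "why": "repeated off-hours logins",
                                    "count": repeat_threshold, "first": logins[i]["ts"]})
                break
        # Against other events: bulk activity on the same system shortly
        # after an off-hours login by the same user.
        for login in logins:
            for e in events:
                if (e.get("user") == user and e.get("system") == login["system"]
                        and e.get("event") in BULK_EVENTS
                        and login["ts"] <= e["ts"] <= login["ts"] + follow_window):
                    escalations.append({"user": user, "why": "off-hours login followed by bulk activity",
                                        "login": login["ts"], "event": e["ts"]})
    return {"notices": notices, "escalations": escalations}


def example():
    """Run the detection over the constructed log lines."""
    return analyze(parse(LOG_LINES))


if __name__ == "__main__":
    result = example()
    for n in result["notices"]:
        print("NOTICE  ", n["ts"], n["user"], n["system"], n["result"])
    for x in result["escalations"]:
        print("ESCALATE", x["user"], x["why"])
```

On the constructed lines the logic produces four notices (three for one user plus one failed attempt at 05:59, while the 06:00 login and the login on a system outside the rule produce none) and two escalations for the same user: three off-hours logins within 14 days, and an export within two hours of an off-hours login. The notices are what the existing email practice already sends; the escalations are what the report means by correlating that signal with other events and over a period of time.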

Area of Concern: Access Privileges – General
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: At the Vermont Service Center, OIT staff are the only ones present late at night. As part of their duties, they also have electronic access to the CLAIMS 3 information system.
Policy or Practice Gaps: As a function of the electronic access and the physical layout of the Service Center, OIT personnel have access to CLAIMS 3 as well as the physical files in the building.
Suggested Countermeasures: USCIS should consider the minimum level of access (least privilege) needed for all personnel to accomplish their job duties. Thirteen percent (49) of the insiders documented in the CERT Insider Threat Case database violated a need to know in order to perpetrate their crimes, including stealing PII and proprietary information. In addition, several insiders committed their crimes while working on the night shift, where they enjoyed a reduced level of scrutiny. Unrestricted electronic and physical access to such high-risk data and systems outside of normal working hours presents a high degree of risk to USCIS.

Area of Concern: Access Privileges – General (continued)
Policy and/or Security Measure: The US Department of State Consular Affairs network grants access to FSNs working in embassies and consulates, and it connects to USCIS systems.
Policy or Practice Gaps: According to one interviewee, some FSNs on the Consular Affairs network are suspected to be working for arms of foreign intelligence or security agencies. USCIS has used technical methods (e.g., firewalls) to ensure that USCIS systems are protected from any interconnections with the US Department of State's networks.
Suggested Countermeasures: Since USCIS cannot determine what access the US Department of State grants to FSNs on its systems, USCIS should continue to use technical measures to prevent unauthorized access while working with counterintelligence personnel to deal with suspected foreign agents working around US government facilities.

Area of Concern: Access Privileges – System Administrator
Responsible Personnel: Information Technology, Office of Security and Integrity
Policy and/or Security Measure: There is a single person who has the knowledge of and responsibility for administering the voicemail systems.
Policy or Practice Gaps: This single point of failure makes it difficult to recover from a malicious act on this particular system.
Suggested Countermeasures: A few insiders in the cases analyzed by CERT used their unrevoked access to the organization's phone system to harm the organization. In one case, the entire customer service voicemail system was redirected to a pornographic phone site. In another, derogatory comments about the organization were recorded and played for every voicemail box. USCIS should place additional staff in the role of administrators for the USCIS voicemail system. This would allow USCIS to implement some form of separation of duties, or at the very least minimal checks and balances, to prevent tampering with the voicemail system. USCIS should ensure that it manages accounts and passwords for internal systems, such as voicemail, as well as external accounts. One insider documented in the CERT Insider Threat Case database changed the domain name system registry for his organization's website so that visitors were sent to a pornographic website. These types of accounts are used very infrequently and are often not included in formal termination procedures.

Area of Concern: Management of Remote Access
Responsible Personnel: Information Technology, Security Network Operations Center
Policy and/or Security Measure: Port security would prevent a user from connecting a personal machine directly to a USCIS network. This security mechanism is handled by the SNOC. Remote access, on the other hand, is handled by DHS. USCIS has access to very limited information, including logs for remote connections, because of contract stipulations with Sprint.
Policy or Practice Gaps: Although connecting a personal laptop to a USCIS network via a remote connection may or may not be blocked, the SNOC was not confident it would be blocked because it does not control that access. It is possible that a user could connect with a personal machine if DHS allowed it. The assessment team received conflicting opinions about whether a personal machine could be connected with a remote account.
Suggested Countermeasures: USCIS should coordinate with DHS personnel to ensure that desired USCIS security policies are enforced for personnel accessing USCIS systems and data. Seven percent (26) of the insiders documented in the CERT Insider Threat Case database were able to attack in part because of insufficient monitoring of external access.

Area of Concern: Management of Remote Access (continued)
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: The contractors responsible for VIS have implemented a strict access control solution with Firepass, and it appears to accomplish its goal of ensuring that only the proper personnel are granted access and that they perform authorized actions once they are connected.
Policy or Practice Gaps: Unfortunately, they are the only contractors and system using Firepass, and it will not be used once the move is made to Stennis Space Center. They are unsure of what controls will be used at Stennis.
Suggested Countermeasures: Implementing a Firepass solution for all USCIS systems might not be cost effective. USCIS management should at least examine the risk posed to the most critical systems and implement a Firepass-like solution for those that require remote access. As stated above, one in ten insiders documented in the CERT Insider Threat Case database used the creation of unknown paths into organization systems; proper measures might have prevented many of those instances.

Area of Concern: Non-System Administrators With Authorized Access to Administrator Accounts
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: According to one interviewee, FSNs are system administrators on some US Department of State systems in embassies or consulates abroad. The US Department of State has authorized access for some FSNs to some USCIS systems needed for the performance of their duties.
Policy or Practice Gaps: An FSN who is a system administrator for US Department of State systems does not necessarily have administrator rights on USCIS systems. One interviewee expressed concern, however, that an administrator who is a citizen of a foreign country could escalate privileges or use social engineering tactics to gain unauthorized access to USCIS systems.
Suggested Countermeasures: Ten percent (39) of insiders documented in the CERT Insider Threat Case database took advantage of insufficient access controls to conduct their crimes. USCIS should examine USCIS systems access for US Department of State system administrators as well as how those connections are monitored or logged. They should also work with the US Department of State to understand its processes for granting FSNs ac
cess

toU

SD

epar

tmen

t

ofS

tate

sys

tem

s

CERT | SOFTWARE ENGINEERING INSTITUTE | 90

Are

aof

Con

cern

Re

spon

sibl

ePe

rson

nel

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

s

U

SCIS

Lea

ders

hip

Ther

ear

ecu

rren

tlyn

olim

itso

nTh

ela

cko

flim

itsp

lace

don

req

uest

Th

ere

shou

ldb

elo

gica

lcon

trol

s

w

hich

Af

iles

ana

djud

icat

orc

anr

ein

gA

file

sin

NFT

Sm

aya

llow

adj

udi

tod

etec

tldquoex

trao

rdin

aryrdquo

or

sus

Info

rmat

ion

Tech

nolo

gy

ques

tin

the

Nat

iona

lFile

Tra

ckin

gca

tors

tor

eque

sta

file

by

nam

eev

en

pici

ous

file

tran

sfer

req

uest

sI

n

Syst

em(N

FTS)

if

they

sho

uld

notb

eac

cess

ing

that

on

eU

SCIS

cas

eth

ein

side

rre

fil

e

ques

ted

afil

etr

ansf

erto

ar

egio

nfo

ran

indi

vidu

alw

hose

file

sw

ere

ina

noth

err

egio

nan

dw

hose

form

sha

dbe

enp

revi

ousl

yde

ni

ed

CERT | SOFTWARE ENGINEERING INSTITUTE | 91
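The "extraordinary request" control suggested for NFTS above can be expressed as a small rule set over file transfer requests. The following is an added example, not code from the report or from USCIS; the record layout (A-number, home region, prior denials, case assignments) and the escalation threshold are assumptions, not the NFTS schema.

```python
"""Logical controls for "extraordinary" A-file transfer requests.

Added example, not code from the OIG/CERT report or from USCIS. The record
layout (A-number, home region, prior denials, case assignments) is assumed
for illustration and is not the real NFTS schema.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class AFile:
    a_number: str        # file identifier (constructed values below)
    home_region: str     # region whose office currently holds the file
    prior_denials: int   # number of the subject's forms previously denied


@dataclass(frozen=True)
class TransferRequest:
    request_id: str
    requester: str           # adjudicator user id
    requester_region: str    # region of the adjudicator's office
    destination_region: str  # region the file is to be sent to
    a_number: str


def indicators(req: TransferRequest, afile: AFile, assigned: Set[str]) -> List[str]:
    """Indicators tripped by one request. The home-region and prior-denial
    checks come from the case in the report; the assignment check addresses
    the "request by name" gap (an adjudicator should normally only pull files
    on cases assigned to them); the destination check flags files routed
    somewhere other than the requester's own office."""
    hits = []
    if req.destination_region != afile.home_region:
        hits.append("transfer out of the file's home region")
    if req.destination_region != req.requester_region:
        hits.append("destination is not the requester's own office")
    if afile.prior_denials > 0:
        hits.append("subject has previously denied forms")
    if req.a_number not in assigned:
        hits.append("file is not on a case assigned to the requester")
    return hits


def review_queue(requests: Iter[TransferRequest] if False else Iterable[TransferRequest],
                 files: Dict[str, AFile], assignments: Dict[str, Set[str]],
                 min_hits: int = 2) -> Dict[str, List[str]]:
    """request_id -> indicators, for requests tripping at least `min_hits`.
    A lone indicator (e.g. a routine cross-region move on an assigned case)
    is not escalated, so the queue stays small enough to review by hand."""
    queue: Dict[str, List[str]] = {}
    for req in requests:
        afile = files.get(req.a_number)
        if afile is None:
            queue[req.request_id] = ["unknown A-number"]   # always reviewed
            continue
        hits = indicators(req, afile, assignments.get(req.requester, set()))
        if len(hits) >= min_hits:
            queue[req.request_id] = hits
    return queue


# Constructed sample data: not real A-numbers, regions or user ids.
FILES = {
    "A100000001": AFile("A100000001", home_region="SW", prior_denials=2),
    "A100000002": AFile("A100000002", home_region="NE", prior_denials=0),
}
ASSIGNMENTS = {"adj_smith": {"A100000002"}, "adj_jones": set()}
REQUESTS = [
    # routine: own region, assigned case, no denials -> no indicators
    TransferRequest("REQ-1", "adj_smith", "NE", "NE", "A100000002"),
    # the pattern from the report: file held in another region, subject
    # previously denied, case not assigned to the requester -> 3 indicators
    TransferRequest("REQ-2", "adj_smith", "NE", "NE", "A100000001"),
    # single indicator (not assigned) -> logged but not escalated
    TransferRequest("REQ-3", "adj_jones", "NE", "NE", "A100000002"),
]

if __name__ == "__main__":
    for rid, hits in review_queue(REQUESTS, FILES, ASSIGNMENTS).items():
        print(rid, "->", "; ".join(hits))
```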

Area of Concern: Protection of Controlled Information; Data Download to Media
Responsible Personnel: Information Technology

The unauthorized exfiltration of controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is ... threat risk to organizations. A variety of insider threat cases studied by CERT ... through the download of information to portable media or ... unauthorized ... attacks, or to communicate sensitive information ... to competitors or conspirators. Organizations ... employees ... resources, including information assets ... what constitutes acceptable use of company ... policies regarding what ... technical means ... can have devastating effects on an organization. Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. In some instances, malicious insiders used ... storage devices ... amounts of data downloaded ... through ... an anomalous increase in network ... implemented network monitoring strategies that would detect large ... network traffic by total volume or type of traffic (e.g., by either port or protocol) ... monitoring network traffic ... help protect controlled ...

CERT | SOFTWARE ENGINEERING INSTITUTE | 92

Area of Concern: Data Download From Home
Policy and/or Security Measure: There is a policy ... against using personally owned computer equipment to perform official duties ... Telework should only be done with Government-furnished equipment (GFE) ...
Policy or Practice Gaps: A case from the USCIS CT Task Force showed that ... performed a significant amount of official business, including ... on his personal laptop ... personal email ... on his personal system ...
Suggested Countermeasures: 1) Exceptions ... that are technically ... should be ... 2) If USB ... devices ... should be logged ... security awareness campaign ... employees ... sign ...

CERT | SOFTWARE ENGINEERING INSTITUTE | 93

(continued from the previous page) ...velop a system that he was rewarded for producing. There are no technical controls to catch this activity unless the device is physically plugged into the network.

Area of Concern: Protecting Critical Files
Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC responds to spills of PII, which occur on a weekly basis. The information about the incident is transferred from the data owner who becomes aware of the spill to the OSI, which creates a Serious Incident Report (SIR) that it forwards to the Privacy Officer and finally to the SNOC. The response effort to a PII spillage involves many parties and appears to be a complicated process for an event that happens on a weekly basis. Though these spillages are accidental events, ...
Policy or Practice Gaps: USCIS responds to PII spillages often enough that its staff is well versed in response procedures. Unfortunately, the frequency with which incidents occur and the response procedures in place do not seem to reduce the number of incidents or provide automated detection when spillage occurs.

CERT | SOFTWARE ENGINEERING INSTITUTE | 94

Responsible Personnel: Information Technology
Policy and/or Security Measure: Access to network resources is terminated immediately when a spill or misconduct is suspected.
Policy or Practice Gaps: This practice appears to be done consistently.
Suggested Countermeasures: USCIS should continue this practice as part of its incident response procedures. Incorporating an appropriate level of monitoring would also be a prudent measure.

Audit, Monitoring, Backup, Recovery

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats. Preventing insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

CERT | SOFTWARE ENGINEERING INSTITUTE | 95

In addition, the SNOC lacks the resources to focus on monitoring for suspicious insider activity, focusing instead primarily on protection from external incidents.

Area of Concern: Modification/Disabling Log Files
Responsible Personnel: Information Technology
Policy and/or Security Measure: Log files are accessible by the domain administrators and system administrators of each respective system.
Suggested Countermeasures: USCIS should send critical logs to a centralized log server and protect the log files to permit a forensic reconstruction of network or host based events. Although six percent (23) of the insiders documented in the CERT Insider Threat Case database were able to modify or disable log files, ...

CERT | SOFTWARE ENGINEERING INSTITUTE | 96

Area of Concern: Monitoring Suspicious Activity
Responsible Personnel: Information Technology
Policy or Practice Gaps: The lack of consistency for what is logged across USCIS servers, systems, applications, and workstations is concerning. ... are sometimes limited to 24 hours or less of collection. Several parties addressed the fact that IT personnel must be able to physically reach a machine in a timely fashion if they hope to capture logs related to an incident. This assumption makes it likely that critical log information will be missed.

CERT | SOFTWARE ENGINEERING INSTITUTE | 97

Responsible Personnel: Information Technology
Policy and/or Security Measure: Database administrators are responsible for monitoring and alerting when data access attempts are made to critical data in USCIS databases.

CERT | SOFTWARE ENGINEERING INSTITUTE | 98

Suggested Countermeasures: USCIS should consider clearly defining the responsibility of database administrators and the SNOC for monitoring, alerting, and responding to unauthorized data access. Once the responsibility is assigned, the appropriate group should diligently prevent, detect, and respond to unauthorized data access, modification, and exfiltration attempts.

Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS has the ability to create inbound firewall rules to filter potentially malicious network traffic. No evidence provided.
Policy or Practice Gaps: Network traffic filtering is happening only on inbound traffic, not outbound traffic. The resources do not exist to examine outbound traffic, only inbound traffic. Furthermore, the intrusion detection systems are not optimized to detect security events.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that monitors and filters inbound and outbound network traffic. This strategy may prevent or detect the unauthorized transfer of USCIS data outside the organization. Many insiders documented in the CERT Insider Threat Case database were able to commit their malicious activities using laptops.
CERT | SOFTWARE ENGINEERING INSTITUTE | 99
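The inbound/outbound monitoring strategy suggested above, combined with the volume-and-port indicators the report mentions for controlled information, can be prototyped over network flow records. This is an added example, not code from the report or from USCIS; the flow-record layout, the 10.0.0.0/8 internal range, the expected egress ports and the 3x baseline threshold are assumptions.

```python
"""Egress-volume and unexpected-port detection over network flow records.

Added example, not code from the OIG/CERT report or from USCIS. The flow
record layout, the 10.0.0.0/8 internal range, the expected egress ports,
the baseline window and the 3x threshold are assumptions for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean
from typing import Dict, Iterable, List, Tuple

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed internal address space
EXPECTED_PORTS = {80, 443, 25}            # assumed normal outbound services

# One flow record: (day, src_ip, dst_ip, dst_port, protocol, bytes_from_src)
Flow = Tuple[str, str, str, int, str, int]


def is_egress(flow: Flow) -> bool:
    """True if the flow leaves the network (internal source, external destination)."""
    _, src, dst, _, _, _ = flow
    return ip_address(src) in INTERNAL_NET and ip_address(dst) not in INTERNAL_NET


def daily_egress(flows: Iterable[Flow]) -> Dict[str, Dict[str, int]]:
    """host -> {day -> bytes sent to external destinations on that day}."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        if is_egress(flow):
            day, src, _, _, _, nbytes = flow
            totals[src][day] += nbytes
    return totals


def volume_anomalies(flows: Iterable[Flow], today: str, factor: float = 3.0,
                     min_bytes: int = 50_000_000) -> Dict[str, Tuple[int, float]]:
    """Hosts whose egress on `today` exceeds `factor` times their mean daily
    egress on earlier days. `min_bytes` is an absolute floor so a host with a
    near-zero baseline does not alert on trivial traffic.
    Returns host -> (today's bytes, baseline bytes)."""
    alerts: Dict[str, Tuple[int, float]] = {}
    for host, days in daily_egress(flows).items():
        today_bytes = days.get(today, 0)
        history = [n for d, n in days.items() if d < today]  # ISO dates sort as strings
        baseline = mean(history) if history else 0
        if today_bytes >= min_bytes and today_bytes > factor * baseline:
            alerts[host] = (today_bytes, baseline)
    return alerts


def unexpected_port_egress(flows: Iterable[Flow], day: str,
                           min_bytes: int = 10_000_000) -> Dict[Tuple[str, int, str], int]:
    """(host, dst_port, protocol) -> bytes, for large egress on `day` over
    ports outside EXPECTED_PORTS (the "type of traffic" indicator)."""
    by_key: Dict[Tuple[str, int, str], int] = defaultdict(int)
    for flow in flows:
        if flow[0] == day and is_egress(flow) and flow[3] not in EXPECTED_PORTS:
            by_key[(flow[1], flow[3], flow[4])] += flow[5]
    return {k: v for k, v in by_key.items() if v >= min_bytes}


# Constructed sample flows (documentation-range addresses; not real traffic).
FLOWS: List[Flow] = []
for d in range(1, 6):   # five days of ordinary HTTPS use by 10.0.1.5
    FLOWS.append((f"2010-12-0{d}", "10.0.1.5", "203.0.113.10", 443, "tcp", 20_000_000))
for d in range(1, 7):   # a busy but steady host
    FLOWS.append((f"2010-12-0{d}", "10.0.1.6", "203.0.113.10", 443, "tcp", 100_000_000))
FLOWS += [
    # day six: 10.0.1.5 pushes 300 MB out over SSH, 15x its baseline
    ("2010-12-06", "10.0.1.5", "198.51.100.7", 22, "tcp", 300_000_000),
    # internal file-share traffic: large, but not egress, so ignored
    ("2010-12-06", "10.0.1.6", "10.0.2.9", 445, "tcp", 900_000_000),
    # new host with no history and a small transfer: below the floor
    ("2010-12-06", "10.0.1.7", "203.0.113.10", 443, "tcp", 30_000_000),
]

if __name__ == "__main__":
    for host, (today_bytes, baseline) in volume_anomalies(FLOWS, "2010-12-06").items():
        print(f"volume alert: {host} sent {today_bytes} bytes (baseline {baseline:.0f})")
    for (host, port, proto), nbytes in unexpected_port_egress(FLOWS, "2010-12-06").items():
        print(f"port alert: {host} -> {proto}/{port}: {nbytes} bytes")
```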

Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC is responsible for determining the root cause of an incident, including using forensic tools to identify affected workstations, desktops, and laptops. Backup testing for many systems occurs once per year. In some cases the backups are only tested with a tabletop exercise and do not use similar or identical hardware to that used in the production environment.
Policy or Practice Gaps: The SNOC has had problems identifying the root cause of an affected workstation or user because of the lack of network forensic applications. Ideally, the SNOC should be able to trace network traffic from source to destination and watch activity. It has a standalone forensic capability but nothing on the network. Tabletop exercises may not give USCIS a true indication of its ability to recover from a systemic failure.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that includes forensic tools to aid investigations. In six percent (22) of the cases documented in the CERT Insider Threat Case database the impact of the crime was magnified because of insufficient backups. When possible, backups should be implemented on similar hardware to ensure that the backup tape is functional and the backup is operational.

CERT | SOFTWARE ENGINEERING INSTITUTE | 100

Area of Concern: Backups
Responsible Personnel: Information Technology
Policy and/or Security Measure: Years of backup tapes are kept on site at the Vermont Service Center, and system administrators have access to these backup files.
Policy or Practice Gaps: Administrators who have access to the backup tapes would be able to ...
Suggested Countermeasures: Backup media should be controlled carefully, documented, and stored off site with limited access. Without those controls, USCIS cannot be sure its backups will give it the ability to recover.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to address known vulnerabilities and ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.

CERT | SOFTWARE ENGINEERING INSTITUTE | 101

Area of Concern: Addressing Known Security Vulnerabilities
Responsible Personnel: Information Technology
Policy and/or Security Measure: The OIT relies on two mechanisms to detect the download of malicious code: 1) DHS monitors the Internet gateway and ... 2) An agent on workstations ... alerts the OIT immediately upon discovery of known malware. The OIT shuts down the port to block malicious code where appropriate. ... also detects ...
Policy or Practice Gaps: The presence of host, perimeter, and ... malware protection puts USCIS in a relatively secure position regarding malicious downloads.

CERT | SOFTWARE ENGINEERING INSTITUTE | 102

Area of Concern: Unmanaged Systems
Responsible Personnel: Information Technology
Policy and/or Security Measure: ...tion of malicious code from USBs and other media. USCIS users have local administrator rights on their own machines. This allows users to install software on their systems. Some authorized software does require administrator rights to install. Some applications actually require administrator rights to run.
Policy or Practice Gaps: A mitigating factor is that the departing employee would need physical access to the system to log in. A user with administrator privileges must not rely solely on automatic mechanisms to safeguard his or her computer. Administrator rights give inadvertently downloaded malware the ability to completely compromise a system, sometimes without the knowledge of the user.
Suggested Countermeasures: Twelve percent (46) of the cases documented in the CERT Insider Threat Case database involve users abusing administrator privileges to sabotage systems or data. Although USCIS users need administrator rights to install or run authorized software, the OIT should consider giving users separate administrator accounts for these explicit purposes. Users could then use non-administrator accounts for their daily work. This would greatly minimize the risk of malware compromise.

CERT | SOFTWARE ENGINEERING INSTITUTE | 103

Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, there have been USCIS employees with seniority or influence who are able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management make it difficult for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: The OIT has a configuration management policy for software configuration baselines. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts.
Policy or Practice Gaps: Despite rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process.
Suggested Countermeasures: Seventeen cases documented in the CERT Insider Threat Case database involve users exploiting the lack or weakness of a configuration management system to carry out their attacks. The OIT could leverage the existing ePO deployment to complement its configuration management efforts. ePO can define a baseline for software applications and alert on any deviations from that baseline.

CERT | SOFTWARE ENGINEERING INSTITUTE | 104

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: In some cases individuals with seniority or influence are able to use administrator privileges to install software for the sake of convenience.
Suggested Countermeasures: USCIS should ensure that configuration policy is consistently communicated and enforced throughout the organization. Even senior leadership should not be able to casually circumvent these policies without going through the proper channels as defined by the configuration management policy.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: Service Centers are responsible for locking down desktops to prevent unauthorized software from running.
Policy or Practice Gaps: The lockdown process relies on human intervention. If call volume to the Service Center is heavy, this may increase response time to an unacceptable level.
Suggested Countermeasures: The OIT should explore ways to automate lockdown of potentially compromised systems. This would require a careful balance of service versus security. On the service side, delayed response by the Service Center may result in loss of productivity. On the security side, delayed response could lead to system compromise. Management should evaluate the risks of a compromise and weigh those risks against the potential consequences of service disruption.

CERT | SOFTWARE ENGINEERING INSTITUTE | 105
CERT | SOFTWARE ENGINEERING INSTITUTE | 106

Appendix H Acronyms

C3-LAN: CLAIMS 3 – Local Area Network
CBP: Customs and Border Protection
CI: Counterintelligence
CIO: Chief Information Officer
CLAIMS: Computer Linked Application Information Management System
CMMI: Capability Maturity Model Integration
COTR: Contracting Officer's Technical Representative
CSC: Computer Sciences Corporation
CSIRT: Computer Security Incident Response Team
CSO: Chief Security Officer
CMU: Carnegie Mellon University
DBA: Database Administrator
DHS: Department of Homeland Security
DOJ: Department of Justice
FBI: Federal Bureau of Investigation
FDNS-DS: Fraud Detection and National Security Data System
FISMA: Federal Information Security Management Act
FSD: Field Security Division
FSN: Foreign Service National
GFE: Government-furnished Equipment
HR: Human Resources
HSPD-12: Homeland Security Presidential Directive 12
ICE: Immigration and Customs Enforcement
ISSO: Information System Security Officer
IT: Information Technology
LER: Labor and Employee Relations
LPO: Local PICS Officer
NCR: National Capital Region
NFTS: National File Tracking System
ODBC: Open Database Connectivity
OIG: Office of Inspector General
OIT: Office of Information Technology
OSI: Office of Security and Integrity
PERSEC: Personnel Security
PICS: Password Issuance and Control System
PII: Personally Identifiable Information
QA: Quality Assurance
SEI: Software Engineering Institute
SIEM: Security Information and Event Management
SIR: Significant Incident Report
SNOC: Security Network Operations Center
TSA: Transportation Security Administration
USB: Universal Serial Bus
USCIS: US Citizenship and Immigration Services
VIS: Verification Information System

Appendix I Management Comments to the Draft Report

Appendix J Contributors to this Report

Software Engineering Institute, Carnegie Mellon University
Insider Threat Center at CERT

Department of Homeland Security Office of Inspector General
Richard Saunders, Director, Advanced Technology Division
Steve Matthews, IT Audit Manager, Advanced Technology Division
Philip Greene, IT Auditor/Team Lead, Advanced Technology Division

Appendix K Report Distribution

Department of Homeland Security
Secretary
Deputy Secretary
Chief of Staff
Deputy Chiefs of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Chief Information Security Officer
USCIS Chief Information Officer
USCIS Chief Information Security Officer
USCIS Audit Liaison Office

Office of Management and Budget
Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress
Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse, or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603
• Fax the complaint directly to us at (202) 254-4292
• Email us at DHSOIGHOTLINE@dhs.gov, or
• Write to us at DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive SW, Building 410, Washington, DC 20528

The OIG seeks to protect the identity of each writer and caller.


Recommendation 6: Conduct audit of PICS and FSN accounts for USCIS systems 23

Recommendation 7: Employ consistent physical security policies for field offices and service centers, including the physical case files 23

Recommendation 8: Consistently enforce exit procedures 24

Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs 24

Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion 24

Recommendation 11: Enforce a requirement for individual accounts on critical systems 25

CERT | SOFTWARE ENGINEERING INSTITUTE | i

Recommendation 12 25

Recommendation 13: Reduce the number of privileged accounts for critical data systems 25

Recommendation 14 25

Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review 25

Recommendation 16 26

Recommendation 17 26

Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees 26

Management Comments and OIG Analysis 27

Appendixes 28

Appendix A: Organizational 30

Appendix B: Human Resources 37

Appendix C: Physical Security 42

Appendix D: Business Processes 48

Appendix E: Incident Response 62

Appendix F: Software Engineering 69

Appendix G: Information Technology 75

Appendix H: Acronyms 107

Appendix I: Management Comments to the Draft Report 109

Appendix J: Contributors to this Report 110

Appendix K: Report Distribution 111


Executive Summary

The U.S. Department of Homeland Security Office of Inspector General engaged the Insider Threat Center at CERT of the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat assessment of U.S. Citizenship and Immigration Services. The objective of the assessment was to determine how U.S. Citizenship and Immigration Services has taken steps to protect its information technology systems and data from the threats posed by employees and contractors. The assessment evaluated U.S. Citizenship and Immigration Services against approximately 400 real insider threat compromises documented in the CERT Insider Threat Case database. These cases, all prosecuted in the United States, include fraud, sabotage, and theft of intellectual property.

The assessment team performed fieldwork in the national capital region, the Vermont Service Center, and the U.S. Citizenship and Immigration Services Burlington offices. Due to the limited scope of the assessment, systems reviewed, and locations visited, CERT was not able to verify the institutionalization and enforcement of any U.S. Citizenship and Immigration Services policies or render an overall opinion of the effectiveness of U.S. Citizenship and Immigration Services' insider threat posture. The Office of Inspector General did not request CERT to conduct a comprehensive information system technical security controls review or vulnerability assessment to determine the susceptibility to internal threats. The Office of Inspector General may perform an in-depth follow-up review to render an overall opinion of the effectiveness of U.S. Citizenship and Immigration Services' insider threat posture.

U.S. Citizenship and Immigration Services has made progress in implementing elements of an effective insider threat program. Specifically, it has established a Conviction Task Force to review former employees convicted of criminal misconduct within the scope of their duties, performs risk management for information technology and financial management, developed exit procedures for employees, improved protection of its facilities and assets, and adheres to formalized processes for some systems. In addition, it is implementing Homeland Security Presidential Directive 12 for physical and electronic account management.

While these efforts have resulted in some improvements, U.S. Citizenship and Immigration Services has opportunities to improve its security posture against threats posed by employees and contractors. For example, it can institute an enterprise risk management plan and incorporate insider threat risk mitigation strategies into its new business processes. It can also centralize records of misconduct and violations, institute a logging strategy to preserve system activities, implement separation of duties for adjudicative decisions, conduct audits of non-U.S. Citizenship and Immigration Services accounts, employ consistent policies for physical security, and consistently enforce employee exit procedures.

The assessment team is making 18 recommendations to the Director of U.S. Citizenship and Immigration Services to strengthen the department's security posture against malicious insider threats. USCIS concurred with all of our recommendations and has already begun to take actions to implement them. The department's response is included in its entirety as appendix I.


Background

The U.S. Department of Homeland Security (DHS) Office of Inspector General (DHS OIG) engaged the CERT program in the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat vulnerability assessment of U.S. Citizenship and Immigration Services (USCIS). The project approaches the insider threat problem on two primary fronts:

• The human behavioral component

• The technological solution for automating prevention and detection capabilities to identify, measure, monitor, and control insider threat vectors

Insiders can be current or former employees, contractors, or business partners who have or had authorized access to their organization's systems and networks. They are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate attacks and even collude with external attackers. CERT's research, conducted since 2001, has focused on gathering data about actual malicious insider acts, including information technology (IT) sabotage, fraud, theft of confidential or proprietary information, espionage, and potential threats to our Nation's critical infrastructures.

CERT developed an insider threat vulnerability assessment instrument for evaluating vulnerabilities to insider threat based on research to date. Because of the complexity of the insider threat problem, which involves security officers, information technology, information security, management, data owners, software engineering, and human resources, organizations need assistance in merging the wealth of available guidance into a single actionable framework. CERT advises organizations to use this assessment instrument to help safeguard their critical infrastructure.

CERT built the assessment based on research of approximately 400 insider threat cases in the CERT Insider Threat Case database.[1] These cases are a collection of real insider threat compromises, primarily fraud, sabotage, and theft of intellectual property, that have been prosecuted in the United States. Starting in 2002, CERT collaborated with U.S. Secret Service behavioral psychologists to collect approximately 150 actual insider threat cases that occurred in U.S. critical infrastructure sectors between 1996 and 2002 and examined them from both a technical and a behavioral perspective. Since that original study, CERT has continued to add cases with funding from Carnegie Mellon's CyLab,[2] bringing the case library to a total of approximately 400 cases. The instrument encompasses technical, behavioral, process, and policy issues and is structured around information technology, information security, human resources, physical security, business processes, legal and contracting, management, and organizational issues.

[1] Note that the database does not contain national security espionage cases involving classified information.
[2] http://www.cylab.cmu.edu


Objective

The objective of the insider threat vulnerability assessment was to determine how USCIS has taken steps to protect its IT systems and data from the threat posed by employees and contractors. This assessment was based on behavioral as well as technical experience, and it is intended to assist USCIS in safeguarding its critical infrastructure. The assessment will:

• Enable USCIS to gain a better understanding of its vulnerability to insider threat and provide an ability to identify and manage associated risks

• Identify technical, organizational, personnel, business, security, and process issues and merge them into a single actionable framework

• Identify short-term countermeasures against insider threats

• Help guide USCIS in its ongoing risk management process for implementing long-term strategic countermeasures against insider threats

Scope

USCIS employs approximately 18,000 government employees and contractors located at 250 offices throughout the world.[3] The insider threat vulnerability assessment is intended to focus on critical systems and high-risk areas of concern that can be assessed in a 3- to 5-day time frame. Therefore, at a pre-assessment walkthrough meeting, USCIS staff identified 3 of the 96 systems used by the agency as critical to its overall mission:

• Verification Information System (VIS): this public-facing system is composed of five different applications. The purpose of the system is to provide:

o Immigration status information to government benefit-granting organizations to help them determine the eligibility of aliens who apply for benefits

o A means for private employers to perform employment eligibility verification of newly hired employees

• Computer Linked Application Information Management System (CLAIMS): this system provides the following functions:

o CLAIMS 3 Local Area Network (C3 LAN) was originally developed to track the receipting of applicant or petitioner remittances and to produce notices documenting the remittance. C3 LAN now includes adjudication, archive, card production, case history, case transfer, on-demand reports, electronic file tracking, image capture, production statistics, status update, and electronic ingest of application data captured through the E-Filing web application and the Department of Treasury-sponsored lockbox operations.

o C3 mainframe supports processing of USCIS applications and petitions for various immigrant benefits (e.g., change of status, employment authorization, and extension of stay).

[3] http://www.uscis.gov/portal/site/uscis/menuitem.eb1d4c2a3e5b9ac89243c6a7543f6d1a/?vgnextoid=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD&vgnextchannel=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD

• Fraud Detection and National Security Data System (FDNS-DS): this system was developed to identify threats to national security, combat benefit fraud, and locate and remove vulnerabilities that compromise the integrity of the legal immigration system.

It is important to note that the insider threat vulnerability assessment is limited to areas of concern observed in the hundreds of cases in the CERT Insider Threat database. People, technology, and organizations are constantly changing, and malicious insiders continue to come up with new avenues of attack in order to defeat a previously effective countermeasure. However, many of the countermeasures suggested in this report are applicable to a multitude of attack vectors.

It is also important to note that CERT's insider threat research has only explored intentional insider crimes. Accidental data leakage is an area of significant concern for organizations; however, CERT has not yet explored that aspect of insider threat. In addition, the focus of the research to date is to describe how the insider threat problem evolves over time. CERT's long-term research does include measuring the effectiveness of mitigation strategies.


Assessment Process Methodology

An entrance conference was conducted by the DHS OIG, CERT, and USCIS on February 23, 2010. The entrance conference introduced USCIS to the CERT assessment team. Following the entrance conference, a pre-assessment walkthrough was held at USCIS headquarters on March 10, 2010. At that meeting, the CERT assessment team and the DHS OIG team explained the assessment process to representatives of USCIS. USCIS provided some documentation to the assessment team at that time and more documents throughout the assessment; those documents were reviewed to provide substantiation for findings in this report.

USCIS identified 96 systems it uses. Following the initial meeting, USCIS leadership and the assessment team chose the VIS, CLAIMS, and FDNS-DS systems because they were critical to the overall mission of USCIS. These three systems were the focus of the 5-day on-site assessment.

At the pre-assessment walkthrough, USCIS indicated that it had created a Convictions Task Force to review the activities of 10 former employees convicted of criminal misconduct within the scope of their official duties. The purpose of the task force is to identify issues these employees exploited to commit their crimes. The task force intended to develop findings and recommendations aimed at preventing similar crimes in the future. It graciously extended an invitation to the CERT and DHS OIG teams to participate. As a result, the teams observed or reviewed transcripts of all telephone conferences conducted by the task force. These findings are reflected in this report.

The CERT insider threat team and the DHS OIG liaison were on site at various USCIS locations in the national capital region (NCR) from March 30 through April 1, 2010.

The DHS OIG liaisons were present at all interviews. The DHS OIG attended these interviews as an observer and assisted CERT as needed.

Face-to-face interviews were conducted with approximately 58 representatives in the NCR, followed by 32 representatives in the Vermont Service Center and USCIS Burlington offices. In addition, telephone conferences were held with staff from the Office of Security and Integrity (OSI) Investigations Division and the Security Network Operations Center (SNOC). Interviewees represented the following areas:

• Data Owners (VIS, CLAIMS, and FDNS-DS)

• Computer Sciences Corporation (CSC) (software engineering and operational support for VIS, CLAIMS, and FDNS-DS)


• OSI (Physical Security, Regional Security, Investigations, Personnel Security, Counterintelligence)

• Human Capital and Training (Training, Human Resources Operations Center, Labor Employee Relations)

• Office of Information Technology (OIT) (IT Security, Computer Security Incident Response Team, Security and Network Operations Center, Account Management, Enterprise Operations)

• Legal (Procurement Law)

• Vermont Service Center (adjudicators, data entry clerks, supervisors, directors, OIT, software engineering)

All interviews were considered confidential; no record of participating employees is included in this report or in subsequent briefings. Findings are attributed only to a group or department interviewed, a document, the Convictions Task Force telephone conferences, or direct observation.

Results of Assessment

Organizational

A critical issue for USCIS is ensuring that the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for Information Technology (IT) and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: U.S. citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Transformation

Transformation is a large business process reengineering effort in USCIS, primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. USCIS is relying heavily on Transformation to correct many of the problems resulting from legacy systems. This reliance on a single effort makes its effectiveness very important. The team found the Transformation effort to be a massive undertaking that appears to be implementing a very detailed project plan.

Based on the team's review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats. The assessment team reviewed five comprehensive Transformation documents as part of this assessment. The documents describe system requirements in detail. Fraud detection refers to detection of fraud perpetrated by applicants and petitioners; national security issues focus on the handling of investigations within USCIS that involve national security issues.

Again, an enterprise risk management approach should be considered when defining requirements for Transformation. Insiders at USCIS have perpetrated fraud in the past, as evidenced by the Convictions Task Force. In addition, USCIS insiders are capable of granting legal residency or citizenship status to someone who poses a national security risk to the United States.


Training and Awareness

It is essential that security awareness training is consistently provided to all employees to ensure security policies and practices are institutionalized throughout an organization. Many times, coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure to report concerning behavior by coworkers or others in an organization was a primary reason insiders in the CERT Insider Threat Case database continued to set up or carry out their attacks.

USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Human Resources

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern exhibited by current employees. Some cases from the CERT Insider Threat database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations must establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by human resources (HR) and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring. Clear requirements for ensuring employees' knowledge of these guidelines are also essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information.

Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management, HR, and security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

Screening and Hiring Practices

Several personnel screening and hiring practices pose a risk to USCIS systems and data.

USCIS does not have a consistent procedure for deciding whether to conduct a face-to-face interview prior to hiring an applicant being screened for government employment. There was an impression at USCIS headquarters that nearly 100% of those employees hired by managers are interviewed, but representatives in Burlington, Vermont, told us otherwise. This gap between perception and reality (there is not a policy stating that this must be done) is a concern. USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire. PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires if they have risk factors that do not cross adjudication guidelines for disqualification.

Foreign Service National (FSN) employees who work at U.S. embassies and consulates abroad have access to USCIS critical systems and data in some cases. In order to be hired and granted access to any of those systems, FSNs are vetted by the U.S. Department of State. Although the access to USCIS systems must be approved by the chief security officer (CSO) and chief information officer (CIO) for DHS, USCIS has very little visibility into the screening process for FSNs.

Exit Procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager or Contracting Officer's Technical Representative (COTR). It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access.

Physical Security

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the NCR since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls.

Finally, issues concerning the security of applicants' physical case files should be considered as part of a USCIS risk management strategy.

Controlling and Monitoring Proper Access Authorization

USCIS handles the physical security and access authorization of facilities differently depending on where the facility is located. The physical security of NCR facilities is handled by one group of USCIS personnel, but the physical security of field offices falls under the Field Security Division (FSD). In some cases, a physical security representative is not located in a field office at all. When this is the case, the responsibility falls on other management personnel, who may not be equipped to handle these issues properly and report them in a timely manner.

In 10 cases documented in the CERT Insider Threat Case database, the insider was able to commit a crime following termination because of failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities.

Security of Physical Case Files

At the Vermont Service Center, the assessment team observed physical case files of benefit applicants stacked in crates in the hallways. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their offices or desks. Some are tracked, and some may not be. Adjudicators conduct interviews with applicants in their offices, and they may leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Thirteen insiders documented in the CERT database stole physical property belonging to their organization.

Business Processes

A variety of cases from the CERT Insider Threat Case database document insider attacks in which gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environment is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crimes. Most of these insiders committed their crimes for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE Password Issuance and Control System (PICS) for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Verification Information System

The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.

Modifications by VIS users to critical data are logged.
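The finding above (credential sharing enabled 24 of the insiders in the CERT database, and VIS logs modifications by user) suggests a check a data owner can run over those logs. The following is an added example written for this page, not code from the report, USCIS or CERT: it flags an account that is active from two different source addresses within a short window, which is the observable signature of one account being used by more than one person. The log layout, field names, the 10-minute window and every sample line are constructed assumptions.

```python
"""Detect account sharing from application audit logs.

Added example, not from the report, USCIS or CERT.  If one account is
active from two different source addresses within a short window, the
account is being used by more than one person or its credentials have
leaked.  The log format, field names and sample lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: ISO-8601 timestamp, then key=value fields.
LOG_PATTERN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)"
)

# Constructed sample log for one day (not real VIS data).
SAMPLE_LOG = """\
2010-03-30T09:01:12Z user=ver07 src=10.20.1.15 event=LOGIN
2010-03-30T09:02:40Z user=ver07 src=10.20.1.15 event=QUERY
2010-03-30T09:05:03Z user=ver07 src=172.16.9.8 event=LOGIN
2010-03-30T09:06:51Z user=ver07 src=172.16.9.8 event=QUERY
2010-03-30T09:30:00Z user=ver12 src=10.20.1.40 event=LOGIN
2010-03-30T09:31:00Z user=ver12 src=10.20.1.40 event=QUERY
2010-03-30T17:45:00Z user=ver12 src=10.20.1.41 event=LOGIN
2010-03-30T10:10:00Z user=adm03 src=10.20.1.5 event=MODIFY
2010-03-30T10:12:00Z user=adm03 src=10.20.1.6 event=MODIFY
this line is malformed and must not abort the audit
"""


def parse_events(text):
    """Yield (user, timestamp, source, event) for every well-formed line."""
    for line in text.splitlines():
        m = LOG_PATTERN.match(line)
        if m is None:
            continue  # skip unparseable lines; a real audit would also count them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield m["user"], ts, m["src"], m["event"]


def find_shared_accounts(text, window_minutes=10):
    """Return {account: [(src_a, src_b, time_a, time_b), ...]}.

    An entry is produced whenever consecutive events for one account come
    from different source addresses no more than window_minutes apart.
    One person is not normally at two workstations within that interval,
    so each hit is evidence of a shared or compromised account.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for user, ts, src, _event in parse_events(text):
        by_user[user].append((ts, src))
    findings = {}
    for user, events in by_user.items():
        events.sort()  # chronological, whatever order the log arrived in
        hits = [
            (s1, s2, t1.isoformat(), t2.isoformat())
            for (t1, s1), (t2, s2) in zip(events, events[1:])
            if s1 != s2 and t2 - t1 <= window
        ]
        if hits:
            findings[user] = hits
    return findings


def modifications_by_account(text):
    """Count MODIFY events per account: every data change must attribute to one user."""
    counts = defaultdict(int)
    for user, _ts, _src, event in parse_events(text):
        if event == "MODIFY":
            counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for account, evidence in find_shared_accounts(SAMPLE_LOG).items():
        for src_a, src_b, t_a, t_b in evidence:
            print(f"{account}: {src_a} at {t_a}, then {src_b} at {t_b}")
```

On the sample, ver07 and adm03 are flagged; ver12 moved desks eight hours later and is not. The check only sees sharing across workstations: two people taking turns at one terminal under one account look identical in the log, which is why the report also asks for individual accounts and attribution of every action.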

CLAIMS 3 LAN

Currently, all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other "sister" USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Auditing every denied request, but only a sample of approvals, implies that USCIS treats incorrectly denying a benefit as a bigger risk than granting a benefit to someone who does not deserve it, yet the latter is the outcome an insider committing fraud would seek.
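The review regime described above can be expressed as rules and run against a month of decisions. The block below is an added example for this page, not CLAIMS code or anything from USCIS or CERT: it builds a supervisor's review queue that makes denials, trainees' decisions, out-of-profile form types and any case entered and decided by the same person mandatory, then adds a reproducible random sample of the remaining approvals so that wrongful grants are audited as well. The record fields, form types, adjudicator profiles and sample size are assumptions.

```python
"""Risk-based supervisory review queue for adjudication decisions.

Added example, not USCIS, CERT or CLAIMS code.  Mandatory review of
denials, trainees, decisions outside an adjudicator's normal form types
and cases where one person both entered and decided it (separation of
duties), plus a seeded random sample of the remaining approvals.  The
record fields, form types and adjudicator profiles are assumptions.
"""
import random
from collections import defaultdict

# Constructed adjudicator profiles: form types each person normally decides.
ADJUDICATORS = {
    "adj01": {"forms": {"I-130", "I-485"}, "in_training": False},
    "adj02": {"forms": {"N-400"}, "in_training": True},
    "adj03": {"forms": {"I-765"}, "in_training": False},
}

# Constructed decision records for one month.  entered_by is the clerk who
# receipted the application; adjudicator is the account that decided it.
DECISIONS = [
    {"case": "C001", "form": "I-130", "entered_by": "clk01", "adjudicator": "adj01", "decision": "APPROVED"},
    {"case": "C002", "form": "I-485", "entered_by": "clk02", "adjudicator": "adj01", "decision": "APPROVED"},
    {"case": "C003", "form": "I-130", "entered_by": "clk01", "adjudicator": "adj01", "decision": "DENIED"},
    {"case": "C004", "form": "I-765", "entered_by": "clk03", "adjudicator": "adj01", "decision": "APPROVED"},
    {"case": "C005", "form": "I-130", "entered_by": "adj01", "adjudicator": "adj01", "decision": "APPROVED"},
    {"case": "C006", "form": "N-400", "entered_by": "clk02", "adjudicator": "adj02", "decision": "APPROVED"},
    {"case": "C007", "form": "N-400", "entered_by": "clk02", "adjudicator": "adj02", "decision": "DENIED"},
    {"case": "C008", "form": "I-765", "entered_by": "clk03", "adjudicator": "adj03", "decision": "APPROVED"},
    {"case": "C009", "form": "I-765", "entered_by": "clk03", "adjudicator": "adj03", "decision": "APPROVED"},
    {"case": "C010", "form": "I-765", "entered_by": "clk03", "adjudicator": "adj03", "decision": "APPROVED"},
    {"case": "C011", "form": "I-485", "entered_by": "clk01", "adjudicator": "adj99", "decision": "APPROVED"},
]


def review_reasons(rec, profiles):
    """Mandatory-review reasons for one decision; an empty list means none apply."""
    reasons = []
    prof = profiles.get(rec["adjudicator"])
    if prof is None:
        reasons.append("decided by account with no adjudicator profile")
    else:
        if rec["form"] not in prof["forms"]:
            reasons.append("form type outside adjudicator profile")
        if prof["in_training"]:
            reasons.append("adjudicator in training (100% review)")
    if rec["entered_by"] == rec["adjudicator"]:
        reasons.append("same person entered and decided the case")
    if rec["decision"] == "DENIED":
        reasons.append("denial (mandatory review)")
    return reasons


def build_review_queue(decisions, profiles, approvals_per_adjudicator=2, seed=2010):
    """Return {adjudicator: {case: [reasons]}} for the supervisor to work."""
    queue = defaultdict(dict)
    clean_approvals = defaultdict(list)
    for rec in decisions:
        reasons = review_reasons(rec, profiles)
        if reasons:
            queue[rec["adjudicator"]][rec["case"]] = reasons
        elif rec["decision"] == "APPROVED":
            clean_approvals[rec["adjudicator"]].append(rec["case"])
    rng = random.Random(seed)  # seeded so the sample can be reproduced by an auditor
    for adj, cases in clean_approvals.items():
        for case in rng.sample(sorted(cases), min(approvals_per_adjudicator, len(cases))):
            queue[adj][case] = ["random approval sample"]
    return {adj: dict(sorted(cases.items())) for adj, cases in sorted(queue.items())}


def approval_review_rate(decisions, queue):
    """Fraction of approvals that land in the review queue."""
    approvals = [r for r in decisions if r["decision"] == "APPROVED"]
    reviewed = sum(1 for r in approvals if r["case"] in queue.get(r["adjudicator"], {}))
    return reviewed / len(approvals) if approvals else 0.0


if __name__ == "__main__":
    q = build_review_queue(DECISIONS, ADJUDICATORS)
    for adj, cases in q.items():
        for case, reasons in cases.items():
            print(f"{adj} {case}: {'; '.join(reasons)}")
    print(f"approvals reviewed: {approval_review_rate(DECISIONS, q):.0%}")
```

The seeded sample is deliberate: a supervisor who chooses which approvals to pull can be influenced or can avoid a colleague's work, whereas a recorded seed lets a sister Service Center or an auditor regenerate the same selection later.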

FDNS-DS


Incident Response

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18% of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

Furthermore, 81% of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Incident Management

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, the Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Consequently, any effort to coordinate a proactive program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.

Software Engineering

Code Reviews

Some USCIS systems adhere to a formalized process of software engineering, using contractors with a specified level of process maturity (i.e., Capability Maturity Model Integration (CMMI) level 3).

There was even a documented case in which source code contained something inappropriate that was only discovered after the code was turned over from one contractor to another.


Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database, and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.

Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial, so the review burden is smallest precisely where the risk concentrates.
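Recommendation 15 asks for procedural and technical controls so that code under development cannot be released without review. One technical form of that control, given here as an added example and not as code from the report, USCIS or any contractor, is a git pre-receive hook that refuses commits to a release branch unless a reviewer other than the author has recorded approval in a commit trailer, and unless changes to a sensitive component carry approval from one of its owners. The branch name, the `Reviewed-by` trailer, the reviewer roster, the protected path and all e-mail addresses are assumptions.

```python
"""Two-person review gate for pushes to a release branch (git pre-receive hook).

Added example, not USCIS or contractor code.  Rejects commits to the
protected branch that lack a Reviewed-by trailer from someone other than
the author, or whose reviewer is not on the roster, or that touch a
component without an owner's approval.  Names and addresses are assumed.
"""
import re
import subprocess
import sys

PROTECTED_BRANCH = "refs/heads/release"            # assumed release branch
REVIEWERS = {"reviewer.a@example.gov", "reviewer.b@example.gov", "lead.c@example.gov"}
# Assumed component owners: changes under these paths need one of the listed owners.
PATH_OWNERS = {"src/adjudication/": {"lead.c@example.gov"}}
TRAILER_RE = re.compile(r"^(?P<key>[A-Za-z-]+):\s*(?P<value>.+?)\s*$")
EMAIL_RE = re.compile(r"<([^>]+)>")


def parse_trailers(message):
    """Return {key: [values]} from the contiguous trailer block ending a commit message."""
    trailers = {}
    for line in reversed(message.rstrip().splitlines()):
        m = TRAILER_RE.match(line)
        if not m:
            break  # trailers are the final block; stop at the first non-trailer line
        trailers.setdefault(m["key"].lower(), []).append(m["value"])
    return trailers


def check_commit(author_email, message, paths):
    """Return the list of policy violations; an empty list means the commit may pass."""
    reviewers = set()
    for value in parse_trailers(message).get("reviewed-by", []):
        m = EMAIL_RE.search(value)
        reviewers.add((m.group(1) if m else value).lower())
    author = author_email.lower()
    problems = []
    independent = {r for r in reviewers if r != author}   # self-approval does not count
    if not independent:
        problems.append("no Reviewed-by trailer from someone other than the author")
    unknown = independent - REVIEWERS
    if unknown:
        problems.append("reviewer(s) not on the approved roster: " + ", ".join(sorted(unknown)))
    for prefix, owners in PATH_OWNERS.items():
        if any(p.startswith(prefix) for p in paths) and not (independent & owners):
            problems.append(f"changes under {prefix} need approval from a component owner")
    return problems


def git(*args):
    return subprocess.run(["git", *args], check=True, capture_output=True, text=True).stdout


def commits_in_push(old, new):
    if set(old) == {"0"}:  # new branch: every commit not already reachable from a ref
        return git("rev-list", new, "--not", "--all").split()
    return git("rev-list", f"{old}..{new}").split()


def main():
    """pre-receive protocol: one 'old new ref' line per updated ref on stdin."""
    failures = 0
    for line in sys.stdin:
        old, new, ref = line.split()
        if ref != PROTECTED_BRANCH or set(new) == {"0"}:
            continue  # only gate the release branch; branch deletion is not a release
        for sha in commits_in_push(old, new):
            author = git("log", "-1", "--format=%ae", sha).strip()
            message = git("log", "-1", "--format=%B", sha)
            paths = git("diff-tree", "--no-commit-id", "--name-only", "-r", sha).split()
            for problem in check_commit(author, message, paths):
                print(f"REJECT {sha[:12]}: {problem}", file=sys.stderr)
                failures += 1
    sys.exit(1 if failures else 0)


if __name__ == "__main__":
    main()
```

A trailer is only as trustworthy as the identity behind it, so in practice the roster check should be paired with signed commits or with a review tool that writes the trailer itself; the hook enforces the separation of duties (author and approver must differ), which is the property the case described above lacked.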

Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems and/or networks.

In some areas, computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.

Although account naming conventions are dictated by DHS and the U.S. Department of State, USCIS could request a naming convention to differentiate between FSN and U.S. citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore,

Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR.

The application of account management practices under the control of USCIS is inconsistent. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.

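The account-management gaps described above (accounts left enabled after a change in status, accounts with no record of who authorized their creation, and shared accounts that cannot be attributed to one person) are exactly what a periodic reconciliation of the HR roster against a directory export catches. The following is an added example in Python; it is not code from the report or from USCIS, and the roster, the account export, the field names, and the one-day disablement window are all constructed assumptions.

```python
"""Account-lifecycle reconciliation: HR roster vs. directory export.

Added example, not code from the OIG/CERT report. Every record below is
constructed sample data and every field name is an assumption.
"""
from datetime import date, timedelta

AS_OF = date(2010, 12, 1)          # constructed "today" for the audit run
DISABLE_SLA = timedelta(days=1)    # assumed policy: disable by the next calendar day

# Constructed HR roster: status is "active" or "separated"; separated_on is the last day.
HR_ROSTER = [
    {"person_id": "P100", "status": "active",    "separated_on": None},
    {"person_id": "P101", "status": "separated", "separated_on": date(2010, 9, 1)},
    {"person_id": "P102", "status": "separated", "separated_on": date(2010, 11, 28)},
    {"person_id": "P103", "status": "active",    "separated_on": None},
]

# Constructed directory export. owner is the person the account is attributed to
# (None = shared or generic); authorized_by is the recorded creation approval
# (None = no record of who authorized the account).
ACCOUNTS = [
    {"account": "jdoe",     "owner": "P100", "enabled": True,  "authorized_by": "CSO-2008-17"},
    {"account": "asmith",   "owner": "P101", "enabled": True,  "authorized_by": "CSO-2007-03"},
    {"account": "bjones",   "owner": "P102", "enabled": True,  "authorized_by": "CSO-2009-40"},
    {"account": "svc-scan", "owner": None,   "enabled": True,  "authorized_by": "CSO-2009-41"},
    {"account": "legacy7",  "owner": "P999", "enabled": True,  "authorized_by": None},
    {"account": "clee",     "owner": "P103", "enabled": False, "authorized_by": "CSO-2010-02"},
]


def reconcile(roster, accounts, today):
    """Return sorted (account, finding) pairs for accounts that break the
    attribution, authorization or timely-disablement expectations."""
    by_person = {r["person_id"]: r for r in roster}
    findings = []
    for acct in accounts:
        name, owner = acct["account"], acct["owner"]
        if owner is None:
            # A shared account cannot attribute actions to one individual.
            findings.append((name, "shared-account-no-individual-owner"))
        elif owner not in by_person:
            # Nobody in HR owns this account: a legacy or orphaned account.
            findings.append((name, "owner-not-in-hr-roster"))
        elif by_person[owner]["status"] == "separated" and acct["enabled"]:
            overdue = today - by_person[owner]["separated_on"]
            if overdue > DISABLE_SLA:
                findings.append((name, f"enabled-{overdue.days}d-after-separation"))
        if acct["authorized_by"] is None:
            # No creation record: the account's existence cannot be explained.
            findings.append((name, "no-authorization-record"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in reconcile(HR_ROSTER, ACCOUNTS, AS_OF):
        print(f"{account:10} {finding}")
```

The three checks map onto the three sentences of the paragraph: timeliness of disablement, accounting for creation, and one-person attribution. Running the same reconciliation across every field office with one shared roster is what turns the inconsistent local procedures the report describes into a single measurable control.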
Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

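The monitoring the paragraph above calls for, remote-access logs joined against HR status so that logins after termination and logins during the notice period stand out, as an added example in Python. This is not code from the report; the VPN log layout, the HR fields and every record are constructed assumptions.

```python
"""Flag remote-access logins by people who have resigned or been separated.

Added example, not code from the OIG/CERT report. The log layout, the HR
fields and all records are constructed assumptions.
"""
from datetime import date, datetime

# Constructed HR status: resigned_on = date notice was given, terminated_on =
# last day of employment. An active employee has neither.
HR_STATUS = {
    "jdoe":   {"resigned_on": None,               "terminated_on": None},
    "asmith": {"resigned_on": date(2010, 11, 15), "terminated_on": date(2010, 11, 29)},
    "bjones": {"resigned_on": date(2010, 11, 1),  "terminated_on": date(2010, 11, 30)},
}

# Constructed VPN log in an assumed "timestamp user source-ip result" layout.
VPN_LOG = """\
2010-11-20T08:02:11Z jdoe 203.0.113.10 success
2010-11-20T22:41:07Z asmith 198.51.100.7 success
2010-11-21T03:15:40Z asmith 198.51.100.7 success
2010-12-02T01:09:55Z bjones 192.0.2.44 success
2010-12-02T01:10:20Z bjones 192.0.2.44 failure
2010-12-03T09:30:00Z ghost 192.0.2.99 success
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    ts, user, src, result = line.split()
    return {"ts": datetime.strptime(ts, TS_FMT), "user": user, "src": src, "result": result}


def classify(event, hr_status):
    """Return an alert label, or None when the login needs no attention."""
    rec = hr_status.get(event["user"])
    if rec is None:
        return "unknown-user"      # no HR record: cannot attribute to a vetted person
    day = event["ts"].date()
    if rec["terminated_on"] is not None and day > rec["terminated_on"]:
        return "terminated"        # any remote access after the last day is an incident
    if rec["resigned_on"] is not None and day >= rec["resigned_on"]:
        return "notice-period"     # window between resignation and termination
    return None


def alerts(log_text, hr_status):
    """Run every log line through classify() and return the flagged ones as
    (timestamp, user, result, label) tuples in log order. Failed attempts are
    kept: a former employee probing for access is worth knowing about."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        label = classify(ev, hr_status)
        if label is not None:
            out.append((ev["ts"].strftime(TS_FMT), ev["user"], ev["result"], label))
    return out


if __name__ == "__main__":
    for row in alerts(VPN_LOG, HR_STATUS):
        print(*row)
```

The "terminated" label is an incident by definition (the account should not exist any more), while "notice-period" is a review queue: the activity is legitimate unless its volume or timing says otherwise. A user with no HR record at all is flagged separately because, as the report notes for FSN and non-USCIS accounts, access that cannot be tied to a screened individual is its own problem.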
Given the distributed nature of access authorization via PICS, ICE, and the U.S. Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those granted access through the U.S. Department of State for access from embassies overseas, have not been through the rigorous pre-employment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.

USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information,

Logging, Auditing, and Monitoring

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.

There is a primary concern in this area at USCIS. USCIS should consider the frequency with which it scans its systems for technical security vulnerabilities.

There is also another concern in this area at USCIS.

Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy,

Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.

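The baseline comparison the configuration management passages describe (software not on the approved list, versions below the approved level, packages missing from a host, and installs made with local administrator rights rather than through managed deployment) as an added example in Python. This is not the OIT's scanner or any code from the report; the baseline, the host inventory, the package names and the installer labels are constructed assumptions.

```python
"""Compare one host's installed-software inventory against an approved baseline.

Added example, not the OIT's own scanner and not code from the report.
Baseline, inventory, package names and version numbers are constructed.
"""

# Constructed approved baseline: package -> minimum approved version (as a tuple
# so that comparisons are numeric, not lexical: (9, 10, 0) > (9, 4, 0)).
BASELINE = {
    "office-suite": (12, 0, 6),
    "pdf-reader":   (9, 4, 0),
    "antivirus":    (10, 2, 1),
}

# Constructed inventory from one desktop: package -> (installed version, installer).
# "oit-deploy" stands for the managed deployment channel; "local-admin:<user>"
# marks software installed with local administrator rights.
INVENTORY = {
    "office-suite": ((12, 0, 6), "oit-deploy"),
    "pdf-reader":   ((9, 3, 2), "oit-deploy"),
    "chat-client":  ((4, 1, 0), "local-admin:jdoe"),
}


def check_host(inventory, baseline):
    """Return a sorted list of (package, finding) deviations from the baseline.
    Each finding is something the report says should be logged and reviewed
    rather than discovered later by a manual scan."""
    findings = []
    for pkg, (version, installer) in inventory.items():
        approved = baseline.get(pkg)
        if approved is None:
            findings.append((pkg, "not-on-approved-list"))
        elif version < approved:
            findings.append((pkg, "outdated"))
        if installer.startswith("local-admin:"):
            # Installed outside the managed channel, whoever did it and whatever it is.
            findings.append((pkg, "installed-by-" + installer))
    for pkg in baseline:
        if pkg not in inventory:
            # A baseline package that is absent (e.g. antivirus removed) is drift too.
            findings.append((pkg, "missing"))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, finding in check_host(INVENTORY, BASELINE):
        print(f"{pkg:14} {finding}")
```

The point of the separate "installed-by-local-admin" finding is that a locally installed package is a deviation even when the software itself happens to be on the approved list: the report's concern is the bypass of the managed process, not only the specific program.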

Recommendations

The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.

Recommendation 1: Institute an enterprise risk management plan

USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprisewide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort

Transformation is a large business process reengineering effort in USCIS, primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.

Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identi


stores physical files for benefit applicants in the Vermont Service Center with no physical protection beyond the exterior building and guard controls. USCIS should evaluate current physical access procedures to determine if they adequately address risk and if they are enforced consistently across the enterprise.

Recommendation 8: Consistently enforce exit procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager and COTR. It also appears that different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access. USCIS should adopt an enterprisewide exit procedure to ensure consistent termination of all employees and contractors.

Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs

Changes should be made to the USCIS hiring processes for select high-risk positions. For example, USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion

USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.


Recommendation 11: Enforce a requirement for individual accounts on critical systems

In some cases USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing of accounts more difficult.

Recommendation 12

Recommendation 13: Reduce the number of privileged accounts for critical data systems

Some data systems, including FDNS-DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.

Recommendation 14

Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review

USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed.

Recommendation 16

Recommendation 17

Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees

USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.


Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments in its entirety in appendix I.

USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS corrective action plans.


Appendixes

The following pages contain appendixes A through G, which contain a complete, detailed list of findings from the assessment.

The appendixes are organized into the following sections:

Appendix A: Organizational

Appendix B: Human Resources

Appendix C: Physical Security

Appendix D: Business Process

Appendix E: Incident Response

Appendix F: Software Engineering

Appendix G: Information Technology

Appendix H: Acronyms

Appendix I: Management Comments to the Draft Report

Appendix J: Contributors to this Report

Appendix K: Report Distribution

Each section in appendixes A–G contains a brief introduction, a summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern specific to USCIS obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.

It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization's mission from both external and internal threats.

Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.

The results of this insider threat vulnerability assessment should be used to develop or refine the organization's overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.

Many of the findings in this report include the relative frequency of the issue raised in the CERT Insider Threat Case database. At the time this report was written, there were 386 cases of malicious insider activity against which the suggested countermeasure percentage is calculated. So if a particular activity was seen in 38 of our cases, we may indicate that it was seen in 10% of the cases in the Insider Threat Case database.

Appendix A: Organizational

Risk Management
Communication
Security Process Improvement

USCIS is in a difficult position. Part of its mission is to provide customer service to those seeking immigration and citizenship benefits from the U.S. Government. However, it is challenging to optimize business processes for customer service while at the same time implementing protective measures to counter the risk posed by granting those very benefits. Many USCIS employees interviewed for this assessment identified the organization's primary risk as allowing the next terrorist to live and work legally in the United States. They desire help in identifying and implementing internal controls to counter that risk. Some of the interviewees, however (even some of the ISSOs and data owners), focused on leakage of PII as their primary concern. After delving into the matter with the assessment team, they came to understand the risk posed by exposure or misuse of critical data as the greatest risk faced by USCIS, primarily because such a security breach could result in allowing a terrorist into the country.

A critical issue for USCIS is ensuring the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprisewide risk management program at USCIS. OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprisewide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: U.S. citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Area of Concern: Enterprise Risk Management
Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Individual organizations within USCIS do risk management related to their particular domain. For instance, IT does risk management from an IT perspective and Financial Management does financial risk management.
Policy or Practice Gaps: USCIS personnel stated there is no enterprise risk management process for analyzing the organization's overall risk. In interviews, some USCIS staff, including some ISSOs, data owners, and OIT staff, seemed to view loss of PII as the most important insider threat risk. All of the assessment questions were answered in the context of loss of PII. When we asked specifically what they see as the biggest insider threat risk, everyone seemed to agree it is creation of real citizenship documents for people who should not have them. In fact, interviewees at the Vermont Service Center categorized the functions characterized by the highest risk as follows: 1) an unlawful alien in the United States granted nonimmigrant status; 2) someone with nonimmigrant status granted permanent residency, which means he or she can live and work indefinitely in the United States and also can petition for relatives. The Vermont Service Center is implementing separation of duties for performing functions 1 and 2 above (granting nonimmigrant status and moving someone from nonimmigrant status to permanent residency) so that one USCIS adjudicator alone cannot take an applicant from unlawful to permanent resident. These two functions will be performed at different physical locations 29 miles apart. The Vermont Service Center has not had an adjudicator who performed both functions 1 and 2 for the same applicant. This decision demonstrates that leadership at the Vermont Service Center recognizes the significant risk of creating legal citizenship documents for illegal aliens and is taking steps to mitigate that risk. However, our insider threat assessment has uncovered other issues that could be addressed to mitigate that risk.
Suggested Countermeasures: We suggest that USCIS institute an enterprise risk management program. Without a common vision for risk management, the ISSOs and all organizations within USCIS cannot effectively understand the risk environment and work together to effectively mitigate risk. Again, an enterprise risk management program will ensure that everyone across USCIS is working together to mitigate the highest priority risks. There are regulations and laws surrounding protection of PII, but focusing primarily on that issue can lead to a false sense of security if other, more important risk areas are given less attention. Again, a formal risk analysis would enable USCIS to thoroughly examine the issues and prioritize countermeasures using a formal process. For example, an alternative to the physical move could be to implement an audit mechanism to look for adjudicators who performed both functions 1 and 2 for the same applicant.

Area of Concern: Enterprise-Wide Communication
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no consistency of controls from one service center to the next. We were told they each operate fairly independently.
Suggested Countermeasures: USCIS would benefit from ongoing communications about risk-based issues between the service centers. For instance, communications concerning problems, effective countermeasures, modifications to business processes, or ideas for countering increased risk could lead to an improved risk posture for the entire USCIS enterprise.

Area of Concern: Continual Security Process Improvement
Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: The USCIS Convictions Task Force is an excellent forum for analyzing past criminal cases and determining measures that should be instituted to prevent similar crimes in the future.
Policy or Practice Gaps: There is no process for following up on a case after the Office of Special Investigation (OSI) finishes an investigation. The Convictions Task Force is the only process we found for formal tracking, analysis, and process improvement based on actual incidents. The assessment team asked various groups if there is any follow-up to incidents, for instance implementing automated scripts or controls to detect the same incident in the future. The team could not find a single person who knows of such an activity. Many examples of employee misconduct cited to the assessment team could easily have been detected or even prevented via automated controls. In addition, there is no mechanism for communicating issues outside of a given service center.
Suggested Countermeasures: In nearly 25% (91) of the cases in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28% of these cases it was because of inadequate auditing of irregular processes. In 29% of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analysis of the OSI's findings and the development of automated checks implemented nationally.

Area of Concern: USCIS Employees are Potential Targets for Recruitment
Responsible Personnel: Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Some USCIS employees interviewed have received a request for assistance from a friend, relative, or stranger seeking to promote a case for some form of applicant. One adjudicator said he does not tell others who he works for. However, the distinctive green parking sticker on his car could, in a small town like Burlington, VT, reveal the identity of his employer. USCIS personnel are therefore unusually vulnerable to solicitation by outsiders.
Suggested Countermeasures: Twenty-nine percent of the insiders in the CERT Insider Threat Case database were recruited by outsiders to commit their crimes. USCIS should consider increasing the security awareness training provided to USCIS employees and contractors. The training should be continuous, including portions intended to raise awareness of the potential target that USCIS employees present. All employees should be aware of the consequences of participating in fraud against USCIS as well as how to report solicitations made to commit fraud.

Area of Concern: Transformation
Responsible Personnel: USCIS Leadership, Data Owners, Information Technology, Human Resources
Policy and/or Security Measure: Transformation is a large business process reengineering effort in USCIS that is primarily focused on improved customer service and fraud detection. For example, the assessment team was told that Transformation will automatically validate data in CLAIMS against other external systems (e.g., ICE and FBI) and that security requirements and controls have been identified by current C3 LAN data owners.
Policy or Practice Gaps: Transformation was mentioned in most interviews for this assessment. It appears that USCIS is relying heavily upon Transformation to correct many of the problems resulting from legacy systems. However, it is unclear whether internal personnel security and information security concerns will be included in this program. This reliance on a single effort makes the effectiveness of this effort very important. Reading the Transformation requirements documentation, it is not clear that insiders are considered in the security requirements for prevention and detection of fraud or national security in USCIS systems.
Suggested Countermeasures: USCIS should consider the Transformation project from an enterprisewide perspective. It is important for it to use a formal requirements gathering process in order to effectively mitigate both internal and external threats. Personnel security should be included as well as information security to ensure that the appropriate internal controls are in place to reduce the risk posed by malicious insiders.

Training and Awareness

It is essential that security awareness training be consistently provided to all employees to ensure that security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure by coworkers or others in an organization to report concerning behavior was a primary reason insiders in the CERT Insider Threat Case database were able to set up or carry out their attacks. USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Area of Concern: Training o

rSk

ills

Requ

ired

ofT

hose

in

App

oint

edS

ecu

rity

Rol

es

USC

ISL

eade

rshi

p

USC

ISh

asa

trai

ning

pro

cess

thro

ugh

anin

form

atio

nsy

stem

sse

curi

ty

man

ager

(ISS

M)

USC

ISr

elie

she

av

ilyo

nco

ntra

ctor

sto

pro

vide

ade

qu

atel

ytr

aine

dst

aff

Man

yIS

SOs

are

notw

ellv

erse

din

se

curi

ty

ISSO

sar

ecu

rren

tlyin

an

educ

atio

npr

oces

sb

utIS

SOs

are

typi

ca

llyn

ots

ecur

ityw

atch

dogs

ISSO

sm

usth

ave

prop

ertr

aini

ng

ino

rder

tok

eep

upw

ithth

eev

erc

hang

ing

info

rmat

ion

secu

ri

tye

nvir

onm

enta

ndto

be

able

to

dea

lwith

the

myr

iad

tech

no

logi

esa

ndto

ols

avai

labl

eto

th

em

App

ropr

iate

bud

get

shou

ldb

eal

loca

ted

forI

SSO

tr

aini

ngi

nclu

ding

ven

dor

spec

ific

trai

ning

(eg

M

cAfe

ean

dCi

sco)

and

indu

stry

spe

cific

tr

aini

ng(e

g

SAN

S)

CERT | SOFTWARE ENGINEERING INSTITUTE | 36

Ap

pen

dix

BH

um

anR

esou

rces

Empl

oyee

Issu

es

An

orga

niza

tionrsquo

sap

proa

chto

red

ucin

gin

side

rth

reat

sho

uld

focu

son

pro

activ

ely

man

agin

gem

ploy

eeis

sues

and

beh

avio

rs

This

con

cept

beg

ins

with

eff

ectiv

ehi

ring

pro

cess

esa

ndb

ackg

roun

din

vest

igat

ions

tos

cree

npo

tent

ialc

andi

date

sO

rgan

izat

ions

sho

uld

also

trai

nsu

perv

isor

sto

m

onito

ran

dre

spon

dto

beh

avio

rso

fcon

cern

by

curr

ente

mpl

oyee

sS

ome

case

sfr

omth

eCE

RTIn

sid e

rTh

reat

Cas

eda

taba

ser

evea

led

that

sus

pi

ciou

sac

tivity

was

not

iced

inth

ew

orkp

lace

but

not

act

edu

pon

Org

aniz

atio

nss

houl

des

tabl

ish

aw

ello

rgan

ized

and

pro

fess

iona

lmet

hod

for

hand

ling

nega

tive

empl

oym

enti

ssue

san

den

suri

ngth

ath

uman

res

ourc

epo

licy

viol

atio

nsa

rea

ddre

ssed

Org

aniz

atio

nali

ssue

sre

late

dto

func

tions

sha

red

byH

Ran

dse

curi

typ

erso

nnel

are

att

heh

eart

ofi

nsid

err

isk

man

agem

ent

Em

ploy

ees

cree

ning

an

dse

lect

ion

isv

italt

opr

even

ting

cand

idat

esw

ithk

now

nbe

havi

oral

ris

kfa

ctor

sfr

ome

nter

ing

the

orga

niza

tion

or

ifth

eyd

oe

nsur

ing

that

th

ese

risk

sar

eun

ders

tood

and

mon

itore

dC

lear

pol

icy

guid

elin

esa

ddre

ssin

gbo

thp

erm

itted

and

pro

hibi

ted

empl

oyee

beh

avio

rar

evi

talt

ori

sk

dete

ctio

nan

dm

onito

ring

and

cle

arr

equi

rem

ents

for

ensu

ring

em

ploy

eesrsquo

kno

wle

dge

ofth

ese

guid

elin

esa

ree

ssen

tialt

oth

eir

succ

ess

In

addi

tio

nr

epor

tso

fpol

icy

ques

tions

and

vio

latio

nsn

eed

tob

esy

stem

atic

ally

rec

orde

dso

that

man

agem

ent

HR

and

sec

urity

per

sonn

elc

ana

ppr

oach

cas

ede

cisi

ons

with

com

plet

eba

ckgr

ound

info

rmat

ion

Ana

lysi

sof

thes

ere

port

sac

ross

indi

vidu

als

and

depa

rtm

ents

can

sup

ply

vita

lkno

wle

dge

ofp

robl

ema

reas

bey

ond

indi

vidu

alc

ases

Re

latio

nshi

ps

inw

hich

HR

sec

urity

and

man

agem

entp

erso

nnel

col

labo

rate

as

educ

ator

san

dco

nsul

tant

sar

evi

talt

oea

rly

dete

ctio

nan

def

fect

ive

man

age

men

tofe

mpl

oyee

spo

sing

an

insi

der

risk

Th

ene

edfo

rcl

ear

polic

ies

com

plet

epe

rson

nelr

isk

data

and

clo

sem

anag

emen

tH

Rse

curi

tyc

olla

bo

ratio

nis

rar

ely

grea

ter

than

whe

nha

ndlin

gem

ploy

eete

rmin

atio

nis

sues

whe

ther

vol

unta

ryo

rin

volu

ntar

y

CERT

sug

gest

sen

hanc

emen

tsto

the

USC

ISh

irin

gan

dte

rmin

atio

npr

oces

ses

For

exa

mpl

eU

SCIS

sho

uld

cons

ider

add

ition

als

cree

ning

for

high

ri

skp

ositi

ons

suc

has

adj

udic

ator

sU

SCIS

sho

uld

als o

con

side

rbe

com

ing

mor

ein

volv

edin

vet

ting

Fore

ign

Serv

ice

Nat

iona

ls(F

SN)p

rior

tog

rant

CERT | SOFTWARE ENGINEERING INSTITUTE | 37

ing

them

acc

ess

toU

SCIS

cri

tical

sys

tem

san

dda

ta

Fina

llyU

SCIS

sho

uld

cons

ider

ado

ptin

gan

ent

erpr

ise

wid

eex

itpr

oced

ure

toe

nsur

eco

nsis

te

ntte

rmin

atio

nof

all

empl

oyee

san

dco

ntra

ctor

s

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sPr

eEm

ploy

men

tSc

reen

ing

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

No

evid

ence

pro

vide

d

The

empl

oyee

scr

eeni

ngp

roce

ssla

cks

any

form

ofp

sych

olog

ical

scr

eeni

ng

for

ara

nge

ofp

ositi

ons

incl

udin

gad

ju

dica

tors

Five

per

cent

(18)

oft

hein

side

rs

inth

eCE

RTd

atab

ase

had

poss

ibl

eps

ycho

logi

cali

ssue

sU

SCIS

sh

ould

con

side

rin

clud

ing

psy

chol

ogic

alte

stin

gas

par

toft

h e

new

hir

epr

oces

sfo

rse

lect

pos

itio

nsi

nclu

ding

adj

udic

ator

s

Giv

enth

esi

gnifi

cant

soc

ialp

res

sure

son

adj

udic

ator

san

dth

ere

lativ

ela

cko

fmon

itori

ngfo

rin

side

rri

ski

tsee

ms

impo

rtan

tto

impr

ove

this

asp

ecto

fscr

een

ing

Hum

anR

esou

rces

App

lican

tsa

rea

ssig

ned

ara

ting

by

HR

the

ratin

gis

use

dto

ran

kap

pli

cant

s

Ther

eis

cur

rent

lyn

oau

ditl

ogth

at

wou

ldc

aptu

rein

stan

ces

inw

hich

so

meo

nein

HR

chan

ged

ara

ting

to

enab

les

omeo

neto

get

hir

edm

ore

easi

ly

USC

ISs

houl

dco

nsid

erim

ple

men

ting

ana

udit

log

totr

a ck

the

cand

idat

era

tings

and

ale

rtw

hen

cand

idat

era

tings

are

cha

nged

by

som

eone

inH

R

CERT | SOFTWARE ENGINEERING INSTITUTE | 38

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

s

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

Ifa

pers

onal

issu

e(e

g

subs

tanc

eab

use

rel

ativ

ely

larg

efin

anci

alin

de

bted

ness

)aris

esd

urin

gPe

rson

nel

Secu

rity

rsquos(P

ERSE

Crsquos)

scr

eeni

ng

PERS

ECm

ayis

sue

ale

tter

ofa

dvis

em

entt

oth

eca

ndid

ate

and

clea

rth

at

pers

onfo

rhir

eP

ERSE

RCis

hes

itant

to

sha

ren

egat

ive

info

rmat

ion

abou

tap

plic

ants

with

USC

ISb

eca u

seo

fpr

ivac

yco

ncer

ns

Beca

use

ofth

ese

conc

erns

am

anag

erm

ayn

otk

now

th

ats

omeo

neis

com

ing

into

ap

osi

tion

with

ah

isto

ryo

falc

ohol

and

or

drug

abu

sef

inan

cial

inde

bted

ness

et

c

The

priv

acy

wal

lbet

wee

nPE

RSEC

and

fie

ldp

erso

nnel

con

cern

edw

ithh

irin

gis

trou

blin

gI

tis

diff

icul

tfor

PER

SEC

repr

esen

tativ

esto

indi

cate

thei

rco

nce

rns

abou

tpot

entia

lhir

esw

hoh

ave

risk

fact

ors

that

do

notc

ross

adj

udic

atio

ngu

idel

ines

for

disq

ualif

icat

ion

USC

ISs

houl

dco

nsid

era

dditi

onal

sc

reen

ing

for

adju

dica

tors

U

SCIS

sho

uld

bem

ore

invo

lved

in

dec

idin

gw

hois

gra

nted

au

thor

ized

acc

ess

beca

use

ofth

ese

nsiti

ven

atur

eof

the

syst

ems

and

data

tha t

USC

ISm

anag

es

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

Each

fiel

dof

fice

dete

rmin

esw

heth

er

orn

otto

mee

tan

appl

ican

tfac

eto

fa

ceb

efor

ehi

ring

Ther

ew

asa

nim

pres

sion

ath

eadq

uar

ters

that

nea

rly1

00

oft

hose

hir

ed

bym

anag

ers

are

inte

rvie

wed

but

re

pres

enta

tives

inB

urlin

gton

Ver

m

ontt

old

uso

ther

wis

eT

his

gap

be

twee

npe

rcep

tion

(the

reis

not

ap

ol

icy

stat

ing

this

mus

tbe

done

)and

re

ality

iso

fcon

cern

Ther

eha

veb

een

know

nin

stan

ces

in

whi

cha

pplic

ants

wer

eon

lys

cree

ned

USC

ISs

houl

dre

quir

ein

terv

iew

sfo

ral

lpos

ition

sT

hein

terv

iew

sne

edto

be

cond

ucte

dby

som

eon

ein

volv

edin

the

day

tod

ay

supe

rvis

ion

ofth

epo

sitio

nto

be

fille

d

CERT | SOFTWARE ENGINEERING INSTITUTE | 39

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

son

pap

ero

rove

rth

eph

one

befo

re

bein

ghi

red

Sta

ndar

dop

erat

ing

pro

cedu

res

are

notf

ollo

wed

ata

llfie

ld

offic

es

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

PERS

ECv

ets

fede

rale

mpl

oyee

san

dco

ntra

ctor

s(w

itha

min

imum

bac

kgr

ound

inve

stig

atio

n)

USC

ISr

elie

son

the

US

Dep

artm

ent

ofS

tate

tov

etfo

reig

nna

tiona

lem

pl

oyee

sw

how

ork

ate

mba

ssie

sor

co

nsul

ates

abr

oad

FSN

sin

som

ein

stan

ces

are

gra

nted

ac

coun

tso

nU

SCIS

info

rmat

ion

sys

tem

sI

fFSN

sne

eda

cces

sto

DH

Ssy

ste

ms

(incl

udin

gU

SCIS

)cur

rent

lyt

his

acce

ssm

ustb

eap

prov

edb

yth

eCS

O

and

CIO

for

DH

ST

his

prac

tice

was

no

talw

ays

follo

wed

con

sist

ently

in

the

past

so

ther

em

ayb

eFS

Ns

who

w

ere

gran

ted

acce

ssw

ithou

tall

the

curr

entv

ettin

gan

dap

prov

als

U

SCIS

sho

uld

cons

ider

be c

omin

gm

ore

invo

lved

inv

ettin

gof

FSN

spr

ior

tog

rant

ing

them

acc

ess

to

USC

ISs

yste

ms

In

addi

tion

U

SCIS

sho

uld

audi

tcur

rent

FSN

sw

itha

cces

sto

USC

ISs

yste

ms

and

ensu

reth

ata

ppro

pria

te

vett

ing

was

per

form

ed

Cand

idat

eCe

rtifi

ca

tion

Ver

ifica

tion

Hum

anR

esou

rces

No

evid

ence

pro

vide

d

USC

ISd

oes

noth

ave

ast

anda

rdp

ro

cedu

refo

rve

rifyi

ngth

ece

rtifi

catio

ns

ofjo

bap

plic

ants

USC

ISs

houl

dco

nsid

erim

ple

men

ting

ast

epin

the

new

hir

epr

oces

sto

ver

ifyc

ertif

icat

ions

of

allc

andi

date

sA

few

insi

ders

do

cum

ente

din

the

CERT

Insi

der

Thre

atC

ase

data

base

wer

eab

le

CERT | SOFTWARE ENGINEERING INSTITUTE | 40

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sto

obt

ain

posi

tions

ino

rgan

iza

tions

by

prov

idin

gfa

lsifi

edc

erti

ficat

ions

Empl

oyee

and

Co

ntra

ctor

Ter

mi

nati

on

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

Exit

proc

edur

esa

rer

ecen

tlyd

evel

op

eda

ndi

nso

me

case

ss

tillu

nder

de

velo

pmen

t(ie

fo

rmal

exi

tpro

ce

dure

sar

eex

pect

edto

be

rele

ased

in

3m

onth

s)

This

gap

may

man

ifest

itse

lfin

the

inco

nsis

tent

col

lect

ion

ofb

adge

sla

pto

psm

obile

dev

ices

and

oth

erU

SCIS

eq

uipm

ent

USC

ISs

houl

dco

nsid

era

dopt

ing

ane

nter

pris

ew

ide

exit

proc

edu

reto

ens

ure

cons

iste

ntte

rmi

natio

nof

all

empl

oyee

san

dco

ntr

acto

rs

Ita

ppea

rsth

ere

spon

sibi

lity

for

ensu

ring

that

em

ploy

ees

and

cont

ract

ors

are

term

inat

edr

ests

sol

ely

with

the

man

ager

It

als

oap

pear

sdi

ffer

en

tman

ager

sfo

llow

diff

eren

tpr

oced

ures

toe

nsur

eth

ata

cce

ssis

dis

able

dan

deq

uipm

ent

isr

etur

ned

ase

mpl

oyee

san

dco

ntra

ctor

sle

ave

USC

IS

Empl

oyee

and

Co

ntra

ctor

Man

da

tory

Dru

gTe

stin

g

Hum

anR

esou

rces

All

fede

ralp

ositi

ons

are

subj

ectt

odr

ugte

stin

gb

uto

nly

forn

ewh

ires

Acc

ordi

ngto

aU

SCIS

Con

vict

ions

Tas

kFo

rce

inve

stig

atio

nca

sec

all

cont

rac

tor

posi

tions

do

notr

equi

red

rug

test

in

g

Fift

een

insi

ders

doc

umen

ted

in

the

CERT

Insi

der

Thre

atC

ase

data

base

exh

ibite

dsu

bsta

nce

abus

eU

SCIS

sho

uld

cons

ider

im

plem

entin

gm

anda

tory

pos

thi

red

rug

test

ing

for

alle

mpl

oy

ees

and

cont

ract

ors

CERT | SOFTWARE ENGINEERING INSTITUTE | 41

Ap

pen

dix

CP

hys

ical

Sec

uri

ty

Fiel

dof

fices

A

cces

sFo

llow

ing

Term

inat

ion

Se

curi

tyo

fPhy

sica

lCas

eFi

les

Som

ein

side

rsd

ocum

ente

din

the

CERT

Insi

der

Thre

atC

ase

data

base

exp

loite

dph

ysic

als

ecur

ityv

ulne

rabi

litie

s

Som

ew

ere

able

tog

ain

acce

ss

too

rgan

izat

ion

faci

litie

sou

tsid

eof

nor

mal

wor

king

hou

rsto

ste

alc

ontr

olle

din

form

atio

nor

toe

xact

rev

enge

on

the

orga

niza

tion

bys

abot

agin

gcr

itica

lope

ratio

ns

Phys

ical

sec

urity

can

als

opr

ovid

ean

othe

rla

yer

ofd

efen

sea

gain

stte

rmin

ated

insi

ders

who

wis

hto

reg

ain

phys

ical

acc

ess

to

atta

ck

Just

as

with

ele

ctro

nic

secu

rity

how

ever

for

mer

em

ploy

ees

have

bee

nsu

cces

sful

inw

orki

nga

roun

dth

eir

orga

niza

tionrsquo

sph

ysic

als

ecu

rity

mea

sure

sI

tis

impo

rtan

tfor

org

aniz

atio

nsto

man

age

phys

ical

sec

urity

for

full

time

par

ttim

ea

ndte

mpo

rary

em

ploy

ees

con

trac

tors

and

co

ntra

ctla

bore

rs

USC

ISP

hysi

calS

ecur

ityh

asm

ade

sign

ifica

ntp

rogr

ess

prot

ectin

gU

SCIS

faci

litie

san

das

sets

inth

ena

tiona

lcap

italr

egio

n(N

CR)s

ince

Janu

ary

2008

whe

nit

stoo

dup

an

ewp

hysi

cals

ecur

ityp

rogr

am

Alth

ough

phy

sica

lsec

urity

inth

eN

CRis

con

sist

ently

dir

ecte

dan

den

forc

edb

yPh

ysic

al

Secu

rity

eac

hfie

ldo

ffic

ese

tsit

sow

npo

licie

san

dac

cess

con

trol

sI

nad

ditio

ng

aps

inte

rmin

atio

npr

oced

ures

hav

ere

sulte

din

ong

oing

phy

sica

lac

cess

follo

win

gte

rmin

atio

nF

inal

lyi

ssue

sco

ncer

ning

the

secu

rity

ofp

hysi

calc

ase

files

sho

uld

bec

onsi

dere

das

par

tofa

USC

ISr

isk

man

age

men

tstr

ateg

y

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sPh

ysic

alS

ecur

ity

ofF

ield

Off

ices

USC

ISL

eade

rshi

p Ph

ysic

alS

ecur

ity

USC

ISis

inth

epr

oces

sof

put

ting

ane

wa

cces

sco

ntro

lsys

tem

inp

lace

fo

rth

eN

CR

Befo

reit

doe

sit

will

di

sabl

eac

cess

for

anyo

new

hoh

as

notu

sed

phys

ical

acc

ess

inm

ore

Each

USC

ISfa

cilit

yha

sits

ow

n

polic

ies

and

acce

ssc

ontr

ols

syst

ems

Som

efie

ldo

ffic

esw

ithin

USC

ISh

ave

acce

ss

cont

rols

yste

ms

oth

ers

don

ot

Not

al

loff

ices

inth

efie

ldh

ave

elec

tron

ic

Fort

yof

the

insi

ders

doc

umen

ted

inth

eCE

RTd

atab

ase

took

adv

an

tage

ofi

nade

quat

eph

ysic

als

ecu

rity

toc

arry

out

thei

rcr

imes

El

ectr

onic

acc

ess

cont

rols

pro

vide

CERT | SOFTWARE ENGINEERING INSTITUTE | 42

Sugg

este

dCo

unte

rmea

sure

slo

gsth

atc

ould

be

usef

ulin

inve

s

tigat

ions

ofi

llici

tact

ivity

out

side

of

nor

mal

wor

king

hou

rs

USC

IS

shou

ldc

onsi

der

deve

lopi

nge

nte

rpri

sew

ide

phys

ical

sec

urity

pr

oced

ures

rol

ltho

seo

utto

ea

chfi

eld

offic

ea

ndr

equi

rea

ph

ysic

als

ecur

ityr

epre

sent

ativ

eat

eac

hsi

teto

ens

ure

cons

iste

nt

enfo

rcem

ento

fthe

pol

icie

s

USC

ISs

houl

dco

nsid

erp

rohi

bitin

gea

chfi

eld

offic

efr

omd

evel

opin

gsi

tes

peci

ficp

olic

ies

and

rem

ov

ing

enfo

rcem

entc

ontr

olfr

om

each

site

In1

0ca

ses

docu

men

ted

inth

eCE

RTIn

side

rTh

reat

Cas

eda

ta

base

the

insi

der

was

abl

eto

at

tack

follo

win

gte

rmin

atio

ndu

eto

fa

ilure

ton

otify

sec

urity

em

pl

oyee

san

dbu

sine

ssp

artn

ers

of

the

term

inat

ion

To

cont

rola

cce

ssto

USC

ISfa

cilit

ies

itis

im

port

antf

orU

SCIS

toc

ompa

re

curr

ente

mpl

oyee

san

dco

ntra

cto

rsto

the

auth

oriz

eda

cces

slis

t

Polic

yor

Pra

ctic

eG

aps

acce

ssc

ontr

ols

ndashso

me

only

hav

elo

cks

and

keys

N

ote

very

USC

ISs

iteh

asa

phy

sica

lse

curi

tyr

epre

sent

ativ

eW

here

no

re

pres

enta

tive

isp

rese

ntt

his

resp

on

sibi

lity

falls

on

othe

rm

anag

emen

t pe

rson

nelw

hom

ayn

otb

eeq

uipp

ed

toh

andl

eth

ese

issu

esp

rope

rly

and

repo

rtth

emin

ati

mel

ym

anne

r

So

me

man

ager

str

ack

who

acc

esse

s

wha

twhe

nan

dot

hers

do

not

Ac

cord

ing

toP

hysi

calS

ecur

ityin

Ver

m

ont

onl

y20

o

fvio

latio

nsa

reb

ein

gre

port

edto

sec

urity

Polic

yan

dor

Sec

urit

yM

easu

re

than

12

mon

ths

as

wel

las

anyo

ne

nolo

nger

em

ploy

edb

yU

SCIS

It

als

opl

ans

one

xam

inin

gal

lacc

ount

sth

at

have

not

use

dph

ysic

ala

cces

sin

m

ore

than

30

days

Se

curi

tyo

ffie

ldo

ffic

esfa

llsu

nder

th

eFi

eld

Secu

rity

Div

isio

n(F

SD)

The

O

ffic

eof

Sec

urity

and

Inte

grity

(OSI

)re

cent

lyd

evel

oped

an

insp

ectio

nw

orkb

ook

and

isfi

eld

test

ing

itw

ith

FSD

U

SCIS

Fie

ldS

ecur

ityD

ivis

ion

isp

lan

ning

top

uta

sec

urity

rep

rese

ntat

ive

ine

very

fiel

dof

fice

Ite

xpec

tstw

oto

thre

etim

esm

ore

repo

rts

ofv

iola

tio

nso

nce

itha

sa

repr

esen

tativ

ein

ever

ylo

catio

n

No

evid

ence

pro

vide

d

Resp

onsi

ble

Pers

onne

l

Hum

anR

esou

rces

Ph

ysic

alS

ecur

ity

Are

aof

Con

cern

Phys

ical

Acc

ess

Follo

win

gTe

rmi

nati

on

CERT | SOFTWARE ENGINEERING INSTITUTE | 43

Sugg

este

dCo

unte

rmea

sure

s

ine

ach

faci

lityrsquo

sac

cess

con

trol

syst

em

D

isab

ling

phys

ical

acc

ess

tofa

cili

ties

whe

nem

ploy

ees

and

con

trac

tors

term

inat

eis

ess

entia

lto

prot

ectin

gU

SCIS

em

ploy

ees

and

faci

litie

sU

SCIS

sho

uld

cons

ider

au

tom

atin

gth

ere

voca

tion

of

empl

oyee

and

con

trac

tor

phys

ica

lacc

ess

whe

na

term

inat

ion

occu

rs

The

term

inat

ion

chec

klis

tsh

ould

incl

ude

ano

tific

atio

nto

ph

ysic

als

ecur

itys

oph

ysic

ala

cce

ssc

anb

edi

sabl

ed

Cons

ider

con

sist

ente

nfor

cem

ent

and

inve

stig

atio

nof

USC

ISp

hysi

ca

lsec

urity

inci

dent

sA

llal

erts

sh

ould

be

inve

stig

ated

and

Polic

yor

Pra

ctic

eG

aps

Secu

rity

gua

rds

ats

itelo

catio

nsh

ave

on

occ

asio

nig

nore

ddo

orp

ropp

ed

open

ala

rms

beca

use

thef

thas

trad

itio

nally

bee

na

very

sm

allp

robl

ema

t

Polic

yan

dor

Sec

urit

yM

easu

re

No

evid

ence

pro

vide

d

No

evid

ence

pro

vide

d

Resp

onsi

ble

Pers

onne

l

USC

ISL

eade

rshi

p Ph

ysic

alS

ecur

ity

Are

aof

Con

cern

No

Two

Pers

on

Cont

rol

CERT | SOFTWARE ENGINEERING INSTITUTE | 44

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sU

SCIS

docu

men

ted

ifth

eal

erti

sde

emed

unn

eces

sary

then

it

shou

ldb

edi

scon

tinue

dA

llse

cu

rity

vio

latio

nss

houl

dbe

trac

ked

ina

cen

tral

rep

osito

rys

oa

com

pl

ete

hist

ory

for

each

indi

vidu

alis

av

aila

ble

Aft

erH

ours

Acc

ess

Phys

ical

Sec

urit

y

Aut

hori

zed

Acc

ess

Mos

tacc

ess

is2

4ho

urs

ada

y7

days

a

wee

kndash

Tw

enty

nin

eof

the

insi

ders

do

cum

ente

din

the

CERT

dat

aba

seu

sed

phys

ical

acc

ess

outs

ide

ofn

orm

alw

orki

ngh

ours

toa

tta

ck

USC

ISs

houl

dco

nsid

erim

pl

emen

ting

ana

cces

sco

ntro

lsy

stem

that

gra

nts

acce

ssc

om

men

sura

tew

ithth

epo

sitio

nan

em

ploy

eeo

rcon

trac

tor

fills

If

apo

sitio

ndo

esn

otr

equi

rea

cces

sou

tsid

eof

nor

mal

wor

king

hou

rs

the

acce

ssc

ontr

ols

yste

ms

houl

dpr

ohib

itsu

cha

cces

san

dlo

gun

su

cces

sful

acc

ess

atte

mpt

s

Secu

rity

ofP

hysi

ca

lCas

eFi

les

Phys

ical

Sec

urit

y

Prot

ectio

nof

USC

ISC

ase

File

Dat

a

Phys

ical

file

sw

ere

obse

rved

inc

rate

sst

acke

din

the

hallw

ays

inth

eVe

rm

ontS

ervi

ceC

ente

rA

ccor

ding

toa

nin

terv

iew

att

heS

ervi

ceC

ente

ra

ny

one

coul

dw

alk

outw

itha

ldquocr

ate

fullrdquo

of

file

saf

ter

hour

se

spec

ially

ify

ou

are

ate

lew

orke

r

USC

ISa

ssum

esit

sca

sefi

led

ata

is

secu

reb

ecau

seit

sem

ploy

ees

and

cont

ract

ors

have

ac

lear

ance

or

hav

eha

da

back

grou

ndc

heck

It

isim

port

antt

ono

teth

at4

9in

side

rsd

ocum

ente

din

the

CERT

da

taba

sev

iola

ted

need

to

know

CERT | SOFTWARE ENGINEERING INSTITUTE | 45

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

s Ca

sefi

les

are

assu

med

tob

ese

cure

on

ceth

eya

rec

onta

ined

with

ina

Ser

vi

ceC

ente

rb

utth

eyc

ould

be

phys

ica

llya

ltere

dor

sto

len

bya

nyon

ew

ith

phys

ical

acc

ess

toth

efa

cilit

y

One

inte

rvie

wee

sta

ted

that

adj

udic

ato

rsty

pica

llyh

ave

50to

100

file

ssc

at

tere

dar

ound

thei

rof

fice

ord

esk

So

me

are

trac

ked

and

som

em

ayn

ot

be

Adj

udic

ator

sco

nduc

tint

ervi

ews

with

app

lican

tsin

thei

rof

fices

and

th

eym

ight

leav

eap

plic

ants

une

sco

rted

inth

eir

offic

esw

ithth

eca

se

files

whe

nfo

rin

stan

cem

akin

gco

pie

sor

att

endi

ngto

oth

erU

SCIS

bus

ine

ss

Acc

ordi

ngto

the

sam

ein

terv

iew

eei

non

efie

ldo

ffic

en

atur

aliz

atio

nce

rtifi

ca

tes

pas

spor

tsa

ndc

redi

tcar

din

fo

rmat

ion

has

been

foun

din

gar

bage

ca

nsin

the

hallw

ay

Adj

udic

ator

spi

cku

pth

eir

case

sin

an

enve

lope

inth

eir

mai

lbox

D

urin

gth

esi

tev

isit

the

asse

ssm

entt

eam

ob

serv

edth

em

ailr

oom

att

heV

erm

ont

Serv

ice

Cent

eru

natt

ende

dbe

twee

n

polic

ies

inth

eco

mm

issi

ono

fth

eir

crim

es

Ther

efor

er

elyi

ng

onc

lear

ance

sal

one

can

bev

ery

dang

erou

s

Thir

teen

insi

ders

doc

umen

ted

in

the

CERT

dat

abas

est

ole

phys

ical

pr

oper

tyb

elon

ging

toth

eor

gani

za

tion

CER

Tsu

gges

tsU

SCIS

con

si

der

the

cons

eque

nces

oft

heft

or

una

utho

rize

dac

cess

top

hysi

ca

lcas

efil

esa

ndm

ake

ari

sk

base

dde

cisi

onr

egar

ding

pot

en

tialp

olic

yan

dpr

oced

ure

chan

ges

Th

ere

are

stan

dard

pol

icie

san

dpr

oced

ures

forh

andl

ing

sens

itive

in

form

atio

nb

uta

str

ong

educ

atio

nalc

ampa

ign

isn

eede

dto

en

sure

the

prot

ectio

nof

dat

a

CERT | SOFTWARE ENGINEERING INSTITUTE | 46

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

ssh

ifts

(app

roxi

mat

ely

3p

m)

Whe

nad

judi

cato

rsfi

nish

with

afi

let

hey

retu

rnit

toa

dro

pof

fspo

tT

hea

sse

ssm

entt

eam

obs

erve

dth

ose

spot

s

whi

cha

rein

the

open

and

una

tte

nded

A

djud

icat

ors

may

kee

pca

ses

over

nigh

tand

usu

ally

ret

urn

them

w

ithin

1w

eek

Tele

wor

kers

at

Serv

ice

Cent

ers

USC

ISL

eade

rshi

p Ph

ysic

alS

ecur

ity

One

hun

dred

eig

hty

nine

peo

ple

at

the

Verm

ontS

ervi

ceC

ente

rare

au

thor

ized

tow

ork

from

hom

eT

hese

em

ploy

ees

pick

up

files

att

heV

er

mon

tSer

vice

Cen

ter

and

take

them

ho

me

The

yw

ork

2da

ysp

erw

eek

in

the

Serv

ice

Cent

era

nd3

day

spe

rw

eek

ath

ome

USC

ISp

ays

anu

nan

noun

ced

visi

tto

allh

omes

toin

ven

tory

the

empl

oyee

srsquofi

les

atle

ast

quar

terl

yT

hese

em

ploy

ees

mus

tha

vea

lock

edfa

cilit

yin

thei

rho

me

and

mus

talw

ays

have

the

abili

tyto

re

turn

the

files

toth

eSe

rvic

eCe

nter

w

ithin

4h

ours

The

cont

rolo

fUSC

ISd

ata

whe

nit

leav

esth

eVe

rmon

tSer

vice

Cen

ter

is

diff

icul

tto

enfo

rce

Em

ploy

ees

mus

tha

vea

ppro

pria

tes

tora

gefa

cilit

ies

bu

tthe

yco

uld

easi

lyc

opy

USC

ISd

ata

and

shar

eit

with

una

utho

rize

din

di

vidu

als

Twen

tyn

ine

perc

ento

fthe

in

side

rsd

ocum

ente

din

the

CERT

da

taba

sew

ere

recr

uite

dby

out

si

ders

toc

omm

itth

eir

crim

e

Mos

toft

hese

insi

ders

com

mitt

ed

the

crim

efo

rfin

anci

alg

ain

Iti

sim

port

antt

hatU

SCIS

rec

ogni

ze

the

pote

ntia

lfor

recr

uitm

ent

an

dth

ela

cko

fcon

trol

exe

rcis

ed

over

sen

sitiv

eda

taa

tadj

udic

ato

rsrsquor

esid

ence

s

CERT | SOFTWARE ENGINEERING INSTITUTE | 47
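The reconciliation and after-hours rules recommended in Appendix C (compare badge holders against the current employee and contractor list, disable badges unused for more than 12 months, review those unused for more than 30 days, and deny and log after-hours access for positions that do not need it), as an added example that is not code from the report or from USCIS. The working hours, position names and sample roster are constructed assumptions; the same roster comparison serves the PICS account validation that CERT suggests in Appendix D.

```python
"""Badge-account reconciliation and after-hours policy check for a facility
access control system. Illustrative only; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Assumption: positions that legitimately need round-the-clock facility access.
ROUND_THE_CLOCK_POSITIONS: FrozenSet[str] = frozenset({"security guard", "facilities"})
# Assumption: "normal working hours" are weekdays, 07:00-19:00 local time.
WORKDAY_START, WORKDAY_END = time(7, 0), time(19, 0)


@dataclass
class BadgeAccount:
    badge_id: str
    holder: str                      # personnel identifier as it appears in the HR roster
    position: str
    last_used: Optional[datetime]    # None means the badge has never been used


@dataclass
class Finding:
    badge_id: str
    action: str                      # "revoke", "disable" or "review"
    reason: str


def reconcile(accounts: List[BadgeAccount], active_roster: Set[str], as_of: datetime,
              disable_after_days: int = 365, review_after_days: int = 30) -> List[Finding]:
    """Compare the authorized access list against the current roster.

    Rules taken from the report's NCR cleanup plan: revoke badges of anyone no
    longer employed, disable badges unused for more than 12 months, and flag
    badges unused for more than 30 days for review.
    """
    findings: List[Finding] = []
    for acct in accounts:
        if acct.holder not in active_roster:
            findings.append(Finding(acct.badge_id, "revoke", "holder not on active roster"))
            continue  # termination outranks the inactivity checks
        idle = as_of - acct.last_used if acct.last_used else None
        if idle is None or idle > timedelta(days=disable_after_days):
            findings.append(Finding(acct.badge_id, "disable",
                                    f"no physical access in > {disable_after_days} days"))
        elif idle > timedelta(days=review_after_days):
            findings.append(Finding(acct.badge_id, "review",
                                    f"no physical access in > {review_after_days} days"))
    return findings


def within_working_hours(when: datetime) -> bool:
    return when.weekday() < 5 and WORKDAY_START <= when.time() < WORKDAY_END


def evaluate_attempt(acct: BadgeAccount, when: datetime) -> Tuple[bool, Optional[Dict[str, str]]]:
    """Grant access commensurate with the position; deny after-hours use by
    positions that do not need it. Only unsuccessful attempts produce a log entry,
    which is what the report asks the access control system to record."""
    if within_working_hours(when) or acct.position in ROUND_THE_CLOCK_POSITIONS:
        return True, None
    entry = {"event": "access_denied", "badge_id": acct.badge_id, "holder": acct.holder,
             "position": acct.position, "time": when.isoformat(),
             "reason": "after-hours access not authorized for position"}
    return False, entry


# --- Constructed sample data (not from the report) ---
AS_OF = datetime(2010, 12, 1, 9, 0)
SATURDAY_NIGHT = datetime(2010, 12, 4, 22, 0)
TUESDAY_MORNING = datetime(2010, 11, 30, 10, 0)
ACTIVE_ROSTER = {"emp-001", "emp-002", "emp-003", "emp-005"}
ACCOUNTS = [
    BadgeAccount("B-1001", "emp-001", "adjudicator", AS_OF - timedelta(days=2)),
    BadgeAccount("B-1002", "emp-002", "adjudicator", AS_OF - timedelta(days=45)),
    BadgeAccount("B-1003", "emp-003", "contractor", AS_OF - timedelta(days=400)),
    BadgeAccount("B-1004", "emp-999", "adjudicator", AS_OF - timedelta(days=1)),  # left USCIS
    BadgeAccount("B-1005", "emp-005", "security guard", None),                   # never used
]


def run_reconciliation() -> Dict[str, str]:
    """Return {badge_id: action} for the constructed sample."""
    return {f.badge_id: f.action for f in reconcile(ACCOUNTS, ACTIVE_ROSTER, AS_OF)}


if __name__ == "__main__":
    for f in reconcile(ACCOUNTS, ACTIVE_ROSTER, AS_OF):
        print(f"{f.badge_id}: {f.action} ({f.reason})")
    for acct in (ACCOUNTS[0], ACCOUNTS[4]):
        granted, log = evaluate_attempt(acct, SATURDAY_NIGHT)
        print(acct.badge_id, "granted" if granted else "denied", log or "")
```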

Ap

pen

dix

DB

usi

nes

sP

roce

sses

Tech

nica

lCon

trol

s

Aut

hori

zati

onv

iaP

ICS

A

ccou

ntM

anag

emen

t

Av

arie

tyo

fcas

esfr

omth

eCE

RTIn

side

rTh

reat

Cas

eda

taba

sed

ocum

enti

nsid

era

ttac

ksw

here

gap

sin

bus

ines

spr

oces

ses

prov

ided

ap

athw

ay

for

atta

ck

Enfo

rcin

gse

para

tion

ofd

utie

san

dth

epr

inci

ple

ofle

astp

rivi

lege

are

pro

ven

met

hods

for

limiti

nga

utho

rize

dac

cess

by

insi

ders

Id

eal

lyo

rgan

izat

ions

sho

uld

incl

ude

sepa

ratio

nof

dut

ies

inth

ede

sign

ofk

eyb

usin

ess

proc

esse

san

dfu

nctio

nsa

nde

nfor

ceth

emv

iate

chni

cala

nd

nont

echn

ical

mea

ns

Acc

ess

cont

rolb

ased

on

sepa

ratio

nof

dut

ies

and

leas

tpri

vile

gei

nbo

thth

eph

ysic

ala

ndv

irtu

ale

nvir

onm

ents

is

cruc

ialt

om

itiga

ting

the

risk

ofi

nsid

era

ttac

kT

hese

con

cept

sal

one

will

not

elim

inat

eth

eth

reat

pos

edb

yin

side

rst

hey

are

how

ever

ano

ther

laye

rin

the

defe

nsiv

epo

stur

eof

an

orga

niza

tion

Beca

use

ofth

ese

nsiti

ven

atur

eof

the

USC

ISm

issi

ons

ome

ofit

sem

ploy

ees

and

cont

ract

ors

are

targ

ets

for

recr

uitm

entf

orth

efto

run

auth

or

ized

mod

ifica

tion

ofU

SCIS

dat

aT

wen

tyn

ine

perc

ento

fthe

insi

ders

doc

umen

ted

inth

eCE

RTd

atab

ase

we r

ere

crui

ted

byo

utsi

ders

toc

omm

itth

eir

crim

eM

osto

fthe

sein

side

rsc

omm

itted

the

crim

efo

rfin

anci

alg

ain

Cri

tical

USC

ISb

usin

ess

proc

esse

ssh

ould

incl

ude

tech

nica

lcon

trol

sto

en

forc

ese

para

tion

ofd

utie

san

ddu

alc

ontr

olto

red

uce

the

risk

ofi

nsid

erfr

aud

In

addi

tion

pot

entia

lvul

nera

bilit

ies

surr

ound

the

use

ofth

eIC

EPI

CSs

yste

mfo

rau

thor

izat

ion

for

criti

calU

SCIS

sys

tem

sA

lthou

ghP

ICS

iso

utsi

deth

eco

ntro

lofU

SCIS

CER

Tre

com

men

dsth

atU

SCIS

exp

lore

the

poss

ibili

tyo

faud

iting

and

con

trol

ling

auth

oriz

atio

nsin

PIC

Sfo

rcr

itica

lUSC

ISs

yste

ms

Fin

ally

acc

ount

man

agem

enti

ssue

sre

late

dto

cri

tical

sys

te

ms

shou

ldb

eco

nsid

ered

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sA

utho

riza

tion

for

USC

ISC

riti

calS

ys

tem

sth

roug

hP

ICS

Dat

aO

wne

rs

Info

rmat

ion

Tech

nolo

gy

Seve

ralc

ritic

alU

SCIS

sys

tem

sar

etie

dto

PIC

Sfo

raut

hent

icat

ion

whi

ch

isa

dmin

istr

ated

by

the

ICE

PI

CSlo

gsa

account creations, when the accounts were created, what roles applied to the accounts, etc. PICS permits users outside of USCIS to authorize users for any USCIS application tied to PICS. Two thousand local PICS officers (LPOs) in ICE and USCIS can create new accounts in PICS for employees located at their sites.

USCIS should consider implementing an authorization process and system that enables it to control who is granted access to USCIS systems and data.

CERT | SOFTWARE ENGINEERING INSTITUTE | 48

LPOs control access for sheriffs, petitioners, CBP, DOJ, TSA, DHS OIG, the Terrorism Task Force, and others. Accounts are based on personnel records, so LPOs cannot create accounts for anyone who is not an employee at their site. However, PICS administrators can create accounts for anyone working at their site for any system tied to PICS.

CERT suggests that USCIS validate current PICS accounts and roles against current employee lists. Ten percent (37) of the insiders documented in the CERT database had excessive privileges, which enabled them to attack. In addition, “privilege creep” enabled a few (six) of the insiders documented in the CERT database to carry out their crimes.

Verification Information System (VIS)

Area of Concern: Sharing VIS Accounts
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: VIS administrators in external companies or agencies have been caught letting multiple employees use the same VIS account, but USCIS has no ability to take any action. The accounts enable employees to validate PII and citizenship information.
Suggested Countermeasures: Twenty-four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implementing stronger authentication to make sharing accounts more difficult.

Area of Concern: Logging, Auditing, and Alerting in VIS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Modifications by VIS users to critical data are logged.

Computer Linked Application Information Management System (CLAIMS) 3 LAN

Area of Concern: Self-Selection of Adjudication Cases
Responsible Personnel: ISSOs; Data Owners
Policy or Practice Gaps: Adjudicators can self-select cases (according to an interview concerning an internal incident that occurred at USCIS and interviews with data owners at the Vermont Service Center). Within the Service Centers, adjudicators have virtually unlimited access to applicant files; there are no need-to-know limitations or controls to prevent an adjudicator from accessing sensitive information and reporting it to outsiders, or modifying a file (entering an invalid decision). Adjudicators can also approve a case that is not assigned to them. There is no tie between the case management system (i.e., the National File Tracking System, or NFTS) and the case adjudication system (i.e., CLAIMS). In the internal case that occurred at USCIS, the perpetrator circumvented the interview process for 14 months; he approved “no show” cases. There were no controls to detect this. In addition, adjudicators can adjudicate any type of case even though they are each assigned certain types of benefits cases for adjudication.
Suggested Countermeasures: USCIS should consider implementing technical controls to prohibit adjudicators from self-selecting cases to adjudicate.

Area of Concern: Emphasis on Customer Service Over Risk
Responsible Personnel: Data Owners
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: One interviewee at the Vermont Data Center said that “stats” can be a strain, especially for new hires, although they do get a 90-day grace period.
Suggested Countermeasures: USCIS should use caution in emphasizing customer service as the only performance metric, because this could encourage a lack of attention to risk-related activities (such as accurate adjudication decisions).

Area of Concern: Lack of Separation of Duties in CLAIMS
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Currently, all declined requests for benefits are reviewed by a supervisor. However, there was a discrepancy during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. Only a random sample of approved adjudication decisions is reviewed. For some cases (for instance, victims cases) a senior adjudicator has to review the decision after the adjudicator enters it; then the supervisor reviews it. This is a manually enforced process. There was another discrepancy: in interviews, the adjudicators said that when adjudicators are in training, they are under 100% review. They are in training on a specific type of case for at least 6 months. Auditing for improperly granted benefits is based on sampling and/or blind quality assurance (QA), according “to Army standards,” after the fact. A randomly selected 30 cases per quarter are also reviewed by “sister centers.” The QA process varies office by office (no national process). This QA has been done for the past year and a half. In the Vermont field office, each supervisor pulls at least 10 cases per adjudicator per month. They review decision-related issues, security-related issues, and procedural issues (did they follow the right steps). They also look for lessons learned. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Some cases are more than 1,000 pages, so every detail cannot practically be reviewed for every case; clerks pull cases a couple of times per month (a certain number of cases per employee). Those cases are passed to QA, who reviews the cases. QA then sends feedback to the supervisor and adjudicator if they find something that does not look right.
Suggested Countermeasures: USCIS should consider implementing automated processes to prevent and detect fraud. Management indicated it would like to see automated technical enforcement of the review and approval process. In nearly ten percent (39) of the cases documented in the CERT database, insiders took advantage of insufficient separation of duties to carry out their crimes. USCIS should carefully consider the biggest risk to the organization. Many of the USCIS employees interviewed for this assessment identified the primary risk for the organization as allowing the next terrorist to live and work legally in the United States. They desire assistance in identifying and implementing internal controls to counter that risk. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it. If USCIS agrees that granting legal documents to illegal applicants is one of the biggest risks to the organization, then it should consider requiring dual authorization for these adjudication decisions.

Area of Concern: Lack of Automated Checks
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Vermont IT has done data sweeps after it found something suspicious. When it has done so, it has found more of the same activity.
Policy or Practice Gaps: There are no automated checks (there will be in Transformation). Checks that do exist are managed at the local level rather than alerting to the headquarters level.
Suggested Countermeasures: In nearly twenty-five percent (91) of cases documented in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 cases it was because of inadequate auditing of irregular processes. In 29 of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analyzing the OSI’s findings and developing automated checks that are rolled out nationally.
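The automated checks recommended above, together with the gaps listed under Self-Selection of Adjudication Cases and Lack of Separation of Duties in CLAIMS, reduce to a small set of rules evaluated over decision records. What follows is an added example written for this page; it is not code from the CERT assessment or from any USCIS system. The decision and assignment records, the field names (assigned_to, form, interview_required, second_approver), the per-adjudicator form-type scope table and the two-finding threshold are all constructed assumptions. The rules flag a decision on a case the adjudicator was not assigned, a decision on a form type outside the adjudicator's normal scope, an approval with no interview on record (the “no show” pattern), and an approval that lacks a distinct second approver (the dual-authorization countermeasure), then count findings per adjudicator so that a repeated pattern can be surfaced at the headquarters level rather than handled only locally.

```python
"""Automated separation-of-duties checks over adjudication decision records.

Added example, not from the CERT/USCIS report. All records, field names,
the scope table and the repeat threshold below are constructed assumptions.
"""
from collections import Counter

# Constructed case assignments: case id -> assigned adjudicator, form type,
# and whether an interview must be completed before approval.
ASSIGNMENTS = {
    "C-1": {"assigned_to": "adj_a", "form": "I-130", "interview_required": True},
    "C-2": {"assigned_to": "adj_b", "form": "I-485", "interview_required": True},
    "C-3": {"assigned_to": "adj_a", "form": "I-130", "interview_required": False},
    "C-4": {"assigned_to": "adj_c", "form": "I-765", "interview_required": False},
    "C-5": {"assigned_to": "adj_a", "form": "I-130", "interview_required": True},
}

# Assumed scope: the form types each adjudicator is assigned to work.
SCOPE = {"adj_a": {"I-130"}, "adj_b": {"I-485"}, "adj_c": {"I-765"}}

# Constructed interview log: case ids with a completed interview on record.
INTERVIEWS = {"C-1"}

# Constructed decision records; 'second_approver' models dual authorization.
DECISIONS = [
    {"case": "C-1", "by": "adj_a", "decision": "approve", "second_approver": "sup_1"},
    {"case": "C-2", "by": "adj_a", "decision": "approve", "second_approver": None},
    {"case": "C-3", "by": "adj_a", "decision": "deny", "second_approver": None},
    {"case": "C-4", "by": "adj_c", "decision": "approve", "second_approver": "adj_c"},
    {"case": "C-5", "by": "adj_a", "decision": "approve", "second_approver": "sup_1"},
]


def check_decision(dec, assignments, scope, interviews):
    """Return the names of every rule a single decision record violates."""
    case = assignments.get(dec["case"])
    who = dec["by"]
    if case is None:
        return ["unknown_case"]  # decision on a case the tracking system never assigned
    hits = []
    if case["assigned_to"] != who:
        hits.append("not_assigned")  # self-selected or otherwise unassigned case
    if case["form"] not in scope.get(who, set()):
        hits.append("outside_form_scope")  # form type this adjudicator does not normally work
    if dec["decision"] == "approve":
        if case["interview_required"] and dec["case"] not in interviews:
            hits.append("approved_without_interview")  # the "no show" approval pattern
        second = dec["second_approver"]
        if second is None or second == who:
            hits.append("missing_dual_authorization")  # second approver absent or same person
    return hits


def run_checks(decisions, assignments=ASSIGNMENTS, scope=SCOPE, interviews=INTERVIEWS):
    """All findings as (case, adjudicator, rule) tuples, in input order."""
    findings = []
    for dec in decisions:
        for rule in check_decision(dec, assignments, scope, interviews):
            findings.append((dec["case"], dec["by"], rule))
    return findings


def repeat_offenders(findings, threshold=2):
    """Adjudicators with at least `threshold` findings, sorted by name.

    Repeated patterns are what a headquarters-level alert should surface;
    a single finding is more often an honest mistake than fraud.
    """
    counts = Counter(who for _, who, _ in findings)
    return sorted(who for who, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = run_checks(DECISIONS)
    for case, who, rule in found:
        print(f"{case}\t{who}\t{rule}")
    print("repeat offenders:", repeat_offenders(found))
```

Run against the constructed records, the checks flag every rule for C-2 (approved by an adjudicator who was not assigned it, outside that adjudicator's form scope, with no interview and no second approver), a self-approved C-4 and an interview-less C-5, and report adj_a as a repeat offender. Running the same rules nightly over the real decision export, with the assignment and interview tables pulled from NFTS and the scheduling system, is the kind of nationally rolled-out automated check the row above recommends.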

Area of Concern: Physical Security of Case Files
Responsible Personnel: Data Owners; Adjudicators
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: The NFTS tracks millions of files. It was described, however, as a very large warehouse where files do occasionally
Suggested Countermeasures: Ten percent (40) of the insiders documented in the CERT database carried out their crimes by

the same applicant. C3LAN will be retired as part of Transformation. C4 will also be retired. A copy of security controls and requirements has been provided by C3LAN data owners to Transformation. It is important for the Transformation team to make risk-based decisions in Transformation design and development.

Area of Concern: Disabling Access to CLAIMS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Currently, every month USCIS compares the Human Resources attrition list against the C3LAN account list and disables inactive employee accounts.
Policy or Practice Gaps: The new HR form has not been socialized or widely advertised. It is up to the COTRs and supervisors to consistently request that access be disabled when an employee or contractor no longer needs access.
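The monthly comparison of the HR attrition list against the C3LAN account list described in this row, and the earlier suggestion that USCIS validate current PICS accounts and roles against current employee lists, are the same reconciliation. The script below is an added example of that reconciliation written for this page; it is not code from the CERT assessment or from any USCIS system. The roster, the account export, the field names, the 45-day dormancy threshold and the rule that an account's site must match its owner's site are constructed assumptions (the report says LPO-created accounts are tied to the LPO's site, but that administrators can create accounts for anyone). Rather than relying on a COTR or supervisor to remember to request a disable, it derives the disable list from the data: accounts with no matching employee, accounts whose owner has separated, accounts registered at a different site than their owner, and accounts that have not been used within the threshold (which is also the condition the NFTS lockout enforces).

```python
"""Account-to-roster reconciliation: derive the list of accounts to disable.

Added example, not from the CERT/USCIS report. The roster, account export,
field names, site rule and dormancy threshold are constructed assumptions.
"""
from datetime import date

# Constructed HR roster: employee id -> status and duty site. The
# "separated" entries are what the monthly attrition list would contain.
ROSTER = {
    "E100": {"status": "active", "site": "VSC"},
    "E101": {"status": "active", "site": "VSC"},
    "E102": {"status": "separated", "site": "NSC"},
    "E103": {"status": "active", "site": "NSC"},
}

# Constructed account export from an application whose accounts are created
# through a central authorization system (field names are assumed).
ACCOUNTS = [
    {"user": "jdoe", "owner": "E100", "site": "VSC", "roles": ["adjudicator"],
     "enabled": True, "last_login": date(2010, 12, 1), "created_by": "lpo_vsc"},
    {"user": "asmith", "owner": "E102", "site": "NSC", "roles": ["adjudicator"],
     "enabled": True, "last_login": date(2010, 11, 28), "created_by": "lpo_nsc"},
    {"user": "svc_batch", "owner": None, "site": "NSC", "roles": ["superuser"],
     "enabled": True, "last_login": date(2010, 12, 1), "created_by": "admin1"},
    {"user": "blee", "owner": "E103", "site": "VSC", "roles": ["clerk"],
     "enabled": True, "last_login": date(2010, 9, 1), "created_by": "lpo_vsc"},
    {"user": "tnew", "owner": "E101", "site": "VSC", "roles": ["clerk"],
     "enabled": True, "last_login": None, "created_by": "lpo_vsc"},
    {"user": "mkim", "owner": "E101", "site": "VSC", "roles": ["clerk"],
     "enabled": False, "last_login": date(2010, 6, 1), "created_by": "lpo_vsc"},
]

AS_OF = date(2010, 12, 15)   # assumed run date of the monthly comparison
DORMANT_DAYS = 45            # assumed threshold; pick to match the NFTS lockout


def reconcile(roster, accounts, today=AS_OF, dormant_days=DORMANT_DAYS):
    """Return (user, reason) for every enabled account that fails a check.

    Already-disabled accounts are skipped. An account with no matching
    employee record gets only that finding, since the remaining checks
    need the employee's status and site.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        owner = acct["owner"]
        emp = roster.get(owner) if owner else None
        if emp is None:
            findings.append((acct["user"], "no_matching_employee"))
            continue
        if emp["status"] != "active":
            findings.append((acct["user"], "owner_separated"))  # attrition list hit
        if emp["site"] != acct["site"]:
            findings.append((acct["user"], "site_mismatch"))   # assumed site rule
        last = acct["last_login"]
        if last is None or (today - last).days > dormant_days:
            findings.append((acct["user"], "dormant"))         # never used or unused too long
    return findings


def disable_list(findings):
    """Unique usernames to disable, sorted so the output is stable to diff."""
    return sorted({user for user, _ in findings})


if __name__ == "__main__":
    found = reconcile(ROSTER, ACCOUNTS)
    for user, reason in found:
        print(f"{user}\t{reason}")
    print("disable:", ", ".join(disable_list(found)))
```

On the constructed data this disables a separated employee's still-enabled account, an ownerless superuser service account, an account registered at the wrong site that is also dormant, and an account that was created but never used. Feeding the script the real HR roster and account exports each month, and ticketing the disable list automatically, removes the dependency on individual requests that the gap in this row describes.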

Area of Concern: Non-Attribution for DBA Accounts
Responsible Personnel: Information Technology

Area of Concern: Pending Reduction in Force for Data Entry Clerks
Responsible Personnel: Data Owners; Human Resources
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Data entry clerks will be losing their jobs when they move to LockBox, which will take over the functionality of accepting remittances for benefit applicants. It was stated that the data entry clerks might be hired away to work at the organization which performs that function.
Suggested Countermeasures: USCIS should be aware of the increased insider risk in the face of negative organizational events like this. It should consider proactive steps to decrease stress in the workplace and to ease potential financial burdens that could make employees more susceptible to recruitment by outsiders.

Area of Concern: Sharing Accounts in CLAIMS
Responsible Personnel: Data Owners; Information Technology; Data Entry Clerks
Policy and/or Security Measure: The NFTS will not let clerks log in if they have not used the system for a certain number of days.
Policy or Practice Gaps: A clerk’s cubemate will log in for their cubemate if it is the end of the day and IT has gone home for the day.
Suggested Countermeasures: Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implementing stronger authentication to make account sharing more difficult.

Fraud Detection and National Security Data System (FDNS-DS)

Area of Concern: No Logging of Transactions
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: The FDNS-DS is a central repository of fraud and national security investigations. This system holds applicants and petitioners as well as PII. There is also a national security tab
Policy or Practice Gaps: but there are no national controls to ensure that celebrities’ files are not being accessed.

Area of Concern: Elevated Privileges to FDNS-DS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is a large superuser community: more than thirty percent of all FDNS-DS users with access to the FDNS-DS. These accounts have extensive power; a malicious superuser can completely delete a record or modify the summary of findings.
Suggested Countermeasures: Ten percent (39) of the insiders documented in the CERT database took advantage of insufficient access controls. USCIS should consider reducing the number of privileged accounts with access to the FDNS-DS. If the number of superuser accounts were reduced, then enhanced auditing could be employed on transactions conducted using those accounts.

Area of Concern: Unknown Connections to
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.

Area of Concern: Failure to Address Known Security Vulnerabilities
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no automated patching because of the age of the servers and the application. Only critical patches are applied, for fear of crashing the servers.
Suggested Countermeasures: Thirteen insiders in the CERT database exploited known security vulnerabilities that were not addressed by the organization. USCIS should consider upgrading the FDNS-DS, since these vulnerabilities increase the risk of attack from outside and inside.

Area of Concern: Production Data Available to Contractors in Development
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: CSC has production data in the development environment even though it should not have access to production data.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment, and it was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the remote contractor-owned development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.

Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Developers cannot release new executables; a separate system administrator has to push them out.
Policy or Practice Gaps: Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of a lack of adequate configuration management. USCIS has a formal configuration management process. It is important to enforce its use for all employees and contractors. Otherwise, it will be extremely difficult to investigate a crime committed using flaws intentionally injected into source code by a contractor.

Appendix E: Incident Response

Incident Management, Security Awareness, Concerning Behaviors

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization’s lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complexity and widely distributed function creates a situation in which it is very difficult to obtain a complete picture of an individual’s insider threat risk level. Because of this, it is practically impossible for USCIS to implement a proactive program to mitigate insider threat. CERT strongly recommends that USCIS create a central repository of employee misconduct so it can detect indicators of increasing insider threat risk and mitigate them as quickly as possible.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Area of Concern: Lack of Central Repository of Employee Misconduct
Responsible Personnel: USCIS Leadership; Physical Security; Office of Security and Integrity
Policy and/or Security Measure: If Field Security receives a Significant Incident Report (SIR), then it investigates. Employee misconduct is then reported to the Office of Security and Integrity (OSI). If the OSI investigation substantiates an employee’s misconduct, it provides Counterintelligence (CI) a monthly report. It also provides the employee’s management a copy. CI is starting to get more reports of acceptable use violations and security violations. It tracks everything in a file for later use in reinvestigations. Labor Employee Relations (LER) has a record of the reports it receives of misconduct, complaints against an employee, rule violations, and so on. HR maintains the Official Personnel File, which contains records of suspensions, etc. LER contacts HR only for those types of actions. The OSI evaluates all complaints it receives and logs them into the case management system. It assigns them to a field office. At that point, any complaints are the responsibility of the special agent in charge at the field office. The field office investigates and sends the case for corrective action to the regional director in the chain of command, and then the regional director returns a management report of action to the special agent in charge. The OSI contacts the DHS OIG for potentially criminal behavior or serious misconduct. If the DHS OIG turns the case down, then it is sent to the field office or to law enforcement. The Personnel Security division (PERSEC) notifies the OSI monthly of arrests (tracked in the case management system), and the OSI notifies PERSEC of investigations.
Policy or Practice Gaps: There is no single place to go for an employee’s disciplinary records. The number of organizations involved and management of records is very complex and distributed throughout the organization. According to Physical Security, the field office does not tell the OSI about problems; the OSI finds out when it “hits the press.” For example, the OSI is not informed of a disgruntled system administrator who is exhibiting concerning behaviors.
Suggested Countermeasures: USCIS should consider requiring mandatory reporting of all incidents to the OSI. This communication stream will allow the OSI to get involved as early as possible and to document and maintain a central repository of all incidents. This central repository is critical for adequately managing insider threats in USCIS.

Area of Concern: Tracking of Online Incidents
Responsible Personnel: Information Technology
Policy and/or Security Measure: Computer or network violation incidents are tracked by a Remedy system tied to a unique computer identifier rather than a user, in an attempt to keep PII out of the ticket.
Policy or Practice Gaps: It is difficult to tie an event to a particular person. Even if the identity of an offender is known, repeat offenders are not tracked in any automated or correlated way.
Suggested Countermeasures: USCIS should consider including user information for each incident so that repeat offenders can be easily identified, as repeat offenses could indicate an insider of higher risk.

Area of Concern: Consistency in Response to Security Violations and Concerning Behaviors
Responsible Personnel: USCIS Leadership; Human Resources; Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no required training for supervisors on how to respond to a range of behaviors associated with many forms of insider risk. Computer use violations are not handled consistently across departments, supervisors, and type of employee. Egregious violations are referred to the OSI for a full investigation, but the criterion for deciding when that is warranted is a gut reaction.
Suggested Countermeasures: Eighty-one of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors prior to or while carrying out their criminal activities. Employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Area of Concern: US Department of State Investigations
Responsible Personnel: Office of Security and Integrity
Policy and/or Security Measure: OSI investigations have been subject to allegations of violations involving Foreign Service Nationals (FSNs), but the OSI relies on the US Department of State to investigate.
Policy or Practice Gaps: USCIS has no visibility into US Department of State investigations.
Suggested Countermeasures: FSNs who have access to USCIS systems and data should be included in an insider threat risk mitigation strategy.

Area of Concern: Preparation for Negative Work-Related Events
Responsible Personnel: USCIS Leadership; Human Resources; Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There do not appear to be any guidelines, training, or personnel available to evaluate employee insider risk before or after frequently precipitating events such as termination, demotions, transfers, or other disappointments or unmet expectations. There also does not appear to be a group charged with evaluating insider risk from organizational events or developments affecting groups of employees, such as relocations, contract changes, layoffs, and reorganizations.
Suggested Countermeasures: Fifty-five insiders documented in the CERT Insider Threat Case database had negative employment issues. Ninety-four had a change in employment status prior to their attacks, 20 had compensation or benefit issues, and 65 were disgruntled. Supervisors should be trained in these risk indicators. There should also be an available panel of specialists from the OSI or Labor Employee Relations (LER) trained to assess such risk. Similar specialists should be available to participate in the planning and execution of response plans in preparation for negative workplace events that potentially could lead to disgruntlement among the workforce at USCIS.

Area of Concern: Contractor Management
Responsible Personnel: USCIS Leadership; Physical Security; Human Resources
Policy and/or Security Measure: Personnel screening procedures for contractors are similar to those for employees. Contracting companies are required to report any adverse information regarding their employees immediately (in all contracts).
Policy or Practice Gaps: LER has no involvement with contractors. They have no record of contractor misbehaviors or complaints against contractors. Supervisors, the OSI, LER, and others concerned with organizational security may be largely unaware of insider risks related to contractors. Contractors are not subject to government monitoring or risk assessment. A contractor on a critical system may develop or have significant insider risk factors that may remain unknown to government employees due to a lack of reporting requirements.
Suggested Countermeasures: Sixty-two of the insiders documented in the CERT Insider Threat Case database were contractors. USCIS contract management staff should consider the need for reporting a range of potential indicators of insider risk among contract staff. Incident response plans should include response to employee and contractor issues.

Area of Concern: Employee or Contractor Concerning Behavior
Responsible Personnel: USCIS Leadership; Human Resources; Physical Security; Office of Security and Integrity; Labor Employee Relations
Policy and/or Security Measure: By policy, it is every employee’s responsibility to report suspicious behavior or misconduct. Supervisors who observe concerning or suspicious behavior report it to LER or the OSI. For low-level misconduct, LER advises the field office management on handling the matter. LER reports more serious misconduct, with more severe consequences, to HR. Misconduct can also be reported via Significant Incident Reports (SIRs). SIRs are sent to Physical Security or to the OSI for investigation. If CI discovers something suspicious during a reinvestigation, it informs the employee’s supervisor. The supervisor works with LER and counsel to decide on follow-up actions. OSI: The OSI sends results to the supervisor following investigation.
Policy or Practice Gaps: Self-reported drug use, arrest, and associations with foreign nationals during employment are sent to the
Suggested Countermeasures: Supervisors need to be notified immediately when an employee reports drug use, arrests, or association with foreign nationals so they have an accurate perception of the risk associated with each of their employees. In addition, 18 of the insiders documented in the CERT Insider Threat Case database had possible psychological issues. In collaboration with the OSI and LER, supervisors confronting employees who display concerning behaviors should have the ability to remove them from the workforce pending a medical or psychological evaluation to determine whether they have a disorder or illness that may impair their trustworthiness or judgment or make them a danger to themselves or others. Similarly, empowering supervisors to make an employee assistance program

ref

erra

land

eva

luat

ion

man

dato

ryi

nco

llabo

ratio

nw

ithL

ERo

rth

eO

SIm

ight

hel

pre

mov

eat

ris

kin

divi

dual

sfr

om

the

wor

kfor

ceu

ntil

they

can

sa

fely

and

sec

urel

yre

turn

CERT | SOFTWARE ENGINEERING INSTITUTE | 67

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sEl

ectr

onic

Inve

sti

gati

ons

Info

rmat

ion

Tech

nolo

gy

Off

ice

ofS

ecur

ity

and

Inte

gri

ty

Mos

talle

gatio

nsr

epor

ted

toth

eO

SI

are

notv

ery

tech

nica

lth

eO

ITp

ro

vide

sfo

rens

ics

uppo

rtfo

rin

vest

iga

tions

(pri

mar

ilyd

atab

ase

tran

sac

tions

)

PERS

ECh

asn

ever

ask

edth

eO

ITto

re

view

au

serrsquo

son

line

activ

ity

Onl

yon

epe

rson

inO

SIis

qua

lifie

dto

do

afo

rens

icin

spec

tion

USC

ISs

houl

dco

nsid

erin

clud

ing

the

OIT

inin

vest

igat

ions

ofs

us

pici

ous

activ

ity

CERT

rsquosin

side

rth

reat

res

earc

hha

ssh

own

that

no

ntec

hnic

alc

once

rnin

gbe

hav

iors

can

be

asso

ciat

edw

ith

onlin

ecr

imin

ala

ctiv

ity

It

wou

ldb

ebe

nefic

ialt

och

eck

for

past

tech

nica

lsec

urity

vio

la

tions

and

hav

eth

eO

ITa

naly

ze

curr

ento

nlin

eac

tivity

as

part

of

the

OSI

inve

stig

atio

ns

CERT | SOFTWARE ENGINEERING INSTITUTE | 68

Appendix F: Software Engineering

In a few of the cases documented in the CERT database, insiders (both employees and contractors) injected code into source code to facilitate fraud and IT sabotage. In most cases the modifications to source code were intended to sabotage the organization's systems; in [...] cases the code was used to facilitate fraud. In one case the code was set to execute following the insider's termination, and in [...] the code was planted [...] a year before finally executing. It is important that USCIS recognize the potential illicit activity that could be carried out by software engineers and implement appropriate controls, particularly for the most critical systems and system components.

Areas of concern: Logging; Critical Data Controls; Code Reviews; Configuration Management.

Area of Concern: Code Reviews

Responsible Personnel: ISSOs; Data Owners; Information Technology

Policy and/or Security Measure: Contractors are required to maintain a certain level of process maturity (CMMI Level 3) to be in compliance with USCIS policies. Source code is restricted to those with the need to know. Version Manager is used to control and track changes to source code. Separation of duties is implemented in the software release process: CSC checks new source code into Version Manager; a USCIS employee checks out the source code and releases it into production. The USCIS DBA moves new database objects into the production database.

Policy or Practice Gaps: Another interviewee mentioned that an "Easter egg" was found in source code after the contract was given to a new company.[4]

Suggested Countermeasures: (none recorded)

[4] A virtual Easter egg is an intentional hidden message, joke, or feature in a program, movie, book, etc.

Area of Concern: Configuration Management and/or Change Control Process Not Enforced

Responsible Personnel: ISSOs; Data Owners; Information Technology

Policy and/or Security Measure: No evidence provided.

Policy or Practice Gaps: When contractors develop software remotely, they are supposed to register code in Version Manager, but this is not always done consistently. Contractors sometimes release code to fix problems without following the change management process.

Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of the lack of adequate configuration management.

Area of Concern: Software Engineering Controls in the Service Centers

Responsible Personnel: ISSOs; Data Owners; Information Technology

Policy and/or Security Measure: No evidence provided.

Policy or Practice Gaps: Software is being developed in the Service Centers without consistently enforcing the same change management processes enforced at the national (enterprise) level. The centers use a code repository but not Version Manager to track software changes. They do peer reviews of code and believe that enterprise controls for code review are more detailed (although that belief appears to be false according to interviews at headquarters).

Suggested Countermeasures: USCIS should consider consistent policies and procedures for software engineering for the entire enterprise, including the Service Centers.
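The configuration management gaps above (code released to production without being registered in Version Manager or passing through the change management process, and the separation of duties between the person who reviews code and the person who releases it) can be checked mechanically rather than by interview. The following is an added example, not code from the CERT report or from USCIS: it hashes what is actually deployed on production hosts and reconciles each artifact against the change-management records. The `ReleaseRecord` and `DeployedArtifact` structures, the finding strings, and the sample records are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ReleaseRecord:
    """One entry in the change-management log (hypothetical structure)."""
    artifact_sha256: str
    vcs_revision: str   # revision registered in version control
    reviewed_by: str    # peer reviewer of the change
    released_by: str    # person who checked the code out and released it


@dataclass(frozen=True)
class DeployedArtifact:
    """A file found on a production host; content is read from the host."""
    host: str
    path: str
    content: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reconcile(deployed: Iterable[DeployedArtifact],
              records: Iterable[ReleaseRecord]) -> List[Tuple[str, str, str]]:
    """Return (host, path, finding) for every artifact that bypassed a control."""
    by_hash: Dict[str, ReleaseRecord] = {r.artifact_sha256: r for r in records}
    findings: List[Tuple[str, str, str]] = []
    for art in deployed:
        rec = by_hash.get(sha256_hex(art.content))
        if rec is None:
            # Code in production that no change-management record accounts for:
            # the "released to fix a problem without following the process" case.
            findings.append((art.host, art.path, "unregistered release"))
        elif not rec.vcs_revision:
            findings.append((art.host, art.path, "no version-control revision"))
        elif rec.reviewed_by == rec.released_by:
            # Reviewer and releaser must differ for the release process to
            # provide separation of duties.
            findings.append((art.host, art.path,
                             "reviewer also released (separation of duties)"))
    return findings


# --- constructed sample data ---
GOOD = b"def adjudicate(case): ...\n"
HOTFIX = b"def adjudicate(case): ...  # quick fix, never registered\n"
SELF = b"def export_report(): ...\n"

SAMPLE_RECORDS = [
    ReleaseRecord(sha256_hex(GOOD), "r1024", "reviewer.a", "releaser.b"),
    ReleaseRecord(sha256_hex(SELF), "r1031", "dev.c", "dev.c"),
]
SAMPLE_DEPLOYED = [
    DeployedArtifact("prod-app-01", "/opt/app/adjudicate.py", GOOD),
    DeployedArtifact("prod-app-02", "/opt/app/adjudicate.py", HOTFIX),
    DeployedArtifact("prod-app-01", "/opt/app/export_report.py", SELF),
]


def audit_sample() -> List[Tuple[str, str, str]]:
    """Run the reconciliation over the constructed sample."""
    return reconcile(SAMPLE_DEPLOYED, SAMPLE_RECORDS)


if __name__ == "__main__":
    for host, path, finding in audit_sample():
        print(f"{host}:{path}: {finding}")
```

The check is only as good as the inventory of deployed artifacts, so in practice the hashes are collected by an agent or a read-only job on each production host, and a Service Center that uses its own repository would be covered by feeding its release records into the same reconciliation.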

Area of Concern: Logging

Responsible Personnel: ISSOs; Data Owners; Information Technology

Policy and/or Security Measure: Logs used include database logs, application logs, system logs, remote access logs, and many others.

Suggested Countermeasures: Most insiders documented in the CERT Insider Threat Case database were detected or identified using some kind of system log.

Area of Concern: Production Data in Development Environment

Responsible Personnel: ISSOs; Data Owners; Information Technology

Policy and/or Security Measure: Development and production systems should be separate in terms of data sharing and access control.

Policy or Practice Gaps: In some cases contractors have access to both systems, including production data in the development environment.

Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.
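The countermeasure for production data in the development environment (sanitize or anonymize it before developers see it) is illustrated by the following added example, which is not part of the CERT report or of any USCIS system. Identifiers are replaced with keyed pseudonyms so that rows referring to the same applicant still link up for testing, dates of birth are generalized to a year, direct identifiers are dropped, and any column without a classification rule is refused rather than silently copied. The column names, the `PSEUDONYM_KEY` placeholder, and the sample rows are constructed.

```python
import hashlib
import hmac
from datetime import date
from typing import Any, Callable, Dict, List

# Held by the production data owner only; constructed placeholder value.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"

# Sentinels for the two rules that are not transformations.
KEEP = object()   # non-identifying column, copied unchanged
DROP = object()   # direct identifier, never copied to development


def pseudonym(value: str) -> str:
    """Keyed, deterministic token (truncated HMAC-SHA256).

    The same input always yields the same token, so relationships between
    records survive; without the key the token can be neither reversed nor
    recomputed, unlike a plain hash of a low-entropy identifier.
    """
    mac = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def year_only(iso_date: str) -> str:
    """Generalize a date of birth to its year, enough for age-based logic."""
    return str(date.fromisoformat(iso_date).year)


# Classification of every column in the (hypothetical) case table.
FIELD_RULES: Dict[str, Any] = {
    "case_id": pseudonym,
    "applicant_name": pseudonym,
    "date_of_birth": year_only,
    "ssn": DROP,
    "home_address": DROP,
    "case_status": KEEP,
    "received_date": KEEP,
}


def sanitize_record(rec: Dict[str, Any]) -> Dict[str, Any]:
    out: Dict[str, Any] = {}
    for column, value in rec.items():
        rule = FIELD_RULES.get(column)
        if rule is None:
            # A column nobody classified: fail closed instead of leaking it.
            raise ValueError(f"no sanitization rule for column {column!r}")
        if rule is DROP:
            continue
        out[column] = value if rule is KEEP else rule(value)
    return out


def sanitize_table(rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [sanitize_record(r) for r in rows]


# --- constructed sample: two cases filed by the same applicant ---
SAMPLE_PRODUCTION_ROWS = [
    {"case_id": "MSC1090123456", "applicant_name": "Jane Q. Applicant",
     "date_of_birth": "1975-06-14", "ssn": "123-45-6789",
     "home_address": "1 Example St, Anytown", "case_status": "pending",
     "received_date": "2010-09-01"},
    {"case_id": "MSC1090123457", "applicant_name": "Jane Q. Applicant",
     "date_of_birth": "1975-06-14", "ssn": "123-45-6789",
     "home_address": "1 Example St, Anytown", "case_status": "approved",
     "received_date": "2010-10-15"},
]


def sanitize_sample() -> List[Dict[str, Any]]:
    return sanitize_table(SAMPLE_PRODUCTION_ROWS)


if __name__ == "__main__":
    for row in sanitize_sample():
        print(row)
```

The key never leaves the production side: the sanitized copy is what gets loaded into the development database, and a new column added to the production schema causes the job to stop until a data owner classifies it.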

Appendix G: Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems or networks.

In some areas, computer accounts are managed fairly well at USCIS. USCIS is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk.

First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account. Furthermore, an FSN account and a US citizen federal employee account cannot be distinguished once it is created. Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore, USCIS has no visibility into who has access to its systems. Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems.

Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR. Dormant accounts provide a convenient, unknown access path for current and former employees to use for illicit activity. A lack of consistency exists in the application of account management practices under the control of USCIS. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.

Area of Concern: Account Establishment

Responsible Personnel: USCIS Leadership; Information Technology

Policy and/or Security Measure: In order for FSNs to gain access to USCIS systems, they must submit paperwork through proper channels, which eventually requires authorization by the CSO and CIO of DHS.

Policy or Practice Gaps: Prior to 2007, waiver paperwork for FSNs requesting account access was not submitted consistently. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.

Suggested Countermeasures: USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.

Responsible Personnel: Information Technology

Policy and/or Security Measure: Different personnel are responsible for account creation and deletion across the entire enterprise depending on the system or network in question.

Policy or Practice Gaps: Database administrators may be able to create and delete database and application accounts without a second person verifying that action.

Suggested Countermeasures: Because database administrators have access to such critical data, USCIS should consider separating the task of authorizing access to USCIS databases from the task of managing the data in the databases. This separation of duties may reduce the risk of a database administrator creating an unauthorized account and using that account to carry out a malicious act.

Responsible Personnel: USCIS Leadership; Information Technology

Policy and/or Security Measure: A computer account is established only after a number of criteria have been met, including security awareness training. In addition to the steps required of all personnel for account access, contractors have to go through extra steps, some of which include verification by the COTR.

Policy or Practice Gaps: Computer account access is sometimes granted before security awareness training is completed. This practice may be true especially for contractors, since the onboarding process depends on the contracting agency and the COTR to verify that the training is completed.

Suggested Countermeasures: USCIS should consider requiring computer security awareness training for all personnel (full-time employees, part-time employees, and contractors) and verify that it is complete before creating any system accounts for these personnel.

Area of Concern: Account Management: General

Responsible Personnel: Information Technology

Policy and/or Security Measure: PICS is administered by ICE, which has over 2,000 LPOs across various components of DHS. These LPOs are responsible for granting authorized access to PICS for the personnel at their respective work sites. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system.

Policy or Practice Gaps: Although the PICS account process requires the account to be linked to a valid employee, PICS administrators could create unauthorized accounts in the name of valid employees without their knowledge. Invalid accounts are typically flagged only when the account is dormant for a certain period of time. An LPO can also assign rights for any system controlled by PICS. Furthermore, ICE administers this system and could affect USCIS records unbeknownst to USCIS.

Suggested Countermeasures: In 12 of the cases documented in the CERT Insider Threat Case database, insufficient account management enabled the insiders to commit their crimes. USCIS should consider conducting account audits at the local site level, which would allow the validation of current PICS accounts and roles versus current employee lists. USCIS should explore a means of segregating account management in PICS so that LPOs can administer accounts only for their own organization's systems. In other words, USCIS LPOs would only be able to administer authorizations for USCIS systems in PICS, and ICE LPOs would only be able to administer authorizations for ICE systems.

Responsible Personnel: Information Technology

Policy and/or Security Measure: Account management is handled by a number of different groups across USCIS. Although there is an effort to centralize account management, local and regional offices of USCIS have historically done their own account management. If an account has not been used for a certain period of time, it is automatically disabled. The time period stated by various interviewees varied from 30, 60, or 90 days.

Policy or Practice Gaps: The issue of account management for employee transfers is not being addressed in a consistent manner. The OIT relies on notification by either the new or old supervisor when an employee transfers, but there have been cases in USCIS in which employees have retained access when they should not have.

Suggested Countermeasures: Six insiders documented in the CERT Insider Threat Case database were able to carry out their illegal activities because of "privilege creep." USCIS should review account management procedures to ensure that the steps currently taken to remove or alter account access are complete and being consistently followed. In particular, the procedures used when someone changes locations or departments within USCIS should be examined. As employees transfer throughout an agency, they should not be accumulating privileges. They should only retain privileges commensurate with their job responsibilities.

Responsible Personnel: USCIS Leadership; Information Technology

Policy and/or Security Measure: When an employee moves from one position to another or transfers to another department, the management in those departments must initiate the required computer account changes.

Area of Concern: Changing Password of Shared Account Upon Termination

Responsible Personnel: Information Technology

Policy and/or Security Measure: There are operating system images used throughout USCIS that permit an administrator to install a standard configuration of an operating system and accompanying software.

Policy or Practice Gaps: Though it would require physical access to a USCIS machine, that former administrator would have administrator rights to GFE.

Suggested Countermeasures: Twelve percent (46) of the insiders documented in the CERT Insider Threat Case database used system administrator privileges to sabotage systems or data. Shared accounts were used by insiders following termination in 14 cases. Although an administrator would need physical access to a piece of equipment [...]

Area of Concern: Disabling Accounts or Connections Upon Employee Termination

Responsible Personnel: USCIS Leadership; Information Technology; Human Resources

Policy and/or Security Measure: The OIT typically is notified of an account termination in one of three ways:

1) A standard form called an exit clearance form is distributed and signed by other parties such as Human Resources and the Office of Security and Integrity (OSI). This form lets the OIT know that an employee's accounts should be disabled or terminated.

2) The supervisor of the departing employee contacts the OIT directly and informs them of the employee's departure.

3) When a contractor is involved, it is the responsibility of the COTR to inform the OIT.

The OIT receives an "attrition list" every 2 weeks. When this list is received, a manual check is done to ensure that employees who have departed in the last 2 weeks have their account access deleted.

Policy or Practice Gaps: It is clear from interviews with USCIS personnel that a single process is neither understood nor followed for disabling accounts following an employee or contractor termination. The procedures used are not consistent between supervisors or field offices, and for federal employees versus contractors. Sometimes the exit clearance form makes it to the OIT and sometimes it does not. The OIT's task is made even more difficult by the fact that it would need to know exactly which accounts an individual has access to. Though this process is fairly effective, it potentially allows unauthorized access for 2 weeks following termination. Because this is a manual process, there is currently no automatic way to ensure that it happens. USCIS personnel cited an instance in which these procedures failed for an employee who was terminated as a contractor and later hired as a federal employee.

Suggested Countermeasures: The lack of consistency and awareness of the standard procedures may permit the account of an insider to be used following termination. Terminating accounts even 2 weeks following termination may not be enough to prevent unauthorized or criminal activity. As soon as HR is aware of the change, a more automated mechanism of deleting these accounts should be implemented.

Responsible Personnel: Information Technology

Policy and/or Security Measure: LPOs work in their respective regions or offices and are decentralized by nature. The policies and procedures followed often depend on how things have been done historically in that particular office.

Policy or Practice Gaps: Because account authorization procedures are not standardized throughout all organizations using the PICS, LPOs across the entire USCIS enterprise have not been consistent in how they have handled account deletion following employee termination.

Suggested Countermeasures: USCIS should continue its efforts to centralize or reduce the number of LPOs in order for standard procedures to be followed. If this cannot be accomplished, standard procedures should be published, instructed, and consistently enforced.

Area of Concern: Disabling Accounts or Connections During Employee Leave of Absences

Responsible Personnel: Information Technology; Human Resources

Policy or Practice Gaps: There is no official guidance or practice in the proper way to suspend access for an employee on a leave of absence. In one case provided by USCIS, an employee retained access to critical systems even after being placed on an administrative leave of absence.

Suggested Countermeasures: A few insiders documented in the CERT Insider Threat Case database retained access to organization systems while on a leave of absence and used that access to steal information or commit fraud. USCIS should implement a policy to outline exactly what should be done when a government employee or contractor goes on a leave of absence, considering the risks versus benefits of allowing system access.
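The account audit suggested under Account Establishment and Account Management: General (validating current accounts and roles against current employee lists, flagging dormant accounts, accounts whose creation has no authorization record, and LPOs granting access outside their own organization) and the transfer, termination, and leave-of-absence gaps described above all come down to reconciling an account inventory against the HR roster. The following added example, which is not code from the CERT report or from USCIS, performs that reconciliation over a constructed roster and account list. The `Employee` and `Account` structures, `ROLE_BASELINE`, the finding codes, and the 90-day dormancy threshold are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Employee:
    emp_id: str
    org: str            # organization that employs the person, e.g. "USCIS"
    department: str     # current department after any transfer
    status: str         # "active", "leave" or "terminated"
    status_date: date   # date the current status took effect


@dataclass
class Account:
    account_id: str
    system_org: str            # organization that owns the system
    owner_id: Optional[str]    # employee the account is linked to, if any
    enabled: bool
    last_login: Optional[date]
    granted_by_org: str        # organization of the LPO who granted it
    authorized: bool           # an authorization record exists for creation
    roles: Set[str] = field(default_factory=set)


# Hypothetical baseline: the roles staff of each department may hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "adjudications": {"case_read", "case_adjudicate"},
    "records": {"case_read"},
}

Finding = Tuple[str, str, str]   # (account_id, code, detail)


def audit_accounts(accounts: List[Account], roster: Dict[str, Employee],
                   today: date, dormant_days: int = 90) -> List[Finding]:
    """Reconcile every account against the roster and return control gaps."""
    findings: List[Finding] = []
    for acct in accounts:
        emp = roster.get(acct.owner_id) if acct.owner_id else None
        if emp is None:
            # No valid employee linked: the account cannot be attributed.
            findings.append((acct.account_id, "orphan", f"owner={acct.owner_id}"))
            continue
        if not acct.authorized:
            findings.append((acct.account_id, "unauthorized-creation",
                             "no authorization record for account creation"))
        if acct.granted_by_org != acct.system_org:
            findings.append((acct.account_id, "lpo-scope",
                             f"granted by {acct.granted_by_org} LPO on "
                             f"{acct.system_org} system"))
        if acct.enabled and emp.status == "terminated":
            days = (today - emp.status_date).days
            findings.append((acct.account_id, "enabled-after-termination",
                             f"{days} days after termination"))
        if acct.enabled and emp.status == "leave":
            findings.append((acct.account_id, "enabled-on-leave",
                             "no suspension while on leave of absence"))
        idle = (acct.last_login is None
                or (today - acct.last_login).days > dormant_days)
        if acct.enabled and idle:
            findings.append((acct.account_id, "dormant",
                             f"no login in {dormant_days} days"))
        # Privilege creep: roles beyond what the current department needs,
        # typically left over from a previous position.
        extra = acct.roles - ROLE_BASELINE.get(emp.department, set())
        if extra:
            findings.append((acct.account_id, "privilege-creep",
                             "roles beyond baseline: " + ",".join(sorted(extra))))
    return findings


# --- constructed sample data ---
TODAY = date(2010, 12, 1)
SAMPLE_ROSTER = {
    "e1": Employee("e1", "USCIS", "adjudications", "active", date(2008, 3, 1)),
    "e2": Employee("e2", "USCIS", "adjudications", "terminated", date(2010, 11, 11)),
    "e3": Employee("e3", "USCIS", "records", "leave", date(2010, 11, 18)),
    # e4 transferred from adjudications to records but kept the old role.
    "e4": Employee("e4", "USCIS", "records", "active", date(2010, 10, 4)),
}
SAMPLE_ACCOUNTS = [
    Account("a1", "USCIS", "e1", True, date(2010, 11, 28), "USCIS", True, {"case_read", "case_adjudicate"}),
    Account("a2", "USCIS", "e9", True, date(2010, 11, 25), "USCIS", True, {"case_read"}),
    Account("a3", "USCIS", "e2", True, date(2010, 11, 10), "USCIS", True, {"case_read"}),
    Account("a4", "USCIS", "e3", True, date(2010, 11, 17), "USCIS", True, {"case_read"}),
    Account("a5", "USCIS", "e4", True, date(2010, 11, 29), "USCIS", True, {"case_read", "case_adjudicate"}),
    Account("a6", "USCIS", "e1", True, date(2010, 5, 1), "USCIS", True, {"case_read"}),
    Account("a7", "USCIS", "e1", True, date(2010, 11, 30), "ICE", True, {"case_read"}),
    Account("a8", "USCIS", "e1", True, date(2010, 11, 30), "USCIS", False, {"case_read"}),
]


def audit_sample() -> List[Finding]:
    return audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, TODAY)


if __name__ == "__main__":
    for account_id, code, detail in audit_sample():
        print(f"{account_id}: {code} ({detail})")
```

Run against the real roster, the same job replaces the bi-weekly manual check of the attrition list: it is driven by the HR status date rather than by whether an exit clearance form reached the OIT, and the `enabled-after-termination` detail makes the delay measurable.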

Area of Concern: Sharing Account and Password Information

Responsible Personnel: Information Technology

Policy or Practice Gaps: Although concern has been expressed about the existence of these accounts, the business justification has taken precedence over the risk being assumed.

Suggested Countermeasures: Access to these accounts should be carefully documented and tracked so that credentials can be changed if someone in that restricted group no longer warrants access.

Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure that network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors have not been through the rigorous preemployment screening required of USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems, and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, the ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Area of Concern: Foreign Service Nationals
Responsible Personnel: Information Technology, Human Resources, Office of Security and Integrity
Policy and/or Security Measure: Currently, a Foreign Service National (FSN) requiring access to USCIS systems submits paperwork, including a waiver, through the USCIS director and the CIO and CSO of DHS.
Policy or Practice Gaps: Although the assessment team was able to get only limited visibility into this practice, it seems to be aligned with the policy. If true, it has given USCIS and DHS better visibility into this activity.
Suggested Countermeasures: The practice should be continued and expanded as needed to inform all relevant USCIS personnel.

Responsible Personnel: Information Technology, Human Resources, Personnel Security, Office of Security and Integrity
Policy and/or Security Measure: When FSNs require access to USCIS systems in embassies and consulates abroad, they are vetted by the U.S. Department of State.
Policy or Practice Gaps: Because the U.S. Department of State is performing the vetting process, USCIS has very little control over or visibility into the process for granting FSNs access to USCIS systems and networks. Interviewees stated that in some cases FSNs have administrative control over some systems, and that in other cases they are serving as information system security officers (ISSOs).
Suggested Countermeasures: USCIS should gain a better understanding of the U.S. Department of State's vetting process and clarify its own requirements for granting and tracking access for FSNs to USCIS systems. If continued access is required, the procedures to document and control that access should be negotiated with the U.S. Department of State and consistently enforced.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Once a traditional user account is created, there is little to no way to distinguish an FSN account from one belonging to a U.S. citizen.
Policy or Practice Gaps: Because an FSN account is not distinguishable from other accounts, it would be extremely difficult to associate specific online activities with accounts belonging to FSNs. Email addresses appear the same, and violation activities would not easily be attributed to an FSN.
Suggested Countermeasures: USCIS should consider whether or not it wants the ability to distinguish what online activities and accesses FSNs are engaging in. If so, it should incorporate those steps into the procedures mentioned above.

Responsible Personnel: Information Technology
Policy and/or Security Measure: DHS is in the process of building a secure intranet called OneNet, which will better enable information sharing among DHS components. This project will be enabled by interconnection agreements between segments.
Policy or Practice Gaps: Once the appropriate interconnection agreements are in place, it will be harder to restrict access for FSNs to specific systems (e.g., SharePoint).
Suggested Countermeasures: USCIS should make a determination about whether or not FSN access should be any different from other similar accounts of U.S. citizens. If the lack of restrictions is unacceptable, that issue should be brought to DHS personnel responsible for implementing the OneNet solution.

Area of Concern: Access Controls
Policy and/or Security Measure: There are business processes and resources (e.g., PICS, CLAIMS 3, and CLAIMS 4) that are shared with ICE. This partnership is an artifact of the past and current relationships between departments within DHS.
Policy or Practice Gaps: For these shared resources to function properly, they require careful coordination, which does not take place in all cases. For example, USCIS does not receive a copy of the formal access request submitted to ICE for an ICE employee to access a USCIS system.
Suggested Countermeasures: USCIS should carefully document what access is being granted to any parties external to USCIS. If additional coordination is required, it should be done with the relevant departments of DHS.

Policy and/or Security Measure: For certain information systems, local and remote logins are not permitted between the hours of 11:30 p.m. and 6:00 a.m.
Policy or Practice Gaps: This practice closely adheres to the policy for specific systems.
Suggested Countermeasures: Enforcing a mandatory access period may help ensure that a malicious insider is not using systems when supervision is lessened. Eight percent (29) of the insiders documented in the CERT Insider Threat Case database used access outside of normal working hours to carry out their illicit activities.

Policy and/or Security Measure: When an employee attempts to log in to a restricted system during off-peak hours, an automatic email notice is sent by the OIT to persons in the employee's management chain of command.
Policy or Practice Gaps: This practice is not consistent across all systems and is not part of other incident response procedures.
Suggested Countermeasures: USCIS should consider implementing this practice into the larger system of incident response, to include correlation with other events and over a period of time.
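The off-hours login notice in the two rows above is a single-event alert; the report's suggestion is to fold it into incident response with correlation against other events and over time. The following is an added example of what that correlation can look like, not code from the assessment, from CERT or from USCIS: it reads constructed login and HR events, flags logins to restricted systems outside a 6:00 a.m. to 11:30 p.m. window (the hours quoted in the report, assumed here to apply to the named systems), and escalates when the same user repeats the behaviour within seven days or has already given notice of resignation, the period the Access Control introduction singles out. The event format, system names and thresholds are assumptions.

```python
"""Off-hours login alerting with correlation over time.

Added example, not code from the CERT/USCIS assessment: it flags login
attempts to restricted systems outside the permitted window and escalates
when the same user repeats the behaviour within a look-back period or has a
pending resignation notice. Log format, system names, window and thresholds
are constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, time, timedelta

# Permitted window, modelled on the report's "no logins between 11:30 p.m.
# and 6:00 a.m." rule for certain systems (assumed to apply to these names).
WINDOW_START = time(6, 0)
WINDOW_END = time(23, 30)
RESTRICTED_SYSTEMS = {"claims3", "nfts"}   # hypothetical system names
REPEAT_DAYS = 7       # look-back period for repeated off-hours logins
REPEAT_COUNT = 3      # off-hours logins within REPEAT_DAYS that escalate

# Constructed sample events: "<ISO timestamp> <event> <user> <system>".
SAMPLE_EVENTS = [
    "2010-11-01T08:15:00 login jsmith claims3",
    "2010-11-02T00:30:00 login tnguyen claims3",      # off-hours
    "2010-11-02T23:45:00 login jsmith claims3",       # off-hours, isolated
    "2010-11-03T02:10:00 login rlee nfts",            # off-hours
    "2010-11-03T09:00:00 resignation_notice rlee -",  # HR event
    "2010-11-04T01:30:00 login rlee nfts",            # off-hours after notice
    "2010-11-04T05:00:00 login tnguyen claims3",      # off-hours
    "2010-11-05T00:05:00 login rlee nfts",            # off-hours after notice
    "2010-11-05T00:10:00 login rlee sharepoint",      # not a restricted system
    "2010-11-06T23:50:00 login tnguyen claims3",      # third in 7 days
]


def parse_event(line):
    ts, kind, user, system = line.split()
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "user": user, "system": system}


def is_off_hours(ts):
    """True when the clock time falls outside the permitted window."""
    t = ts.time()
    return t < WINDOW_START or t > WINDOW_END


def correlate(lines):
    """Return alerts as (timestamp, user, system, severity, reason) tuples.

    Severity: 'low' for an isolated off-hours login (the report's e-mail to
    the management chain), 'medium' when REPEAT_COUNT off-hours logins fall
    within REPEAT_DAYS, 'high' when the user has an earlier resignation notice.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    resigned = {}                 # user -> time of resignation notice
    history = defaultdict(list)   # user -> times of off-hours logins
    alerts = []
    for e in events:
        if e["kind"] == "resignation_notice":
            resigned[e["user"]] = e["ts"]
            continue
        if e["kind"] != "login" or e["system"] not in RESTRICTED_SYSTEMS:
            continue
        if not is_off_hours(e["ts"]):
            continue
        history[e["user"]].append(e["ts"])
        recent = [t for t in history[e["user"]]
                  if e["ts"] - t <= timedelta(days=REPEAT_DAYS)]
        if e["user"] in resigned and resigned[e["user"]] <= e["ts"]:
            sev, why = "high", "off-hours login after resignation notice"
        elif len(recent) >= REPEAT_COUNT:
            sev, why = "medium", f"{len(recent)} off-hours logins in {REPEAT_DAYS} days"
        else:
            sev, why = "low", "isolated off-hours login; notify management chain"
        alerts.append((e["ts"], e["user"], e["system"], sev, why))
    return alerts


def count_by_severity(alerts):
    return dict(Counter(a[3] for a in alerts))


if __name__ == "__main__":
    for ts, user, system, sev, why in correlate(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M} {sev:6} {user:8} {system:9} {why}")
```

The ordering of the checks is deliberate: a login after a resignation notice is escalated regardless of how many earlier alerts exist, because that is the window in which the report says monitoring matters most; the repeat counter only matters for users with no HR signal.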

Area of Concern: Access Privileges – General
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: At the Vermont Service Center, OIT staff are the only ones present late at night. As part of their duties, they also have electronic access to the CLAIMS 3 information system.
Policy or Practice Gaps: As a function of the electronic access and the physical layout of the Service Center, OIT personnel have access to CLAIMS 3 as well as the physical files in the building.
Suggested Countermeasures: USCIS should consider the minimum level of access (least privilege) needed for all personnel to accomplish their job duties. Thirteen percent (49) of the insiders documented in the CERT Insider Threat Case database violated a need to know in order to perpetrate their crimes, including stealing PII and proprietary information. In addition, several insiders committed their crimes while working on the night shift, where they enjoyed a reduced level of scrutiny. Unrestricted electronic and physical access to such high-risk data and systems outside of normal working hours presents a high degree of risk to USCIS.

Area of Concern: Access Privileges – System Administrator
Responsible Personnel: Information Technology, Office of Security and Integrity
Policy and/or Security Measure: The U.S. Department of State Consular Affairs network grants access to FSNs working in embassies and consulates, and it connects to USCIS systems.
Policy or Practice Gaps: According to one interviewee, some FSNs on the Consular Affairs network are suspected of working for arms of foreign intelligence or security agencies. USCIS has used technical methods (e.g., firewalls) to ensure that USCIS systems are protected from any interconnections with the U.S. Department of State's networks.
Suggested Countermeasures: Since USCIS cannot determine what access the U.S. Department of State grants to FSNs on its systems, USCIS should continue to use technical measures to prevent unauthorized access while working with counterintelligence personnel to deal with suspected foreign agents working around U.S. government facilities.

Responsible Personnel: Information Technology
Policy and/or Security Measure: There is a single person who has the knowledge of and responsibility for administering the voicemail systems for USCIS.
Policy or Practice Gaps: This single point of failure makes it difficult to recover from a malicious act on this particular system.
Suggested Countermeasures: A few insiders in the cases analyzed by CERT used their unrevoked access to the organization's phone system to harm the organization. In one case the entire customer service voicemail system was redirected to a pornographic phone site. In another, derogatory comments about the organization were recorded and played for every voicemail box. USCIS should place additional staff in the role of administrators for the USCIS voicemail system. This would allow USCIS to implement some form of separation of duties, or at the very least minimal checks and balances, to prevent tampering with the voicemail system.

USCIS should ensure that it manages accounts and passwords for internal systems such as voicemail as well as external accounts. One insider documented in the CERT Insider Threat Case database changed the domain name system registry for his organization's website so that visitors were sent to a pornographic website. These types of accounts are used very infrequently and are often not included in formal termination procedures.

Area of Concern: Management of Remote Access
Responsible Personnel: Information Technology, Security Network Operations Center
Policy and/or Security Measure: Port security would prevent a user from connecting a personal machine directly to a USCIS network. This security mechanism is handled by the SNOC. Remote access, on the other hand, is handled by DHS. USCIS has access to very limited information, including logs, for remote connections because of contract stipulations with Sprint. The assessment team received conflicting opinions about whether a personal machine could be connected with a remote account.
Policy or Practice Gaps: Although connecting a personal laptop to a USCIS network via a remote connection may or may not be blocked, the SNOC was not confident it would be blocked, because it does not control that access. It is possible that a user could connect with a personal machine if DHS allowed it.
Suggested Countermeasures: USCIS should coordinate with DHS personnel to ensure that desired USCIS security policies are enforced for personnel accessing USCIS systems and data. Seven percent (26) of the insiders documented in the CERT Insider Threat Case database were able to attack in part because of insufficient monitoring of external access.

Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: The contractors responsible for VIS have implemented a strict access control solution with Firepass, and it appears to accomplish its goal of ensuring that only the proper personnel are granted access and that they perform authorized actions once they are connected.
Policy or Practice Gaps: Unfortunately, they are the only contractors and system using Firepass, and it will not be used once the move is made to Stennis Space Center. They are unsure of what controls will be used at Stennis.
Suggested Countermeasures: Implementing a Firepass solution for all USCIS systems might not be cost effective. USCIS management should at least examine the risk posed to the most critical systems and implement a Firepass-like solution for those that require remote access. As stated above, one in ten insiders documented in the CERT Insider Threat Case database used the creation of unknown paths into organization systems; proper measures might have prevented many of those instances.

Area of Concern: Non-System Administrators With Authorized Access to Administrator Accounts
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: According to one interviewee, FSNs are system administrators on some U.S. Department of State systems in embassies or consulates abroad. The U.S. Department of State has authorized access for some FSNs to some USCIS systems needed for the performance of their duties.
Policy or Practice Gaps: An FSN who is a system administrator for U.S. Department of State systems does not necessarily have administrator rights on USCIS systems. One interviewee expressed concern, however, that an administrator who is a citizen of a foreign country could escalate privileges or use social engineering tactics to gain unauthorized access to USCIS systems.
Suggested Countermeasures: Ten percent (39) of insiders documented in the CERT Insider Threat Case database took advantage of insufficient access controls to conduct their crimes. USCIS should examine USCIS systems access for U.S. Department of State system administrators, as well as how those connections are monitored or logged. They should also work with the U.S. Department of State to understand its processes for granting FSNs access to U.S. Department of State systems.

Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: There are currently no limits on which A-Files an adjudicator can request in the National File Tracking System (NFTS).
Policy or Practice Gaps: The lack of limits placed on requesting A-Files in NFTS may allow adjudicators to request a file by name even if they should not be accessing that file.
Suggested Countermeasures: There should be logical controls to detect "extraordinary" or suspicious file transfer requests. In one USCIS case the insider requested a file transfer to a region for an individual whose files were in another region and whose forms had been previously denied.

Protecting Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating an insider threat risk to organizations. A variety of insider threat cases studied by CERT [...] through the download of information to portable media, or [...] unauthorized [...] attacks, or to communicate sensitive information [...] through technical means. The unauthorized exfiltration of controlled information [...] to competitors or conspirators [...]. Organizations must ensure that employees understand [...] and enforce policies regarding what constitutes acceptable use of company resources, including information assets. [...] monitoring network traffic [...] help protect controlled information. In some instances malicious insiders used [...] storage devices [...]; [...] implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic by total volume or type of traffic (e.g., by either port or protocol).

Area of Concern: Data Download to Media
Responsible Personnel: Information Technology
Suggested Countermeasures: 1) Exce[ptions] [...] that are technically [...] should be [...]; 2) If USB [...] employee signs [...] security awareness campaign [...] devices [...] will be logged [...].

Area of Concern: Data Download From Home
Responsible Personnel: Information Technology
Policy and/or Security Measure: There is a policy against using personally owned computer equipment to perform official duties for USCIS. Telework should only be done with government furnished equipment (GFE).
Policy or Practice Gaps: A case from the USCIS CT Task Force showed that an employee performed a significant amount of official business, including [...] email, on his personal laptop [...]. He accessed [...] in order to develop a system that he was rewarded for producing. There are no technical controls to catch this activity unless the device is physically plugged into the network.

Area of Concern: Protecting Critical Information
Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC responds to spills of PII files, which occur on a weekly basis. The information about the incident is transferred from the data owner who becomes aware of the spill to the OSI, which creates a Serious Incident Report (SIR) that it forwards to the Privacy Officer and finally to the SNOC.
Policy or Practice Gaps: USCIS responds to PII spillages often enough that its staff is well versed in response procedures. Unfortunately, the frequency with which incidents occur and the response procedures in place do not seem to reduce the number of incidents or provide automated detection when spillage occurs. The response effort to a PII spillage involves many parties and appears to be a complicated process for an event that happens on a weekly basis. Though these spillages are accidental events, [...]. In addition, the SNOC lacks the resources to focus on monitoring for suspicious insider activity, focusing instead primarily on protection from external incidents.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Access to network resources is terminated immediately when a spill or misconduct is suspected.
Policy or Practice Gaps: This practice appears to be done consistently.
Suggested Countermeasures: USCIS should continue this practice as part of its incident response procedures. Incorporating an appropriate level of monitoring would also be a prudent measure.

Audit/Monitor/Backup/Recovery

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

Preventing insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Area of Concern: Modification/Disabling Log Files
Responsible Personnel: Information Technology
Policy and/or Security Measure: Log files are accessible by the domain administrators and system administrators of each respective system, and are sometimes limited to 24 hours or less of collection.
Policy or Practice Gaps: The lack of consistency for what is logged across USCIS servers, systems, applications, and workstations is concerning. Several parties addressed the fact that IT personnel must be able to physically reach a machine in a timely fashion if they hope to capture logs related to an incident. This assumption makes it likely that critical log information will be missed.
Suggested Countermeasures: USCIS should send critical logs to a centralized log server and protect the log files to permit a forensic reconstruction of network- or host-based events. Although six percent (23) of the insiders documented in the CERT Insider Threat Case database were able to modify or disable log files, [...].
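The countermeasure above asks for critical logs to be forwarded to a central server and protected so that events can be reconstructed after the fact; the gap it answers is that the people who administer each system are also the people who can edit or disable its logs. One way to make such edits detectable at the collector, given here as an added example rather than code from the assessment, from CERT or from USCIS, is to chain every forwarded record to its predecessor with an HMAC under a key the source host's administrators do not hold. The key, the record layout and the sample log lines below are constructed for the example.

```python
"""Tamper-evident log forwarding with an HMAC chain.

Added example, not code from the CERT/USCIS assessment. Each record sent to
the central log server carries an HMAC over its sequence number, its content
and the previous record's tag, so an administrator who edits, deletes or
reorders records on the source host breaks the chain. The key, record layout
and sample log lines are constructed for the example.
"""
import copy
import hashlib
import hmac

# Assumed: in a real deployment the key is held by the collector (or by a
# forwarding agent the host administrators cannot read), not by the host.
COLLECTOR_KEY = b"example-key-do-not-reuse"
GENESIS_TAG = "0" * 64          # "previous tag" for the first record

# Constructed sample lines as they would leave a database host.
SAMPLE_LINES = [
    "2010-11-03T02:10:00 host=vsc-db01 user=rlee action=login result=ok",
    "2010-11-03T02:12:30 host=vsc-db01 user=rlee action=query table=afile rows=50000",
    "2010-11-03T02:15:00 host=vsc-db01 user=rlee action=export dest=removable",
    "2010-11-03T02:16:00 host=vsc-db01 user=rlee action=logout",
]


def _tag(key, prev_tag, seq, line):
    msg = f"{prev_tag}|{seq}|{line}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_chain(lines, key=COLLECTOR_KEY):
    """Forward lines in order and return the records the collector stores."""
    chain, prev = [], GENESIS_TAG
    for seq, line in enumerate(lines):
        tag = _tag(key, prev, seq, line)
        chain.append({"seq": seq, "line": line, "prev": prev, "tag": tag})
        prev = tag
    return chain


def verify_chain(chain, key=COLLECTOR_KEY, expected_last_tag=None):
    """Return (ok, first_bad_seq).

    Detects edited, deleted and reordered records. A deleted tail is only
    detected when the collector passes the last tag it previously received.
    """
    prev = GENESIS_TAG
    for expected_seq, rec in enumerate(chain):
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return False, expected_seq
        if not hmac.compare_digest(rec["tag"], _tag(key, prev, rec["seq"], rec["line"])):
            return False, expected_seq
        prev = rec["tag"]
    if expected_last_tag is not None and prev != expected_last_tag:
        return False, len(chain)
    return True, None


def tamper_edit(chain, seq, new_line):
    """Simulate an administrator rewriting one record on the source host."""
    altered = copy.deepcopy(chain)
    altered[seq]["line"] = new_line
    return altered


def tamper_delete(chain, seq):
    """Simulate an administrator removing an incriminating record."""
    altered = copy.deepcopy(chain)
    del altered[seq]
    return altered


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LINES)
    print("intact:   ", verify_chain(chain))
    print("edited:   ", verify_chain(tamper_edit(chain, 2, "... action=noop")))
    print("deleted:  ", verify_chain(tamper_delete(chain, 2)))
    print("truncated:", verify_chain(tamper_delete(chain, 3),
                                     expected_last_tag=chain[-1]["tag"]))
```

The chain alone cannot tell a silently dropped last record from a host that has simply gone quiet, which is why the collector should also remember the last tag it received (or require a periodic heartbeat record); the `expected_last_tag` argument models that check.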

Area of Concern: Monitoring Suspicious Activity
Responsible Personnel: Information Technology
Policy and/or Security Measure: Database administrators are responsible for monitoring and alerting when data access attempts are made to critical data in USCIS databases.
Suggested Countermeasures: USCIS should consider clearly defining the responsibility of database administrators and the SNOC for monitoring, alerting, and responding to unauthorized data access. Once the responsibility is assigned, the appropriate groups should diligently prevent, detect, and respond to unauthorized data access, modification, and exfiltration attempts.

Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS has the ability to create inbound firewall rules to filter potentially malicious network traffic. No evidence provided.
Policy or Practice Gaps: Network traffic filtering is happening only on inbound traffic, not outbound traffic. The resources do not exist to examine outbound traffic, only inbound traffic. Furthermore, the intrusion detection systems are not optimized to detect security events.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that monitors and filters inbound and outbound network traffic. This strategy may prevent or detect the unauthorized transfer of USCIS data outside the organization. Many insiders documented in the CERT Insider Threat Case database were able to commit their malicious activities using laptops.
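Both the Protecting Controlled Information discussion and the row above point at the same gap: outbound traffic is not examined, so large transfers out of the organization go unnoticed. The following is an added example, not code from the assessment, from CERT or from USCIS, of the volume-based detection the report describes: it keeps only internal-to-external flows, compares each host's daily outbound bytes with that host's own earlier days, and separately flags large single flows on ports outside a sanctioned set. The address range, thresholds, port list and flow records are assumptions constructed for the example.

```python
"""Flagging unusual outbound transfers from flow records.

Added example, not code from the CERT/USCIS assessment. It aggregates outbound
bytes per internal host per day, compares each day with the host's own
baseline (the median of its earlier days), and separately flags large single
flows on ports outside the sanctioned set. Flow layout, address range,
thresholds and sample flows are constructed for the example.
"""
from collections import defaultdict
from statistics import median
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed internal range
VOLUME_FACTOR = 5          # alert when a day is >= 5x the host's baseline
MIN_BASELINE_DAYS = 2      # earlier days needed before comparing
EXPECTED_PORTS = {25, 53, 443}   # assumed sanctioned outbound services
LARGE_FLOW_BYTES = 50_000_000    # single flow on another port worth a look

# Constructed flow records: (date, src, dst, proto, dst_port, bytes)
SAMPLE_FLOWS = [
    ("2010-11-01", "10.20.5.17", "203.0.113.9", "tcp", 443, 120_000_000),
    ("2010-11-02", "10.20.5.17", "203.0.113.9", "tcp", 443, 110_000_000),
    ("2010-11-03", "10.20.5.17", "203.0.113.9", "tcp", 443, 130_000_000),
    ("2010-11-04", "10.20.5.17", "198.51.100.4", "tcp", 443, 900_000_000),  # spike
    ("2010-11-01", "10.20.7.3", "203.0.113.9", "tcp", 443, 40_000_000),
    ("2010-11-02", "10.20.7.3", "203.0.113.9", "tcp", 443, 42_000_000),
    ("2010-11-03", "10.20.7.3", "198.51.100.77", "tcp", 8443, 80_000_000),  # odd port
    ("2010-11-03", "203.0.113.9", "10.20.7.3", "tcp", 443, 500_000_000),    # inbound
]


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def outbound(flows):
    """Keep only flows from an internal source to an external destination."""
    return [f for f in flows if is_internal(f[1]) and not is_internal(f[2])]


def daily_totals(flows):
    """host -> date -> outbound bytes."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, src, _dst, _proto, _port, nbytes in outbound(flows):
        totals[src][date] += nbytes
    return totals


def volume_alerts(flows):
    """(host, date, bytes, ratio) for days far above the host's own history."""
    alerts = []
    for host, per_day in daily_totals(flows).items():
        dates = sorted(per_day)
        for i, date in enumerate(dates):
            prior = [per_day[d] for d in dates[:i]]
            if len(prior) < MIN_BASELINE_DAYS:
                continue          # not enough history to judge
            baseline = median(prior)
            if per_day[date] >= VOLUME_FACTOR * baseline:
                alerts.append((host, date, per_day[date],
                               round(per_day[date] / baseline, 1)))
    return alerts


def port_alerts(flows):
    """(src, dst, proto, port, bytes) for large flows on unexpected ports."""
    return [(src, dst, proto, port, nbytes)
            for _date, src, dst, proto, port, nbytes in outbound(flows)
            if port not in EXPECTED_PORTS and nbytes >= LARGE_FLOW_BYTES]


if __name__ == "__main__":
    for a in volume_alerts(SAMPLE_FLOWS):
        print("volume:", a)
    for a in port_alerts(SAMPLE_FLOWS):
        print("port:  ", a)
```

Comparing a host against its own history rather than a fleet-wide threshold keeps a busy file server from masking a workstation that suddenly sends ten times its normal volume; the median baseline also resists one earlier outlier day inflating what counts as normal.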

Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC is responsible for determining the root cause of an incident, including using forensic tools to identify affected workstations, desktops, and laptops.
Policy or Practice Gaps: The SNOC has had problems identifying the root cause of an affected workstation or user because of the lack of network forensic applications. Ideally, the SNOC should be able to trace network traffic from source to destination and watch activity. It has a standalone forensic capability but nothing on the network.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that includes forensic tools to aid investigations.

Area of Concern: Backups
Responsible Personnel: Information Technology
Policy and/or Security Measure: Backup testing for many systems occurs once per year. In some cases the backups are only tested with a tabletop exercise and do not use similar or identical hardware to that used in the production environment.
Policy or Practice Gaps: Tabletop exercises may not give USCIS a true indication of its ability to recover from a systemic failure.
Suggested Countermeasures: In six percent (22) of the cases documented in the CERT Insider Threat Case database, the impact of the crime was magnified because of insufficient backups. When possible, backups should be implemented on similar hardware to ensure that the backup tape is functional and the backup is operational.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Years of backup tapes are kept onsite at the Vermont Service Center, and system administrators have access to these backup files.
Policy or Practice Gaps: Administrators who have access to the backup tapes would be able to [...].
Suggested Countermeasures: Backup media should be controlled carefully, documented, and stored offsite with limited access. Without those controls, USCIS cannot be sure its backups will give it the ability to recover.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders following termination will sometimes exploit known technical vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to address known vulnerabilities and ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.

Responsible Personnel: Information Technology
Policy and/or Security Measure: The OIT relies on two mechanisms to detect the download of malicious code: 1) DHS monitors the Internet gateway and [...]; 2) [...] agent on workstations alerts the OIT immediately upon discovery of known malware. The OIT shuts down the port to block malicious code where appropriate [...].
Policy or Practice Gaps: The presence of host, perimeter, and malware protection for USCIS puts USCIS in a relatively secure position regarding malicious downloads.
l ogy

Info

rmat

ion

Tech

nol

Are

ac

ofC

oner

ne

Add

rss

ino

wn

ngK

Secu

rer

it

yV

uln

ies

abili

t

eA

ddr

ssi

now

nng

KSe

cur

er

ity

Vul

nie

sab

ilit

Sugg

este

dCo

unte

rmea

sure

s

Tw

elve

per

cent

(46)

oft

hec

ases

do

cum

ente

din

the

CERT

Insi

der

Thre

atC

ase

data

base

invo

lve

user

sab

usin

gad

min

istr

ator

pri

vi

lege

sto

sab

otag

esy

stem

sor

da

ta

Alth

ough

USC

ISu

sers

nee

dfo

rad

min

istr

ator

righ

tsto

inst

allo

rru

nau

thor

ized

sof

twar

eth

eO

IT

shou

ldc

onsi

der

givi

ngu

sers

se

para

tea

dmin

istr

ator

acc

ount

sfo

rth

ese

expl

icit

purp

oses

U

sers

co

uld

then

use

non

adm

inis

trat

or

acco

unts

for

thei

rda

ilyw

ork

Th

isw

ould

gre

atly

min

imiz

eth

eri

sko

fmal

war

eco

mpr

omis

e

Polic

yor

Pra

ctic

eG

aps

Am

itiga

ting

fact

or

is

that

the

depa

rtin

gem

ploy

eew

ould

ne

edp

hysi

cala

cces

sto

the

syst

emto

lo

gin

A

use

rw

itha

dmin

istr

ator

pri

vile

ges

mus

tnot

rel

yso

lely

on

auto

mat

ic

mec

hani

sms

tos

afeg

uard

his

or

her

com

pute

rA

dmin

istr

ator

rig

hts

give

in

adve

rten

tlyd

ownl

oade

dm

alw

are

the

abili

tyto

com

plet

ely

com

prom

ise

asy

stem

som

etim

esw

ithou

tthe

kn

owle

dge

ofth

eus

er

Polic

yan

dor

Sec

urit

yM

easu

re

tion

ofm

alic

ious

cod

efr

omU

SBs

and

othe

rm

edia

USC

ISu

sers

hav

elo

cala

dmin

istr

ator

ri

ghts

on

thei

row

nm

achi

nes

Thi

sal

low

sus

ers

toin

stal

lsof

twar

eon

th

eirs

yste

ms

So

me

auth

oriz

eds

oftw

are

does

re

quir

ead

min

istr

ator

rig

hts

toin

stal

l

Som

eap

plic

atio

nsa

ctua

llyr

equi

re

adm

inis

trat

orri

ghts

tor

un

Resp

onsi

ble

Pers

onne

l

Info

rmat

ion

Tech

nolo

gy

Are

aof

Con

cern

Unm

anag

edS

ys

tem

s

CERT | SOFTWARE ENGINEERING INSTITUTE | 103

Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, there have been USCIS employees with seniority or influence who are able to use local administrator privileges to install software for the sake of convenience.

Concerns regarding configuration management make it difficult for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.
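The baseline check described above (scanning inventories against an approved software list and recognized system images, and logging each deviation so it can be investigated), as an added example that is not part of the report or of any USCIS tooling. All host names, product names, image identifiers and version numbers are constructed for illustration.

```python
"""Configuration-baseline deviation audit (added example, not from the OIG report).

Compares each host's installed-software inventory against an approved software
baseline and reports the kinds of deviation the report describes: software that
is not on the approved list, approved software at an outdated or unpatched
version, a required agent that is missing, and a host built from an image that
is not one of the recognized system images. Every value below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.2.10' into (4, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

# Hypothetical baseline: approved products with their minimum patched version,
# products that must be present on every host, and the approved image set.
APPROVED_SOFTWARE: Dict[str, str] = {
    "office-suite": "14.0.7",
    "pdf-reader": "9.4.0",
    "endpoint-agent": "4.5.1",
}
REQUIRED_SOFTWARE = {"endpoint-agent"}
APPROVED_IMAGES = {"IMG-2010-03A", "IMG-2010-06B"}

@dataclass(frozen=True)
class Deviation:
    host: str
    kind: str      # "unknown-image", "unapproved", "outdated" or "missing"
    detail: str

def audit_host(host: str, image: str, installed: Dict[str, str]) -> List[Deviation]:
    """Return every deviation between one host's inventory and the baseline."""
    found: List[Deviation] = []
    if image not in APPROVED_IMAGES:
        found.append(Deviation(host, "unknown-image", image))
    for name, version in sorted(installed.items()):
        minimum = APPROVED_SOFTWARE.get(name)
        if minimum is None:
            found.append(Deviation(host, "unapproved", f"{name} {version}"))
        elif parse_version(version) < parse_version(minimum):
            found.append(Deviation(host, "outdated", f"{name} {version} < {minimum}"))
    for name in sorted(REQUIRED_SOFTWARE - set(installed)):
        found.append(Deviation(host, "missing", name))
    return found

def audit_fleet(inventories: Dict[str, Tuple[str, Dict[str, str]]]) -> List[Deviation]:
    """Audit every host in a stable order; the records are what gets logged."""
    out: List[Deviation] = []
    for host, (image, installed) in sorted(inventories.items()):
        out.extend(audit_host(host, image, installed))
    return out

def format_log_line(d: Deviation) -> str:
    """One log record per deviation, so each can be ticketed and investigated."""
    return f'CONFIG-DEVIATION host={d.host} kind={d.kind} detail="{d.detail}"'

# Constructed inventories: host -> (system image, {product: installed version}).
SAMPLE_INVENTORIES = {
    "vsc-ws-0417": ("IMG-2010-03A",
                    {"office-suite": "14.0.7", "pdf-reader": "9.3.2", "endpoint-agent": "4.5.1"}),
    "vsc-ws-0418": ("IMG-2010-06B",
                    {"office-suite": "14.0.7", "pdf-reader": "9.4.0", "endpoint-agent": "4.5.1",
                     "p2p-client": "2.1"}),
    "ncr-lt-0032": ("IMG-LOCAL-CUSTOM",
                    {"office-suite": "14.0.7", "pdf-reader": "9.4.0"}),
}

if __name__ == "__main__":
    for dev in audit_fleet(SAMPLE_INVENTORIES):
        print(format_log_line(dev))
```

Run stand-alone it prints four records: an unknown image and a missing agent on the laptop built from a local image, an outdated reader on one workstation, and an unapproved client on the other.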

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: The OIT has a configuration management policy for software configuration baselines. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts.
Policy or Practice Gaps: Despite rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process.
Suggested Countermeasures: Seventeen cases documented in the CERT Insider Threat Case database involve users exploiting the lack or weakness of a configuration management system to carry out their attacks. The OIT could leverage the existing ePO deployment to complement its configuration management efforts. ePO can define a baseline for software applications and alert on any deviations from that baseline.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: In some cases, individuals with seniority or influence are able to use administrator privileges to install software for the sake of convenience.
Suggested Countermeasures: USCIS should ensure that configuration policy is consistently communicated and enforced throughout the organization. Even senior leadership should not be able to casually circumvent these policies without going through the proper channels as defined by the configuration management policy.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: Service Centers are responsible for locking down desktops to prevent unauthorized software from running.
Policy or Practice Gaps: The lockdown process relies on human intervention. If call volume to the Service Center is heavy, this may increase response time to an unacceptable level.
Suggested Countermeasures: The OIT should explore ways to automate lockdown of potentially compromised systems. This would require a careful balance of service versus security. On the service side, delayed response by the Service Center may result in loss of productivity. On the security side, delayed response could lead to system compromise. Management should evaluate the risks of a compromise and weigh those risks against the potential consequences of service disruption.

Appendix H Acronyms

C3-LAN: CLAIMS 3 Local Area Network
CBP: Customs and Border Protection
CI: Counterintelligence
CIO: Chief Information Officer
CLAIMS: Computer Linked Application Information Management System
CMMI: Capability Maturity Model Integration
COTR: Contracting Officer's Technical Representative
CSC: Computer Sciences Corporation
CSIRT: Computer Security Incident Response Team
CSO: Chief Security Officer
CMU: Carnegie Mellon University
DBA: Database Administrator
DHS: Department of Homeland Security
DOJ: Department of Justice
FBI: Federal Bureau of Investigation
FDNS-DS: Fraud Detection and National Security Data System
FISMA: Federal Information Security Management Act
FSD: Field Security Division
FSN: Foreign Service National
GFE: Government-furnished Equipment
HR: Human Resources
HSPD-12: Homeland Security Presidential Directive 12
ICE: Immigration and Customs Enforcement
ISSO: Information System Security Officer
IT: Information Technology
LER: Labor and Employee Relations
LPO: Local PICS Officer
NCR: National Capital Region
NFTS: National File Tracking System
ODBC: Open Database Connectivity
OIG: Office of Inspector General
OIT: Office of Information Technology
OSI: Office of Security and Integrity
PERSEC: Personnel Security
PICS: Password Issuance and Control System
PII: Personally Identifiable Information
QA: Quality Assurance
SEI: Software Engineering Institute
SIEM: Security Information and Event Management
SIR: Significant Incident Report
SNOC: Security Network Operations Center
TSA: Transportation Security Administration
USB: Universal Serial Bus
USCIS: US Citizenship and Immigration Services
VIS: Verification Information System

Appendix I Management Comments to the Draft Report


Appendix J Contributors to this Report

Software Engineering Institute Carnegie Mellon University

Insider Threat Center at CERT

Department of Homeland Security Office of Inspector General

Richard Saunders, Director, Advanced Technology Division
Steve Matthews, IT Audit Manager, Advanced Technology Division
Philip Greene, IT Auditor/Team Lead, Advanced Technology Division


Appendix K Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chiefs of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Chief Information Security Officer
USCIS Chief Information Officer
USCIS Chief Information Security Officer
USCIS Audit Liaison Office

Office of Management and Budget

Chief Homeland Security Branch DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees as appropriate


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse, or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603

• Fax the complaint directly to us at (202) 254-4292

• Email us at DHSOIGHOTLINE@dhs.gov, or

• Write to us at DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528

The OIG seeks to protect the identity of each writer and caller


Recommendation 6: Conduct audit of PICS and FSN accounts for USCIS systems 23

Recommendation 7: Employ consistent physical security policies for field offices and service centers, including the physical case files 23

Recommendation 8: Consistently enforce exit procedures 24

Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs 24

Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion 24

Recommendation 11: Enforce a requirement for individual accounts on critical systems 25

Recommendation 12 25

Recommendation 13: Reduce the number of privileged accounts for critical data systems 25

Recommendation 14 25

Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review 25

Recommendation 16 26

Recommendation 17 26

Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees 26

Management Comments and OIG Analysis 27

Appendixes 28

Appendix A: Organizational 30

Appendix B: Human Resources 37

Appendix C: Physical Security 42

Appendix D: Business Processes 48

Appendix E: Incident Response 62

Appendix F: Software Engineering 69

Appendix G: Information Technology 75

Appendix H: Acronyms 107

Appendix I: Management Comments to the Draft Report 109

Appendix J: Contributors to this Report 110

Appendix K: Report Distribution 111

Executive Summary

The US Department of Homeland Security Office of Inspector General engaged the Insider Threat Center at CERT of the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat assessment of US Citizenship and Immigration Services. The objective of the assessment was to determine how US Citizenship and Immigration Services has taken steps to protect its information technology systems and data from the threats posed by employees and contractors. The assessment evaluated US Citizenship and Immigration Services against approximately 400 real insider threat compromises documented in the CERT Insider Threat Case database. These cases, all prosecuted in the United States, include fraud, sabotage, and theft of intellectual property.

The assessment team performed fieldwork in the national capital region, Vermont Service Center, and US Citizenship and Immigration Services Burlington offices. Due to the limited scope of the assessment, systems reviewed, and locations visited, CERT was not able to verify the institutionalization and enforcement of any US Citizenship and Immigration Services' policies or render an overall opinion of the effectiveness of US Citizenship and Immigration Services' insider threat posture. The Office of Inspector General did not request CERT to conduct a comprehensive information system's technical security controls review or vulnerability assessment to determine the susceptibility to internal threats. The Office of Inspector General may perform an in-depth follow-up review to render an overall opinion of the effectiveness of US Citizenship and Immigration Services' insider threat posture.

US Citizenship and Immigration Services has made progress in implementing elements of an effective insider threat program. Specifically, it has established a Conviction Task Force to review former employees convicted of criminal misconduct within the scope of their duties, performs risk management for information technology and financial management, developed exit procedures for employees, improved protection of its facilities and assets, and adheres to formalized processes for some systems. In addition, it is implementing Homeland Security Presidential Directive 12 for physical and electronic account management.

While these efforts have resulted in some improvements, US Citizenship and Immigration Services has opportunities to improve its security posture against threats posed by employees and contractors. For example, it can institute an enterprise risk management plan and incorporate insider threat risk mitigation strategies into its new business processes. It can also centralize records of misconduct and violations, institute a logging strategy to preserve system activities, implement separation of duties for adjudicative decisions, conduct audits of non-US Citizenship and Immigration Services accounts, employ consistent policies for physical security, and consistently enforce employee exit procedures.

The assessment team is making 18 recommendations to the Director of US Citizenship and Immigration Services to strengthen the department's security posture against malicious insider threats. USCIS concurred with all of our recommendations and has already begun to take actions to implement them. The department's response is included in its entirety as appendix I.

Background

The US Department of Homeland Security (DHS) Office of Inspector General (DHS OIG) engaged the CERT program in the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat vulnerability assessment of US Citizenship and Immigration Services (USCIS). The project approaches the insider threat problem on two primary fronts:

• The human behavioral component

• The technological solution for automating prevention and detection capabilities to identify, measure, monitor, and control insider threat vectors

Insiders can be current or former employees, contractors, or business partners who have or had authorized access to their organization's system and networks. They are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate attacks and even collude with external attackers. CERT's research, conducted since 2001, has focused on gathering data about actual malicious insider acts, including information technology (IT) sabotage, fraud, theft of confidential or proprietary information, espionage, and potential threats to our Nation's critical infrastructures.

CERT developed an insider threat vulnerability assessment instrument for evaluating vulnerabilities to insider threat based on research to date. Because of the complexity of the insider threat problem, involving security officers, information technology, information security, management, data owners, software engineering, and human resources, organizations need assistance in merging the wealth of available guidance into a single actionable framework. CERT advises organizations to use this assessment instrument to help safeguard their critical infrastructure.

CERT built the assessment based on research of approximately 400 insider threat cases in the CERT Insider Threat Case database.1 These cases are a collection of real insider threat compromises, primarily fraud, sabotage, and theft of intellectual property, that have been prosecuted in the United States. Starting in 2002, CERT collaborated with US Secret Service behavioral psychologists to collect approximately 150 actual insider threat cases that occurred in US critical infrastructure sectors between 1996 and 2002 and examined them from both a technical and a behavioral perspective. Since that original study, CERT has continued to add cases with funding from Carnegie Mellon's CyLab,2 bringing the case library to a total of approximately 400 cases. The instrument encompasses technical, behavioral, process, and policy issues and is structured around information technology, information security, human resources, physical security, business processes, legal and contracting management, and organizational issues.

1 Note that the database does not contain national security espionage cases involving classified information.
2 http://www.cylab.cmu.edu

Objective

The objective of the insider threat vulnerability assessment was to determine how USCIS has taken steps to protect its IT systems and data from the threat posed by employees and contractors. This assessment was based on behavioral as well as technical experience, and it is intended to assist USCIS in safeguarding its critical infrastructure. The assessment will:

• Enable USCIS to gain a better understanding of its vulnerability to insider threat and provide an ability to identify and manage associated risks

• Identify technical, organizational, personnel, business, security, and process issues into a single actionable framework

• Identify short-term countermeasures against insider threats

• Help guide USCIS in its ongoing risk management process for implementing long-term strategic countermeasures against insider threats

Scope

USCIS employs approximately 18,000 government employees and contractors located at 250 offices throughout the world.3 The insider threat vulnerability assessment is intended to focus on critical systems and high-risk areas of concern that can be assessed in a 3- to 5-day timeframe. Therefore, at a pre-assessment walkthrough meeting, USCIS staff identified 3 systems of the 96 systems used by the agency as critical to its overall mission:

• Verification Information System (VIS): this public-facing system is composed of five different applications. The purpose of the system is to provide:

o Immigration status information to government benefit-granting organizations to help them determine the eligibility of aliens who apply for benefits

o A means for private employers to perform employment eligibility verification of newly hired employees

• Computer Linked Application Information Management System (CLAIMS): This system provides the following functions:

3httpwwwuscisgovportalsiteuscismenuitemeb1d4c2a3e5b9ac89243c6a7543f6d1avgnextoi d=2af29c7755cb9010VgnVCM10000045f3d6a1RCRDampvgnextchannel=2af29c7755cb9010Vgn VCM10000045f3d6a1RCRD

o CLAIMS 3 Local Area Network (C3 LAN) was originally developed to track the receipting of applicant or petitioner remittances and to produce notices documenting the remittance. C3 LAN now includes adjudication, archive, card production, case history, case transfer, on-demand reports, electronic file tracking, image capture, production statistics, status update, and electronic ingest of application data captured through the E-Filing web application and the Department of Treasury-sponsored lockbox operations.

o C3 mainframe supports processing of USCIS applications and petitions for various immigrant benefits (e.g., change of status, employment authorization, and extension of stay).

• Fraud Detection and National Security Data System (FDNS-DS): This system was developed to identify threats to national security, combat benefit fraud, and locate and remove vulnerabilities that compromise the integrity of the legal immigration system.

It is important to note that the insider threat vulnerability assessment is limited to areas of concern observed in the hundreds of cases in the CERT Insider Threat database. People, technology, and organizations are constantly changing, and malicious insiders continue to come up with new avenues of attack in order to defeat a previously effective countermeasure. However, many of the countermeasures suggested in this report are applicable to a multitude of attack vectors.

It is also important to note that CERT's insider threat research has only explored intentional insider crimes. Accidental data leakage is an area of significant concern for organizations; however, CERT has not yet explored that aspect of insider threat. In addition, the focus of the research to date is to describe how the insider threat problem evolves over time. CERT's long-term research does include measuring the effectiveness of mitigation strategies.

Assessment Process Methodology

An entrance conference was conducted by the DHS OIG, CERT, and USCIS on February 23, 2010. The entrance conference introduced USCIS to the CERT assessment team. Following the entrance conference, a pre-assessment walkthrough was held at USCIS headquarters on March 10, 2010. At that meeting, the CERT assessment team and the DHS OIG team explained the assessment process to representatives of USCIS. USCIS provided some documentation to the assessment team at that time and more documents throughout the assessment; those documents were reviewed to provide substantiation for findings in this report.

USCIS identified 96 systems it uses. Following the initial meeting, USCIS leadership and the assessment team chose the VIS, CLAIMS, and FDNS-DS systems because they were critical to the overall mission of USCIS. These three systems were the focus of the 5-day onsite assessment.

At the pre-assessment walkthrough, USCIS indicated that it had created a Convictions Task Force to review the activities of 10 former employees convicted of criminal misconduct within the scope of their official duties. The purpose of the task force is to identify issues these employees exploited to commit their crimes. The task force intended to develop findings and recommendations aimed at preventing similar crimes in the future. It graciously extended an invitation to the CERT and DHS OIG teams to participate. As a result, the teams observed or reviewed transcripts of all telephone conferences conducted by the task force. These findings are reflected in this report.

The CERT insider threat team and the DHS OIG liaison were onsite at various USCIS locations in the national capital region (NCR) from March 30 through April 1, 2010.

The DHS OIG liaisons were present at all interviews. The DHS OIG attended these interviews as an observer and assisted CERT as needed.

Face-to-face interviews were conducted with approximately 58 representatives in the NCR, followed by 32 representatives in the Vermont Service Center and USCIS Burlington offices. In addition, telephone conferences were held with staff from the Office of Security and Integrity (OSI) Investigations Division and the Security Network Operations Center (SNOC). Interviewees represented the following areas:

• Data Owners (VIS, CLAIMS, and FDNS-DS)

• Computer Sciences Corporation (CSC) (software engineering and operational support for VIS, CLAIMS, and FDNS-DS)

• OSI (Physical Security, Regional Security, Investigations, Personnel Security, Counterintelligence)

• Human Capital and Training (Training, Human Resources Operations Center, Labor Employee Relations)

• Office of Information Technology (OIT) (IT Security, Computer Security Incident Response Team, Security and Network Operations Center, Account Management, Enterprise Operations)

• Legal (Procurement Law)

• Vermont Service Center (adjudicators, data entry clerks, supervisor, directors, OIT, software engineering)

All interviews were considered confidential; no record of participating employees is included in this report or in subsequent briefings. Findings are attributed only to a group or department interviewed, a document, the Convictions Task Force telephone conferences, or direct observation.

AcriticalissueforUSCISisensuringthattheentireorganizationisriskawareandimple mentingaformalriskmanagementprocesstoaddressriskconsistentlyandcontinually acrosstheenterpriseTheredoesnotappeartobeaconsistentunderstandingofthebroad spectrumofrisksfacingUSCISTheassessmentteamwastoldthereisnoenterprisewide riskmanagementprogramatUSCISOITperformsriskmanagementforInformationTech nology(IT)andFinancialManagementperformsriskmanagementforfinancialmattersbut noonewasawareofanyenterprisewideeffortsInadditioneachfieldofficeandservice centerappearstooperatefairlyindependentlyItisimportantforthoseorganizationsto worktogethertoidentifyprioritizeandaddressriskOngoingcommunicationbetweenall componentsofUSCISwillhelpensurethatnewthreatsattackvectorsandcountermea suresarecommunicatedandhandledeffectivelybyall

InadditionUSCISemployeesandcontractorsholdthekeystooneoftheworldrsquosmostcov etedkingdomsmdashUScitizenshipThismakesemployeesandcontractorsattractivetargets forrecruitmentBecauseofthesensitivenatureofUSCISmissionsomeofitsemployees andcontractorshavebeentargetsforrecruitmentfortheftorunauthorizedmodificationof USCISdataAllemployeesshouldbeawareoftheconsequencesofparticipatinginfraud againstUSCISTheyshouldalsobeinstructedonhowtoreportsolicitationsmadetocom mitfraud

Transformation

TransformationisalargebusinessprocessreengineeringeffortinUSCISprimarilyfocused onimprovedcustomerserviceworkflowautomationfrauddetectionandnationalsecurity issuesUSCISisrelyingheavilyonTransformationtocorrectmanyoftheproblemsresulting fromlegacysystemsThisrelianceonasingleeffortmakesitseffectivenessveryimportant TheteamfoundtheTransformationefforttobeamassiveundertakingthatappearstobe implementingaverydetailedprojectplan

Basedontheteamrsquosreviewoftherequirementsforfrauddetectionandnationalsecurity issuesitappearstherearenorequirementstoaddressinsiderthreatsTheassessment teamreviewedfivecomprehensiveTransformationdocumentsaspartofthisassessment ThedocumentsdescribesystemrequirementsindetailFrauddetectionreferstodetection offraudperpetratedbyapplicantsandpetitionersnationalsecurityissuesfocusonthe handlingofinvestigationswithinUSCISthatinvolvenationalsecurityissues

Againanenterpriseriskmanagementapproachshouldbeconsideredwhendefiningre quirementsforTransformationInsidersatUSCIShaveperpetratedfraudinthepastasevi dencedbytheConvictionsTaskForceInadditionUSCISinsidersarecapableofgranting legalresidencyorcitizenshipstatustosomeonewhoposesanationalsecurityrisktothe UnitedStates

CERT | SOFTWARE ENGINEERING INSTITUTE | 8

TrainingandAwareness

Itisessentialthatsecurityawarenesstrainingisconsistentlyprovidedtoallemployeesto ensuresecuritypoliciesandpracticesareinstitutionalizedthroughoutanorganization Manytimescoworkersandsupervisorsarethefirstpeopletoobserveconcerningbehavior exhibitedbymaliciousinsidersFailuretoreportconcerningbehaviorbycoworkersoroth ersinanorganizationwasaprimaryreasoninsidersintheCERTInsiderThreatCasedata basecontinuedtosetuporcarryouttheirattacks

USCISshouldcontinuetoprovidesecurityawarenesstrainingtoallemployeesandcontrac torsacrosstheglobeThistrainingshouldbeconsistentlyappliedtoeachsitewithaconsis tentmessageofsecurityofUSCISpeoplesystemsanddataItisimperativethatallUSCIS employeesberesponsibleforachievingthemissionofUSCISandprotectingthecriticalas setstothehighestextentpossible

HumanResources

Anorganizationrsquosapproachtoreducinginsiderthreatshouldfocusonproactivelymanaging employeeissuesandbehaviorsThisconceptbeginswitheffectivehiringprocessesand backgroundinvestigationstoscreenpotentialcandidatesOrganizationsshouldalsotrain supervisorstomonitorandrespondtobehaviorsofconcernexhibitedbycurrentemploy eesSomecasesfromtheCERTInsiderThreatdatabaserevealedthatsuspiciousactivity wasnoticedintheworkplacebutnotacteduponOrganizationsmustestablishawell organizedandprofessionalmethodforhandlingnegativeemploymentissuesandensuring thathumanresourcepolicyviolationsareaddressed

Organizationalissuesrelatedtofunctionssharedbyhumanresources(HR)andsecurityper sonnelareattheheartofinsiderriskmanagementEmployeescreeningandselectionis vitaltopreventingcandidateswithknownbehavioralriskfactorsfromenteringtheorgani zationoriftheydoensuringthattheserisksareunderstoodandmonitoredClearpolicy guidelinesaddressingbothpermittedandprohibitedemployeebehaviorarevitaltorisk detectionandmonitoringClearrequirementsforensuringemployeesrsquoknowledgeofthese guidelinesarealsoessentialtotheirsuccessInadditionreportsofpolicyquestionsand violationsneedtobesystematicallyrecordedsothatmanagementHRandsecurityper sonnelcanapproachcasedecisionswithcompletebackgroundinformation

Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management, HR, and security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

CERT | SOFTWARE ENGINEERING INSTITUTE | 9

Screening and Hiring Practices

Several personnel screening and hiring practices pose a risk to USCIS systems and data.

USCIS does not have a consistent procedure for deciding whether to conduct a face-to-face interview prior to hiring an applicant being screened for government employment. There was an impression at USCIS headquarters that nearly 100% of those employees hired by managers are interviewed, but representatives in Burlington, Vermont, told us otherwise. This gap between perception and reality (there is not a policy stating that this must be done) is a concern. USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security’s (PERSEC’s) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire. PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires if they have risk factors that do not cross adjudication guidelines for disqualification.

Foreign Service National (FSN) employees who work at US embassies and consulates abroad have access to USCIS critical systems and data in some cases. In order to be hired and granted access to any of those systems, FSNs are vetted by the US Department of State. Although the access to USCIS systems must be approved by the chief security officer (CSO) and chief information officer (CIO) for DHS, USCIS has very little visibility into the screening process for FSNs.

Exit Procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager or Contracting Officer’s Technical Representative (COTR). It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access.

Physical Security

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization’s physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the NCR since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls.

Finally, issues concerning the security of applicants’ physical case files should be considered as part of a USCIS risk management strategy.

Controlling and Monitoring Proper Access Authorization

USCIS handles the physical security and access authorization of facilities differently depending on where the facility is located. The physical security of NCR facilities is handled by one group of USCIS personnel, but the physical security of field offices falls under the Field Security Division (FSD). In some cases, a physical security representative is not located in a field office at all. When this is the case, the responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner.

In 10 cases documented in the CERT Insider Threat Case database, the insider was able to commit a crime following termination because of failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility’s access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities.

Security of Physical Case Files

At the Vermont Service Center, the assessment team observed physical case files of benefit applicants stacked in crates in the hallways. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their offices or desks. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they may leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Thirteen insiders documented in the CERT database stole physical property belonging to their organization.

Business Processes

A variety of cases from the CERT Insider Threat Case database document insider attacks in which gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege, in both the physical and virtual environment, is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crimes. Most of these insiders committed their crimes for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE Password Issuance and Control System (PICS) for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Verification Information System

The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.

Modifications by VIS users to critical data are logged.

CLAIMS 3 LAN

Currently, all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other “sister” USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it.

FDNS-DS


Incident Response

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization’s lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require nonsupervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Incident Management

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, the Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual’s insider threat risk level. Consequently, any effort to coordinate a proactive program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.

Software Engineering

Code Reviews

Some USCIS systems adhere to a formalized process of software engineering, using contractors with a specified level of process maturity (i.e., Capability Maturity Model Integration (CMMI) level 3).

There was even a documented case in which source code contained something inappropriate and was only discovered after the code was turned over from one contractor to another.

Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.

Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial.

Information Technology

Account Management

Research has demonstrated that if an organization’s computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider’s ability to use the organization’s systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization’s account and password management policies must be applied consistently across the enterprise, to include contractors, subcontractors, and vendors who have access to the organization’s information systems and/or networks.

In some areas, computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.

Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore,

Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR.

The application of account management practices under the control of USCIS is inconsistent. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee’s change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.

Access Control

An organization’s lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization’s internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas, have not been through the rigorous pre-employment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, the ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.

USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information,

Logging, Auditing, Monitoring

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.

There is a primary concern in this area at USCIS. USCIS should consider the frequency with which it scans its systems for technical security vulnerabilities.

There is also another concern in this area at USCIS.

Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy,

Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.

Recommendations

The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.

Recommendation 1: Institute an enterprise risk management plan

USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort

Transformation is a large business process reengineering effort in USCIS, primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.

Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual’s insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identified

stores physical files for benefit applicants in the Vermont Service Center with no physical protection beyond the exterior building and guard controls. USCIS should evaluate current physical access procedures to determine if they adequately address risk and if they are enforced consistently across the enterprise.

Recommendation 8: Consistently enforce exit procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager and COTR. It also appears that different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access. USCIS should adopt an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs

Changes should be made to the USCIS hiring processes for select high-risk positions. For example, USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion

USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.

Recommendation 11: Enforce a requirement for individual accounts on critical systems

In some cases, USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing of accounts more difficult.
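As an added illustration of the account-lifecycle controls discussed in the Account Management section and in Recommendations 10 and 11 (example code written for this edition, not USCIS, CERT, or PICS tooling; the roster, account inventory, authorization list, logon records, one-day grace period, and 30-minute sharing window are all constructed assumptions), the following script reconciles an account inventory against HR status and authorization records and flags logon patterns consistent with account sharing:

```python
"""Account lifecycle reconciliation (constructed example).

Checks performed:
  * account still enabled after the owner's termination
  * account still tied to the previous unit after the owner's transfer
  * account with no authorization record, or no owner in the HR roster
  * one account used from different workstations within a short window
All record layouts and values below are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR roster keyed by employee id; status: active, transferred, terminated.
HR_ROSTER = {
    "E1001": {"status": "active",      "unit": "VSC-ADJ", "changed": "2010-01-04"},
    "E1002": {"status": "terminated",  "unit": "VSC-ADJ", "changed": "2010-09-15"},
    "E1003": {"status": "transferred", "unit": "NCR-OIT", "changed": "2010-10-01"},
    "E1004": {"status": "active",      "unit": "VSC-ADJ", "changed": "2009-03-02"},
}

# Constructed account inventory: one row per system account.
ACCOUNTS = [
    {"account": "aexample", "owner": "E1001", "enabled": True, "unit": "VSC-ADJ"},
    {"account": "bexample", "owner": "E1002", "enabled": True, "unit": "VSC-ADJ"},  # owner terminated
    {"account": "cexample", "owner": "E1003", "enabled": True, "unit": "VSC-ADJ"},  # owner transferred out
    {"account": "dexample", "owner": "E1004", "enabled": True, "unit": "VSC-ADJ"},
    {"account": "legacy07", "owner": None,    "enabled": True, "unit": None},       # no creation record
]

# Constructed set of accounts that have an approval on file.
AUTHORIZATIONS = {"aexample", "bexample", "cexample", "dexample"}

# Constructed logon records: (account, workstation, ISO timestamp).
LOGONS = [
    ("dexample", "WS-VSC-101", "2010-11-02T09:00:00"),
    ("dexample", "WS-VSC-230", "2010-11-02T09:12:00"),  # second host twelve minutes later
    ("aexample", "WS-VSC-140", "2010-11-02T08:45:00"),
    ("aexample", "WS-VSC-140", "2010-11-02T13:10:00"),
]

GRACE = timedelta(days=1)      # assumed maximum lag between HR change and account action
AS_OF = datetime(2010, 11, 3)  # date the reconciliation is run


def reconcile_accounts(accounts, roster, authorizations, as_of=AS_OF):
    """Return (account, finding) pairs for accounts that need action."""
    findings = []
    for acct in accounts:
        name = acct["account"]
        if name not in authorizations:
            findings.append((name, "no authorization record"))
        owner = roster.get(acct["owner"])
        if owner is None:
            findings.append((name, "owner not in HR roster"))
            continue
        changed = datetime.strptime(owner["changed"], "%Y-%m-%d")
        overdue = as_of - changed > GRACE
        if owner["status"] == "terminated" and acct["enabled"] and overdue:
            findings.append((name, "enabled after termination"))
        elif owner["status"] == "transferred" and acct["unit"] != owner["unit"] and overdue:
            findings.append((name, "access retained from previous unit"))
    return findings


def possible_shared_accounts(logons, window=timedelta(minutes=30)):
    """Flag accounts logged on from two different workstations within `window`."""
    by_account = defaultdict(list)
    for account, host, ts in logons:
        by_account[account].append((datetime.fromisoformat(ts), host))
    flagged = set()
    for account, events in by_account.items():
        events.sort()
        for (t1, h1), (t2, h2) in zip(events, events[1:]):
            if h1 != h2 and t2 - t1 <= window:
                flagged.add(account)
    return sorted(flagged)


if __name__ == "__main__":
    for account, finding in reconcile_accounts(ACCOUNTS, HR_ROSTER, AUTHORIZATIONS):
        print(f"{account:10} {finding}")
    print("possible shared accounts:", possible_shared_accounts(LOGONS))
```

The sharing heuristic is deliberately simple; in practice it would be fed from the system's own logon audit trail and tuned to the site's workstation assignment policy.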

Recommendation12

Recommendation 13: Reduce the number of privileged accounts for critical data systems

Some data systems, including FDNS-DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.

Recommendation14

Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review

USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed.

Recommendation16

Recommendation17

Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees

USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments in its entirety in appendix I.

USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS corrective action plans.

Appendixes

The following pages contain appendixes A through G, which contain a complete, detailed list of findings from the assessment.

The appendixes are organized into the following sections:

Appendix A: Organizational

Appendix B: Human Resources

Appendix C: Physical Security

Appendix D: Business Process

Appendix E: Incident Response

Appendix F: Software Engineering

Appendix G: Information Technology

Appendix H: Acronyms

Appendix I: Management Comments to the Draft Report

Appendix J: Contributors to this Report

Appendix K: Report Distribution

Each section in appendixes A–G contains a brief introduction, a summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern specific to USCIS obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.

It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization’s mission from both external and internal threats.

Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.

The results of this insider threat vulnerability assessment should be used to develop or refine the organization’s overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.

Manyofthefindingsinthisreportincludetherelativefrequencyoftheissueraisedinthe CERTInsiderThreatCasedatabaseAtthetimethisreportwaswrittentherewere386 casesofmaliciousinsideractivityagainstwhichthesuggestedcountermeasurepercentage iscalculatedSoifaparticularactivitywasseenin38ofourcaseswemayindicatethatit wasseenin10ofthecasesintheInsiderThreatCasedatabase


Appendix A: Organizational
Risk Management, Communication, Security Process Improvement

USCIS is in a difficult position. Part of its mission is to provide customer service to those seeking immigration and citizenship benefits from the U.S. Government. However, it is challenging to optimize business processes for customer service while at the same time implementing protective measures to counter the risk posed by granting those very benefits. Many USCIS employees interviewed for this assessment identified the organization's primary risk as allowing the next terrorist to live and work legally in the United States. They desire help in identifying and implementing internal controls to counter that risk. Some of the interviewees, however—even some of the ISSOs and data owners—focused on leakage of PII as their primary concern. After delving into the matter with the assessment team, they came to understand the risk posed by exposure or misuse of critical data as the greatest risk faced by USCIS, primarily because such a security breach could result in allowing a terrorist into the country.

A critical issue for USCIS is ensuring the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for IT, and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms—U.S. citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Area of Concern: Enterprise Risk Management
Responsible Personnel: USCIS Leadership; ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Individual organizations within USCIS do risk management related to their particular domain. For instance, IT does risk management from an IT perspective and the Financial Management does financial risk management.
Policy or Practice Gaps: USCIS personnel stated there is no enterprise risk management process for analyzing the organization's overall risk. In interviews, some USCIS staff, including some ISSOs, data owners, and OIT staff, seemed to view loss of PII as the most important insider threat risk. All of the assessment questions were answered in the context of loss of PII. When we asked specifically what they see as the biggest insider threat risk, everyone seemed to agree it is creation of real citizenship documents for people who should not have them. In fact, interviewees at the Vermont Service Center categorized the functions characterized by the highest risk as follows:
1) Unlawful alien in the United States granted nonimmigrant status
2) Someone with nonimmigrant status granted permanent residency, which means he or she can live and work indefinitely in the United States and also can petition for relatives
The Vermont Service Center is implementing separation of duties for performing functions 1 and 2 above (granting nonimmigrant status and moving someone from nonimmigrant status to permanent residency) so that one USCIS adjudicator alone cannot take an applicant from unlawful to permanent resident. These two functions will be performed at different physical locations 29 miles apart. The Vermont Service Center has not had an adjudicator who performed both functions 1 and 2 for the same applicant. This decision demonstrates that leadership at the Vermont Service Center recognizes the significant risk of creating legal citizenship documents for illegal aliens and is taking steps to mitigate that risk.
Suggested Countermeasures: We suggest that USCIS institute an enterprise risk management program. Without a common vision for risk management, the ISSOs and all organizations within USCIS cannot effectively understand the risk environment and work together to effectively mitigate risk. Again, an enterprise risk management program will ensure that everyone across USCIS is working together to mitigate the highest priority risks. There are regulations and laws surrounding protection of PII, but focusing primarily on that issue can lead to a false sense of security if other more important risk areas are given less attention. However, our insider threat assessment has uncovered other issues that could be addressed to mitigate that risk. Again, a formal risk analysis would enable USCIS to thoroughly examine the issues and prioritize countermeasures using a formal process. For example, an alternative to the physical move could be to implement an audit mechanism to look for adjudicators who performed both functions 1 and 2 for the same applicant.

Area of Concern: Enterprise-Wide Communication
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no consistency of controls from one service center to the next. We were told they each operate fairly independently.
Suggested Countermeasures: USCIS would benefit from ongoing communications about risk-based issues between the service centers. For instance, communications concerning problems, effective countermeasures, modifications to business processes, or ideas for countering increased risk could lead to an improved risk posture for the entire USCIS enterprise.

Area of Concern: Continual Security Process Improvement
Responsible Personnel: USCIS Leadership; ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: The USCIS Convictions Task Force is an excellent forum for analyzing past criminal cases and determining measures that should be instituted to prevent similar crimes in the future.
Policy or Practice Gaps: There is no process for following up on a case after the Office of Special Investigation (OSI) finishes an investigation. The Convictions Task Force is the only process we found for formal tracking, analysis, and process improvement based on actual incidents. The assessment team asked various groups if there is any follow up to incidents, for instance implementing automated scripts or controls to detect the same incident in the future. The team could not find a single person who knows of such an activity. Many examples of employee misconduct cited to the assessment team could easily have been detected or even prevented via automated controls. In addition, there is no mechanism for communicating issues outside of a given service center.
Suggested Countermeasures: In nearly 25% (91) of the cases in the CERT Insider Threat Case database the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 of these cases it was because of inadequate auditing of irregular processes. In 29% of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analysis of the OSI's findings and the development of automated checks implemented nationally.

Area of Concern: USCIS Employees are Potential Targets for Recruitment
Responsible Personnel: Human Resources; Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Some USCIS employees interviewed have received a request for assistance from a friend, relative, or stranger seeking to promote a case for some form of applicant. One adjudicator said he does not tell others who he works for. However, the distinctive green parking sticker on his car could, in a small town like Burlington, VT, reveal the identity of his employer. USCIS personnel are therefore unusually vulnerable to solicitation by outsiders.
Suggested Countermeasures: Twenty-nine percent of the insiders in the CERT Insider Threat Case database were recruited by outsiders to commit their crimes. USCIS should consider increasing the security awareness training provided to USCIS employees and contractors. The training should be continuous, including portions intended to raise awareness of the potential target that USCIS employees present. All employees should be aware of the consequences of participating in fraud against USCIS as well as how to report solicitations made to commit fraud.

Area of Concern: Transformation
Responsible Personnel: USCIS Leadership; Data Owners; Information Technology; Human Resources
Policy and/or Security Measure: Transformation is a large business process reengineering effort in USCIS that is primarily focused on improved customer service and fraud detection. For example, the assessment team was told that Transformation will automatically validate data in CLAIMS against other external systems (e.g., ICE and FBI) and that security requirements and controls have been identified by current C3 LAN data owners.
Policy or Practice Gaps: Transformation was mentioned in most interviews for this assessment. It appears that USCIS is relying heavily upon Transformation to correct many of the problems resulting from legacy systems. However, it is unclear whether internal personnel security and information security concerns will be included in this program. This reliance on a single effort makes the effectiveness of this effort very important. Reading the Transformation requirements documentation, it is not clear that insiders are considered in the security requirements for prevention and detection of fraud or national security in USCIS systems.
Suggested Countermeasures: USCIS should consider the Transformation project from an enterprise-wide perspective. It is important for it to use a formal requirements gathering process in order to effectively mitigate both internal and external threats. Personnel security should be included as well as information security to ensure that the appropriate internal controls are in place to reduce the risk posed by malicious insiders.

Training and Awareness

It is essential that security awareness training be consistently provided to all employees to ensure that security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure by coworkers or others in an organization to report concerning behavior was a primary reason insiders in the CERT Insider Threat Case database were able to set up or carry out their attacks. USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Area of Concern: Training or Skills Required of Those in Appointed Security Roles
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: USCIS has a training process through an information systems security manager (ISSM).
Policy or Practice Gaps: USCIS relies heavily on contractors to provide adequately trained staff. Many ISSOs are not well versed in security. ISSOs are currently in an education process, but ISSOs are typically not security watchdogs.
Suggested Countermeasures: ISSOs must have proper training in order to keep up with the ever-changing information security environment and to be able to deal with the myriad technologies and tools available to them. Appropriate budget should be allocated for ISSO training, including vendor-specific training (e.g., McAfee and Cisco) and industry-specific training (e.g., SANS).
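The audit mechanism suggested in the Enterprise Risk Management entry above, an automated check for adjudicators who performed both function 1 (granting nonimmigrant status) and function 2 (granting permanent residency) for the same applicant, can be expressed as a short separation-of-duties audit. The following is an added example written for this page; it is not code from USCIS, CERT or the report. The CSV export format, its field names, and the applicant and adjudicator identifiers are constructed assumptions, not real case data.

```python
"""Separation-of-duties audit over adjudication records.

Added example for this page, not USCIS or CERT code. It assumes an export of
adjudication actions with the fields applicant_id, adjudicator_id, function and
decision_date, where function 1 is granting nonimmigrant status and function 2
is granting permanent residency (the two highest-risk functions named by the
Vermont Service Center). The sample rows are constructed, not real case data.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Tuple

GRANT_NONIMMIGRANT_STATUS = 1
GRANT_PERMANENT_RESIDENCY = 2

# Constructed sample export (assumed format; identifiers are made up).
SAMPLE_ADJUDICATION_LOG = """\
applicant_id,adjudicator_id,function,decision_date
A-1001,ADJ-07,1,2010-03-02
A-1001,ADJ-12,2,2010-09-14
A-1002,ADJ-07,1,2010-04-11
A-1002,ADJ-07,2,2010-10-05
A-1003,ADJ-03,1,2010-05-20
A-1004,ADJ-12,1,2010-01-08
A-1004,ADJ-12,2,2010-06-30
A-1005,ADJ-07,1,2009-11-02
A-1005,ADJ-03,2,2010-02-17
A-1006,ADJ-07,1,2010-03-03
A-1006,ADJ-07,1,2010-03-10
"""


@dataclass(frozen=True)
class Adjudication:
    applicant_id: str
    adjudicator_id: str
    function: int
    decision_date: date


def parse_log(text: str) -> List[Adjudication]:
    """Parse the CSV export. Unknown function codes are rejected rather than
    skipped, so a malformed feed cannot silently hide a finding."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        function = int(row["function"])
        if function not in (GRANT_NONIMMIGRANT_STATUS, GRANT_PERMANENT_RESIDENCY):
            raise ValueError(
                f"unknown function code {function} for applicant {row['applicant_id']}")
        records.append(Adjudication(row["applicant_id"], row["adjudicator_id"],
                                    function, date.fromisoformat(row["decision_date"])))
    return records


def find_sod_violations(records: Iterable[Adjudication]) -> List[Tuple[str, str, date, date]]:
    """Return (applicant_id, adjudicator_id, function-1 date, function-2 date) for
    every applicant that a single adjudicator took through both functions, in any
    order. Repeating the same function (re-adjudication) is not a violation."""
    # (applicant, adjudicator) -> {function code: earliest decision date}
    seen: Dict[Tuple[str, str], Dict[int, date]] = defaultdict(dict)
    for r in records:
        dates = seen[(r.applicant_id, r.adjudicator_id)]
        if r.function not in dates or r.decision_date < dates[r.function]:
            dates[r.function] = r.decision_date
    violations = []
    for (applicant, adjudicator), dates in seen.items():
        if GRANT_NONIMMIGRANT_STATUS in dates and GRANT_PERMANENT_RESIDENCY in dates:
            violations.append((applicant, adjudicator,
                               dates[GRANT_NONIMMIGRANT_STATUS],
                               dates[GRANT_PERMANENT_RESIDENCY]))
    return sorted(violations)


def violations_per_adjudicator(violations) -> Dict[str, int]:
    """Count findings per adjudicator: a single hit may be a process slip, a
    pattern is what an investigator would want to see first."""
    counts: Dict[str, int] = defaultdict(int)
    for _, adjudicator, _, _ in violations:
        counts[adjudicator] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_sod_violations(parse_log(SAMPLE_ADJUDICATION_LOG))
    for applicant, adjudicator, first, second in found:
        print(f"{adjudicator} granted nonimmigrant status ({first}) and permanent "
              f"residency ({second}) for {applicant}")
    print("findings per adjudicator:", violations_per_adjudicator(found))
```

Run against a real export the script would be scheduled nationally, as the Continual Security Process Improvement entry recommends for automated checks, and its output reviewed alongside the Convictions Task Force's case analysis; the per-adjudicator count distinguishes a one-off from a pattern worth an OSI referral.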

Appendix B: Human Resources

Employee Issues

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern by current employees. Some cases from the CERT Insider Threat Case database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations should establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by HR and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring, and clear requirements for ensuring employees' knowledge of these guidelines are essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information. Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

CERT suggests enhancements to the USCIS hiring and termination processes. For example, USCIS should consider additional screening for high-risk positions such as adjudicators. USCIS should also consider becoming more involved in vetting Foreign Service Nationals (FSN) prior to granting them access to USCIS critical systems and data. Finally, USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Area of Concern: Pre-Employment Screening
Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: The employee screening process lacks any form of psychological screening for a range of positions, including adjudicators.
Suggested Countermeasures: Five percent (18) of the insiders in the CERT database had possible psychological issues. USCIS should consider including psychological testing as part of the new hire process for select positions, including adjudicators. Given the significant social pressures on adjudicators and the relative lack of monitoring for insider risk, it seems important to improve this aspect of screening.

Area of Concern: Pre-Employment Screening (continued)
Responsible Personnel: Human Resources
Policy and/or Security Measure: Applicants are assigned a rating by HR; the rating is used to rank applicants.
Policy or Practice Gaps: There is currently no audit log that would capture instances in which someone in HR changed a rating to enable someone to get hired more easily.
Suggested Countermeasures: USCIS should consider implementing an audit log to track the candidate ratings and alert when candidate ratings are changed by someone in HR.

Area of Concern: Pre-Employment Screening (continued)
Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire.
Policy or Practice Gaps: PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires who have risk factors that do not cross adjudication guidelines for disqualification.
Suggested Countermeasures: USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Area of Concern: Pre-Employment Screening (continued)
Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: Each field office determines whether or not to meet an applicant face to face before hiring.
Policy or Practice Gaps: There was an impression at headquarters that nearly 100% of those hired by managers are interviewed, but representatives in Burlington, Vermont told us otherwise. This gap between perception (there is not a policy stating this must be done) and reality is of concern. There have been known instances in which applicants were only screened on paper or over the phone before being hired. Standard operating procedures are not followed at all field offices.
Suggested Countermeasures: USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

Area of Concern: Pre-Employment Screening (continued)
Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: PERSEC vets federal employees and contractors (with a minimum background investigation). USCIS relies on the U.S. Department of State to vet foreign national employees who work at embassies or consulates abroad. FSNs in some instances are granted accounts on USCIS information systems. If FSNs need access to DHS systems (including USCIS), currently this access must be approved by the CSO and CIO for DHS.
Policy or Practice Gaps: This practice was not always followed consistently in the past, so there may be FSNs who were granted access without all the current vetting and approvals.
Suggested Countermeasures: USCIS should consider becoming more involved in vetting of FSNs prior to granting them access to USCIS systems. In addition, USCIS should audit current FSNs with access to USCIS systems and ensure that appropriate vetting was performed.

Area of Concern: Candidate Certification Verification
Responsible Personnel: Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: USCIS does not have a standard procedure for verifying the certifications of job applicants.
Suggested Countermeasures: USCIS should consider implementing a step in the new hire process to verify certifications of all candidates. A few insiders documented in the CERT Insider Threat Case database were able to obtain positions in organizations by providing falsified certifications.

Area of Concern: Employee and Contractor Termination
Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: Exit procedures are recently developed and in some cases still under development (i.e., formal exit procedures are expected to be released in 3 months).
Policy or Practice Gaps: This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment. It appears the responsibility for ensuring that employees and contractors are terminated rests solely with the manager. It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS.
Suggested Countermeasures: USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Area of Concern: Employee and Contractor Mandatory Drug Testing
Responsible Personnel: Human Resources
Policy and/or Security Measure: All federal positions are subject to drug testing but only for new hires.
Policy or Practice Gaps: According to a USCIS Convictions Task Force investigation case, all contractor positions do not require drug testing.
Suggested Countermeasures: Fifteen insiders documented in the CERT Insider Threat Case database exhibited substance abuse. USCIS should consider implementing mandatory post-hire drug testing for all employees and contractors.

Appendix C: Physical Security
Field Offices, Access Following Termination, Security of Physical Case Files

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can also provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the national capital region (NCR) since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls. In addition, gaps in termination procedures have resulted in ongoing physical access following termination. Finally, issues concerning the security of physical case files should be considered as part of a USCIS risk management strategy.

Area of Concern: Physical Security of Field Offices
Responsible Personnel: USCIS Leadership; Physical Security
Policy and/or Security Measure: USCIS is in the process of putting a new access control system in place for the NCR. Before it does, it will disable access for anyone who has not used physical access in more than 12 months, as well as anyone no longer employed by USCIS. It also plans on examining all accounts that have not used physical access in more than 30 days. Security of field offices falls under the Field Security Division (FSD). The Office of Security and Integrity (OSI) recently developed an inspection workbook and is field testing it with FSD. USCIS Field Security Division is planning to put a security representative in every field office. It expects two to three times more reports of violations once it has a representative in every location.
Policy or Practice Gaps: Each USCIS facility has its own policies and access control systems. Some field offices within USCIS have access control systems, others do not. Not all offices in the field have electronic access controls – some only have locks and keys. Not every USCIS site has a physical security representative. Where no representative is present, this responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner. Some managers track who accesses what when and others do not. According to Physical Security in Vermont, only 20% of violations are being reported to security.
Suggested Countermeasures: Forty of the insiders documented in the CERT database took advantage of inadequate physical security to carry out their crimes. Electronic access controls provide logs that could be useful in investigations of illicit activity outside of normal working hours. USCIS should consider developing enterprise-wide physical security procedures, roll those out to each field office, and require a physical security representative at each site to ensure consistent enforcement of the policies. USCIS should consider prohibiting each field office from developing site-specific policies and removing enforcement control from each site.

Area of Concern: Physical Access Following Termination
Responsible Personnel: Human Resources; Physical Security
Policy and/or Security Measure: No evidence provided
Suggested Countermeasures: In 10 cases documented in the CERT Insider Threat Case database the insider was able to attack following termination due to failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list.

Sugg

este

dCo

unte

rmea

sure

s

ine

ach

faci

lityrsquo

sac

cess

con

trol

syst

em

D

isab

ling

phys

ical

acc

ess

tofa

cili

ties

whe

nem

ploy

ees

and

con

trac

tors

term

inat

eis

ess

entia

lto

prot

ectin

gU

SCIS

em

ploy

ees

and

faci

litie

sU

SCIS

sho

uld

cons

ider

au

tom

atin

gth

ere

voca

tion

of

empl

oyee

and

con

trac

tor

phys

ica

lacc

ess

whe

na

term

inat

ion

occu

rs

The

term

inat

ion

chec

klis

tsh

ould

incl

ude

ano

tific

atio

nto

ph

ysic

als

ecur

itys

oph

ysic

ala

cce

ssc

anb

edi

sabl

ed

Cons

ider

con

sist

ente

nfor

cem

ent

and

inve

stig

atio

nof

USC

ISp

hysi

ca

lsec

urity

inci

dent

sA

llal

erts

sh

ould

be

inve

stig

ated

and

Polic

yor

Pra

ctic

eG

aps

Secu

rity

gua

rds

ats

itelo

catio

nsh

ave

on

occ

asio

nig

nore

ddo

orp

ropp

ed

open

ala

rms

beca

use

thef

thas

trad

itio

nally

bee

na

very

sm

allp

robl

ema

t

Polic

yan

dor

Sec

urit

yM

easu

re

No

evid

ence

pro

vide

d

No

evid

ence

pro

vide

d

Resp

onsi

ble

Pers

onne

l

USC

ISL

eade

rshi

p Ph

ysic

alS

ecur

ity

Are

aof

Con

cern

No

Two

Pers

on

Cont

rol

CERT | SOFTWARE ENGINEERING INSTITUTE | 44

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sU

SCIS

docu

men

ted

ifth

eal

erti

sde

emed

unn

eces

sary

then

it

shou

ldb

edi

scon

tinue

dA

llse

cu

rity

vio

latio

nss

houl

dbe

trac

ked

ina

cen

tral

rep

osito

rys

oa

com

pl

ete

hist

ory

for

each

indi

vidu

alis

av

aila

ble

Aft

erH

ours

Acc

ess

Phys

ical

Sec

urit

y

Aut

hori

zed

Acc

ess

Mos

tacc

ess

is2

4ho

urs

ada

y7

days

a

wee

kndash

Tw

enty

nin

eof

the

insi

ders

do

cum

ente

din

the

CERT

dat

aba

seu

sed

phys

ical

acc

ess

outs

ide

ofn

orm

alw

orki

ngh

ours

toa

tta

ck

USC

ISs

houl

dco

nsid

erim

pl

emen

ting

ana

cces

sco

ntro

lsy

stem

that

gra

nts

acce

ssc

om

men

sura

tew

ithth

epo

sitio

nan

em

ploy

eeo

rcon

trac

tor

fills

If

apo

sitio

ndo

esn

otr

equi

rea

cces

sou

tsid

eof

nor

mal

wor

king

hou

rs

the

acce

ssc

ontr

ols

yste

ms

houl

dpr

ohib

itsu

cha

cces

san

dlo

gun

su

cces

sful

acc

ess

atte

mpt

s
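The rows above ask for three things from electronic access controls: logs that are useful when investigating activity outside normal working hours, denial of after-hours access to positions that do not need it, and logging of unsuccessful attempts. The following Python script is an added example, not code from the report, from CERT or from USCIS. It reads constructed badge-event lines against a constructed roster and reports granted after-hours access by badge holders whose position is not authorized for it, repeated denied attempts at one door, and badges that are absent from the roster. The roster entries, door names, the three-attempt threshold and the 06:00 to 19:00 weekday window are assumptions made for the illustration.

```python
"""Review badge-reader logs for after-hours use, repeated denials and unknown badges."""
from collections import Counter
from datetime import datetime, time

# Constructed roster: badge id -> holder and whether the position is
# authorized for access outside normal working hours.
ROSTER = {
    "B1001": {"name": "adjudicator-1", "after_hours_ok": False},
    "B1002": {"name": "facilities-1", "after_hours_ok": True},
    "B1003": {"name": "clerk-1", "after_hours_ok": False},
}

# Constructed badge events, one per line: timestamp, badge id, door, result.
BADGE_LOG = """\
2010-09-13T08:55:00,B1001,VSC-main,granted
2010-09-13T21:40:00,B1001,VSC-fileroom,granted
2010-09-13T22:10:00,B1002,VSC-main,granted
2010-09-14T02:15:00,B1003,VSC-fileroom,denied
2010-09-14T02:16:00,B1003,VSC-fileroom,denied
2010-09-14T02:17:00,B1003,VSC-fileroom,denied
2010-09-18T11:00:00,B1001,VSC-main,granted
2010-09-14T09:00:00,B9999,VSC-main,granted
"""

# Assumed normal working hours: 06:00 to 19:00, Monday to Friday.
WORKDAY_START, WORKDAY_END = time(6, 0), time(19, 0)

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, badge, door, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "result": result})
    return events

def is_after_hours(ts):
    # Saturday and Sunday (weekday() 5 and 6) or outside the workday window.
    return ts.weekday() >= 5 or not (WORKDAY_START <= ts.time() < WORKDAY_END)

def review(events, roster, deny_threshold=3):
    """Return findings as (kind, badge, detail) tuples in time order."""
    findings = []
    denies = Counter()
    for ev in sorted(events, key=lambda e: e["ts"]):
        holder = roster.get(ev["badge"])
        if holder is None:
            # A badge the roster does not know about should never open a door.
            findings.append(("unknown_badge", ev["badge"], ev["ts"].isoformat()))
            continue
        if ev["result"] == "denied":
            # Report once when a badge reaches the threshold of denials.
            denies[ev["badge"]] += 1
            if denies[ev["badge"]] == deny_threshold:
                findings.append(("repeated_denied", ev["badge"], ev["door"]))
            continue
        if is_after_hours(ev["ts"]) and not holder["after_hours_ok"]:
            findings.append(("after_hours", ev["badge"], ev["ts"].isoformat()))
    return findings

if __name__ == "__main__":
    for kind, badge, detail in review(parse_events(BADGE_LOG), ROSTER):
        print(f"{kind:16} {badge} {detail}")
```

Running the block prints one line per finding. The same checks run unchanged over a real export as long as each event carries a timestamp, badge id, door and result; the roster's after-hours flag is where the position-based policy the countermeasure describes would be encoded, and the denied-attempt counter is the log of unsuccessful attempts it asks for.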

Area of Concern: Security of Physical Case Files
Responsible Personnel: Physical Security
Policy and/or Security Measure: Protection of USCIS Case File Data
Policy or Practice Gaps: Physical files were observed in crates stacked in the hallways in the Vermont Service Center. According to an interview at the Service Center, anyone could walk out with a "crate full" of files after hours, especially if you are a teleworker. USCIS assumes its case file data is secure because its employees and contractors have a clearance or have had a background check. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their office or desk. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they might leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Adjudicators pick up their cases in an envelope in their mailbox. During the site visit, the assessment team observed the mailroom at the Vermont Service Center unattended between shifts (approximately 3 pm). When adjudicators finish with a file, they return it to a drop-off spot. The assessment team observed those spots, which are in the open and unattended. Adjudicators may keep cases overnight and usually return them within 1 week.
Suggested Countermeasures: It is important to note that 49 insiders documented in the CERT database violated need-to-know policies in the commission of their crimes. Therefore, relying on clearances alone can be very dangerous. Thirteen insiders documented in the CERT database stole physical property belonging to the organization. CERT suggests USCIS consider the consequences of theft or unauthorized access to physical case files and make a risk-based decision regarding potential policy and procedure changes. There are standard policies and procedures for handling sensitive information, but a strong educational campaign is needed to ensure the protection of data.

Area of Concern: Teleworkers at Service Centers
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: One hundred eighty-nine people at the Vermont Service Center are authorized to work from home. These employees pick up files at the Vermont Service Center and take them home. They work 2 days per week in the Service Center and 3 days per week at home. USCIS pays an unannounced visit to all homes to inventory the employees' files at least quarterly. These employees must have a locked facility in their home and must always have the ability to return the files to the Service Center within 4 hours.
Policy or Practice Gaps: The control of USCIS data when it leaves the Vermont Service Center is difficult to enforce. Employees must have appropriate storage facilities, but they could easily copy USCIS data and share it with unauthorized individuals.
Suggested Countermeasures: Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. It is important that USCIS recognize the potential for recruitment and the lack of control exercised over sensitive data at adjudicators' residences.

Appendix D: Business Processes

Technical Controls, Authorization via PICS, Account Management

A variety of cases from the CERT Insider Threat Case database document insider attacks where gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environments is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors are targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud.

In addition, potential vulnerabilities surround the use of the ICE PICS system for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Area of Concern: Authorization for USCIS Critical Systems through PICS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Several critical USCIS systems are tied to PICS for authentication, which is administered by ICE. PICS logs account creations, when the accounts were created, what roles applied to the accounts, etc.
Policy or Practice Gaps: PICS permits users outside of USCIS to authorize users for any USCIS application tied to PICS. Two thousand local PICS officers (LPOs) in ICE and USCIS can create new accounts in PICS for employees located at their sites. LPOs control access for sheriffs, petitioners, CBP, DOJ, TSA, DHS OIG, the Terrorism Task Force, and others. Accounts are based on personnel records, so LPOs cannot create accounts for anyone who is not an employee at their site. However, PICS administrators can create accounts for anyone working at their site for any system tied to PICS.
Suggested Countermeasures: USCIS should consider implementing an authorization process and system that enables it to control who is granted access to USCIS systems and data. CERT suggests that USCIS validate current PICS accounts and roles against current employee lists. Ten percent (37) of the insiders documented in the CERT database had excessive privileges which enabled them to attack. In addition, "privilege creep" enabled a few (six) of the insiders documented in the CERT database to carry out their crimes.

Verification Information System (VIS)

Area of Concern: Sharing VIS Accounts
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: VIS administrators in external companies or agencies have been caught letting multiple employees use the same VIS account, but USCIS has no ability to take any action. The accounts enable employees to validate PII and citizenship information.
Suggested Countermeasures: Twenty-four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implementing stronger authentication to make sharing accounts more difficult.

Area of Concern: Logging, Auditing, and Alerting in VIS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Modifications by VIS users to critical data are logged.

Computer Linked Application Information Management System (CLAIMS) 3 LAN

Area of Concern: Self-Selection of Adjudication Cases
Responsible Personnel: ISSOs, Data Owners
Policy and/or Security Measure: Adjudicators can self-select cases (according to an interview concerning an internal incident that occurred at USCIS and interviews with data owners at the Vermont Service Center).
Policy or Practice Gaps: Within the Service Centers, adjudicators have virtually unlimited access to applicant files; there are no need-to-know limitations or controls to prevent an adjudicator from accessing sensitive information and reporting it to outsiders, or from modifying a file (entering an invalid decision). Adjudicators can also approve a case that is not assigned to them. There is no tie between the case management system (i.e., the National File Tracking System, or NFTS) and the case adjudication system (i.e., CLAIMS). In the internal case that occurred at USCIS, the perpetrator circumvented the interview process for 14 months: he approved "no show" cases. There were no controls to detect this. In addition, adjudicators can adjudicate any type of case even though they are each assigned certain types of benefits cases for adjudication.
Suggested Countermeasures: USCIS should consider implementing technical controls to prohibit adjudicators from self-selecting cases to adjudicate.

Area of Concern: Emphasis on Customer Service Over Risk
Responsible Personnel: Data Owners
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: One interviewee at the Vermont Data Center said that "stats" can be a strain, especially for new hires, although they do get a 90-day grace period.
Suggested Countermeasures: USCIS should use caution in emphasizing customer service as the only performance metric, because this could encourage lack of attention to risk-related activities (such as accurate adjudication decisions).

Area of Concern: Lack of Separation of Duties in CLAIMS
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Currently all declined requests for benefits are reviewed by a supervisor. However, there was a discrepancy during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. Only a random sample of approved adjudication decisions is reviewed. For some cases (for instance, victims cases) a senior adjudicator has to review the decision after the adjudicator enters it; then the supervisor reviews it. This is a manually enforced process. There was another discrepancy in interviews; the adjudicators said that when adjudicators are in training they are under 100% review. They are in training on a specific type of case for at least 6 months. Auditing for improperly granted benefits is based on sampling and/or blind quality assurance (QA) "according to Army standards" after the fact. A randomly selected 30 cases per quarter are also reviewed by "sister centers." The QA process varies office by office (there is no national process). This QA has been done for the past year and a half. In the Vermont field office each supervisor pulls at least 10 cases per adjudicator per month. They review decision-related issues, security-related issues, and procedural issues (did they follow the right steps). They also look for lessons learned. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Some cases are more than 1000 pages, so every detail cannot practically be reviewed for every case; clerks pull cases a couple of times per month, a certain number of cases per employee. Those cases are passed to QA, who reviews them. QA then sends feedback to the supervisor and adjudicator if they find something that does not look right.
Suggested Countermeasures: USCIS should consider implementing automated processes to prevent and detect fraud. Management indicated it would like to see automated technical enforcement of the review and approval process. In nearly ten percent (39) of the cases documented in the CERT database, insiders took advantage of insufficient separation of duties to carry out their crimes. USCIS should carefully consider the biggest risk to the organization. Many of the USCIS employees interviewed for this assessment identified the primary risk for the organization as allowing the next terrorist to live and work legally in the United States. They desire assistance in identifying and implementing internal controls to counter that risk. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it. If USCIS agrees that granting legal documents to illegal applicants is one of the biggest risks to the organization, then it should consider requiring dual authorization for these adjudication decisions.

Area of Concern: Lack of Automated Checks
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Vermont IT has done data sweeps after it found something suspicious. When it has done so, it has found more of the same activity.
Policy or Practice Gaps: There are no automated checks (there will be in Transformation). Checks that do exist are managed at the local level rather than alerting to the headquarters level.
Suggested Countermeasures: In nearly twenty-five percent (91) of cases documented in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 cases it was because of inadequate auditing of irregular processes. In 29 of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analyzing the OSI's findings and developing automated checks that are rolled out nationally.
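The CLAIMS rows above describe controls that do not exist today: a tie between the case assignment in NFTS and the decision entered in CLAIMS, a block on adjudicating form types outside an adjudicator's assignment, detection of approvals entered on "no show" interviews, dual authorization for approvals, and automated checks that run nationally instead of as local data sweeps. The following Python script is an added example, not code from the report, from CERT or from USCIS, of what such automated checks look like when run over constructed decision records. The form types, adjudicator names, the dual-authorization policy and the record layout are assumptions made for the illustration.

```python
"""Automated checks over adjudication decision records."""
from collections import Counter

# Constructed assignment table: benefit form types each adjudicator is
# assigned to work. A real table would come from the case management system.
ASSIGNMENTS = {
    "adj-A": {"I-130", "I-485"},
    "adj-B": {"N-400"},
    "sup-1": {"I-130", "I-485", "N-400"},
}
# Constructed policy: approvals on these form types need a second approver.
DUAL_AUTH_FORMS = {"N-400", "I-485"}

# Constructed decision records, one per line: case id, form type, adjudicator
# the case was assigned to, adjudicator who entered the decision, decision,
# interview status, second approver (empty if none).
DECISIONS = """\
C001,I-130,adj-A,adj-A,approved,attended,
C002,I-485,adj-A,adj-A,approved,attended,sup-1
C003,N-400,adj-B,adj-B,approved,no_show,sup-1
C004,N-400,adj-B,adj-A,approved,attended,sup-1
C005,I-485,adj-A,adj-A,approved,attended,
C006,I-130,adj-A,adj-A,denied,attended,
C007,N-400,adj-B,adj-B,approved,attended,adj-B
"""

FIELDS = ("case", "form", "assigned_to", "decided_by",
          "decision", "interview", "second_approver")

def parse_decisions(text):
    return [dict(zip(FIELDS, line.split(","))) for line in text.strip().splitlines()]

def check_decision(rec, assignments, dual_auth_forms):
    """Return the control violations found in one decision record."""
    issues = []
    # 1. Decided by someone other than the assigned adjudicator: the tie
    #    between case assignment and decision that the report says is missing.
    if rec["decided_by"] != rec["assigned_to"]:
        issues.append("self_selected")
    # 2. Form type outside the deciding adjudicator's assigned types.
    if rec["form"] not in assignments.get(rec["decided_by"], set()):
        issues.append("out_of_assignment")
    if rec["decision"] == "approved":
        # 3. Approval entered although the applicant did not appear.
        if rec["interview"] == "no_show":
            issues.append("no_show_approved")
        # 4. Dual authorization: a second approver who is a different person
        #    and is themselves assigned to this form type.
        if rec["form"] in dual_auth_forms:
            second = rec["second_approver"]
            valid_second = (second and second != rec["decided_by"]
                            and rec["form"] in assignments.get(second, set()))
            if not valid_second:
                issues.append("missing_dual_auth")
    return issues

def audit(records, assignments=ASSIGNMENTS, dual_auth_forms=DUAL_AUTH_FORMS):
    """Return ({case id: issues}, Counter of violations per deciding adjudicator)."""
    findings = {}
    per_adjudicator = Counter()
    for rec in records:
        issues = check_decision(rec, assignments, dual_auth_forms)
        if issues:
            findings[rec["case"]] = issues
            per_adjudicator[rec["decided_by"]] += len(issues)
    return findings, per_adjudicator

if __name__ == "__main__":
    found, counts = audit(parse_decisions(DECISIONS))
    for case, issues in found.items():
        print(case, ", ".join(issues))
    print("violations per adjudicator:", dict(counts))
```

check_decision is deliberately a pure function over one record, so the same rules can run as a nightly batch over the day's decisions or inline before a decision is committed. The per-adjudicator counter is the cross-site view the report says local checks lack: a high count for one adjudicator is what a headquarters-level alert would key on.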

Area of Concern: Physical Security of Case Files
Responsible Personnel: Data Owners, Adjudicators
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: The NFTS tracks millions of files. It was described, however, as a very large warehouse where files do occa[…]
Suggested Countermeasures: Ten percent (40) of the insiders documented in the CERT database carried out their crimes by […] the same applicant.

C3 LAN will be retired as part of Transformation. C4 will also be retired. A copy of security controls and requirements has been provided by C3 LAN data owners to Transformation. It is important for the Transformation team to make risk-based decisions in Transformation design and development.

Area of Concern: Disabling Access to CLAIMS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Currently, every month USCIS compares the Human Resources attrition list against the C3 LAN account list and disables inactive employee accounts.
Policy or Practice Gaps: The new HR form has not been socialized or widely advertised. It is up to the COTRs and supervisors to consistently request that access be disabled when an employee or contractor no longer needs access.
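Three rows in this report describe the same control applied to different systems: comparing current employees and contractors to the authorized access list in each facility's access control system (Physical Access Following Termination), validating PICS accounts and roles against current employee lists (Authorization for USCIS Critical Systems through PICS), and the monthly comparison of the HR attrition list against the C3 LAN account list described in this row. The following Python script is an added example, not code from the report, from CERT or from USCIS, of one reconciliation that covers all three: every account is matched to an HR record; accounts whose owner is separated or has no HR record are marked for disabling; accounts provisioned for a site other than the owner's HR site are marked for review (the local PICS officer case); and the 30-day review and 12-month disable thresholds from the Physical Security of Field Offices row are applied to last-login dates. The stricter handling of privileged roles is an assumption added here, as are the roster, the account export format, the site codes and the dates.

```python
"""Reconcile system accounts and roles against the HR roster."""
from datetime import date

# Constructed HR roster: employee id -> (status, duty site). Entries marked
# "separated" stand in for the monthly attrition list.
HR_ROSTER = {
    "E100": ("active", "VSC"),
    "E101": ("active", "VSC"),
    "E102": ("separated", "VSC"),
    "E103": ("active", "NBC"),
}

# Constructed account export, one line per account:
# account, owner employee id, site it was provisioned for, roles, last login.
ACCOUNTS = """\
jdoe,E100,VSC,adjudicator,2010-09-10
asmith,E101,VSC,adjudicator;supervisor,2010-05-01
rlee,E102,VSC,clerk,2010-09-01
mchan,E103,VSC,adjudicator,2010-09-12
svc_batch,E999,VSC,admin,never
"""

REVIEW_AFTER_DAYS = 30       # examine accounts unused for more than 30 days
DISABLE_AFTER_DAYS = 365     # disable accounts unused for more than 12 months
PRIVILEGED_ROLES = {"admin", "supervisor"}   # assumed: idle privileged accounts are disabled, not reviewed

def parse_accounts(text):
    accounts = []
    for line in text.strip().splitlines():
        acct, owner, site, roles, last = line.split(",")
        accounts.append({
            "account": acct, "owner": owner, "site": site,
            "roles": set(roles.split(";")),
            "last_login": None if last == "never" else date.fromisoformat(last),
        })
    return accounts

def reconcile(accounts, roster, today):
    """Return {account: (action, reason)} for every account that needs attention."""
    actions = {}
    for a in accounts:
        hr = roster.get(a["owner"])
        if hr is None:
            # No owner in HR: created outside the personnel record, or the
            # owner left before the export was taken.
            actions[a["account"]] = ("disable", "no HR record for owner")
            continue
        status, hr_site = hr
        if status == "separated":
            actions[a["account"]] = ("disable", "owner on attrition list")
            continue
        if a["site"] != hr_site:
            # Provisioned at a site the owner does not work at.
            actions[a["account"]] = ("review", f"provisioned at {a['site']}, HR site {hr_site}")
            continue
        idle = None if a["last_login"] is None else (today - a["last_login"]).days
        privileged = bool(a["roles"] & PRIVILEGED_ROLES)
        if idle is None or idle > DISABLE_AFTER_DAYS:
            actions[a["account"]] = ("disable", "unused for more than 12 months")
        elif idle > REVIEW_AFTER_DAYS and privileged:
            actions[a["account"]] = ("disable", f"privileged account idle {idle} days")
        elif idle > REVIEW_AFTER_DAYS:
            actions[a["account"]] = ("review", f"idle {idle} days")
    return actions

def run_reconciliation(export_text, roster, today_iso):
    return reconcile(parse_accounts(export_text), roster, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for acct, (action, reason) in run_reconciliation(ACCOUNTS, HR_ROSTER, "2010-09-15").items():
        print(f"{action:8} {acct:10} {reason}")
```

The output is an action list rather than a direct change to the account store, which keeps the script usable against a badge system, PICS and C3 LAN alike: each system's administrators receive the same format and apply the disable or review step in their own tooling, and the list itself becomes the record that the monthly comparison actually happened.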

CERT | SOFTWARE ENGINEERING INSTITUTE | 56

Are

aof

Con

cern

Non

Att

ribu

tion

fo

rD

BAA

ccou

nts

Resp

onsi

ble

Pers

onne

l

Info

rmat

ion

Tech

nolo

gy

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

s

CERT | SOFTWARE ENGINEERING INSTITUTE | 57

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

s

Pend

ing

Redu

ctio

nin

For

cefo

rD

ata

Entr

yCl

erks

Dat

aO

wne

rs

Hum

anR

esou

rces

No

evid

ence

pro

vide

d

Dat

aen

try

cler

ksw

illb

elo

sing

thei

rjo

bsw

hen

they

mov

eto

Loc

kBox

w

hich

will

take

ove

rth

efu

nctio

nal

ityo

facc

eptin

gre

mitt

ance

sfo

rbe

nefit

app

lican

ts

Itw

ass

tate

dth

atth

eda

tae

ntry

cle

rks

mig

htb

ehi

red

away

tow

ork

atth

eor

gani

za

tion

whi

chp

erfo

rms

that

func

tio

n

USC

ISs

houl

dbe

aw

are

ofth

ein

crea

sed

insi

der

risk

inth

efa

ce

ofn

egat

ive

orga

niza

tiona

lev

ents

like

this

It

sho

uld

con

side

rpr

oact

ive

step

sto

dec

reas

est

ress

inth

ew

orkp

lace

and

to

ease

pot

entia

lfin

anci

alb

urde

ns

that

cou

ldm

ake

empl

oyee

sm

ore

susc

eptib

leto

rec

ruitm

ent

byo

utsi

ders

Shar

ing

Acc

ount

sin

CLA

IMS

Dat

aO

wne

rs

Info

rmat

ion

Tech

nolo

gy

Dat

aEn

try

Cler

ks

The

NFT

Sw

illn

otle

tcle

rks

log

inif

th

eyh

ave

notu

sed

the

syst

emfo

ra

cert

ain

num

ber

ofd

ays

Ac

lerk

rsquosc

ube

mat

ew

illlo

gin

for

thei

rcu

bem

ate

ifit

isth

een

dof

the

day

and

ITh

asg

one

hom

efo

rthe

day

Twen

tyf

our

(6

)oft

hein

side

rs

docu

men

ted

inth

eCE

RTd

ata

base

wer

eab

leto

car

ryo

utth

eir

crim

esb

ecau

sein

side

rss

hare

dac

coun

tand

pas

swor

din

form

atio

no

ften

tom

ake

thei

rjo

bs

easi

era

ndto

incr

ease

pro

duct

iv

ity

USC

ISs

houl

dco

nsid

erin

crea

sing

th

eco

nseq

uenc

esfo

rin

frac

tions

an

dpo

ssib

lyim

plem

ents

tron

ger

auth

entic

atio

nto

mak

eac

coun

tsh

arin

gm

ore

diff

icul

t
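This row and the Sharing VIS Accounts row both trace 6 percent of the insider cases to shared account and password information, and the gap here describes exactly how it happens: a clerk's cube mate logs in for them at the end of the day. The following Python script is an added example, not code from the report, from CERT or from USCIS, of detecting that pattern from records an organization already keeps. It correlates constructed application logon records with constructed badge records and reports two things: a logon for an account whose owner's most recent badge event is an exit, and a second live session for one account from a different workstation. The account-to-person mapping, the workstation names and the timestamps are assumptions made for the illustration.

```python
"""Detect shared-account use by correlating application logons with badge records."""
from datetime import datetime

# Constructed mapping from application account to the person who owns it.
ACCOUNT_OWNER = {"clerk1": "P1", "clerk2": "P2"}

# Constructed application events, one per line: timestamp, account, workstation, event.
LOGON_LOG = """\
2010-09-13T08:00:00,clerk1,WS-101,logon
2010-09-13T08:05:00,clerk2,WS-102,logon
2010-09-13T16:30:00,clerk1,WS-101,logoff
2010-09-13T16:45:00,clerk1,WS-102,logon
2010-09-13T17:30:00,clerk1,WS-102,logoff
2010-09-13T17:31:00,clerk2,WS-102,logoff
2010-09-14T09:00:00,clerk2,WS-102,logon
2010-09-14T09:10:00,clerk2,WS-205,logon
2010-09-14T12:00:00,clerk2,WS-205,logoff
2010-09-14T17:00:00,clerk2,WS-102,logoff
"""

# Constructed badge events, one per line: timestamp, person, direction.
BADGE_LOG = """\
2010-09-13T07:55:00,P1,in
2010-09-13T07:58:00,P2,in
2010-09-13T16:35:00,P1,out
2010-09-13T17:35:00,P2,out
2010-09-14T08:50:00,P2,in
2010-09-14T17:05:00,P2,out
"""

def parse(text):
    """Parse comma-separated lines into tuples, timestamp first, in time order."""
    rows = []
    for line in text.strip().splitlines():
        ts, *rest = line.split(",")
        rows.append((datetime.fromisoformat(ts), *rest))
    return sorted(rows)

def owner_present(badge_rows, person, when):
    """True if the person's most recent badge event at or before `when` is an entry."""
    state = "out"
    for ts, who, direction in badge_rows:
        if ts > when:
            break
        if who == person:
            state = direction
    return state == "in"

def detect_sharing(logon_rows, badge_rows, owners):
    findings = []
    open_sessions = {}   # account -> workstations with a live session
    for ts, account, host, event in logon_rows:
        hosts = open_sessions.setdefault(account, set())
        if event == "logoff":
            hosts.discard(host)
            continue
        # 1. A second live session for the account from another workstation.
        if hosts and host not in hosts:
            findings.append(("concurrent_session", account, host, ts.isoformat()))
        hosts.add(host)
        # 2. A logon while the account's owner is not badged into the building:
        #    the "cube mate logs in after the owner has left" pattern.
        owner = owners.get(account)
        if owner and not owner_present(badge_rows, owner, ts):
            findings.append(("owner_not_present", account, host, ts.isoformat()))
    return findings

if __name__ == "__main__":
    for finding in detect_sharing(parse(LOGON_LOG), parse(BADGE_LOG), ACCOUNT_OWNER):
        print(*finding)
```

The badge correlation is what makes the end-of-day case visible: clerk1's second logon is a single session from one workstation and would pass a concurrency check on its own, but it happens ten minutes after P1 badged out. Both findings are the kind of infraction the countermeasure says should carry consequences, and they are also the evidence that justifies the stronger authentication it proposes.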

Fraud Detection and National Security Data System (FDNS-DS)

Area of Concern: No Logging of Transactions
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: The FDNS-DS is a central repository of fraud and national security investigations. This system holds applicants and petitioners as well as PII. There is also a national security tab.
Policy or Practice Gaps: […] but there are national controls to ensure that celebrities' files are not being accessed.

Area of Concern: Elevated Privileges to FDNS-DS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is a large superuser community (more than thirty percent of all FDNS-DS users) with access to the FDNS-DS. These accounts have extensive power: a malicious superuser can completely delete a record or modify the summary of findings.
Suggested Countermeasures: Ten percent (39) of the insiders documented in the CERT database took advantage of insufficient access controls. USCIS should consider reducing the number of privileged accounts with access to the FDNS-DS. If the number of superuser accounts were reduced, then enhanced auditing could be employed on transactions conducted using those accounts.

Area of Concern: Unknown Connections to […]
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.

Area of Concern: Failure to Address Known Security Vulnerabilities
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no automated patching because of the age of the servers and the application. Only critical patches are applied, for fear of crashing the servers.
Suggested Countermeasures: Thirteen insiders in the CERT database exploited known security vulnerabilities that were not addressed by the organization. USCIS should consider upgrading the FDNS-DS, since these vulnerabilities increase the risk of attack from outside and inside.

Area of Concern: Production Data Available to Contractors in Development
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: CSC has production data in the development environment even though it should not have access to production data.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment, and it was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine the data being used in the remote contractor-owned development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.
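The countermeasure above offers a choice between sanitizing or anonymizing the data used in the contractor-owned development environment and extending production controls to it. The following Python script is an added example, not code from the report, from CERT, from USCIS or from CSC, of the first option: keyed pseudonymization of identifying fields. Each identifier is replaced by an HMAC-derived token, so the same A-number maps to the same token in every table (joins and test cases keep working) while the key stays in production and is never shipped with the data. The field names, the A-number and SSN formats, the sample records and the key are constructed for the illustration.

```python
"""Keyed pseudonymization of identifying fields before data leaves production."""
import hmac
import hashlib

# Constructed key. It lives only in production; developers never receive it,
# so tokens cannot be mapped back to applicants from the development copy.
PSEUDONYM_KEY = b"production-only-secret-rotate-me"

def _digest(key, field, value):
    # Include the field name so equal values in different columns
    # (e.g. a phone number reused as a case note) get different tokens.
    return hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()

def pseudonym_digits(key, field, value, length):
    """Replace a numeric identifier with a numeric token of the same length."""
    d = _digest(key, field, value)
    return "".join(str(b % 10) for b in d[:length])   # deterministic, not uniform

def pseudonym_token(key, field, value):
    """Replace free text such as a name with an opaque 16-hex-digit token."""
    return _digest(key, field, value).hex()[:16]

def sanitize_record(rec, key=PSEUDONYM_KEY):
    out = dict(rec)
    if "a_number" in rec:      # assumed format: "A" followed by nine digits
        out["a_number"] = "A" + pseudonym_digits(key, "a_number", rec["a_number"], 9)
    if "ssn" in rec:
        out["ssn"] = pseudonym_digits(key, "ssn", rec["ssn"], 9)
    for name_field in ("first_name", "last_name"):
        if name_field in rec:
            out[name_field] = pseudonym_token(key, name_field, rec[name_field])
    return out

def sanitize_dataset(tables, key=PSEUDONYM_KEY):
    """Apply one mapping to every table so rows that joined before still join."""
    return {name: [sanitize_record(r, key) for r in rows] for name, rows in tables.items()}

# Constructed production extract: two tables that join on a_number.
PRODUCTION = {
    "applicants": [
        {"a_number": "A012345678", "ssn": "123456789",
         "first_name": "Jane", "last_name": "Doe", "form": "N-400"},
        {"a_number": "A087654321", "ssn": "987654321",
         "first_name": "John", "last_name": "Roe", "form": "I-485"},
    ],
    "interviews": [
        {"a_number": "A012345678", "date": "2010-09-13", "status": "attended"},
    ],
}

if __name__ == "__main__":
    for table, rows in sanitize_dataset(PRODUCTION).items():
        for row in rows:
            print(table, row)
```

Keyed tokens rather than plain hashes matter here: an unkeyed SHA-256 of a nine-digit SSN can be reversed by hashing all one billion candidates, so a hash alone would not be anonymization. Dates, form types and status fields are left untouched in this example; whether they need generalizing as well depends on what the development team has to test and on how many applicants share each combination.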

Conf

igur

atio

nM

anag

emen

tan

dor

Cha

nge

Cont

rolP

roce

ss

Not

Enf

orce

d

ISSO

s D

ata

Ow

ners

In

form

atio

nTe

chno

logy

Dev

elop

ers

cann

otr

elea

sen

ewe

xec

utab

les

as

epar

ate

syst

ema

dmin

is

trat

orh

asto

pus

hth

emo

ut

Cont

ract

ors

som

etim

esr

elea

sec

ode

tofi

xpr

oble

ms

with

outf

ollo

win

gth

ech

ange

man

agem

entp

roce

ss

In1

7ca

ses

docu

men

ted

inth

eCE

RTIn

side

rTh

reat

Cas

eda

ta

base

the

insi

der

was

abl

eto

at

tack

bec

ause

ofl

ack

ofa

de

quat

eco

nfig

urat

ion

man

age

men

tU

SCIS

has

afo

rmal

con

fig

urat

ion

man

agem

entp

roce

ss

Itis

impo

rtan

tto

enfo

rce

itsu

se

for

alle

mpl

oyee

san

dco

ntra

cto

rs

Oth

erw

ise

itw

illb

eex

tr

emel

ydi

ffic

ultt

oin

vest

igat

ea

crim

eco

mm

itted

usi

ngfl

aws

inte

ntio

nally

inje

cted

into

sou

rce

code

by

aco

ntra

ctor

CERT | SOFTWARE ENGINEERING INSTITUTE | 61

Appendix E: Incident Response

Incident Management, Security Awareness, Concerning Behaviors

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complexity and widely distributed function creates a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Because of this, it is practically impossible for USCIS to implement a proactive program to mitigate insider threat. CERT strongly recommends that USCIS create a central repository of employee misconduct so it can detect indicators of increasing insider threat risk and mitigate them as quickly as possible.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Area of Concern: Lack of Central Repository of Employee Misconduct
Responsible Personnel: USCIS Leadership, Physical Security, Office of Security and Integrity
Policy and/or Security Measure: If Field Security receives a Significant Incident Report (SIR), then it investigates. Employee misconduct is then reported to the Office of Security and Integrity (OSI). If the OSI investigation substantiates an employee's misconduct, it provides Counterintelligence (CI) a monthly report. It also provides the employee's management a copy. CI is starting to get more reports of acceptable use violations and security violations. It tracks everything in a file for later use in reinvestigations. Labor Employee Relations (LER) has a record of the reports it receives of misconduct, complaints against an employee, rule violations, and so on. HR maintains the Official Personnel File, which contains records of suspensions, etc. LER contacts HR only for those types of actions. The OSI evaluates all complaints it receives and logs them into the case management system. It assigns them to a field office. At that point any complaints are the responsibility of the special agent in charge at the field office. The field office investigates
Policy or Practice Gaps: There is no single place to go for an employee's disciplinary records. The number of organizations involved and the management of records is very complex and distributed throughout the organization. According to Physical Security, the field office does not tell the OSI about problems; the OSI finds out when it "hits the press". For example, the OSI is not informed of a disgruntled system administrator who is exhibiting concerning behaviors.
Suggested Countermeasures: USCIS should consider requiring mandatory reporting of all incidents to the OSI. This communication stream will allow the OSI to get involved as early as possible and to document and maintain a central repository of all incidents. This central repository is critical for adequately managing insider threats in USCIS.

Policy and/or Security Measure (continued): and sends the case for corrective action to the regional director in the chain of command, and then the regional director returns a management report of action to the special agent in charge. The OSI contacts the DHS OIG for potentially criminal behavior or serious misconduct. If the DHS OIG turns the case down, then it is sent to the field office or to law enforcement. The Personnel Security division (PERSEC) notifies the OSI monthly of arrests (tracked in the case management system), and the OSI notifies PERSEC of investigations.

Area of Concern: Tracking of Online Incidents
Responsible Personnel: Information Technology
Policy and/or Security Measure: Computer or network violation incidents are tracked by a Remedy system tied to a unique computer identifier rather than a user, in an attempt to keep PII out of the ticket.
Policy or Practice Gaps: It is difficult to tie an event to a particular person. Even if the identity of an offender is known, repeat offenders are not tracked in any automated or correlated way.
Suggested Countermeasures: USCIS should consider including user information for each incident so that repeat offenders can be easily identified, as repeat offenses could indicate an insider of higher risk.
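The gap above (tickets keyed to a computer identifier, repeat offenders never correlated) can be closed with a correlation step run over the ticket export, without storing PII in the ticket itself: each ticket is attributed to whoever held an interactive logon on that computer at the time, and attributed tickets are then counted per user inside a rolling window. The following is an added example written for this page, not code from the CERT/SEI report or from any USCIS or Remedy system; the ticket and logon records are constructed, and the field layout, the 90-day window and the threshold of two tickets are assumptions.

```python
"""Attribute computer-keyed incident tickets to users and flag repeat offenders.

Added example, not part of the CERT/SEI report or of any USCIS system.
Assumptions (hypothetical): tickets carry a computer identifier and a
timestamp; a separate logon record maps computer identifiers to the user
logged on during a time window. All sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample tickets: (ticket id, computer id, time of violation, category).
TICKETS = [
    ("INC-1001", "WS-0042", "2010-03-02T09:15:00", "acceptable use"),
    ("INC-1002", "WS-0017", "2010-03-05T14:30:00", "unauthorized software"),
    ("INC-1003", "WS-0042", "2010-04-11T11:05:00", "acceptable use"),
    ("INC-1004", "WS-0099", "2010-04-20T08:45:00", "removable media"),
    ("INC-1005", "WS-0017", "2010-05-01T16:10:00", "acceptable use"),
    ("INC-1006", "WS-0017", "2010-05-03T23:40:00", "after-hours access"),
]

# Constructed sample interactive logon sessions: (computer, user, start, end).
SESSIONS = [
    ("WS-0042", "jdoe",   "2010-03-02T08:00:00", "2010-03-02T17:00:00"),
    ("WS-0042", "asmith", "2010-04-11T08:30:00", "2010-04-11T17:30:00"),
    ("WS-0017", "bkhan",  "2010-03-05T07:45:00", "2010-03-05T18:00:00"),
    ("WS-0017", "bkhan",  "2010-05-01T08:00:00", "2010-05-01T17:00:00"),
    ("WS-0017", "bkhan",  "2010-05-03T19:00:00", "2010-05-04T02:00:00"),
    # WS-0099 has no logon record covering INC-1004, so attribution must fail loudly.
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def attribute_tickets(tickets=TICKETS, sessions=SESSIONS):
    """Map each ticket to the user whose logon session on that computer
    covers the ticket time. Returns {ticket_id: user or None}."""
    result = {}
    for tid, comp, when, _cat in tickets:
        t = _ts(when)
        user = None
        for s_comp, s_user, start, end in sessions:
            if s_comp == comp and _ts(start) <= t <= _ts(end):
                user = s_user
                break
        result[tid] = user
    return result


def repeat_offenders(tickets=TICKETS, sessions=SESSIONS, window_days=90, threshold=2):
    """Return {user: [ticket ids]} for users with >= threshold attributed
    tickets inside any rolling window of window_days (assumed parameters)."""
    who = attribute_tickets(tickets, sessions)
    by_user = defaultdict(list)
    for tid, _comp, when, _cat in tickets:
        if who[tid] is not None:
            by_user[who[tid]].append((_ts(when), tid))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i in range(len(events)):
            # Count events from i forward that fall inside the window.
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= timedelta(days=window_days):
                j += 1
            if j - i >= threshold:
                flagged[user] = [tid for _, tid in events]
                break
    return flagged


def unattributed(tickets=TICKETS, sessions=SESSIONS):
    """Ticket ids that could not be tied to a user; these need manual review."""
    who = attribute_tickets(tickets, sessions)
    return sorted(tid for tid, u in who.items() if u is None)


if __name__ == "__main__":
    print(attribute_tickets())
    print(repeat_offenders())
    print(unattributed())
```

The two tickets on WS-0042 belong to different users, so counting per computer would have flagged the wrong person, while the three tickets on WS-0017 all resolve to one user and are reported together. INC-1004 has no covering logon record and lands in the manual-review list rather than being silently dropped.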

Area of Concern: Consistency in Response to Security Violations and Concerning Behaviors
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no required training for supervisors on how to respond to a range of behaviors associated with many forms of insider risk. Computer use violations are not
Suggested Countermeasures: Eighty-one of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors prior to or while carrying out their criminal activities. Employees should be

Policy or Practice Gaps (continued): handled consistently across departments, supervisors, and type of employee. Egregious violations are referred to the OSI for a full investigation, but the criterion for deciding when that is warranted is a gut reaction.
Suggested Countermeasures (continued): trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Area of Concern: US Department of State Investigations
Responsible Personnel: Office of Security and Integrity
Policy and/or Security Measure: OSI Investigations have been subject to allegations of violations involving Foreign Service Nationals (FSN), but the OSI relies on the US Department of State to investigate.
Policy or Practice Gaps: USCIS has no visibility into US Department of State investigations.
Suggested Countermeasures: FSNs who have access to USCIS systems and data should be included in an insider threat risk mitigation strategy.

Area of Concern: Preparation for Negative Work-Related Events
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There do not appear to be any guidelines, training, or personnel available to evaluate employee insider risk before or after frequently precipitating events such as termination, demotions, transfers, or other disappointments or unmet expectations. There also does not appear to be a group charged with evaluating insider risk from organizational events or developments affecting groups of employees, such as relocations, contract changes, layoffs, and reorganizations.
Suggested Countermeasures: Fifty-five insiders documented in the CERT Insider Threat Case database had negative employment issues. Ninety-four had a change in employment status prior to their attacks, 20 had compensation or benefit issues, and 65 were disgruntled. Supervisors should be trained in these risk indicators. There should also be an available panel of specialists from the OSI or Labor Employee Relations (LER) trained to assess such risk.

Suggested Countermeasures (continued): Similar specialists should be available to participate in planning and execution of response plans in preparation for negative workplace events that potentially could lead to disgruntlement among the workforce at USCIS.

Area of Concern: Contractor Management
Responsible Personnel: USCIS Leadership, Physical Security, Human Resources
Policy and/or Security Measure: Personnel screening procedures for contractors are similar to those for employees. Contracting companies are required to report any adverse information regarding their employees immediately (in all contracts).
Policy or Practice Gaps: LER has no involvement with contractors. They have no record of contractor misbehaviors or complaints against contractors. Supervisors, the OSI, LER, and others concerned with organizational security may be largely unaware of insider risks related to contractors. Contractors are not subject to government monitoring or risk assessment. A contractor on a critical system may develop or have significant insider risk factors that may remain unknown to government employees due to lack of reporting requirements.
Suggested Countermeasures: Sixty-two of the insiders documented in the CERT Insider Threat Case database were contractors. USCIS contract management staff should consider the need for reporting a range of potential indicators of insider risk among contract staff. Incident response plans should include response to employee and contractor issues.

Area of Concern: Employee or Contractor Concerning Behavior
Responsible Personnel: USCIS Leadership, Human Resources,
Policy and/or Security Measure: By policy it is every employee's responsibility to report suspicious behavior or misconduct. Supervisors
Policy or Practice Gaps: Self-reported drug use, arrests, and associations with foreign nationals during employment are sent to the
Suggested Countermeasures: Supervisors need to be notified immediately when an employee reports drug use, arrests, or

Responsible Personnel (continued): Physical Security, Office of Security and Integrity, Labor Employee Relations
Policy and/or Security Measure (continued): who observe concerning or suspicious behavior report it to LER or the OSI. For low-level misconduct, LER advises the field office management on handling the matter. LER reports more serious misconduct with more severe consequences to HR. Misconduct can also be reported via Significant Incident Reports (SIRs). SIRs are sent to Physical Security or to the OSI for investigation. If CI discovers something suspicious during a reinvestigation, it informs the employee's supervisor. The supervisor works with LER and counsel to decide on follow-up actions.
Policy or Practice Gaps (continued): OSI. The OSI sends results to the supervisor following investigation.
Suggested Countermeasures (continued): association with foreign nationals, so they have an accurate perception of the risk associated with each of their employees. In addition, 18 of the insiders documented in the CERT Insider Threat Case database had possible psychological issues. In collaboration with the OSI and LER, supervisors confronting employees who display concerning behaviors should have the ability to remove them from the workforce pending a medical or psychological evaluation to determine whether they have a disorder or illness that may impair their trustworthiness or judgment or make them a danger to themselves or others. Similarly, empowering supervisors to make an employee assistance program referral and evaluation mandatory, in collaboration with LER or the OSI, might help remove at-risk individuals from the workforce until they can safely and securely return.

Area of Concern: Electronic Investigations
Responsible Personnel: Information Technology, Office of Security and Integrity
Policy and/or Security Measure: Most allegations reported to the OSI are not very technical; the OIT provides forensics support for investigations (primarily database transactions).
Policy or Practice Gaps: PERSEC has never asked the OIT to review a user's online activity. Only one person in OSI is qualified to do a forensic inspection.
Suggested Countermeasures: USCIS should consider including the OIT in investigations of suspicious activity. CERT's insider threat research has shown that nontechnical concerning behaviors can be associated with online criminal activity. It would be beneficial to check for past technical security violations and have the OIT analyze current online activity as part of the OSI investigations.

Appendix F: Software Engineering

Code Reviews, Configuration Management, Logging, Critical Data Controls

Insiders, both employees and contractors, in the cases documented in the CERT database injected code into source code to facilitate fraud and IT sabotage. In most cases the modifications to source code were intended to facilitate fraud, but in a few cases the modifications to source code were intended to sabotage the organization's systems. [...] In one case the code was set to execute following the insider's termination [...] for a year before finally executing. It is important that USCIS recognize the potential illicit activity that could be carried out by software engineers and implement appropriate controls, particularly for the most critical systems and system components. [...]

Area of Concern: Code Reviews
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Contractors are required to maintain a certain level of process maturity (CMMI Level 3) to be in compliance with USCIS policies. Source code is restricted to those with the need to know. Version Manager is used to control and track changes to source code. Separation of duties is implemented in the software release process: CSC checks new source code into Version Manager, a USCIS employee checks out the source code and releases it into production, and the USCIS DBA moves new database objects into the production database.
Policy or Practice Gaps: Another interviewee mentioned that an "Easter egg" was found in source code after the contract was given to a new company.[4]

[4] A virtual Easter egg is an intentional hidden message, joke, or feature in a program, movie, book, etc.

Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: When contractors develop software remotely they are supposed to register code in Version Manager, but this is not always done consistently. Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of the lack of adequate configuration management.
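The Code Reviews row describes the intended separation of duties (CSC checks in, a USCIS employee releases, a DBA moves database objects) and the row above describes how it is bypassed: code released outside Version Manager and outside the change management process. One way to make that control enforceable rather than advisory is a release gate that refuses any artifact not traceable to a reviewed, ticketed commit and that rejects a releaser who is also the author. The block below is an added example written for this page, not code from the report or from USCIS, Version Manager or CSC; the commit records, change tickets and build artifacts are constructed and the field names are assumptions.

```python
"""Gate a production release on change-control evidence: the build must be
traceable to a reviewed commit in version control, the releaser must not be
the author, and an approved change ticket must reference that commit.

Added example, not part of the CERT/SEI report or of any USCIS process; the
report's Version Manager is represented here by a plain dict of commit
records. Assumptions (hypothetical): the release request names the artifact
bytes, the releasing user and the change ticket; all records are constructed.
"""
import hashlib

# Constructed version-control records: commit id -> metadata.
COMMITS = {
    "c1f3a9": {"author": "csc-dev1", "reviewer": "csc-lead", "artifact_sha256": None},
    "9b7e02": {"author": "csc-dev2", "reviewer": None,       "artifact_sha256": None},
}

# Constructed change tickets: ticket -> (state, commit the ticket approves).
CHANGE_TICKETS = {
    "CHG-2010-311": ("approved", "c1f3a9"),
    "CHG-2010-312": ("open",     "9b7e02"),
}

# Constructed build outputs and the commit each was built from.
ARTIFACTS = {
    "c1f3a9": b"release build from c1f3a9",
    "9b7e02": b"hotfix build from 9b7e02",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Register artifact hashes the way a build server would, so a release can be
# matched back to the exact commit that produced it.
for _commit, _blob in ARTIFACTS.items():
    COMMITS[_commit]["artifact_sha256"] = sha256(_blob)


def check_release(artifact, releaser, ticket, commits=COMMITS, tickets=CHANGE_TICKETS):
    """Return (allowed, reasons). Every failed control is reported, not just the first,
    so the reviewer sees the whole picture instead of fixing one finding at a time."""
    reasons = []
    digest = sha256(artifact)
    commit = next((c for c, m in commits.items() if m["artifact_sha256"] == digest), None)
    if commit is None:
        # A build that never went through version control cannot be released at all.
        return False, ["artifact hash not produced from any registered commit"]
    meta = commits[commit]
    if meta["reviewer"] is None:
        reasons.append(f"commit {commit} has no recorded code review")
    if releaser == meta["author"]:
        reasons.append("releaser is the author: separation of duties violated")
    state, approved_commit = tickets.get(ticket, ("missing", None))
    if state != "approved":
        reasons.append(f"change ticket {ticket} is {state}")
    elif approved_commit != commit:
        reasons.append(f"change ticket {ticket} approves {approved_commit}, not {commit}")
    return (not reasons), reasons


if __name__ == "__main__":
    print(check_release(ARTIFACTS["c1f3a9"], "uscis-release", "CHG-2010-311"))
    print(check_release(ARTIFACTS["9b7e02"], "csc-dev2", "CHG-2010-312"))
    print(check_release(b"built on a laptop", "uscis-release", "CHG-2010-311"))
```

The second call is the "contractor hotfix" case from the gap above: unreviewed commit, author releasing his own code, and an unapproved ticket, all reported together. The third call shows a build whose hash matches nothing in version control, which is the case a later investigation of injected code would otherwise have no trail for.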

Area of Concern: Software Engineering Controls in the Service Centers
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Software is being developed in the Service Centers without consistently enforcing the same change management processes enforced at the national (enterprise) level. The centers use a code repository but not Version Manager to track software changes. They do peer reviews of code and believe that enterprise controls for code review are more detailed (although that belief appears to be false according to interviews at headquarters).
Suggested Countermeasures: USCIS should consider consistent policies and procedures for software engineering for the entire enterprise, including the Service Centers.

Area of Concern: Logging
Responsible Personnel: ISSOs,
Suggested Countermeasures: Most insiders documented in the CERT Insider Threat Case database

Responsible Personnel (continued): Data Owners, Information Technology
Policy and/or Security Measure: Logs used include database logs, application logs, system logs, remote access logs, and many others.
Suggested Countermeasures (continued): were detected or identified using some kind of system log.

Area of Concern: Production Data in Development Environment
Responsible Personnel: ISSOs,
Policy and/or Security Measure: Development and production systems should be separate in terms of
Policy or Practice Gaps: In some cases contractors have access to both systems, including production
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database

Responsible Personnel (continued): Data Owners, Information Technology
Policy and/or Security Measure (continued): data sharing and access control.
Policy or Practice Gaps (continued): data in the development environment.
Suggested Countermeasures (continued): stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.
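The countermeasure above, here and in the earlier Production Data Available to Contractors in Development row, offers two options: sanitize or anonymize the data, or apply production-grade controls in development. The following added example (not code from the report or from any USCIS system) shows the first option: keyed pseudonymization that keeps a join key consistent across records so application code still works, generalization of dates of birth, and a gate that refuses to ship an extract still containing anything shaped like an SSN. The records, field names and key are constructed assumptions; a real key would come from a key management system and never be stored with the tooling.

```python
"""Produce a development copy of a production extract with identifying
fields pseudonymized, so developers never see real applicant data.

Added example, not part of the CERT/SEI report or of any USCIS system.
Assumptions (hypothetical): records are dicts with the fields shown; the
key is a placeholder that in practice would come from a KMS/HSM; the sample
records are constructed and fictitious.
"""
import hashlib
import hmac
import re

# Constructed sample production extract (fictitious values). The first and
# third records are the same applicant, to show join keys stay consistent.
PRODUCTION = [
    {"case_id": "A123456789", "ssn": "123-45-6789", "name": "Jane Q. Public",
     "dob": "1975-06-14", "email": "jane@example.org", "status": "pending"},
    {"case_id": "A987654321", "ssn": "987-65-4321", "name": "John Doe",
     "dob": "1982-11-03", "email": "jdoe@example.org", "status": "approved"},
    {"case_id": "A123456789", "ssn": "123-45-6789", "name": "Jane Q. Public",
     "dob": "1975-06-14", "email": "jane@example.org", "status": "approved"},
]

# Fields that identify a person; each class gets a different treatment.
DIRECT_IDENTIFIERS = ("ssn", "name", "email")
QUASI_IDENTIFIERS = ("dob",)


def pseudonym(value, key, field, length=16):
    """Keyed one-way token: HMAC-SHA256 over field:value. The same input maps to
    the same token, so joins between tables still work; without the key a
    developer cannot recompute the token from a guessed SSN and match it."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return mac[:length]


def generalize_dob(dob):
    """Keep only the year: enough for age logic in tests, useless for re-identification."""
    return dob[:4] + "-01-01"


def sanitize_record(rec, key):
    out = dict(rec)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonym(out[field], key, field)
    for field in QUASI_IDENTIFIERS:
        if field in out:
            out[field] = generalize_dob(out[field])
    # case_id is a join key: pseudonymize it but keep the A-number shape so
    # application code that validates the format still runs against dev data.
    token = int(pseudonym(out["case_id"], key, "case_id"), 16) % 10**9
    out["case_id"] = "A" + str(token).zfill(9)
    return out


def sanitize_extract(records, key):
    return [sanitize_record(r, key) for r in records]


SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def leaks_ssn(records):
    """Release gate: refuse to ship the extract if any field still looks like an SSN."""
    return any(SSN_RE.search(str(v)) for r in records for v in r.values())


if __name__ == "__main__":
    key = b"placeholder-dev-pseudonymization-key"  # assumption: real key from KMS
    dev = sanitize_extract(PRODUCTION, key)
    for r in dev:
        print(r)
    print("dev extract leaks SSN:", leaks_ssn(dev), "| production leaks SSN:", leaks_ssn(PRODUCTION))
```

The status field is deliberately left alone: the point is to remove identity, not business state, so the development copy still exercises the same code paths as production. Rotating the key produces an unrelated set of tokens, which is the property that makes a stolen development extract worthless on its own.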


Appendix G: Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems or networks.

In some areas computer accounts are managed fairly well at USCIS. USCIS is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account. Furthermore, an FSN account and a US citizen federal employee account cannot be distinguished once it is created. Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Protection (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore, USCIS has no visibility into who has access to its systems. Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR. Dormant accounts provide a convenient, unknown access path for current and former employees to use for illicit activity. A lack of consistency exists in the application of account management practices under the control of USCIS. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.

Area of Concern: Account Establishment
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: In order for FSNs to gain access to USCIS systems, they must submit paperwork through proper channels, which eventually requires authorization by the CSO and CIO of DHS.
Policy or Practice Gaps: Prior to 2007, waiver paperwork for FSNs requesting account access was not submitted consistently. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.
Suggested Countermeasures: USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Different personnel are responsible for account creation and deletion across the entire enterprise, depending on the system or network in
Policy or Practice Gaps: Database administrators may be able to create and delete database and application accounts without a second person verifying that action.
Suggested Countermeasures: Because database administrators have access to such critical data, USCIS should consider separating the task of authorizing access to

Policy and/or Security Measure (continued): question.
Suggested Countermeasures (continued): USCIS databases from the task of managing the data in the databases. This separation of duties may reduce the risk of a database administrator creating an unauthorized account and using that account to carry out a malicious act.

USC

ISL

eade

rshi

p In

form

atio

nTe

chno

logy

Ac

ompu

ter

acco

unti

ses

tabl

ishe

don

lya

fter

an

umbe

rof

cri

teri

aha

ve

been

met

inc

ludi

ngs

ecur

itya

war

ene

sstr

aini

ng

Ina

dditi

onto

the

step

sre

quire

dof

al

lper

sonn

elfo

rac

coun

tacc

ess

co

ntra

ctor

sha

veto

go

thro

ugh

extr

ast

eps

som

eof

whi

chin

clud

eve

rifi

catio

nby

the

COTR

Com

pute

racc

ount

acc

ess

iss

ome

times

gra

nted

bef

ore

secu

rity

aw

are

ness

trai

ning

isc

ompl

eted

Th

isp

rac

tice

may

be

true

esp

ecia

llyfo

rco

ntra

ctor

ss

ince

the

onb

oard

ing

proc

ess

depe

nds

onth

eco

ntra

ctin

gag

ency

and

the

COTR

tov

erify

that

th

etr

aini

ngis

com

plet

ed

USC

ISs

houl

dco

nsid

err

equi

ring

co

mpu

ter

secu

rity

aw

aren

ess

trai

ning

for

allp

erso

nnel

ndashfu

lltim

eem

ploy

ees

par

ttim

eem

pl

oyee

sa

ndc

ontr

acto

rsndash

and

ve

rify

that

itis

com

plet

ebe

fore

cr

eatin

gan

ysy

stem

acc

ount

sfo

rth

ese

pers

onne

l

Area of Concern: Account Management – General

Responsible Personnel: Information Technology
Policy and/or Security Measure: PICS is administered by ICE, which has over 2,000 LPOs across various components of DHS. These LPOs are responsible for granting authorized access to PICS for the personnel at their respective work sites. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system.
Policy or Practice Gaps: Although the PICS account process requires the account to be linked to a valid employee, PICS administrators could create unauthorized accounts in the name of valid employees without their knowledge. Invalid accounts are typically flagged only when the account is dormant for a certain period of time. An LPO can also assign rights for any system controlled by PICS. Furthermore, ICE administers this system and could affect USCIS records unbeknownst to USCIS.
Suggested Countermeasures: In 12 of the cases documented in the CERT Insider Threat Case database, insufficient account management enabled the insiders to commit their crimes. USCIS should consider conducting account audits at the local site level, which would allow the validation of current PICS accounts and roles versus current PICS employee lists. USCIS should explore a means of segregating account management in PICS so that LPOs can administer accounts only for their own organization's systems. In other words, USCIS LPOs would only be able to administer authorizations for USCIS systems in PICS, and ICE LPOs would only be able to administer authorizations for ICE systems.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Account management is handled by a number of different groups across USCIS. Although there is an effort to centralize account management, local and regional offices of USCIS have historically done their own account management. If an account has not been used for a certain period of time, it is automatically disabled. The time periods stated by various interviewees varied from 30, 60, or 90 days. When an employee moves from one position to another or transfers to another department, the management in those departments must initiate the required computer account changes.
Policy or Practice Gaps: The issue of account management for employee transfers is not being addressed in a consistent manner. The OIT relies on notification by either the new or old supervisor when an employee transfers, but there have been cases in USCIS in which employees have retained access when they should not have.
Suggested Countermeasures: Six insiders documented in the CERT Insider Threat Case database were able to carry out their illegal activities because of "privilege creep". USCIS should review account management procedures to ensure that the steps currently taken to remove or alter account access are complete and being consistently followed. In particular, the procedures used when someone changes locations or departments within USCIS should be examined. As employees transfer throughout an agency, they should not be accumulating privileges. They should only retain privileges commensurate with their job responsibilities.

Area of Concern: Changing Password of Shared Account Upon Termination

Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: There are operating system images used throughout USCIS that permit an administrator to install a standard configuration of an operating system and accompanying software.
Policy or Practice Gaps: Though it would require physical access to a USCIS machine, that former administrator would have administrator rights to GFE.
Suggested Countermeasures: Twelve percent (46) of the insiders documented in the CERT Insider Threat Case database used system administrator privileges to sabotage systems or data. Shared accounts were used by insiders following termination in 14 cases. Although an administrator would need physical access to a piece of equipment, the lack of consistency and awareness of the standard procedures may permit the account of an insider to be used following termination.

Area of Concern: Disabling Accounts or Connections Upon Employee Termination

Responsible Personnel: USCIS Leadership; Information Technology; Human Resources
Policy and/or Security Measure: The OIT typically is notified of an account termination in one of three ways: 1) A standard form called an exit clearance form is distributed and signed by other parties such as Human Resources and the Office of Security and Integrity (OSI). This form lets the OIT know that an employee's accounts should be disabled or terminated. 2) The supervisor of the departing employee contacts the OIT directly and informs them of the employee's departure. 3) When a contractor is involved, it is the responsibility of the COTR to inform the OIT. The OIT receives an "attrition list" every 2 weeks. When this list is received, a manual check is done to ensure that employees who have departed in the last 2 weeks have their account access deleted. Because this is a manual process, there is currently no automatic way to ensure that it happens.
Policy or Practice Gaps: It is clear from interviews with USCIS personnel that a single process is neither understood nor followed for disabling accounts following an employee or contractor termination. The procedures used are not consistent between supervisors or field offices and for federal employees versus contractors. Sometimes the exit clearance form makes it to the OIT and sometimes it does not. The OIT's task is made even more difficult by the fact that it would need to know exactly which accounts an individual has access to. Though this process is fairly effective, it potentially allows unauthorized access for 2 weeks following termination. USCIS personnel cited an instance in which these procedures failed for an employee who was terminated as a contractor and later hired as a federal employee.
Suggested Countermeasures: Terminating accounts even 2 weeks following termination may not be enough to prevent unauthorized or criminal activity. As soon as HR is aware of the change, a more automated mechanism of deleting these accounts should be implemented.

Responsible Personnel: Information Technology
Policy and/or Security Measure: LPOs work in their respective regions or offices and are decentralized by nature. The policies and procedures followed often depend on how things have been done historically in that particular office.
Policy or Practice Gaps: Because account authorization procedures are not standardized throughout all organizations using the PICS, LPOs across the entire USCIS enterprise have not been consistent in how they have handled account deletion following employee termination.
Suggested Countermeasures: USCIS should continue its efforts to centralize or reduce the number of LPOs in order for standard procedures to be followed. If this cannot be accomplished, standard procedures should be published, instructed, and consistently enforced.

Area of Concern: Disabling Accounts or Connections During Employee Leave of Absences

Responsible Personnel: Information Technology; Human Resources
Policy and/or Security Measure: There is no official guidance or practice in the proper way to suspend access for an employee on a leave of absence.
Policy or Practice Gaps: In one case provided by USCIS, an employee retained access to critical systems even after being placed on an administrative leave of absence.
Suggested Countermeasures: A few insiders documented in the CERT Insider Threat Case database retained access to organization systems while on a leave of absence and used that access to steal information or commit fraud. USCIS should implement a policy to outline exactly what should be done when a government employee or contractor goes on a leave of absence, considering the risks versus benefits of allowing system access.
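The account management, termination and leave-of-absence rows above describe checks that are manual at USCIS today: reconciling accounts against the attrition list, disabling dormant accounts after 30, 60 or 90 days, and removing access on transfer or leave. As an added example, not code from the report or from USCIS, the following reconciles a set of accounts against an HR roster and emits one finding per gap; the record layouts, role baseline and the 14-day grace period are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Every record below is constructed sample data, not USCIS data.

@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                   # "active", "terminated" or "on_leave"
    department: str
    status_date: Optional[date]   # termination date or first day of leave

@dataclass(frozen=True)
class Account:
    username: str
    system: str
    emp_id: Optional[str]         # None when no HR record is linked
    enabled: bool
    last_login: Optional[date]
    roles: frozenset

@dataclass(frozen=True)
class Finding:
    username: str
    issue: str
    detail: str

# Assumed (hypothetical) baseline of roles each department legitimately needs.
ROLE_BASELINE = {
    "adjudications": frozenset({"claims3_user", "nfts_user"}),
    "oit": frozenset({"claims3_user", "claims3_admin", "pics_lpo"}),
}

def audit_accounts(accounts, employees, today, dormant_days=30, grace_days=0):
    """Reconcile enabled accounts against the HR roster and return findings.

    Issue codes: unaccounted, post_termination_login, terminated_active
    (enabled past grace_days after termination), leave_active, dormant
    (unused for more than dormant_days) and privilege_creep (roles beyond
    the current department's baseline).
    """
    roster = {e.emp_id: e for e in employees}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled accounts are out of scope
        emp = roster.get(acct.emp_id) if acct.emp_id else None
        if emp is None:
            findings.append(Finding(acct.username, "unaccounted",
                                    "no HR record linked to this account"))
            continue
        if emp.status == "terminated":
            if acct.last_login and acct.last_login > emp.status_date:
                findings.append(Finding(acct.username, "post_termination_login",
                                        f"login {acct.last_login} after {emp.status_date}"))
            if today > emp.status_date + timedelta(days=grace_days):
                findings.append(Finding(acct.username, "terminated_active",
                                        f"terminated {emp.status_date}, still enabled"))
        elif emp.status == "on_leave":
            findings.append(Finding(acct.username, "leave_active",
                                    f"on leave since {emp.status_date}"))
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.username, "dormant",
                                    f"last login {acct.last_login}"))
        excess = acct.roles - ROLE_BASELINE.get(emp.department, frozenset())
        if excess:
            findings.append(Finding(acct.username, "privilege_creep",
                                    f"beyond {emp.department} baseline: {sorted(excess)}"))
    return findings

TODAY = date(2010, 11, 1)   # constructed reference date

SAMPLE_EMPLOYEES = [
    Employee("E1", "active", "adjudications", None),
    Employee("E2", "terminated", "adjudications", date(2010, 10, 25)),
    Employee("E3", "on_leave", "oit", date(2010, 10, 20)),
    Employee("E4", "active", "adjudications", None),   # transferred in from OIT
    Employee("E5", "active", "adjudications", None),
]

SAMPLE_ACCOUNTS = [
    Account("jdoe", "CLAIMS 3", "E1", True, date(2010, 10, 30), frozenset({"claims3_user"})),
    Account("rroe", "CLAIMS 3", "E2", True, date(2010, 10, 26), frozenset({"claims3_user"})),
    Account("mmoe", "PICS", "E3", True, date(2010, 10, 19), frozenset({"pics_lpo"})),
    Account("tpoe", "CLAIMS 3", "E4", True, date(2010, 10, 31),
            frozenset({"claims3_user", "claims3_admin"})),   # admin role kept after transfer
    Account("kkoe", "NFTS", "E5", True, date(2010, 8, 1), frozenset({"nfts_user"})),
    Account("svc9", "PICS", None, True, date(2010, 6, 1), frozenset({"pics_lpo"})),
    Account("old1", "PICS", "E1", False, None, frozenset()),   # disabled: out of scope
]

def run_sample(grace_days=14):
    """Audit the sample; grace_days=14 mirrors the two-week attrition-list cycle."""
    return audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_EMPLOYEES, TODAY,
                          dormant_days=30, grace_days=grace_days)

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.username:6} {f.issue:22} {f.detail}")
```

With the two-week grace period the terminated employee's account is not yet reported as stale, but the login dated after the termination still surfaces, which is the point of the countermeasure that calls for an automated mechanism as soon as HR knows of the change.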

Area of Concern: Sharing Account and Password Information

Responsible Personnel: Information Technology
Policy or Practice Gaps: Although concern has been expressed about the existence of these accounts, the business justification has taken precedence over the risk being assumed.
Suggested Countermeasures: Access to these accounts should be carefully documented and tracked so that credentials can be changed if someone in that restricted group no longer warrants access.

Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure that network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors have not been through the rigorous pre-employment screening required of USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems, and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Area of Concern: Access Control – Foreign Service Nationals

Responsible Personnel: Information Technology; Human Resources; Office of Security and Integrity
Policy and/or Security Measure: Currently, a Foreign Service National (FSN) requiring access to USCIS systems submits paperwork, including a waiver, through the USCIS director and the CIO and CSO of DHS.
Policy or Practice Gaps: Although the assessment team was able to get limited visibility into this practice, it seems to be aligned with the policy. If true, it has given USCIS and DHS better visibility into this activity.
Suggested Countermeasures: The practice should be continued and expanded as needed to inform all relevant USCIS personnel.

Responsible Personnel: Information Technology; Human Resources; Personnel Security; Office of Security and Integrity
Policy and/or Security Measure: When FSNs require access to USCIS systems in embassies and consulates abroad, they are vetted by the US Department of State.
Policy or Practice Gaps: Because the US Department of State is performing the vetting process, USCIS has very little control or visibility into the process for granting FSNs access to USCIS systems and networks. Interviewees stated that in some cases FSNs have administrative control over some systems and that in other cases they are serving as information system security officers (ISSOs).
Suggested Countermeasures: USCIS should gain a better understanding of the US Department of State's vetting process and clarify its own requirements for granting and tracking access for FSNs to USCIS systems. If continued access is required, the procedures to document and control that access should be negotiated with the US Department of State and consistently enforced.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Once a traditional user account is created, there is little to no way to distinguish an FSN account from one belonging to a US citizen.
Policy or Practice Gaps: Because an FSN account is not distinguishable from other accounts, it would be extremely difficult to associate specific online activities with accounts belonging to FSNs. Email addresses appear the same, and violation activities would not easily be attributed to an FSN.
Suggested Countermeasures: USCIS should consider whether or not it wants the ability to distinguish what online activities and accesses FSNs are engaging in. If so, it should incorporate those steps into the procedures mentioned above.

Responsible Personnel: Information Technology
Policy and/or Security Measure: DHS is in the process of building a secure intranet called OneNet, which will better enable information sharing among DHS components. This project will be enabled by interconnection agreements between segments.
Policy or Practice Gaps: Once the appropriate interconnection agreements are in place, it will be harder to restrict access for FSNs to specific systems (e.g., SharePoint).
Suggested Countermeasures: USCIS should make a determination about whether or not FSN access should be any different from other similar accounts of US citizens. If the lack of restrictions is unacceptable, that issue should be brought to DHS personnel responsible for implementing the OneNet solution.

Area of Concern: Access Controls

Policy and/or Security Measure: There are business processes and resources (e.g., PICS, CLAIMS 3, and CLAIMS 4) that are shared with ICE. This partnership is an artifact of the past and current relationships between departments within DHS.
Policy or Practice Gaps: For these shared resources to function properly, they require careful coordination, which does not take place in all cases. For example, USCIS does not receive a copy of the formal access request submitted to ICE for an ICE employee to access a USCIS system.
Suggested Countermeasures: USCIS should carefully document what access is being granted to any parties external to USCIS. If additional coordination is required, it should be done with the relevant departments of DHS.

Policy and/or Security Measure: For certain information systems, local and remote logins are not permitted between the hours of 11:30 p.m. and 6:00 a.m.
Policy or Practice Gaps: This practice closely adheres to the policy for specific systems.
Suggested Countermeasures: Enforcing a mandatory access period may help ensure that a malicious insider is not using systems when supervision is lessened. Eight percent (29) of the insiders documented in the CERT Insider Threat Case database used access outside of normal working hours to carry out their illicit activities.

Policy and/or Security Measure: When an employee attempts to log in to a restricted system during off-peak hours, an automatic email notice is sent by the OIT to persons in the employee's management chain of command.
Policy or Practice Gaps: This practice is not consistent across all systems and is not part of other incident response procedures.
Suggested Countermeasures: USCIS should consider implementing this practice into the larger system of incident response to include correlation with other events and over a period of time.
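The two rows above describe a restricted-hours rule (no logins between 11:30 p.m. and 6:00 a.m.) and a per-attempt email notice that is not correlated with other events or over time. As an added example, not code from the report or from the OIT, the following flags off-hours attempts against restricted systems in constructed log lines, keeps the one-notice-per-attempt behaviour, and escalates a user when attempts repeat across a window or a success follows a burst of failures; the log format, system names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample authentication log (not real USCIS data). Assumed format:
#   <ISO timestamp> <system> user=<id> result=<success|failure>
SAMPLE_LOG = """\
2010-10-04T23:41:10 CLAIMS3 user=u1001 result=success
2010-10-05T09:02:44 CLAIMS3 user=u1001 result=success
2010-10-11T00:15:02 CLAIMS3 user=u1001 result=success
2010-10-18T02:30:59 NFTS user=u1001 result=success
2010-10-19T03:10:00 CLAIMS3 user=u1002 result=failure
2010-10-19T03:10:40 CLAIMS3 user=u1002 result=failure
2010-10-19T03:11:15 CLAIMS3 user=u1002 result=success
2010-10-20T12:00:00 HELPDESK user=u1003 result=success
2010-10-21T05:59:59 HELPDESK user=u1003 result=success
"""

# Assumed set of systems that fall under the 11:30 p.m. to 6:00 a.m. restriction.
RESTRICTED_SYSTEMS = {"CLAIMS3", "NFTS"}
WINDOW_START = time(23, 30)
WINDOW_END = time(6, 0)

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) result=(success|failure)$")


def parse_log(text):
    """Parse lines into (timestamp, system, user, result); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, system, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), system, user, result))
    return events


def is_off_hours(ts):
    """True when the clock time lies inside the restricted window, which wraps midnight."""
    t = ts.time()
    return t >= WINDOW_START or t < WINDOW_END


def analyze(text, window_days=30, repeat_threshold=3, failure_burst=2, burst_minutes=10):
    """Per-user summary of off-hours attempts against restricted systems.

    notices      - one per off-hours attempt, mirroring the existing email notice
    escalations  - 'repeated_off_hours' when repeat_threshold successful off-hours
                   logins fall inside window_days; 'failures_then_success' when a
                   success follows at least failure_burst failures within burst_minutes
    """
    by_user = defaultdict(list)
    for ev in parse_log(text):
        if ev[1] in RESTRICTED_SYSTEMS and is_off_hours(ev[0]):
            by_user[ev[2]].append(ev)

    report = {}
    for user, evs in by_user.items():
        evs.sort()
        escalations = []
        successes = [ev[0] for ev in evs if ev[3] == "success"]
        window = timedelta(days=window_days)
        for i, ts in enumerate(successes):
            recent = [s for s in successes[: i + 1] if ts - s <= window]
            if len(recent) >= repeat_threshold:
                escalations.append("repeated_off_hours")
                break
        burst = timedelta(minutes=burst_minutes)
        for i, ev in enumerate(evs):
            if ev[3] != "success":
                continue
            prior_failures = [p for p in evs[:i]
                              if p[3] == "failure" and ev[0] - p[0] <= burst]
            if len(prior_failures) >= failure_burst:
                escalations.append("failures_then_success")
                break
        report[user] = {"notices": len(evs), "escalations": escalations}
    return report


if __name__ == "__main__":
    for user, summary in analyze(SAMPLE_LOG).items():
        print(user, summary)
```

The helpdesk user's 05:59:59 login produces nothing because that system is not on the restricted list, which is the kind of per-system inconsistency the gap column notes.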

Area of Concern: Access Privileges – General

Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: At the Vermont Service Center, OIT staff are the only ones present late at night. As part of their duties, they also have electronic access to the CLAIMS 3 information system.
Policy or Practice Gaps: As a function of the electronic access and the physical layout of the Service Center, OIT personnel have access to CLAIMS 3 as well as the physical files in the building.
Suggested Countermeasures: USCIS should consider the minimum level of access (least privilege) needed for all personnel to accomplish their job duties. Thirteen percent (49) of the insiders documented in the CERT Insider Threat Case database violated a need to know in order to perpetrate their crimes, including stealing PII and proprietary information. In addition, several insiders committed their crimes while working on the night shift, where they enjoyed a reduced level of scrutiny. Unrestricted electronic and physical access to such high-risk data and systems outside of normal working hours presents a high degree of risk to USCIS.

Area of Concern: Access Privileges – System Administrator

Responsible Personnel: Information Technology; Office of Security and Integrity
Policy and/or Security Measure: The US Department of State Consular Affairs network grants access to FSNs working in embassies and consulates, and it connects to USCIS systems.
Policy or Practice Gaps: According to one interviewee, some FSNs on the Consular Affairs network are suspected to be working for arms of foreign intelligence or security agencies. USCIS has used technical methods (e.g., firewalls) to ensure that USCIS systems are protected from any interconnections with the US Department of State's networks.
Suggested Countermeasures: Since USCIS cannot determine what access the US Department of State grants to FSNs on its systems, USCIS should continue to use technical measures to prevent unauthorized access while working with counterintelligence personnel to deal with suspected foreign agents working around US government facilities.

Policy and/or Security Measure: There is a single person who has the knowledge of and responsibility for administering the voicemail systems for USCIS.
Policy or Practice Gaps: This single point of failure makes it difficult to recover from a malicious act on this particular system.
Suggested Countermeasures: A few insiders in the cases analyzed by CERT used their unrevoked access to the organization's phone system to harm the organization. In one case the entire customer service voicemail system was redirected to a pornographic phone site. In another, derogatory comments about the organization were recorded and played for every voice mailbox. USCIS should place additional staff in the role of administrators for the USCIS voicemail system. This would allow USCIS to implement some form of separation of duties or, at the very least, minimal checks and balances to prevent tampering with the voicemail system. USCIS should ensure that it manages accounts and passwords for internal systems such as voicemail as well as external accounts. One insider documented in the CERT Insider Threat Case database changed the domain name system registry for his organization's website so that visitors were sent to a pornographic website. These types of accounts are used very infrequently and are often not included in formal termination procedures.

Area of Concern: Management of Remote Access

Responsible Personnel: Information Technology; Security Network Operations Center
Policy and/or Security Measure: Port security would prevent a user from connecting a personal machine directly to a USCIS network. This security mechanism is handled by the SNOC. Remote access, on the other hand, is handled by DHS. USCIS has access to very limited information, including logs for remote connections, because of contract stipulations with Sprint. The assessment team received conflicting opinions about whether a personal machine could be connected with a remote account.
Policy or Practice Gaps: Although connecting a personal laptop to a USCIS network via a remote connection may or may not be blocked, the SNOC was not confident it would be blocked because it does not control that access. It is possible that a user could connect with a personal machine if DHS allowed it.
Suggested Countermeasures: USCIS should coordinate with DHS personnel to ensure that desired USCIS security policies are enforced for personnel accessing USCIS systems and data. Seven percent (26) of the insiders documented in the CERT Insider Threat Case database were able to attack in part because of insufficient monitoring of external access.

Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: The contractors responsible for VIS have implemented a strict access control solution with Firepass, and it appears to accomplish its goal of ensuring that only the proper personnel are granted access and that they perform authorized actions once they are connected.
Policy or Practice Gaps: Unfortunately, they are the only contractors and system using Firepass, and it will not be used once the move is made to Stennis Space Center. They are unsure of what controls will be used at Stennis.
Suggested Countermeasures: Implementing a Firepass solution for all USCIS systems might not be cost effective. USCIS management should at least examine the risk posed to the most critical systems and implement a Firepass-like solution for those that require remote access. As stated above, one in ten insiders documented in the CERT Insider Threat Case database used the creation of unknown paths into organization systems; proper measures might have prevented many of those instances.

Area of Concern: Non-System Administrators With Authorized Access to Administrator Accounts

Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: According to one interviewee, FSNs are system administrators on some US Department of State systems in embassies or consulates abroad. The US Department of State has authorized access for some FSNs to some USCIS systems needed for the performance of their duties.
Policy or Practice Gaps: An FSN who is a system administrator for US Department of State systems does not necessarily have administrator rights on USCIS systems. One interviewee expressed concern, however, that an administrator who is a citizen of a foreign country could escalate privileges or use social engineering tactics to gain unauthorized access to USCIS systems.
Suggested Countermeasures: Ten percent (39) of insiders documented in the CERT Insider Threat Case database took advantage of insufficient access controls to conduct their crimes. USCIS should examine USCIS system access for US Department of State system administrators as well as how those connections are monitored or logged. They should also work with the US Department of State to understand its processes for granting FSNs access to US Department of State systems.

Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: There are currently no limits on which A-files an adjudicator can request in the National File Tracking System (NFTS).
Policy or Practice Gaps: The lack of limits placed on requesting A-files in NFTS may allow adjudicators to request a file by name even if they should not be accessing that file.
Suggested Countermeasures: There should be logical controls to detect "extraordinary" or suspicious file transfer requests. In one USCIS case the insider requested a file transfer to a region for an individual whose files were in another region and whose forms had been previously denied.

cri

tilt

om

itiga

ting

the

insi

der

rsc

arri

edo

uta

nat

tack

ta

nce

mal

icio

usin

side

rsu

sed

uste

nsur

end

enf

orce

cn

have

dev

eff

ects

on

ano

ras

tatin

gta

r

nom

alou

sin

crea

sein

net

ay

Sugg

este

dCo

unte

rmea

sure

s

ca sn

toc

ompe

titor

sor

con

spir

ator

sO

rgan

izat

ions

mth

ate

mpl

oyee

sr

esou

rces

inc

ludi

ngin

form

atio

nas

sets

aom

plia

nce

sen

sitiv

ebu

tunc

lass

ified

or

prop

rie

y)is

cri

tical

tom

itiga

ting

an

am

onito

ring

net

wor

ktr

affic

mh

elp

prot

ectc

ontr

olle

d

side

unc

lass

ified

or

prop

riet

ary)

isea

led

circ

umst

ance

sin

whi

chin

tern

ales

In

som

ein

ss

tora

ged

evic

tion

mal

icio

usin

side

rsc

ab

y

mou

nts

ofd

ata

dow

nloa

ded

orou

ghT

h

Polic

yor

Pra

ctic

eG

aps

a re

ono

fCon

trol

led

Info

rmat

ion

ntro

lled

info

rmat

ion

(ie

inf

orm

atio

nth

atis

cla

ssifi

eds

ensi

tive

but

CER

Tr

thre

atr

isk

too

rgan

izat

ions

A

var

iety

ofi

nsid

erth

reat

cas

ess

tudi

edb

yev

thro

ugh

thd

ownl

oad

ofin

form

atio

nto

por

tabl

em

edia

or

exe

unau

thor

ized

ptt

acks

or

toc

omm

unic

ate

sens

itive

info

rmat

ioun

ders

tan

tcon

stitu

tes

acce

ptab

leu

seo

fcom

pany

dpo

licie

sre

gard

ing

wha

thro

ugh

teed

info

rma

chni

calm

eans

Th

eun

auth

oriz

ede

xfilt

ratio

nof

con

trol

l(i

ei

nfor

mat

ion

that

isc

lass

ifie

gani

zatio

nP

rote

ctin

gco

ntro

lled

info

rmat

ion

dth

reat

ris

kto

org

aniz

atio

ns

impl

emen

ted

netw

ork

mon

itori

ngs

trat

egie

sth

atw

ould

det

ectl

arge

wor

ktr

affi

by

tota

lvol

ume

orty

peo

ftra

ffic

(eg

by

ce

ither

por

tor

prot

ocol

)n

Polic

yan

dor

Sec

urit

yM

easu

Resp

onsi

ble

Pers

onne

lIn

form

atio

nTe

chno

logy

ncer

nlo

adto

Prot

ecti

Prot

ectin

gco

emai

lto

lan

thei

ra

the

insi

der

USC

ISh

as

info

rmat

io

Are

aof

Co

Dat

aD

own

Med

ia

CERT | SOFTWARE ENGINEERING INSTITUTE | 92

sure

s

po

1

pria

yte

lld

be

func

he

T ed

s

ecu

itted

em

os

ogs

el

vity

by

org

za

ani

ot

sbe

nter

mea

side

rtw

o

hori

zed

inap

pro

uev

ices

co

bite

dfr

omsy

stem

s

bit

epr

ohi fa

hec

ont

oc

gn

are

per

m hus

eso

fta

ndth

cti

ciou

sa

ngth

es

her

exhi

bitin

glm

alic

iou

Cou

uld

con

ora

ut ed

thes

ed

pro

hi SSC

Iy

ar

rity

aw

aren

ess

ampa

i

evic

es lb

elo

gged

uspi

ted

for

ss

leav

i

ntia

te

Sugg

este

d

Ss

o

ptf

1)E

xce

ces

that

ar

ete

chni

cally

Ung

in

that

the

shou

nte

ldb

et

2)If

USB

dfo

ru

nal

set

held

empl

oyee pl

tion

em

oyee

sign

sof

po c

ore

t

USC

Ih

tions

stan

trac

k

tioni

fact

shou

audi

havi

ns

ider

un

t

of

wor

k

ssed

de

s

onvi

ctio ns

tne

i eng

tel

He

acce

rder

to

Prac

tice

Gap

mth

eU

SCIS

CTa

skF

orc

sho

wed

tha

oe d

ant

pe

rfor

me

sig

nific

aam

oof

ficia

lbus

ines

sin

clud

ill

apto

p

sona

mai

lin

ond

e

Polic

yor

Ac

ase

fro

onh

isp

ersy

stem

sa

sure

pmen

tSC

IS

gov

(G

FE)

orS

ecur

ity

Mea

per

aga

inst

usi

ng

son

ompu

ter

equi

cial

dut

ies

for

Ub

edo

new

ithm

entf

urni

shed

ent

ern

quip

me

Polic

yan

d

Ther

eis

ap

olic

yd

cal

lyo

wne

top

erfo

rmo

ffi

Tele

wor

ksh

ould

on

ly

nel

ble

Pers

on

Resp

onsi

o

ern

Are

aof

Con

c dt

Dat

aD

ownl

oaor

Fro

mH

ome

CERT | SOFTWARE ENGINEERING INSTITUTE | 93

Are

aof

Con

cern

Re

spon

sibl

ePe

rson

nel

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sve

lop

asy

stem

that

he

was

rew

arde

d

fo

rpr

oduc

ing

The

rea

ren

ote

chni

cal

co

ntro

lsto

cat

chth

isa

ctiv

ityu

nles

s

the

devi

ceis

phy

sica

llyp

lugg

edin

to

the

netw

ork

Prot

ecti

ngC

riti

cal

Info

rmat

ion

Tech

nolo

gy

The

SNO

Cre

spon

dsto

spi

llso

fPII

USC

ISr

espo

nds

toP

IIsp

illag

es

Fi

les

whi

cho

ccur

on

aw

eekl

yba

sis

The

ofte

nen

ough

that

its

staf

fis

wel

l

info

rmat

ion

abou

tthe

inci

dent

is

ve

rsed

inr

espo

nse

proc

edur

es

tran

sfer

red

from

the

data

ow

ner

U

nfor

tuna

tely

the

freq

uenc

yto

w

hob

ecom

esa

war

eof

the

spill

to

w

hich

inci

dent

soc

cur

and

the

the

OSI

whi

chc

reat

esa

Ser

ious

In

re

spon

sep

roce

dure

sin

pla

ced

o

cide

ntR

epor

t(SI

R)th

atit

forw

ards

nots

eem

tor

educ

eth

enu

mbe

rto

the

Priv

acy

Off

icer

and

fina

llyto

Th

ere

spon

see

ffor

tto

aPI

Ispi

llage

of

inci

dent

sor

pro

vide

aut

oth

eSN

OC

in

volv

esm

any

part

ies

and

appe

ars

to

mat

edd

etec

tion

whe

nsp

illag

ebe

ac

ompl

icat

edp

roce

ssfo

ran

eve

nt

occu

rs

that

hap

pens

on

aw

eekl

yba

sis

Thou

ghth

ese

spill

ages

are

acc

iden

tal

even

ts

CERT | SOFTWARE ENGINEERING INSTITUTE | 94

Sugg

este

dCo

unte

rmea

sure

s

U

SCIS

sho

uld

cont

inue

this

pra

ctic

eas

par

tofi

tsin

cide

ntr

esp

onse

pro

cedu

res

Inc

orpo

rat

ing

ana

ppro

pria

tele

velo

fm

onito

ring

wou

lda

lso

bea

pru

de

ntm

easu

re

Polic

yor

Pra

ctic

eG

aps

This

pra

ctic

eap

pear

sto

be

done

con

si

sten

tly

Polic

yan

dor

Sec

urit

yM

easu

re

Acc

ess

ton

etw

ork

reso

urce

sis

ter

min

ated

imm

edia

tely

whe

na

spill

or

mis

cond

ucti

ssu

spec

ted

Resp

onsi

ble

Pers

onne

l

Info

rmat

ion

Tech

nolo

gy

Are

aof

Con

cern

Aud

it

Mon

itor

B

acku

p

Reco

very

Insi

der

thre

atr

esea

rch

cond

ucte

dby

CER

Tha

ssh

own

that

logg

ing

mon

itori

nga

nda

uditi

nge

mpl

oyee

onl

ine

actio

nsc

anp

rovi

dea

nor

gani

za

tion

the

oppo

rtun

ityto

dis

cove

ran

din

vest

igat

esu

spic

ious

insi

der

activ

ityb

efor

em

ore

seri

ous

cons

eque

nces

ens

ue

Org

aniz

atio

nss

houl

dle

ver

age

auto

mat

edp

roce

sses

and

tool

sw

hene

ver

poss

ible

M

oreo

ver

net

wor

kau

ditin

gsh

ould

be

ongo

ing

and

cond

ucte

dra

ndom

lya

nde

m

ploy

ees

shou

ldb

eaw

are

that

cer

tain

act

iviti

esa

rer

egul

arly

mon

itore

dT

his

empl

oyee

aw

aren

ess

can

pote

ntia

llys

erve

as

ade

terr

entt

oin

side

rth

reat

s

Prev

entin

gin

side

rat

tack

sis

the

first

line

ofd

efen

se

Non

ethe

less

eff

ectiv

eba

ckup

and

rec

over

ypr

oces

ses

need

tob

ein

pla

cea

ndo

pera

tion

ally

eff

ectiv

eso

that

ifa

co m

prom

ise

occu

rsb

usin

ess

oper

atio

nsc

anb

esu

stai

ned

with

min

imal

inte

rrup

tion

In

one

case

doc

umen

ted

inth

eCE

RTIn

side

rTh

reat

Cas

eda

taba

sea

nin

side

rw

asa

ble

tom

agni

fyth

eim

pact

ofh

isa

ttac

kby

acc

essi

nga

ndd

estr

oyin

gba

ckup

med

ia

Org

aniz

a

CERT | SOFTWARE ENGINEERING INSTITUTE | 95

Ina

dditi

ont

heS

NO

Cla

cks

the

reso

urce

sto

focu

son

mon

itori

ngfo

rsu

spic

ious

insi

der

activ

ityf

ocus

ing

inst

ead

prim

arily

on

prot

ectio

nfr

om

exte

rnal

inci

dent

s

Are

aof

Con

cern

Re

spon

sibl

ePe

rson

nel

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sM

odifi

cati

on

In

form

atio

nTe

chno

logy

Lo

gfil

esa

rea

cces

sibl

eby

the

do

D

isab

ling

Log

File

sm

ain

adm

inis

trat

ors

and

syst

em

adm

inis

trat

ors

ofe

ach

resp

ectiv

e

syst

em

USC

ISs

houl

dse

ndc

ritic

allo

gsto

a

cent

raliz

edlo

gse

rver

and

pro

te

ctth

elo

gfil

esto

per

mit

afo

re

nsic

rec

onst

r uct

ion

ofn

etw

ork

orh

ost

base

dev

ents

In

form

atio

nTe

chno

logy

Th

ela

cko

fcon

sist

ency

for

wha

tis

Alth

ough

six

per

cent

(23)

oft

he

logg

eda

cros

sU

SCIS

ser

vers

sys

tem

s

insi

ders

doc

umen

ted

inth

eCE

RT

appl

icat

ions

and

wor

ksta

tions

isc

on

Insi

der

Thre

atC

ase

data

base

cern

ing

Sev

eral

par

ties

addr

esse

dw

ere

able

tom

odify

ord

isab

le

CERT | SOFTWARE ENGINEERING INSTITUTE | 96

tions

nee

dto

con

side

rth

eim

port

ance

ofb

acku

pan

dre

cove

ryp

roce

sses

and

car

em

ustb

eta

ken

that

bac

kups

are

per

form

edr

egul

arly

pro

te

cted

and

test

edto

ens

ure

busi

ness

con

tinui

tyin

the

even

tofd

amag

eto

or

loss

ofc

entr

aliz

edd

ata

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

slo

gfil

es

Mon

itor

ing

Susp

ici

ous

Act

ivit

y

Info

rmat

ion

Tech

nolo

gy

are

som

etim

esli

mite

dto

24

hour

sor

less

ofc

olle

ctio

n

the

fact

that

ITp

erso

nnel

mus

tbe

able

top

hysi

cally

rea

cha

mac

hine

in

atim

ely

fash

ion

ifth

eyh

ope

toc

ap

ture

logs

rel

ated

toa

nin

cide

nt

This

as

sum

ptio

nm

akes

itli

kely

that

cri

tica

llog

info

rmat

ion

will

be

mis

sed

CERT | SOFTWARE ENGINEERING INSTITUTE | 97

Sugg

este

dCo

unte

rmea

sure

s

Polic

yor

Pra

ctic

eG

aps

Polic

yan

dor

Sec

urit

yM

easu

re

Dat

abas

ead

min

istr

ator

sar

ere

spon

si

ble

for

mon

itori

nga

nda

lert

ing

whe

nda

taa

cces

sat

tem

pts

are

mad

eto

cri

tical

dat

ain

USC

ISd

ata

base

s

Resp

onsi

ble

Pers

onne

l

Info

rmat

ion

Tech

nolo

gy

Info

rmat

ion

Tech

nolo

gy

Are

aof

Con

cern

CERT | SOFTWARE ENGINEERING INSTITUTE | 98

Sugg

este

dCo

unte

rmea

sure

sU

SCIS

sho

uld

cons

ider

cle

arly

de

finin

gth

ere

spon

sibi

lity

ofd

ata

base

adm

inis

trat

ors

and

the

SNO

Cfo

rm

onito

ring

ale

rtin

g

and

resp

ondi

ngto

una

utho

rize

dda

taa

cces

sO

nce

the

resp

onsi

bi

lity

isa

ssig

ned

the

appr

opri

ate

grou

psh

ould

dili

gent

lyp

reve

nt

dete

cta

ndr

espo

ndto

una

utho

riz

edd

ata

acce

ssm

odifi

catio

n

and

exfil

trat

ion

atte

mpt

s

USC

ISs

houl

dco

nsid

erim

ple

men

ting

ane

twor

km

onito

ring

stra

tegy

that

mon

itors

and

filte

rs

inbo

und

and

outb

ound

net

wor

ktr

affic

Th

iss

trat

egy

may

pre

ve

nto

rde

tect

the

unau

thor

ized

tr

ansf

ero

fUSC

ISd

ata

outs

ide

the

orga

niza

tion

Man

yin

side

rsd

ocum

ente

din

the

CERT

Insi

der

Thre

atC

ase

data

ba

sew

ere

able

toc

omm

itth

eir

mal

icio

usa

ctiv

ities

usi

ngla

ptop

s

Polic

yor

Pra

ctic

eG

aps

Net

wor

ktr

affic

filte

ring

ish

appe

ning

on

lyo

nin

boun

dtr

affic

not

out

boun

dtr

affic

Th

ere

sour

ces

don

ote

xist

toe

xam

ine

ou

tbou

ndtr

affic

onl

yin

boun

dtr

affic

Fu

rthe

rmor

eth

ein

trus

ion

dete

ctio

nsy

stem

sar

eno

topt

imiz

edto

det

ect

secu

rity

eve

nts

Polic

yan

dor

Sec

urit

yM

easu

re

USC

ISh

asth

eab

ility

toc

reat

ein

bo

und

firew

allr

ules

tofi

lter

pote

ntia

llym

alic

ious

net

wor

ktr

affic

No

evid

ence

pro

vide

d

Resp

onsi

ble

Pers

onne

l

Info

rmat

ion

Tech

nolo

gy

Info

rmat

ion

Tech

nolo

gy

Are

aof

Con

cern

CERT | SOFTWARE ENGINEERING INSTITUTE | 99

Sugg

este

dCo

unte

rmea

sure

s

USC

ISs

houl

dco

nsid

erim

ple

men

ting

ane

twor

km

onito

ring

stra

tegy

that

incl

udes

fore

nsic

to

ols

toa

idin

vest

igat

ions

Ins

ixp

erce

nt(2

2)o

fthe

cas

es

docu

men

ted

inth

eCE

RTIn

side

rTh

reat

Cas

eda

taba

set

heim

pact

of

the

crim

ew

asm

agni

fied

be

caus

eof

insu

ffic

ient

bac

kups

Polic

yor

Pra

ctic

eG

aps

The

SNO

Cha

sha

dpr

oble

ms

iden

tify

ing

the

root

cau

seo

fan

affe

cted

w

orks

tatio

nor

use

rbe

caus

eof

the

lack

ofn

etw

ork

fore

nsic

app

licat

ions

Id

eally

the

SN

OC

shou

ldb

eab

leto

tr

ace

netw

ork

traf

ficfr

oms

ourc

eto

de

stin

atio

nan

dw

atch

act

ivity

It

has

a

stan

dal

one

fore

nsic

cap

abili

tyb

ut

noth

ing

onth

ene

twor

k

Tabl

etop

exe

rcis

esm

ayn

otg

ive

USC

ISa

true

indi

catio

nof

its

abili

tyto

re

cove

rfr

oma

sys

tem

icfa

ilure

W

hen

poss

ible

bac

kups

sho

uld

be

impl

emen

ted

ons

imila

rha

rdw

are

to

ensu

reth

atth

eba

ckup

tape

isfu

nc

tiona

land

the

back

upis

ope

ratio

nal

Polic

yan

dor

Sec

urit

yM

easu

re

The

SNO

Cis

res

pons

ible

for

dete

rm

inin

gth

ero

otc

ause

ofa

nin

cide

nt

incl

udin

gus

ing

fore

nsic

tool

sto

id

entif

yaf

fect

edw

orks

tatio

nsd

esk

tops

and

lapt

ops

Ba

ckup

test

ing

for

man

ysy

stem

soc

curs

onc

epe

rye

ar

Ins

ome

case

s

the

back

ups

are

only

test

edw

itha

ta

blet

ope

xerc

ise

and

don

otu

se

sim

ilar

orid

entic

alh

ardw

are

toth

at

used

inth

epr

oduc

tion

envi

ronm

ent

Resp

onsi

ble

Pers

onne

l

Info

rmat

ion

Tech

nolo

gy

Info

rmat

ion

Tech

nolo

gy

Are

aof

Con

cern

Back

ups

CERT | SOFTWARE ENGINEERING INSTITUTE | 100

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

s

Info

rmat

ion

Tech

nolo

gy

Year

sof

bac

kup

tape

sar

eke

pto

nsi

tea

tthe

Ver

mon

tSer

vice

Cen

ter

an

dsy

stem

adm

inis

trat

ors

have

ac

cess

toth

ese

back

upfi

les

Adm

inis

trat

ors

who

hav

eac

cess

to

the

back

upta

pes

wou

ldb

eab

leto

Back

upm

edia

sho

uld

bec

on

trol

led

care

fully

doc

umen

ted

an

dst

ored

off

site

with

lim

ited

acce

ss

With

outt

hose

con

trol

s

USC

ISc

anno

tbe

sure

its

back

ups

will

giv

eit

the

abili

tyto

rec

over

ss

ecur

ity o wn

Proa

ctiv

ely

addr

essi

ngk

now

nse

curi

tyv

ulne

rabi

litie

ssh

ould

be

apr

iori

tyfo

ran

yor

gani

zatio

nse

ekin

gto

miti

gate

the

risk

ofi

nsid

erth

reat

sa

wel

las

exte

rnal

thre

ats

Cas

est

udie

sha

ves

how

nth

atm

alic

ious

insi

ders

fol

low

ing

term

inat

ion

will

som

etim

ese

xplo

itkn

own

tech

nica

lho

uld

have

ap

roce

sst

vuln

erab

ilitie

sth

atth

eyk

now

hav

eno

tbee

npa

tche

dto

obt

ain

syst

ema

cces

san

dca

rry

outa

nat

tack

O

rgan

izat

ions

sdr

ess

kno

ensu

reth

ato

pera

ting

syst

ems

and

othe

rso

ftw

are

have

bee

nha

rden

edo

rpa

tche

din

ati

mel

ym

anne

rw

hen

poss

ible

Fa

ilure

toa

dvu

lner

abili

ties

prov

ides

an

insi

der

ampl

eop

port

unity

and

pat

hway

sfo

rat

tack

mak

ing

itm

ore

diff

icul

tfor

an

orga

niza

tion

top

rote

ctit

self

Tech

nica

lSec

urit

yV

ulne

rabi

litie

s

CERT | SOFTWARE ENGINEERING INSTITUTE | 101

ount

erm

easu

res

Sugg

este

dC

CERT | SOFTW ARE ENGINE ERING INSTITUTE |102

ceG

aps

Polic

yor

Pra

cti

The

pres

ence

of

host

pe

rim

eter

and

m

prot

ectio

nfo

rCI

Sin

al

war

epu

tsU

Sa

rela

tivel

yse

curd

ing

rep

ositi

onr

ega

oads

m

alic

ious

dow

nl

Polic

yan

dor

Se

easu

re

curi

tyM

Th

eO

ITr

elie

son

tan

ism

sto

w

om

ech

wnl

ode

tect

the

doad

of

licio

us

ma

code

1)

DH

S

nte

mon

itors

the

Ig

atrn

etw

aya

nd

e

2)

orks

ta

age

nto

nw

tio

ns

ale

rts

mm

edi

the

OIT

iat

ely

upon

dis

cov

wn

mal

er

yof

kno

war

eT

heO

ITs

hth

epo

rt

uts

dow

n

tob

lock

mal

ici

ere

ap

ous

code

wh

prop

riat

e

sin

stal

la

als

ode

tect

nel

Resp

onsi

ble

Pers

onog

yIn

form

atio

nTe

chno

l ogy

Info

rmat

ion

Tech

nol

Are

ac

ofC

oner

ne

Add

rss

ino

wn

ngK

Secu

rer

it

yV

uln

ies

abili

t

eA

ddr

ssi

now

nng

KSe

cur

er

ity

Vul

nie

sab

ilit

Sugg

este

dCo

unte

rmea

sure

s

Tw

elve

per

cent

(46)

oft

hec

ases

do

cum

ente

din

the

CERT

Insi

der

Thre

atC

ase

data

base

invo

lve

user

sab

usin

gad

min

istr

ator

pri

vi

lege

sto

sab

otag

esy

stem

sor

da

ta

Alth

ough

USC

ISu

sers

nee

dfo

rad

min

istr

ator

righ

tsto

inst

allo

rru

nau

thor

ized

sof

twar

eth

eO

IT

shou

ldc

onsi

der

givi

ngu

sers

se

para

tea

dmin

istr

ator

acc

ount

sfo

rth

ese

expl

icit

purp

oses

U

sers

co

uld

then

use

non

adm

inis

trat

or

acco

unts

for

thei

rda

ilyw

ork

Th

isw

ould

gre

atly

min

imiz

eth

eri

sko

fmal

war

eco

mpr

omis

e

Polic

yor

Pra

ctic

eG

aps

Am

itiga

ting

fact

or

is

that

the

depa

rtin

gem

ploy

eew

ould

ne

edp

hysi

cala

cces

sto

the

syst

emto

lo

gin

A

use

rw

itha

dmin

istr

ator

pri

vile

ges

mus

tnot

rel

yso

lely

on

auto

mat

ic

mec

hani

sms

tos

afeg

uard

his

or

her

com

pute

rA

dmin

istr

ator

rig

hts

give

in

adve

rten

tlyd

ownl

oade

dm

alw

are

the

abili

tyto

com

plet

ely

com

prom

ise

asy

stem

som

etim

esw

ithou

tthe

kn

owle

dge

ofth

eus

er

Polic

yan

dor

Sec

urit

yM

easu

re

tion

ofm

alic

ious

cod

efr

omU

SBs

and

othe

rm

edia

USC

ISu

sers

hav

elo

cala

dmin

istr

ator

ri

ghts

on

thei

row

nm

achi

nes

Thi

sal

low

sus

ers

toin

stal

lsof

twar

eon

th

eirs

yste

ms

So

me

auth

oriz

eds

oftw

are

does

re

quir

ead

min

istr

ator

rig

hts

toin

stal

l

Som

eap

plic

atio

nsa

ctua

llyr

equi

re

adm

inis

trat

orri

ghts

tor

un

Resp

onsi

ble

Pers

onne

l

Info

rmat

ion

Tech

nolo

gy

Are

aof

Con

cern

Unm

anag

edS

ys

tem

s

CERT | SOFTWARE ENGINEERING INSTITUTE | 103

Conf

igur

atio

nM

anag

emen

t

Effe

ctiv

eco

nfig

urat

ion

man

agem

enth

elps

ens

ure

the

accu

racy

int

egri

tya

ndd

ocum

enta

tion

ofa

llco

mpu

ter

and

netw

ork

syst

emc

onfig

ura

tions

A

wid

eva

riet

yof

cas

esin

the

CERT

Insi

der

Thre

atC

ase

data

base

doc

umen

tins

ider

sw

hor

elie

dhe

avily

on

the

mis

conf

igur

atio

nof

sys

te

ms

The

yhi

ghlig

htth

ene

edfo

rst

rong

erm

ore

effe

ctiv

eim

plem

enta

tion

ofa

utom

ated

con

figur

atio

nm

anag

emen

tcon

trol

sO

rgan

izat

ions

sh

ould

als

oco

nsid

erc

onsi

sten

tdef

initi

ona

nde

nfor

cem

ento

fapp

rove

dco

nfig

urat

ions

Ch

ange

sor

dev

iatio

nsfr

omth

eap

prov

edc

onfig

urat

ion

base

line

shou

ldb

elo

gged

so

they

can

be

inve

stig

ated

for

pote

ntia

lmal

icio

usin

tent

Co

nfig

urat

ion

man

agem

enta

lso

appl

ies

tos

oftw

are

sou

rce

code

and

app

licat

ion

files

O

rgan

izat

ions

that

do

note

nfor

cec

onfig

urat

ion

ma n

agem

enta

cros

sth

een

terp

rise

are

ope

ning

vul

nera

bilit

ies

for

expl

oitb

yte

chni

cali

nsid

ers

with

suf

ficie

ntm

otiv

atio

nan

da

lack

ofe

thic

s

The

OIT

has

ac

onfig

urat

ion

man

agem

entp

olic

yth

atp

rovi

des

base

line

soft

war

eco

nfig

urat

ions

for

USC

ISd

eskt

ops

and

lapt

ops

The

OIT

sca

ns

for

inco

rrec

to

utda

ted

or

unp

atch

edv

ersi

ons

ofs

oftw

are

onth

eap

prov

eds

oftw

are

list

The

OIT

kee

pstr

ack

ofd

iffer

entb

asel

ines

for

diff

er

entc

ontr

acts

D

espi

tetr

acki

nga

nda

rig

orou

sco

nfig

urat

ion

man

agem

entp

olic

yth

eO

ITh

asd

iffic

ulty

kee

ping

trac

kof

the

901

50d

iffer

ents

ys

tem

imag

esin

the

USC

ISe

nvir

onm

ent

Rog

ues

oftw

are

orm

alw

are

iso

ften

dis

cove

red

thro

ugh

ade

liber

ate

man

uals

can

rat

her

than

thro

ugh

ana

utom

ated

pro

cess

To

mak

eth

ista

skm

ore

diff

icul

tth

ere

have

bee

nU

SCIS

em

ploy

ees

with

sen

iori

tyo

rin

fluen

cew

hoa

rea

ble

tou

selo

cal

adm

inis

trat

orp

rivi

lege

sto

inst

alls

oftw

are

for

the

sake

ofc

onve

nien

ce

Conc

erns

reg

ardi

ngc

onfig

urat

ion

man

agem

entm

ake

itdi

ffic

ultf

orth

eO

ITto

ad e

quat

ely

prev

ent

det

ect

and

res

pond

tor

ogue

sof

twar

eor

m

alw

are

usin

gits

cur

rent

pro

cedu

res

We

sugg

ests

ome

cons

ider

atio

nsfo

rle

vera

ging

exi

stin

gde

ploy

men

tsa

ndm

odify

ing

inci

dent

res

pons

epr

actic

esto

incr

ease

eff

ectiv

enes

s

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sCo

nfig

urat

ion

Man

agem

ent

USC

ISL

eade

rshi

p In

form

atio

nTe

chno

logy

The

OIT

has

ac

onfig

urat

ion

man

ag

emen

tpol

icy

for

soft

war

eco

nfig

ura

tion

base

lines

Th

eO

ITs

cans

for

inco

rrec

to

utda

ted

or

unpa

tche

dve

rsio

nso

fsof

twar

eon

the

ap

Des

pite

rig

orou

sco

nfig

urat

ion

man

ag

emen

tpol

icy

the

OIT

has

diff

icul

ty

keep

ing

trac

kof

the

90to

150

diff

er

ents

yste

mim

ages

inth

eU

SCIS

env

iro

nmen

tR

ogue

sof

twar

eor

mal

war

e

Seve

ntee

nca

ses

docu

men

ted

in

the

CERT

Insi

der

Thre

atC

ase

da

taba

sein

volv

eus

ers

expl

oitin

gth

ela

cko

rw

eakn

ess

ofa

con

fig

urat

ion

man

agem

ents

yste

m

CERT | SOFTWARE ENGINEERING INSTITUTE | 104

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

spr

oved

sof

twar

elis

tT

heO

ITk

eeps

tr

ack

ofd

iffer

entb

asel

ines

for

dif

fere

ntc

ontr

acts

iso

ften

dis

cove

red

thro

ugh

ade

liber

at

em

anua

lsca

nra

ther

than

thro

ugh

ana

utom

ated

pro

cess

toc

arry

out

thei

rat

tack

s

The

OIT

cou

ldle

vera

geth

eex

ist

ing

ePO

dep

loym

entt

oco

mpl

em

enti

tsc

onfig

urat

ion

man

age

men

teff

orts

eP

Oc

and

efin

ea

base

line

for

soft

war

eap

plic

atio

ns

and

aler

ton

any

devi

atio

nsfr

om

that

bas

elin

e

USC

ISL

eade

rshi

p

No

evid

ence

pro

vide

d

Ins

ome

case

sin

divi

dual

sw

iths

en

iori

tyo

rin

fluen

cea

rea

ble

tou

se

adm

inis

trat

orp

rivi

lege

sto

inst

all

soft

war

efo

rth

esa

keo

fcon

veni

ence

USC

ISs

houl

den

sure

that

con

fig

urat

ion

polic

yis

con

sist

ently

co

mm

unic

ated

and

enf

orce

dth

roug

hout

the

orga

niza

tion

Ev

ens

enio

rle

ader

ship

sho

uld

notb

eab

leto

cas

ually

cir

cum

ve

ntth

ese

polic

ies

with

outg

oing

th

roug

hth

epr

oper

cha

nnel

sas

de

fined

by

the

conf

igur

atio

nm

anag

emen

tpol

icy

Conf

igur

atio

nM

anag

emen

t

USC

ISL

eade

rshi

p In

form

atio

nTe

chno

logy

Serv

ice

Cent

ers

are

resp

onsi

ble

for

lock

ing

dow

nde

skto

psto

pre

vent

un

auth

oriz

eds

oftw

are

from

runn

ing

The

lock

dow

npr

oces

sre

lies

onh

um

anin

terv

entio

nI

fcal

lvol

ume

to

the

Serv

ice

Cent

eris

hea

vyt

his

may

in

crea

ser

espo

nse

time

toa

nun

ac

cept

able

leve

l

The

OIT

sho

uld

expl

ore

way

sto

au

tom

ate

lock

dow

nof

pot

en

tially

com

prom

ised

sys

tem

sT

his

wou

ldr

equi

rea

car

eful

bal

ance

of

ser

vice

ver

sus

secu

rity

O

nth

ese

rvic

esi

ded

elay

edr

espo

nse

by

the

Serv

ice

Cent

erm

ayr

esul

tin

loss

ofp

rodu

ctiv

ity

On

the

secu

ri

tys

ide

del

ayed

res

pons

eco

uld

CERT | SOFTWARE ENGINEERING INSTITUTE | 105

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sle

adto

sys

tem

com

prom

ise

M

anag

emen

tsho

uld

eval

uate

the

risk

sof

ac

ompr

omis

ean

dw

eigh

th

ose

risk

sag

ains

tthe

pot

entia

lco

nseq

uenc

eso

fser

vice

dis

rup

tion

CERT | SOFTWARE ENGINEERING INSTITUTE | 106

Appendix H Acronyms

C3-LAN: CLAIMS 3 – Local Area Network
CBP: Customs and Border Protection
CI: Counterintelligence
CIO: Chief Information Officer
CLAIMS: Computer Linked Application Information Management System
CMMI: Capability Maturity Model Integration
COTR: Contracting Officer's Technical Representative
CSC: Computer Sciences Corporation
CSIRT: Computer Security Incident Response Team
CSO: Chief Security Officer
CMU: Carnegie Mellon University
DBA: Database Administrator
DHS: Department of Homeland Security
DOJ: Department of Justice
FBI: Federal Bureau of Investigation
FDNS-DS: Fraud Detection and National Security Data System
FISMA: Federal Information Security Management Act
FSD: Field Security Division
FSN: Foreign Service National
GFE: Government-furnished Equipment
HR: Human Resources
HSPD-12: Homeland Security Presidential Directive 12
ICE: Immigration and Customs Enforcement
ISSO: Information System Security Officer
IT: Information Technology
LER: Labor and Employee Relations
LPO: Local PICS Officer
NCR: National Capital Region
NFTS: National File Tracking System
ODBC: Open Database Connectivity
OIG: Office of Inspector General
OIT: Office of Information Technology
OSI: Office of Security and Integrity
PERSEC: Personnel Security
PICS: Password Issuance and Control System
PII: Personally Identifiable Information
QA: Quality Assurance
SEI: Software Engineering Institute
SIEM: Security Information and Event Management
SIR: Significant Incident Report
SNOC: Security Network Operations Center
TSA: Transportation Security Administration
USB: Universal Serial Bus

107

Appendix H Acronyms

USCIS: US Citizenship and Immigration Services
VIS: Verification Information System

108

Appendix I Management Comments to the Draft Report

109

Appendix J Contributors to this Report

Software Engineering Institute Carnegie Mellon University

Insider Threat Center at CERT

Department of Homeland Security Office of Inspector General

Richard Saunders, Director, Advanced Technology Division
Steve Matthews, IT Audit Manager, Advanced Technology Division
Philip Greene, IT Auditor/Team Lead, Advanced Technology Division

110

Appendix K Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chiefs of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Chief Information Security Officer
USCIS Chief Information Officer
USCIS Chief Information Security Officer
USCIS Audit Liaison Office

Office of Management and Budget

Chief, Homeland Security Branch, DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

111

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at: DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.

Recommendation 12 25

Recommendation 13: Reduce the number of privileged accounts for critical data systems 25

Recommendation 14 25

Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review 25

Recommendation 16 26

Recommendation 17 26

Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees 26

Appendix H Acronyms 107

Appendix I Management Comments to the Draft Report 109

Appendix J Contributors to this Report 110

Appendix K Report Distribution 111

Management Comments and OIG Analysis 27

Appendixes 28

Appendix A Organizational 30

Appendix B Human Resources 37

Appendix C Physical Security 42

Appendix D Business Processes 48

Appendix E Incident Response 62

Appendix F Software Engineering 69

Appendix G Information Technology 75

CERT | SOFTWARE ENGINEERING INSTITUTE | ii

Executive Summary

The US Department of Homeland Security Office of Inspector General engaged the Insider Threat Center at CERT of the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat assessment of US Citizenship and Immigration Services. The objective of the assessment was to determine how US Citizenship and Immigration Services has taken steps to protect its information technology systems and data from the threats posed by employees and contractors. The assessment evaluated US Citizenship and Immigration Services against approximately 400 real insider threat compromises documented in the CERT Insider Threat Case database. These cases, all prosecuted in the United States, include fraud, sabotage, and theft of intellectual property.

The assessment team performed fieldwork in the national capital region, Vermont Service Center, and US Citizenship and Immigration Services Burlington offices. Due to the limited scope of the assessment, systems reviewed, and locations visited, CERT was not able to verify the institutionalization and enforcement of any US Citizenship and Immigration Services' policies or render an overall opinion of the effectiveness of US Citizenship and Immigration Services insider threat posture. The Office of Inspector General did not request CERT to conduct a comprehensive information system's technical security controls review or vulnerability assessment to determine the susceptibility to internal threats. The Office of Inspector General may perform an in-depth follow-up review to render an overall opinion of the effectiveness of US Citizenship and Immigration Services insider threat posture.

US Citizenship and Immigration Services has made progress in implementing elements of an effective insider threat program. Specifically, it has established a Conviction Task Force to review former employees convicted of criminal misconduct within the scope of their duties, performs risk management for information technology and financial management, developed exit procedures for employees, improved protection of its facilities and assets, and adheres to formalized processes for some systems. In addition, it is implementing Homeland Security Presidential Directive 12 for physical and electronic account management.

While these efforts have resulted in some improvements, US Citizenship and Immigration Services has opportunities to improve its security posture against threats posed by employees and contractors. For example, it can institute an enterprise risk management plan and incorporate insider threat risk mitigation strategies into its new business processes. It can also centralize records of misconduct and violations, institute a logging strategy to preserve system activities, implement separation of duties for adjudicative decisions, conduct audits of non-US Citizenship and Immigration Services accounts, employ consistent policies for physical security, and consistently enforce employee exit procedures.

The assessment team is making 18 recommendations to the Director of US Citizenship and Immigration Services to strengthen the department's security posture against malicious insider threats. USCIS concurred with all of our recommendations and has already begun to take actions to implement them. The department's response is included in its entirety as appendix I.

CERT | SOFTWARE ENGINEERING INSTITUTE | 1

Background

TheUSDepartmentofHomelandSecurity(DHS)OfficeofInspectorGeneral(DHSOIG) engagedtheCERTprogramintheSoftwareEngineeringInstituteatCarnegieMellonUniver sitytoconductaninsiderthreatvulnerabilityassessmentofUSCitizenshipandImmigra tionServices(USCIS)Theprojectapproachestheinsiderthreatproblemontwoprimary fronts

The human behavioral component

The technological solution for automating prevention and detection capabilities to identify, measure, monitor, and control insider threat vectors

Insiders can be current or former employees, contractors, or business partners who have or had authorized access to their organization's systems and networks. They are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate attacks and even collude with external attackers. CERT's research, conducted since 2001, has focused on gathering data about actual malicious insider acts, including information technology (IT) sabotage, fraud, theft of confidential or proprietary information, espionage, and potential threats to our Nation's critical infrastructures.

CERT developed an insider threat vulnerability assessment instrument for evaluating vulnerabilities to insider threat based on research to date. Because of the complexity of the insider threat problem, involving security officers, information technology, information security, management, data owners, software engineering, and human resources, organizations need assistance in merging the wealth of available guidance into a single actionable framework. CERT advises organizations to use this assessment instrument to help safeguard their critical infrastructure.

CERT built the assessment based on research of approximately 400 insider threat cases in the CERT Insider Threat Case database.[1] These cases are a collection of real insider threat compromises, primarily fraud, sabotage, and theft of intellectual property, that have been prosecuted in the United States. Starting in 2002, CERT collaborated with U.S. Secret Service behavioral psychologists to collect approximately 150 actual insider threat cases that occurred in U.S. critical infrastructure sectors between 1996 and 2002 and examined them from both a technical and a behavioral perspective. Since that original study, CERT has continued to add cases with funding from Carnegie Mellon's CyLab,[2] bringing the case library to a total of approximately 400 cases. The instrument encompasses technical, behavioral, process, and policy issues and is structured around information technology, information security, human resources, physical security, business processes, legal and contracting, management, and organizational issues.

[1] Note that the database does not contain national security espionage cases involving classified information.
[2] http://www.cylab.cmu.edu

Objective

The objective of the insider threat vulnerability assessment was to determine how USCIS has taken steps to protect its IT systems and data from the threat posed by employees and contractors. This assessment was based on behavioral as well as technical experience, and it is intended to assist USCIS in safeguarding its critical infrastructure. The assessment will:

Enable USCIS to gain a better understanding of its vulnerability to insider threat and provide an ability to identify and manage associated risks

Identify technical, organizational, personnel, business, security, and process issues into a single actionable framework

Identify short-term countermeasures against insider threats

Help guide USCIS in its ongoing risk management process for implementing long-term strategic countermeasures against insider threats

Scope

USCIS employs approximately 18,000 government employees and contractors located at 250 offices throughout the world.[3] The insider threat vulnerability assessment is intended to focus on critical systems and high-risk areas of concern that can be assessed in a 3- to 5-day timeframe. Therefore, at a pre-assessment walkthrough meeting, USCIS staff identified 3 systems of the 96 systems used by the agency as critical to its overall mission:

Verification Information System (VIS): this public-facing system is composed of five different applications. The purpose of the system is to provide:

o Immigration status information to government benefit-granting organizations to help them determine the eligibility of aliens who apply for benefits

o A means for private employers to perform employment eligibility verification of newly hired employees

Computer Linked Application Information Management System (CLAIMS): This system provides the following functions:

o CLAIMS 3 Local Area Network (C3 LAN) was originally developed to track the receipting of applicant or petitioner remittances and to produce notices documenting the remittance. C3 LAN now includes adjudication, archive, card production, case history, case transfer, on-demand reports, electronic file tracking, image capture, production statistics, status update, and electronic ingest of application data captured through the E-Filing web application and the Department of Treasury-sponsored lockbox operations.

o C3 mainframe supports processing of USCIS applications and petitions for various immigrant benefits (e.g., change of status, employment authorization, and extension of stay).

Fraud Detection and National Security Data System (FDNS-DS): This system was developed to identify threats to national security, combat benefit fraud, and locate and remove vulnerabilities that compromise the integrity of the legal immigration system.

[3] http://www.uscis.gov/portal/site/uscis/menuitem.eb1d4c2a3e5b9ac89243c6a7543f6d1a/?vgnextoid=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD&vgnextchannel=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD

It is important to note that the insider threat vulnerability assessment is limited to areas of concern observed in the hundreds of cases in the CERT Insider Threat database. People, technology, and organizations are constantly changing, and malicious insiders continue to come up with new avenues of attack in order to defeat a previously effective countermeasure. However, many of the countermeasures suggested in this report are applicable to a multitude of attack vectors.

It is also important to note that CERT's insider threat research has only explored intentional insider crimes. Accidental data leakage is an area of significant concern for organizations; however, CERT has not yet explored that aspect of insider threat. In addition, the focus of the research to date is to describe how the insider threat problem evolves over time. CERT's long-term research does include measuring the effectiveness of mitigation strategies.

Assessment Process/Methodology

An entrance conference was conducted by the DHS OIG, CERT, and USCIS on February 23, 2010. The entrance conference introduced USCIS to the CERT assessment team. Following the entrance conference, a pre-assessment walkthrough was held at USCIS headquarters on March 10, 2010. At that meeting, the CERT assessment team and the DHS OIG team explained the assessment process to representatives of USCIS. USCIS provided some documentation to the assessment team at that time and more documents throughout the assessment; those documents were reviewed to provide substantiation for findings in this report.

USCIS identified 96 systems it uses. Following the initial meeting, USCIS leadership and the assessment team chose the VIS, CLAIMS, and FDNS-DS systems because they were critical to the overall mission of USCIS. These three systems were the focus of the 5-day onsite assessment.

At the pre-assessment walkthrough, USCIS indicated that it had created a Convictions Task Force to review the activities of 10 former employees convicted of criminal misconduct within the scope of their official duties. The purpose of the task force is to identify issues these employees exploited to commit their crimes. The task force intended to develop findings and recommendations aimed at preventing similar crimes in the future. It graciously extended an invitation to the CERT and DHS OIG teams to participate. As a result, the teams observed or reviewed transcripts of all telephone conferences conducted by the task force. These findings are reflected in this report.

The CERT insider threat team and the DHS OIG liaison were onsite at various USCIS locations in the national capital region (NCR) from March 30 through April 1, 2010.

The DHS OIG liaisons were present at all interviews. The DHS OIG attended these interviews as an observer and assisted CERT as needed.

Face-to-face interviews were conducted with approximately 58 representatives in the NCR, followed by 32 representatives in the Vermont Service Center and USCIS Burlington offices. In addition, telephone conferences were held with staff from the Office of Security and Integrity (OSI) Investigations Division and the Security Network Operations Center (SNOC). Interviewees represented the following areas:

Data Owners (VIS, CLAIMS, and FDNS-DS)

Computer Sciences Corporation (CSC) (software engineering and operational support for VIS, CLAIMS, and FDNS-DS)

OSI (Physical Security, Regional Security, Investigations, Personnel Security, Counterintelligence)

Human Capital and Training (Training, Human Resources Operations Center, Labor Employee Relations)

Office of Information Technology (OIT) (IT Security, Computer Security Incident Response Team, Security and Network Operations Center, Account Management, Enterprise Operations)

Legal (Procurement Law)

Vermont Service Center (adjudicators, data entry clerks, supervisor, directors, OIT, software engineering)

All interviews were considered confidential; no record of participating employees is included in this report or in subsequent briefings. Findings are attributed only to a group or department interviewed, a document, the Convictions Task Force telephone conferences, or direct observation.

A critical issue for USCIS is ensuring that the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for Information Technology (IT) and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: U.S. citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Transformation

Transformation is a large business process reengineering effort in USCIS, primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. USCIS is relying heavily on Transformation to correct many of the problems resulting from legacy systems. This reliance on a single effort makes its effectiveness very important. The team found the Transformation effort to be a massive undertaking that appears to be implementing a very detailed project plan.

Based on the team's review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats. The assessment team reviewed five comprehensive Transformation documents as part of this assessment. The documents describe system requirements in detail. Fraud detection refers to detection of fraud perpetrated by applicants and petitioners; national security issues focus on the handling of investigations within USCIS that involve national security issues.

Again, an enterprise risk management approach should be considered when defining requirements for Transformation. Insiders at USCIS have perpetrated fraud in the past, as evidenced by the Convictions Task Force. In addition, USCIS insiders are capable of granting legal residency or citizenship status to someone who poses a national security risk to the United States.

Training and Awareness

It is essential that security awareness training is consistently provided to all employees to ensure security policies and practices are institutionalized throughout an organization. Many times, coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure to report concerning behavior by coworkers or others in an organization was a primary reason insiders in the CERT Insider Threat Case database continued to set up or carry out their attacks.

USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site, with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Human Resources

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern exhibited by current employees. Some cases from the CERT Insider Threat database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations must establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by human resources (HR) and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring. Clear requirements for ensuring employees' knowledge of these guidelines are also essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information.

Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management, HR, and security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

Screening and Hiring Practices

Several personnel screening and hiring practices pose a risk to USCIS systems and data.

USCIS does not have a consistent procedure for deciding whether to conduct a face-to-face interview prior to hiring an applicant being screened for government employment. There was an impression at USCIS headquarters that nearly 100% of those employees hired by managers are interviewed, but representatives in Burlington, Vermont, told us otherwise. This gap between perception and reality (there is not a policy stating that this must be done) is a concern. USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire. PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires if they have risk factors that do not cross adjudication guidelines for disqualification.

Foreign Service National (FSN) employees who work at U.S. embassies and consulates abroad have access to USCIS critical systems and data in some cases. In order to be hired and granted access to any of those systems, FSNs are vetted by the U.S. Department of State. Although the access to USCIS systems must be approved by the chief security officer (CSO) and chief information officer (CIO) for DHS, USCIS has very little visibility into the screening process for FSNs.

Exit Procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager or Contracting Officer's Technical Representative (COTR). It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access.

Physical Security

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the NCR since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls.

Finally, issues concerning the security of applicants' physical case files should be considered as part of a USCIS risk management strategy.

Controlling and Monitoring Proper Access Authorization

USCIS handles the physical security and access authorization of facilities differently depending on where the facility is located. The physical security of NCR facilities is handled by one group of USCIS personnel, but the physical security of field offices falls under the Field Security Division (FSD). In some cases, a physical security representative is not located in a field office at all. When this is the case, the responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner.

In 10 cases documented in the CERT Insider Threat Case database, the insider was able to commit a crime following termination because of failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities.

Security of Physical Case Files

At the Vermont Service Center, the assessment team observed physical case files of benefit applicants stacked in crates in the hallways. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their offices or desks. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they may leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office, naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Thirteen insiders documented in the CERT database stole physical property belonging to their organization.

Business Processes

A variety of cases from the CERT Insider Threat Case database document insider attacks in which gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and non-technical means. Access control based on separation of duties and least privilege in both the physical and virtual environment is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crimes. Most of these insiders committed their crimes for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE Password Issuance and Control System (PICS) for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Verification Information System

The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.

Modifications by VIS users to critical data are logged.

CLAIMS 3 LAN

Currently, all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other "sister" USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it.
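The review rules described for CLAIMS 3 LAN (every denial reviewed, trainees under 100% review, out-of-scope decisions reported, 10 QA cases per adjudicator per month) and the separation-of-duties and dual-control recommendation in the Business Processes discussion can be expressed as checks over a decision log. The following is an added example written for this report's reader, not code from CERT, USCIS, or CLAIMS; the case ids, user names, form types ("FORM-A", "FORM-B"), and the action log are constructed, and the rule that a reviewer must be a different person than the decider is an assumption about how dual control would be enforced:

```python
"""Separation-of-duties and supervisory-review checks over an adjudication log.

Added example; all data and rule thresholds below are constructed assumptions."""
import random
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass
class CaseAction:
    case_id: str
    action: str        # "approve", "deny" or "review"
    user: str
    form_type: str
    when: date


def check_adjudications(actions: List[CaseAction], authority: Dict[str, Set[str]],
                        trainees: Set[str]) -> Dict[str, List[str]]:
    """authority: adjudicator -> form types they normally decide.
    trainees: adjudicators who are under 100% supervisory review.
    Returns finding -> list of case ids:
      self_reviewed          the decider also recorded the review (no second person)
      unreviewed_denial      a denial with no review by someone other than the decider
      trainee_unreviewed     a trainee decision with no independent review
      out_of_scope_decision  a decision on a form type outside the adjudicator's normal set
    """
    reviewers: Dict[str, Set[str]] = defaultdict(set)
    for a in actions:
        if a.action == "review":
            reviewers[a.case_id].add(a.user)
    findings: Dict[str, List[str]] = defaultdict(list)
    for d in actions:
        if d.action not in ("approve", "deny"):
            continue
        revs = reviewers.get(d.case_id, set())
        independent = revs - {d.user}          # dual control: reviewer must not be the decider
        if d.user in revs:
            findings["self_reviewed"].append(d.case_id)
        if d.action == "deny" and not independent:
            findings["unreviewed_denial"].append(d.case_id)
        if d.user in trainees and not independent:
            findings["trainee_unreviewed"].append(d.case_id)
        if d.form_type not in authority.get(d.user, set()):
            findings["out_of_scope_decision"].append(d.case_id)
    return dict(findings)


def qa_sample(actions: List[CaseAction], year: int, month: int,
              per_adjudicator: int = 10, seed: int = 0) -> Dict[str, List[str]]:
    """Monthly QA pull: up to per_adjudicator decided cases per adjudicator.
    A seeded RNG makes the selection reproducible for the audit record."""
    rng = random.Random(seed)
    by_user: Dict[str, List[str]] = defaultdict(list)
    for a in actions:
        if a.action in ("approve", "deny") and (a.when.year, a.when.month) == (year, month):
            by_user[a.user].append(a.case_id)
    return {u: sorted(rng.sample(cases, min(per_adjudicator, len(cases))))
            for u, cases in by_user.items()}


# Constructed sample log (hypothetical users, cases and form types).
AUTHORITY = {"adj1": {"FORM-A"}, "adj2": {"FORM-A", "FORM-B"}}
TRAINEES = {"adj2"}
ACTIONS = [
    CaseAction("C1", "approve", "adj1", "FORM-A", date(2010, 3, 2)),
    CaseAction("C1", "review", "sup1", "FORM-A", date(2010, 3, 3)),
    CaseAction("C2", "deny", "adj1", "FORM-A", date(2010, 3, 4)),     # denial never reviewed
    CaseAction("C3", "approve", "adj1", "FORM-B", date(2010, 3, 5)),  # outside adj1's normal forms
    CaseAction("C4", "approve", "adj2", "FORM-A", date(2010, 3, 8)),  # trainee reviews own case
    CaseAction("C4", "review", "adj2", "FORM-A", date(2010, 3, 8)),
    CaseAction("C5", "deny", "adj2", "FORM-B", date(2010, 3, 9)),
    CaseAction("C5", "review", "sup1", "FORM-B", date(2010, 3, 10)),
    CaseAction("C6", "approve", "adj1", "FORM-A", date(2010, 3, 11)), # approvals are only sampled
]


def sample_adjudication_findings() -> Dict[str, List[str]]:
    return check_adjudications(ACTIONS, AUTHORITY, TRAINEES)


if __name__ == "__main__":
    for finding, cases in sample_adjudication_findings().items():
        print(f"{finding}: {', '.join(cases)}")
    print("QA sample for 2010-03:", qa_sample(ACTIONS, 2010, 3))
```

Run as a script it prints C2 as an unreviewed denial, C3 as an out-of-scope decision, and C4 as both self-reviewed and an unreviewed trainee decision; the QA pull lists every March case because each adjudicator decided fewer than ten. The checks run on the log after the fact, which is what the report's "report of all adjudication decisions" gives a supervisor; a system enforcing separation of duties would instead reject the self-review at the point of entry.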

FDNS-DS

Incident Response

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

Furthermore, 81% of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Incident Management

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Consequently, any effort to coordinate a proactive program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.

Software Engineering

Code Reviews

Some USCIS systems adhere to a formalized process of software engineering using contractors with a specified level of process maturity (i.e., capability maturity model integration (CMMI) level 3).

There was even a documented case in which source code contained something inappropriate and it was only discovered after the code was turned over from one contractor to another.

Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.

Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial.

Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems and/or networks.

In some areas, computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.

Although account naming conventions are dictated by DHS and the U.S. Department of State, USCIS could request a naming convention to differentiate between FSN and U.S. citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore

Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR.

The application of account management practices under the control of USCIS is inconsistent. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
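The account audit this section calls for (legacy accounts with no creation record, FSN accounts indistinguishable from federal employee accounts, and accounts not disabled promptly on a change in status) comes down to reconciling three lists: the people on the roster, the authorization records that should exist for every account, and the accounts actually enabled. The same comparison applies to the facility access lists discussed under Physical Security. The following is an added example written for this report's reader, not code from CERT, USCIS, DHS, or the Department of State; the roster, accounts, authorization ids, the one-day disable window, and the "fsn-" naming prefix are constructed assumptions:

```python
"""Account reconciliation audit: roster vs. authorization records vs. enabled accounts.

Added example; every name, id and threshold below is a constructed assumption."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    username: str
    enabled: bool
    authorization_id: Optional[str]   # paperwork/ticket that created the account; None if unknown
    disabled_on: Optional[date] = None


@dataclass
class Person:
    username: str
    status: str                       # "active", "separated" or "transferred"
    category: str                     # "federal", "contractor" or "fsn"
    separated_on: Optional[date] = None


# Assumed convention for telling FSN accounts apart (hypothetical, not a DHS/State rule).
FSN_PREFIX = "fsn-"


def audit_accounts(accounts: List[Account], roster: List[Person],
                   authorizations: Set[str], max_disable_days: int = 1) -> Dict[str, List[str]]:
    """Return finding -> usernames. Each check corresponds to a gap named in the text:
      no_authorization_record  no record of who approved the account's creation (legacy account)
      orphan_account           no person on the roster owns the account
      active_after_separation  the person has left but the account is still enabled
      late_disable             disabled more than max_disable_days after separation
      fsn_naming               FSN account that cannot be distinguished from a federal account
    """
    by_user = {p.username: p for p in roster}
    findings: Dict[str, List[str]] = {
        "no_authorization_record": [], "orphan_account": [],
        "active_after_separation": [], "late_disable": [], "fsn_naming": [],
    }
    for acct in accounts:
        if acct.authorization_id is None or acct.authorization_id not in authorizations:
            findings["no_authorization_record"].append(acct.username)
        person = by_user.get(acct.username)
        if person is None:
            findings["orphan_account"].append(acct.username)
            continue
        if person.status == "separated":
            if acct.enabled:
                findings["active_after_separation"].append(acct.username)
            elif acct.disabled_on and person.separated_on and \
                    (acct.disabled_on - person.separated_on).days > max_disable_days:
                findings["late_disable"].append(acct.username)
        if person.category == "fsn" and not acct.username.startswith(FSN_PREFIX):
            findings["fsn_naming"].append(acct.username)
    return findings


# Constructed sample input (hypothetical people and accounts).
ROSTER = [
    Person("jdoe", "active", "federal"),
    Person("asmith", "separated", "contractor", separated_on=date(2010, 3, 1)),
    Person("bjones", "separated", "federal", separated_on=date(2010, 3, 1)),
    Person("lopez", "active", "fsn"),
    Person("fsn-garcia", "active", "fsn"),
]
ACCOUNTS = [
    Account("jdoe", True, "AUTH-100"),
    Account("asmith", True, "AUTH-101"),                                  # still enabled after leaving
    Account("bjones", False, "AUTH-102", disabled_on=date(2010, 3, 20)),  # disabled 19 days late
    Account("lopez", True, None),                                         # no creation record, no FSN marker
    Account("svc_legacy", True, "AUTH-OLD"),                              # nobody on the roster owns it
    Account("fsn-garcia", True, "AUTH-103"),
]
AUTHORIZATIONS = {"AUTH-100", "AUTH-101", "AUTH-102", "AUTH-103"}


def sample_account_findings() -> Dict[str, List[str]]:
    return audit_accounts(ACCOUNTS, ROSTER, AUTHORIZATIONS)


if __name__ == "__main__":
    for finding, users in sample_account_findings().items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

The orphan and no-record checks are the ones that surface accounts created before paperwork was consistently submitted; they need a complete authorization ledger to be meaningful, which is why the text recommends consistently tracking creation and authorization of every account first.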

Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the U.S. Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those granted access through the U.S. Department of State for access from embassies overseas, have not been through the rigorous pre-employment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.

USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information

Logging, Auditing, and Monitoring

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.


There is a primary concern in this area at USCIS. USCIS should consider the frequency with which it scans its systems for technical security vulnerabilities.

There is also another concern in this area at USCIS.

Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy,

Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.
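As an added illustration of the automated baseline comparison this section calls for (example code, not OIT's tooling and not from the report), the following Python script checks each host's installed-software inventory against the approved baseline for its contract and emits a loggable deviation record for unapproved software, outdated versions, and hosts that have no baseline at all. Hostnames, contract labels, package names, and versions are constructed placeholders.

```python
from dataclasses import dataclass


def parse_version(text):
    """Turn '4.10.2' into (4, 10, 2) so versions compare numerically;
    a plain string comparison would wrongly rank '4.9' above '4.10'."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Deviation:
    """One logged deviation from the approved configuration baseline."""
    host: str
    package: str
    kind: str      # "UNAPPROVED", "OUTDATED" or "NO_BASELINE"
    detail: str


def check_host(host, installed, baseline):
    """Compare one host's installed packages with its approved baseline.

    installed: {package: version}; baseline: {package: minimum approved version}.
    A package absent from the baseline is unapproved (e.g. a local-admin
    convenience install); one present but below the minimum is outdated/unpatched.
    """
    deviations = []
    for package, version in sorted(installed.items()):
        if package not in baseline:
            deviations.append(Deviation(host, package, "UNAPPROVED",
                                        f"installed {version}; not on approved list"))
        elif parse_version(version) < parse_version(baseline[package]):
            deviations.append(Deviation(host, package, "OUTDATED",
                                        f"installed {version}; minimum approved {baseline[package]}"))
    return deviations


def check_fleet(inventory, baselines):
    """inventory: {host: (contract, {package: version})};
    baselines: {contract: {package: minimum version}}, one baseline per contract.
    A host whose contract has no baseline is itself a deviation: it cannot be audited."""
    deviations = []
    for host, (contract, installed) in sorted(inventory.items()):
        baseline = baselines.get(contract)
        if baseline is None:
            deviations.append(Deviation(host, "*", "NO_BASELINE",
                                        f"no approved baseline for contract {contract}"))
            continue
        deviations.extend(check_host(host, installed, baseline))
    return deviations


def hosts_with_unapproved_software(deviations):
    """Hosts carrying software outside the baseline, sorted, for local-admin review."""
    return sorted({d.host for d in deviations if d.kind == "UNAPPROVED"})


# Constructed baselines and inventory; hosts, contract labels, package names
# and versions are placeholders, not USCIS data.
BASELINES = {
    "CONTRACT-A": {"office-suite": "12.0.6", "av-agent": "8.7.0", "pdf-reader": "9.3.4"},
    "CONTRACT-B": {"office-suite": "12.0.6", "av-agent": "8.7.0", "vpn-client": "5.0.1"},
}
INVENTORY = {
    "ws-0101": ("CONTRACT-A", {"office-suite": "12.0.6", "av-agent": "8.7.0",
                               "pdf-reader": "9.3.4"}),
    "ws-0102": ("CONTRACT-A", {"office-suite": "12.0.6", "av-agent": "8.6.2",
                               "pdf-reader": "9.3.4", "media-player": "3.1.0"}),
    "lt-0201": ("CONTRACT-B", {"office-suite": "12.0.6", "av-agent": "8.7.0",
                               "vpn-client": "5.0.10"}),
    "lt-0299": ("CONTRACT-C", {"office-suite": "12.0.6"}),
}


if __name__ == "__main__":
    for d in check_fleet(INVENTORY, BASELINES):
        # Each line is a loggable record that can be investigated later.
        print(f"{d.host}\t{d.kind}\t{d.package}\t{d.detail}")
```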


Recommendations

The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.

Recommendation 1: Institute an enterprise risk management plan

USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort

Transformation is a large business process reengineering effort in USCIS, primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.

Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identified.


stores physical files for benefit applicants in the Vermont Service Center with no physical protection beyond the exterior building and guard controls. USCIS should evaluate current physical access procedures to determine if they adequately address risk and if they are enforced consistently across the enterprise.

Recommendation 8: Consistently enforce exit procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager and COTR. It also appears that different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access. USCIS should adopt an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs

Changes should be made to the USCIS hiring processes for select high-risk positions. For example, USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion

USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.


Recommendation 11: Enforce a requirement for individual accounts on critical systems

In some cases, USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing of accounts more difficult.

Recommendation 12

Recommendation 13: Reduce the number of privileged accounts for critical data systems

Some data systems, including FDNS-DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.

Recommendation 14

Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review

USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk, critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed.

Recommendation 16

Recommendation 17

Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees

USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.


Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments in its entirety in appendix I.

USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS corrective action plans.


Appendixes

The following pages contain appendixes A through G that contain a complete, detailed list of findings from the assessment.

The appendixes are organized into the following sections:

Appendix A: Organizational

Appendix B: Human Resources

Appendix C: Physical Security

Appendix D: Business Process

Appendix E: Incident Response

Appendix F: Software Engineering

Appendix G: Information Technology

Appendix H: Acronyms

Appendix I: Management Comments to the Draft Report

Appendix J: Contributors to this Report

Appendix K: Report Distribution

Each section in appendixes A–G contains a brief introduction, summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern specific to USCIS obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.

It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization's mission from both external and internal threats.

Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.

The results of this insider threat vulnerability assessment should be used to develop or refine the organization's overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.

Many of the findings in this report include the relative frequency of the issue raised in the CERT Insider Threat Case database. At the time this report was written, there were 386 cases of malicious insider activity against which the suggested countermeasure percentage is calculated. So if a particular activity was seen in 38 of our cases, we may indicate that it was seen in 10% of the cases in the Insider Threat Case database.


Appendix A: Organizational

Risk Management, Communication, Security Process Improvement

USCIS is in a difficult position. Part of its mission is to provide customer service to those seeking immigration and citizenship benefits from the US Government. However, it is challenging to optimize business processes for customer service while at the same time implementing protective measures to counter the risk posed by granting those very benefits. Many USCIS employees interviewed for this assessment identified the organization's primary risk as allowing the next terrorist to live and work legally in the United States. They desire help in identifying and implementing internal controls to counter that risk. Some of the interviewees, however—even some of the ISSOs and data owners—focused on leakage of PII as their primary concern. After delving into the matter with the assessment team, they came to understand the risk posed by exposure or misuse of critical data as the greatest risk faced by USCIS, primarily because such a security breach could result in allowing a terrorist into the country.

A critical issue for USCIS is ensuring the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms—US citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Area of Concern: Enterprise Risk Management
Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Individual organizations within USCIS do risk management related to their particular domain. For instance, IT does risk management from an IT perspective and the Financial Management does financial risk management.
Policy or Practice Gaps: USCIS personnel stated there is no enterprise risk management process for analyzing the organization's overall risk.

In interviews, some USCIS staff, including some ISSOs, data owners, and OIT staff, seemed to view loss of PII as the most important insider threat risk. All of the assessment questions were answered in the context of loss of PII. When we asked specifically what they see as the biggest insider threat risk, everyone seemed to agree it is creation of real citizenship documents for people who should not have them. In fact, interviewees at the Vermont Service Center categorized the functions characterized by the highest risk as follows: 1) Unlawful alien in the United States granted nonimmigrant status; 2) Someone with nonimmigrant status granted permanent residency, which means he or she can live and work indefinitely in the United States and also can petition for relatives. The Vermont Service Center is implementing separation of duties for performing functions 1 and 2 above (granting nonimmigrant status and moving someone from nonimmigrant status to permanent residency) so that one USCIS adjudicator alone cannot take an applicant from unlawful to permanent resident. These two functions will be performed at different physical locations 29 miles apart. The Vermont Service Center has not had an adjudicator who performed both functions 1 and 2 for the same applicant. This decision demonstrates that leadership at the Vermont Service Center recognizes the significant risk of creating legal citizenship documents for illegal aliens and is taking steps to mitigate that risk.
Suggested Countermeasures: We suggest that USCIS institute an enterprise risk management program. Without a common vision for risk management, the ISSOs and all organizations within USCIS cannot effectively understand the risk environment and work together to effectively mitigate risk.

Again, an enterprise risk management program will ensure that everyone across USCIS is working together to mitigate the highest priority risks. There are regulations and laws surrounding protection of PII, but focusing primarily on that issue can lead to a false sense of security if other, more important risk areas are given less attention. However, our insider threat assessment has uncovered other issues that could be addressed to mitigate that risk. Again, a formal risk analysis would enable USCIS to thoroughly examine the issues and prioritize countermeasures using a formal process. For example, an alternative to the physical move could be to implement an audit mechanism to look for adjudicators who performed both functions 1 and 2 for the same applicant.

Area of Concern: Enterprise-Wide Communication
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no consistency of controls from one service center to the next. We were told they each operate fairly independently.
Suggested Countermeasures: USCIS would benefit from ongoing communications about risk-based issues between the service centers. For instance, communications concerning problems, effective countermeasures, modifications to business processes, or ideas for countering increased risk could lead to an improved risk posture for the entire USCIS enterprise.

Area of Concern: Continual Security Process Improvement
Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: The USCIS Convictions Task Force is an excellent forum for analyzing past criminal cases and determining measures that should be instituted to prevent similar crimes in the future.
Policy or Practice Gaps: There is no process for following up on a case after the Office of Special Investigation (OSI) finishes an investigation. The Convictions Task Force is the only process we found for formal tracking, analysis, and process improvement based on actual incidents. The assessment team asked various groups if there is any follow up to incidents, for instance implementing automated scripts or controls to detect the same incident in the future. The team could not find a single person who knows of such an activity. Many examples of employee misconduct cited to the assessment team could easily have been detected or even prevented via automated controls. In addition, there is no mechanism for communicating issues outside of a given service center.
Suggested Countermeasures: In nearly 25% (91) of the cases in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 of these cases it was because of inadequate auditing of irregular processes. In 29 of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analysis of the OSI's findings and the development of automated checks implemented nationally.

Area of Concern: USCIS Employees are Potential Targets for Recruitment
Responsible Personnel: Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Some USCIS employees interviewed have received a request for assistance from a friend, relative, or stranger seeking to promote a case for some form of applicant. One adjudicator said he does not tell others who he works for. However, the distinctive green parking sticker on his car could, in a small town like Burlington, VT, reveal the identity of his employer. USCIS personnel are therefore unusually vulnerable to solicitation by outsiders.
Suggested Countermeasures: Twenty-nine percent of the insiders in the CERT Insider Threat Case database were recruited by outsiders to commit their crimes. USCIS should consider increasing the security awareness training provided to USCIS employees and contractors. The training should be continuous, including portions intended to raise awareness of the potential target that USCIS employees present. All employees should be aware of the consequences of participating in fraud against USCIS as well as how to report solicitations made to commit fraud.

Area of Concern: Transformation
Responsible Personnel: USCIS Leadership, Data Owners, Information Technology, Human Resources
Policy and/or Security Measure: Transformation is a large business process reengineering effort in USCIS that is primarily focused on improved customer service and fraud detection. For example, the assessment team was told that Transformation will automatically validate data in CLAIMS against other external systems (e.g., ICE and FBI) and that security requirements and controls have been identified by current C3 LAN data owners.
Policy or Practice Gaps: Transformation was mentioned in most interviews for this assessment. It appears that USCIS is relying heavily upon Transformation to correct many of the problems resulting from legacy systems. However, it is unclear whether internal personnel security and information security concerns will be included in this program. This reliance on a single effort makes the effectiveness of this effort very important. Reading the Transformation requirements documentation, it is not clear that insiders are considered in the security requirements for prevention and detection of fraud or national security in USCIS systems.
Suggested Countermeasures: USCIS should consider the Transformation project from an enterprise-wide perspective. It is important for it to use a formal requirements gathering process in order to effectively mitigate both internal and external threats. Personnel security should be included as well as information security to ensure that the appropriate internal controls are in place to reduce the risk posed by malicious insiders.
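Two countermeasures in the table above suggest automated checks: the audit mechanism under Enterprise Risk Management (look for adjudicators who performed both functions 1 and 2 for the same applicant) and the automated scripts for suspicious transactions under Continual Security Process Improvement. The Python below is an added example serving both, not code from the report or from USCIS; the export layout, field names, function labels, and the sample records are all constructed, and the same-location check is an added generalization of the separation the service center is introducing.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# The two adjudication functions as numbered in the Vermont Service Center finding.
FUNCTION_1 = "GRANT_NONIMMIGRANT_STATUS"   # function 1: unlawful alien granted nonimmigrant status
FUNCTION_2 = "GRANT_PERMANENT_RESIDENCY"   # function 2: nonimmigrant granted permanent residency
KNOWN_FUNCTIONS = {FUNCTION_1, FUNCTION_2}


@dataclass(frozen=True)
class Adjudication:
    """One adjudication action; field names and export layout are assumptions."""
    applicant_id: str
    adjudicator_id: str
    function: str
    location: str


def parse_export(text):
    """Parse constructed 'applicant,adjudicator,function,location' lines.

    Blank lines and '#' comments are skipped. A malformed or unknown-function
    line raises ValueError so a truncated or corrupted export is not audited
    as if it were clean.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or parts[2] not in KNOWN_FUNCTIONS:
            raise ValueError(f"line {lineno}: malformed record {line!r}")
        records.append(Adjudication(*parts))
    return records


def find_sod_violations(records):
    """Map applicant -> adjudicator for every applicant whose function 1 and
    function 2 were both performed by the same adjudicator (the separation of
    duties being introduced is meant to make this impossible)."""
    seen = defaultdict(lambda: defaultdict(set))  # applicant -> adjudicator -> functions
    for rec in records:
        seen[rec.applicant_id][rec.adjudicator_id].add(rec.function)
    return {
        applicant: adjudicator
        for applicant, by_adjudicator in seen.items()
        for adjudicator, functions in by_adjudicator.items()
        if KNOWN_FUNCTIONS <= functions
    }


def find_same_location_cases(records):
    """Applicants for whom both functions were recorded at one physical
    location, whoever adjudicated them. Added as a second check, since the
    control described is to perform the two functions at different sites."""
    where = defaultdict(lambda: defaultdict(set))  # applicant -> function -> locations
    for rec in records:
        where[rec.applicant_id][rec.function].add(rec.location)
    return {
        applicant for applicant, by_function in where.items()
        if by_function[FUNCTION_1] & by_function[FUNCTION_2]
    }


def repeat_offenders(violations):
    """Violation count per adjudicator, most frequent first, so repeat
    offenders stand out for investigation."""
    return Counter(violations.values()).most_common()


# Constructed sample export; applicants, adjudicators and site names are not real.
SAMPLE_EXPORT = """\
# applicant, adjudicator, function, location
A-1001, adj-17, GRANT_NONIMMIGRANT_STATUS, SITE-A
A-1001, adj-42, GRANT_PERMANENT_RESIDENCY, SITE-B
A-1002, adj-17, GRANT_NONIMMIGRANT_STATUS, SITE-A
A-1002, adj-17, GRANT_PERMANENT_RESIDENCY, SITE-A
A-1003, adj-08, GRANT_NONIMMIGRANT_STATUS, SITE-A
A-1003, adj-31, GRANT_PERMANENT_RESIDENCY, SITE-A
A-1004, adj-17, GRANT_NONIMMIGRANT_STATUS, SITE-A
A-1004, adj-17, GRANT_PERMANENT_RESIDENCY, SITE-B
A-1005, adj-42, GRANT_PERMANENT_RESIDENCY, SITE-B
"""


def audit(text):
    """Run every check over one export and return the findings together."""
    records = parse_export(text)
    violations = find_sod_violations(records)
    return {
        "sod_violations": violations,
        "same_location": find_same_location_cases(records),
        "repeat_offenders": repeat_offenders(violations),
    }


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_EXPORT).items():
        print(f"{name}: {finding}")
```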


Training and Awareness

It is essential that security awareness training be consistently provided to all employees to ensure that security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure by coworkers or others in an organization to report concerning behavior was a primary reason insiders in the CERT Insider Threat Case database were able to set up or carry out their attacks. USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Area of Concern: Training or Skills Required of Those in Appointed Security Roles
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: USCIS has a training process through an information systems security manager (ISSM).
Policy or Practice Gaps: USCIS relies heavily on contractors to provide adequately trained staff. Many ISSOs are not well versed in security. ISSOs are currently in an education process, but ISSOs are typically not security watchdogs.
Suggested Countermeasures: ISSOs must have proper training in order to keep up with the ever-changing information security environment and to be able to deal with the myriad technologies and tools available to them. Appropriate budget should be allocated for ISSO training, including vendor-specific training (e.g., McAfee and Cisco) and industry-specific training (e.g., SANS).


Appendix B: Human Resources

Employee Issues

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern by current employees. Some cases from the CERT Insider Threat Case database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations should establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed. Organizational issues related to functions shared by HR and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring, and clear requirements for ensuring employees' knowledge of these guidelines are essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information. Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

CERT suggests enhancements to the USCIS hiring and termination processes. For example, USCIS should consider additional screening for high-risk positions such as adjudicators. USCIS should also consider becoming more involved in vetting Foreign Service Nationals (FSN) prior to granting them access to USCIS critical systems and data. Finally, USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Area of Concern: Pre-Employment Screening
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: The employee screening process lacks any form of psychological screening for a range of positions, including adjudicators.
Suggested Countermeasures: Five percent (18) of the insiders in the CERT database had possible psychological issues.

SCIS

sh

ould

con

side

rin

clud

ing

psy

chol

ogic

alte

stin

gas

par

toft

h e

new

hir

epr

oces

sfo

rse

lect

pos

itio

nsi

nclu

ding

adj

udic

ator

s

Giv

enth

esi

gnifi

cant

soc

ialp

res

sure

son

adj

udic

ator

san

dth

ere

lativ

ela

cko

fmon

itori

ngfo

rin

side

rri

ski

tsee

ms

impo

rtan

tto

impr

ove

this

asp

ecto

fscr

een

ing

Hum

anR

esou

rces

App

lican

tsa

rea

ssig

ned

ara

ting

by

HR

the

ratin

gis

use

dto

ran

kap

pli

cant

s

Ther

eis

cur

rent

lyn

oau

ditl

ogth

at

wou

ldc

aptu

rein

stan

ces

inw

hich

so

meo

nein

HR

chan

ged

ara

ting

to

enab

les

omeo

neto

get

hir

edm

ore

easi

ly

USC

ISs

houl

dco

nsid

erim

ple

men

ting

ana

udit

log

totr

a ck

the

cand

idat

era

tings

and

ale

rtw

hen

cand

idat

era

tings

are

cha

nged

by

som

eone

inH

R

CERT | SOFTWARE ENGINEERING INSTITUTE | 38

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

s

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

Ifa

pers

onal

issu

e(e

g

subs

tanc

eab

use

rel

ativ

ely

larg

efin

anci

alin

de

bted

ness

)aris

esd

urin

gPe

rson

nel

Secu

rity

rsquos(P

ERSE

Crsquos)

scr

eeni

ng

PERS

ECm

ayis

sue

ale

tter

ofa

dvis

em

entt

oth

eca

ndid

ate

and

clea

rth

at

pers

onfo

rhir

eP

ERSE

RCis

hes

itant

to

sha

ren

egat

ive

info

rmat

ion

abou

tap

plic

ants

with

USC

ISb

eca u

seo

fpr

ivac

yco

ncer

ns

Beca

use

ofth

ese

conc

erns

am

anag

erm

ayn

otk

now

th

ats

omeo

neis

com

ing

into

ap

osi

tion

with

ah

isto

ryo

falc

ohol

and

or

drug

abu

sef

inan

cial

inde

bted

ness

et

c

The

priv

acy

wal

lbet

wee

nPE

RSEC

and

fie

ldp

erso

nnel

con

cern

edw

ithh

irin

gis

trou

blin

gI

tis

diff

icul

tfor

PER

SEC

repr

esen

tativ

esto

indi

cate

thei

rco

nce

rns

abou

tpot

entia

lhir

esw

hoh

ave

risk

fact

ors

that

do

notc

ross

adj

udic

atio

ngu

idel

ines

for

disq

ualif

icat

ion

USC

ISs

houl

dco

nsid

era

dditi

onal

sc

reen

ing

for

adju

dica

tors

U

SCIS

sho

uld

bem

ore

invo

lved

in

dec

idin

gw

hois

gra

nted

au

thor

ized

acc

ess

beca

use

ofth

ese

nsiti

ven

atur

eof

the

syst

ems

and

data

tha t

USC

ISm

anag

es

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

Each

fiel

dof

fice

dete

rmin

esw

heth

er

orn

otto

mee

tan

appl

ican

tfac

eto

fa

ceb

efor

ehi

ring

Ther

ew

asa

nim

pres

sion

ath

eadq

uar

ters

that

nea

rly1

00

oft

hose

hir

ed

bym

anag

ers

are

inte

rvie

wed

but

re

pres

enta

tives

inB

urlin

gton

Ver

m

ontt

old

uso

ther

wis

eT

his

gap

be

twee

npe

rcep

tion

(the

reis

not

ap

ol

icy

stat

ing

this

mus

tbe

done

)and

re

ality

iso

fcon

cern

Ther

eha

veb

een

know

nin

stan

ces

in

whi

cha

pplic

ants

wer

eon

lys

cree

ned

USC

ISs

houl

dre

quir

ein

terv

iew

sfo

ral

lpos

ition

sT

hein

terv

iew

sne

edto

be

cond

ucte

dby

som

eon

ein

volv

edin

the

day

tod

ay

supe

rvis

ion

ofth

epo

sitio

nto

be

fille

d

CERT | SOFTWARE ENGINEERING INSTITUTE | 39

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

son

pap

ero

rove

rth

eph

one

befo

re

bein

ghi

red

Sta

ndar

dop

erat

ing

pro

cedu

res

are

notf

ollo

wed

ata

llfie

ld

offic

es

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

PERS

ECv

ets

fede

rale

mpl

oyee

san

dco

ntra

ctor

s(w

itha

min

imum

bac

kgr

ound

inve

stig

atio

n)

USC

ISr

elie

son

the

US

Dep

artm

ent

ofS

tate

tov

etfo

reig

nna

tiona

lem

pl

oyee

sw

how

ork

ate

mba

ssie

sor

co

nsul

ates

abr

oad

FSN

sin

som

ein

stan

ces

are

gra

nted

ac

coun

tso

nU

SCIS

info

rmat

ion

sys

tem

sI

fFSN

sne

eda

cces

sto

DH

Ssy

ste

ms

(incl

udin

gU

SCIS

)cur

rent

lyt

his

acce

ssm

ustb

eap

prov

edb

yth

eCS

O

and

CIO

for

DH

ST

his

prac

tice

was

no

talw

ays

follo

wed

con

sist

ently

in

the

past

so

ther

em

ayb

eFS

Ns

who

w

ere

gran

ted

acce

ssw

ithou

tall

the

curr

entv

ettin

gan

dap

prov

als

U

SCIS

sho

uld

cons

ider

be c

omin

gm

ore

invo

lved

inv

ettin

gof

FSN

spr

ior

tog

rant

ing

them

acc

ess

to

USC

ISs

yste

ms

In

addi

tion

U

SCIS

sho

uld

audi

tcur

rent

FSN

sw

itha

cces

sto

USC

ISs

yste

ms

and

ensu

reth

ata

ppro

pria

te

vett

ing

was

per

form

ed

Cand

idat

eCe

rtifi

ca

tion

Ver

ifica

tion

Hum

anR

esou

rces

No

evid

ence

pro

vide

d

USC

ISd

oes

noth

ave

ast

anda

rdp

ro

cedu

refo

rve

rifyi

ngth

ece

rtifi

catio

ns

ofjo

bap

plic

ants

USC

ISs

houl

dco

nsid

erim

ple

men

ting

ast

epin

the

new

hir

epr

oces

sto

ver

ifyc

ertif

icat

ions

of

allc

andi

date

sA

few

insi

ders

do

cum

ente

din

the

CERT

Insi

der

Thre

atC

ase

data

base

wer

eab

le

CERT | SOFTWARE ENGINEERING INSTITUTE | 40

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sto

obt

ain

posi

tions

ino

rgan

iza

tions

by

prov

idin

gfa

lsifi

edc

erti

ficat

ions

Empl

oyee

and

Co

ntra

ctor

Ter

mi

nati

on

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

Exit

proc

edur

esa

rer

ecen

tlyd

evel

op

eda

ndi

nso

me

case

ss

tillu

nder

de

velo

pmen

t(ie

fo

rmal

exi

tpro

ce

dure

sar

eex

pect

edto

be

rele

ased

in

3m

onth

s)

This

gap

may

man

ifest

itse

lfin

the

inco

nsis

tent

col

lect

ion

ofb

adge

sla

pto

psm

obile

dev

ices

and

oth

erU

SCIS

eq

uipm

ent

USC

ISs

houl

dco

nsid

era

dopt

ing

ane

nter

pris

ew

ide

exit

proc

edu

reto

ens

ure

cons

iste

ntte

rmi

natio

nof

all

empl

oyee

san

dco

ntr

acto

rs

Ita

ppea

rsth

ere

spon

sibi

lity

for

ensu

ring

that

em

ploy

ees

and

cont

ract

ors

are

term

inat

edr

ests

sol

ely

with

the

man

ager

It

als

oap

pear

sdi

ffer

en

tman

ager

sfo

llow

diff

eren

tpr

oced

ures

toe

nsur

eth

ata

cce

ssis

dis

able

dan

deq

uipm

ent

isr

etur

ned

ase

mpl

oyee

san

dco

ntra

ctor

sle

ave

USC

IS

Empl

oyee

and

Co

ntra

ctor

Man

da

tory

Dru

gTe

stin

g

Hum

anR

esou

rces

All

fede

ralp

ositi

ons

are

subj

ectt

odr

ugte

stin

gb

uto

nly

forn

ewh

ires

Acc

ordi

ngto

aU

SCIS

Con

vict

ions

Tas

kFo

rce

inve

stig

atio

nca

sec

all

cont

rac

tor

posi

tions

do

notr

equi

red

rug

test

in

g

Fift

een

insi

ders

doc

umen

ted

in

the

CERT

Insi

der

Thre

atC

ase

data

base

exh

ibite

dsu

bsta

nce

abus

eU

SCIS

sho

uld

cons

ider

im

plem

entin

gm

anda

tory

pos

thi

red

rug

test

ing

for

alle

mpl

oy

ees

and

cont

ract

ors

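The following Python example is added here to illustrate the kind of audit log the Pre-Employment Screening countermeasure above asks for (track candidate ratings and alert when a rating is changed by someone in HR). It is not part of the CERT report and does not describe any USCIS system. The candidate identifiers, HR user names, timestamps and ratings are constructed, and the hash-chained record format is an assumption about how such a log can be made tamper-evident, so that a later edit or deletion of an entry is detectable by anyone holding the chain.

```python
"""Tamper-evident audit log for HR candidate ratings (added example, not from the report).

Every rating assignment is appended as a hash-chained record, and any change to an
already-assigned rating raises an alert for security review.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64


@dataclass
class RatingEvent:
    """One append-only record: who set which rating for which candidate."""
    seq: int
    timestamp: str              # ISO-8601 text supplied by the caller
    candidate_id: str
    actor: str                  # HR user making the change
    old_rating: Optional[int]   # None on first assignment
    new_rating: int
    reason: str
    prev_hash: str              # hash of the previous record (chain link)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except entry_hash itself; prev_hash ties it to the chain.
        payload = asdict(self)
        payload.pop("entry_hash")
        body = json.dumps(payload, sort_keys=True).encode("utf-8")
        return hashlib.sha256(body).hexdigest()


class RatingAuditLog:
    def __init__(self) -> None:
        self.events: List[RatingEvent] = []
        self.current: Dict[str, int] = {}   # candidate_id -> latest rating
        self.alerts: List[dict] = []

    def set_rating(self, timestamp: str, candidate_id: str, actor: str,
                   new_rating: int, reason: str) -> RatingEvent:
        old = self.current.get(candidate_id)
        prev_hash = self.events[-1].entry_hash if self.events else GENESIS_HASH
        event = RatingEvent(len(self.events), timestamp, candidate_id, actor,
                            old, new_rating, reason, prev_hash)
        event.entry_hash = event.compute_hash()
        self.events.append(event)
        self.current[candidate_id] = new_rating
        # Alert on every change to an existing rating, whoever makes it.
        if old is not None and old != new_rating:
            self.alerts.append({
                "candidate_id": candidate_id,
                "actor": actor,
                "delta": new_rating - old,
                "reason_given": bool(reason.strip()),
                "seq": event.seq,
            })
        return event

    def verify_chain(self) -> bool:
        """Recompute every hash; False if any record was edited, reordered or removed."""
        expected_prev = GENESIS_HASH
        for index, event in enumerate(self.events):
            if (event.seq != index or event.prev_hash != expected_prev
                    or event.compute_hash() != event.entry_hash):
                return False
            expected_prev = event.entry_hash
        return True


def build_sample_log() -> RatingAuditLog:
    """Constructed sample: two initial ratings and one upward change with no reason."""
    log = RatingAuditLog()
    log.set_rating("2010-11-01T09:12:00Z", "CAND-0017", "hr.jones", 82, "initial rating")
    log.set_rating("2010-11-01T09:15:00Z", "CAND-0042", "hr.jones", 61, "initial rating")
    log.set_rating("2010-11-03T16:48:00Z", "CAND-0042", "hr.smith", 91, "")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    for alert in sample.alerts:
        print("ALERT:", alert)
    print("chain intact:", sample.verify_chain())
```

The log is only as trustworthy as the place the latest entry hash is kept: anchoring it somewhere HR users cannot write (for example with the security office) is what turns the chain into evidence rather than just a list.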
Appendix C: Physical Security

Field Offices
Access Following Termination
Security of Physical Case Files

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can also provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the national capital region (NCR) since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls. In addition, gaps in termination procedures have resulted in ongoing physical access following termination. Finally, issues concerning the security of physical case files should be considered as part of a USCIS risk management strategy.

Area of Concern: Physical Security of Field Offices
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: USCIS is in the process of putting a new access control system in place for the NCR. Before it does, it will disable access for anyone who has not used physical access in more than 12 months, as well as anyone no longer employed by USCIS. It also plans on examining all accounts that have not used physical access in more than 30 days. Security of field offices falls under the Field Security Division (FSD). The Office of Security and Integrity (OSI) recently developed an inspection workbook and is field testing it with FSD. USCIS Field Security Division is planning to put a security representative in every field office. It expects two to three times more reports of violations once it has a representative in every location.
Policy or Practice Gaps: Each USCIS facility has its own policies and access control systems. Some field offices within USCIS have access control systems, others do not. Not all offices in the field have electronic access controls; some only have locks and keys. Not every USCIS site has a physical security representative. Where no representative is present, this responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner. Some managers track who accesses what when, and others do not. According to Physical Security in Vermont, only 20% of violations are being reported to security.
Suggested Countermeasures: Forty of the insiders documented in the CERT database took advantage of inadequate physical security to carry out their crimes. Electronic access controls provide logs that could be useful in investigations of illicit activity outside of normal working hours. USCIS should consider developing enterprise-wide physical security procedures, roll those out to each field office, and require a physical security representative at each site to ensure consistent enforcement of the policies. USCIS should consider prohibiting each field office from developing site-specific policies and removing enforcement control from each site.

Area of Concern: Physical Access Following Termination
Responsible Personnel: Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: No evidence provided
Suggested Countermeasures: In 10 cases documented in the CERT Insider Threat Case database, the insider was able to attack following termination due to failure to notify security employees and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities. USCIS should consider automating the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to physical security so physical access can be disabled.

Area of Concern: No Two-Person Control
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Security guards at site locations have on occasion ignored door-propped-open alarms because theft has traditionally been a very small problem at USCIS.
Suggested Countermeasures: Consider consistent enforcement and investigation of USCIS physical security incidents. All alerts should be investigated and documented; if the alert is deemed unnecessary, then it should be discontinued. All security violations should be tracked in a central repository so a complete history for each individual is available.

Area of Concern: After-Hours Access
Responsible Personnel: Physical Security
Policy and/or Security Measure: Authorized Access
Policy or Practice Gaps: Most access is 24 hours a day, 7 days a week –
Suggested Countermeasures: Twenty-nine of the insiders documented in the CERT database used physical access outside of normal working hours to attack. USCIS should consider implementing an access control system that grants access commensurate with the position an employee or contractor fills. If a position does not require access outside of normal working hours, the access control system should prohibit such access and log unsuccessful access attempts.

Area of Concern: Security of Physical Case Files
Responsible Personnel: Physical Security
Policy and/or Security Measure: Protection of USCIS Case File Data
Policy or Practice Gaps: Physical files were observed in crates stacked in the hallways in the Vermont Service Center. According to an interview at the Service Center, anyone could walk out with a "crate full" of files after hours, especially if you are a teleworker. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their office or desk. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they might leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information has been found in garbage cans in the hallway. Adjudicators pick up their cases in an envelope in their mailbox. During the site visit the assessment team observed the mailroom at the Vermont Service Center unattended between shifts (approximately 3 pm). When adjudicators finish with a file, they return it to a drop-off spot. The assessment team observed those spots, which are in the open and unattended. Adjudicators may keep cases overnight and usually return them within 1 week.
Suggested Countermeasures: USCIS assumes its case file data is secure because its employees and contractors have a clearance or have had a background check. It is important to note that 49 insiders documented in the CERT database violated need-to-know policies in the commission of their crimes. Therefore, relying on clearances alone can be very dangerous. Thirteen insiders documented in the CERT database stole physical property belonging to the organization. CERT suggests USCIS consider the consequences of theft or unauthorized access to physical case files and make a risk-based decision regarding potential policy and procedure changes. There are standard policies and procedures for handling sensitive information, but a strong educational campaign is needed to ensure the protection of data.

Area of Concern: Teleworkers at Service Centers
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: One hundred eighty-nine people at the Vermont Service Center are authorized to work from home. These employees pick up files at the Vermont Service Center and take them home. They work 2 days per week in the Service Center and 3 days per week at home. USCIS pays an unannounced visit to all homes to inventory the employees' files at least quarterly. These employees must have a locked facility in their home and must always have the ability to return the files to the Service Center within 4 hours.
Policy or Practice Gaps: The control of USCIS data when it leaves the Vermont Service Center is difficult to enforce. Employees must have appropriate storage facilities, but they could easily copy USCIS data and share it with unauthorized individuals.
Suggested Countermeasures: Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. It is important that USCIS recognize the potential for recruitment and the lack of control exercised over sensitive data at adjudicators' residences.

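The Python example below is added here to show, in one reconciliation pass, three of the physical-security countermeasures in the table above: comparing a facility's authorized badge list against the current employee and contractor list, applying the 30-day review and 12-month disable thresholds the NCR plan describes, and flagging after-hours entries granted to positions that do not need them while tallying denied attempts. It is not code from the CERT report or from any USCIS access control system. The HR roster, badge list and reader log are constructed; the definition of normal working hours (07:00 to 19:00, Monday to Friday) and the per-position after-hours profile are assumptions.

```python
"""Badge-list reconciliation against HR records and reader logs (added example, not from the report)."""
from datetime import datetime
from typing import Dict, List, Tuple

BUSINESS_HOURS = (7, 19)    # assumption: 07:00-19:00 Monday-Friday is "normal working hours"
REVIEW_AFTER_DAYS = 30      # the appendix: examine accounts unused for more than 30 days
DISABLE_AFTER_DAYS = 365    # the appendix: disable access unused for more than 12 months
POSITION_AFTER_HOURS = {    # assumed access profile per position (commensurate with duties)
    "adjudicator": False,
    "clerk": False,
    "facilities_tech": True,
}

# Constructed sample data.
ROSTER = {   # HR system of record: person -> employment status and position
    "E1001": {"status": "active", "position": "adjudicator"},
    "E1002": {"status": "active", "position": "facilities_tech"},
    "E1003": {"status": "terminated", "position": "clerk"},
    "E1004": {"status": "active", "position": "clerk"},
    "E1005": {"status": "active", "position": "clerk"},
}
ACS_BADGES = [   # the facility access control system's authorized list
    {"badge": "B-1", "person": "E1001"},
    {"badge": "B-2", "person": "E1002"},
    {"badge": "B-3", "person": "E1003"},   # terminated but still enabled
    {"badge": "B-4", "person": "X9999"},   # no HR record at all
    {"badge": "B-5", "person": "E1004"},   # active, badge idle for weeks
    {"badge": "B-6", "person": "E1005"},   # active, badge idle for over a year
]
READER_LOG: List[Tuple[str, str, str]] = [   # (timestamp, badge, result)
    ("2010-11-15T08:05:00", "B-1", "granted"),
    ("2010-11-13T22:40:00", "B-1", "granted"),   # Saturday night, adjudicator
    ("2010-11-15T23:10:00", "B-2", "granted"),   # after hours, but the position needs it
    ("2010-06-01T10:00:00", "B-3", "granted"),
    ("2010-11-14T03:00:00", "B-4", "denied"),
    ("2010-11-14T03:01:00", "B-4", "denied"),
    ("2010-09-01T09:30:00", "B-5", "granted"),
    ("2009-10-01T09:30:00", "B-6", "granted"),
]


def is_after_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business-hours window."""
    weekend = ts.weekday() >= 5
    return weekend or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def reconcile(roster, badges, reader_log, now: datetime) -> Dict[str, object]:
    holder = {b["badge"]: b["person"] for b in badges}
    last_use: Dict[str, datetime] = {}
    denied: Dict[str, int] = {}
    after_hours: List[Tuple[str, str]] = []
    for ts_text, badge, result in reader_log:
        ts = datetime.fromisoformat(ts_text)
        if result != "granted":
            denied[badge] = denied.get(badge, 0) + 1      # keep unsuccessful attempts
            continue
        last_use[badge] = max(ts, last_use.get(badge, ts))
        person = roster.get(holder.get(badge, ""), {})
        allowed = POSITION_AFTER_HOURS.get(person.get("position", ""), False)
        if is_after_hours(ts) and not allowed:
            after_hours.append((badge, ts_text))           # granted where policy says prohibit

    revoke: List[str] = []
    disable_stale: List[str] = []
    review_stale: List[str] = []
    for b in badges:
        person = roster.get(b["person"])
        if person is None or person["status"] != "active":
            revoke.append(b["badge"])                      # not on the current employee list
            continue
        used = last_use.get(b["badge"])
        idle_days = (now - used).days if used else None
        if idle_days is None:
            review_stale.append(b["badge"])                # never seen: confirm before disabling
        elif idle_days > DISABLE_AFTER_DAYS:
            disable_stale.append(b["badge"])
        elif idle_days > REVIEW_AFTER_DAYS:
            review_stale.append(b["badge"])
    return {"revoke": revoke, "disable_stale": disable_stale, "review_stale": review_stale,
            "after_hours_granted": after_hours, "denied_attempts": denied}


def run_sample() -> Dict[str, object]:
    """Run the reconciliation over the constructed data as of 16 November 2010."""
    return reconcile(ROSTER, ACS_BADGES, READER_LOG, datetime(2010, 11, 16))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The after-hours finding for B-1 is the case the table describes: the reader granted the entry, so the control is detective rather than preventive. Once the access control system carries the per-position profile itself, that same event becomes a denied attempt, and the denied tally is what security then reviews.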
Appendix D: Business Processes

Technical Controls
Authorization via PICS
Account Management

A variety of cases from the CERT Insider Threat Case database document insider attacks where gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environments is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors are targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE PICS system for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Area of Concern: Authorization for USCIS Critical Systems through PICS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Several critical USCIS systems are tied to PICS for authentication, which is administrated by the ICE. PICS logs account creations, when the accounts were created, what roles applied to the accounts, etc.
Policy or Practice Gaps: PICS permits users outside of USCIS to authorize users for any USCIS application tied to PICS. Two thousand local PICS officers (LPOs) in the ICE and USCIS can create new accounts in PICS for employees located at their sites. LPOs control access for sheriffs, petitioners, CBP, DOJ, TSA, DHS OIG, Terrorism Task Force, and others. Accounts are based on personnel records, so LPOs cannot create accounts for anyone who is not an employee at their site. However, PICS administrators can create accounts for anyone working at their site for any system tied to PICS.
Suggested Countermeasures: USCIS should consider implementing an authorization process and system that enables it to control who is granted access to USCIS systems and data. CERT suggests that USCIS validate current PICS accounts and roles against current employee lists. Ten percent (37) of the insiders documented in the CERT database had excessive privileges, which enabled them to attack. In addition, because "privilege creep" enabled a few (six) of the insiders documented in the CERT database to carry out their crimes

Verification Information System (VIS)

Area of Concern: Sharing VIS Accounts
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: VIS administrators in external companies or agencies have been caught letting multiple employees use the same VIS account, but USCIS has no ability to take any action. The accounts enable employees to validate PII and citizenship information.
Suggested Countermeasures: Twenty-four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing accounts more difficult.

Area of Concern: Logging, Auditing, and Alerting in VIS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Modifications by VIS users to critical data are logged.

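The Python example below is added to illustrate the two account-management countermeasures above: validating accounts and roles in a PICS-style authorization system against the current employee list (catching accounts with no employee record, accounts of terminated staff, accounts created at a site other than the holder's, and roles beyond the position's baseline, which is what the report calls privilege creep), and detecting shared use of a VIS-style account from its session records. It is not code from the CERT report, from PICS or from VIS. The employee list, account export, role baselines and session log are constructed; the role names and the rule that overlapping sessions from different hosts indicate sharing are assumptions.

```python
"""Account validation against the employee list and shared-account detection
(added example, not from the report; PICS and VIS are only named, not modelled)."""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample data.
EMPLOYEES = {   # current employee list from HR: person -> status, site, position
    "E2001": {"status": "active", "site": "VSC", "position": "adjudicator"},
    "E2002": {"status": "active", "site": "VSC", "position": "supervisor"},
    "E2003": {"status": "terminated", "site": "VSC", "position": "clerk"},
}
BASELINE_ROLES = {   # assumed least-privilege role set per position
    "adjudicator": {"claims_adjudicate", "nfts_read"},
    "supervisor": {"claims_adjudicate", "claims_review_approve", "nfts_read"},
    "clerk": {"nfts_read"},
}
PICS_ACCOUNTS = [   # account export: who the account is for, where it was created, its roles
    {"account": "arivera", "person": "E2001", "site": "VSC",
     "roles": {"claims_adjudicate", "nfts_read"}},
    {"account": "bchen", "person": "E2002", "site": "VSC",
     "roles": {"claims_adjudicate", "claims_review_approve", "nfts_read", "claims_admin"}},
    {"account": "cokafor", "person": "E2003", "site": "VSC", "roles": {"nfts_read"}},
    {"account": "ghost1", "person": "X0001", "site": "VSC", "roles": {"claims_adjudicate"}},
    {"account": "remote9", "person": "E2001", "site": "NBC", "roles": {"nfts_read"}},
]
VIS_SESSIONS: List[Tuple[str, str, str, str]] = [   # (account, login, logout, source host)
    ("vis_acme", "2010-11-15T09:00:00", "2010-11-15T11:30:00", "10.1.1.5"),
    ("vis_acme", "2010-11-15T10:10:00", "2010-11-15T12:00:00", "10.1.1.9"),
    ("vis_acme", "2010-11-15T13:00:00", "2010-11-15T14:00:00", "10.1.1.5"),
    ("vis_beta", "2010-11-15T09:00:00", "2010-11-15T17:00:00", "10.2.2.2"),
]


def validate_accounts(accounts, employees, baseline) -> List[Tuple[str, str]]:
    """Flag accounts with no current employee, a non-active employee, a site
    mismatch, or roles beyond the position's baseline (privilege creep)."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        emp = employees.get(acct["person"])
        if emp is None:
            findings.append((acct["account"], "no matching employee record"))
            continue
        if emp["status"] != "active":
            findings.append((acct["account"], "employee status is %s" % emp["status"]))
            continue
        if acct["site"] != emp["site"]:
            findings.append((acct["account"], "account site %s differs from HR site %s"
                             % (acct["site"], emp["site"])))
        excess = acct["roles"] - baseline.get(emp["position"], set())
        if excess:
            findings.append((acct["account"],
                             "roles beyond baseline: " + ", ".join(sorted(excess))))
    return findings


def detect_shared_accounts(sessions) -> Dict[str, List[str]]:
    """Accounts with time-overlapping sessions from different source hosts."""
    by_account: Dict[str, list] = {}
    for account, login, logout, host in sessions:
        by_account.setdefault(account, []).append(
            (datetime.fromisoformat(login), datetime.fromisoformat(logout), host))
    shared: Dict[str, set] = {}
    for account, sess in by_account.items():
        sess.sort()                                  # by login time
        for i, (start_a, end_a, host_a) in enumerate(sess):
            for start_b, end_b, host_b in sess[i + 1:]:
                if start_b < end_a and host_a != host_b:
                    shared.setdefault(account, set()).update({host_a, host_b})
    return {account: sorted(hosts) for account, hosts in shared.items()}


def run_sample():
    """Run both checks over the constructed data."""
    return (validate_accounts(PICS_ACCOUNTS, EMPLOYEES, BASELINE_ROLES),
            detect_shared_accounts(VIS_SESSIONS))


if __name__ == "__main__":
    account_findings, shared_accounts = run_sample()
    for account, finding in account_findings:
        print(f"{account}: {finding}")
    print("shared:", shared_accounts)
```

The validation needs nothing from the authorization system beyond an export of accounts and roles, which is the point of the countermeasure: even where PICS is administered elsewhere, USCIS can still compare what it exports with its own employee list. The session check is a heuristic; concurrent logins from one host (a shared terminal) are not caught, which is one reason the report pairs detection with stronger authentication.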
Computer Linked Application Information Management System (CLAIMS) 3 LAN

Area of Concern: Self-Selection of Adjudication Cases
Responsible Personnel: ISSOs, Data Owners
Policy and/or Security Measure: Adjudicators can self-select cases (according to an interview concerning an internal incident that occurred at the USCIS and interviews with data owners at the Vermont Service Center).
Policy or Practice Gaps: Within the Service Centers, adjudicators have virtually unlimited access to applicant files; there are no need-to-know limitations or controls to prevent an adjudicator from accessing sensitive information and reporting it to outsiders, or modifying a file (entering an invalid decision). Adjudicators can also approve a case that is not assigned to them. There is no tie between the case management system (i.e., National File Tracking System or NFTS) and the case adjudication system (i.e., CLAIMS). In the internal case that occurred at USCIS, the perpetrator circumvented the interview process for 14 months; she approved "no show" cases. There were no controls to detect this. In addition, adjudicators can adjudicate any type of case even though they are each assigned certain types of benefits cases for adjudication.
Suggested Countermeasures: USCIS should consider implementing technical controls to prohibit adjudicators from self-selecting cases to adjudicate.

Area of Concern: Emphasis on Customer Service Over Risk
Responsible Personnel: Data Owners
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: One interviewee at the Vermont Data Center said that "stats" can be a strain, especially for new hires, although they do get a 90-day grace period.
Suggested Countermeasures: USCIS should use caution in emphasizing customer service as the only performance metric, because this could encourage lack of attention to risk-related activities (such as accurate adjudication decisions).

Area of Concern: Lack of Separation of Duties in CLAIMS
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Currently, all declined requests for benefits are reviewed by a supervisor. However, there was a discrepancy during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. Only a random sample of approved adjudication decisions is reviewed. For some cases (for instance, victims cases) a senior adjudicator has to review the decision after the adjudicator enters it; then the supervisor reviews it. This is a manually enforced process. There was another discrepancy in interviews: the adjudicators said that when adjudicators are in training they are under 100% review. They are in training on a specific type of case for at least 6 months. Auditing for improperly granted benefits is based on sampling and/or blind quality assurance (QA) according "to Army standards" after the fact. A randomly selected 30 cases per quarter are also reviewed by "sister centers". The QA process varies office by office (no national process). This QA has been done for the past year and a half. In the Vermont field office each supervisor pulls at least 10 cases per adjudicator per month. They review decision-related issues, security-related issues, and procedural issues (did they follow the right steps). They also look for lessons learned. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Some cases are more than 1,000 pages, so every detail cannot be practically reviewed for every case; clerks pull cases a couple of times per month – a certain number of cases
Suggested Countermeasures: USCIS should consider implementing automated processes to prevent and detect fraud. Management indicated it would like to see automated technical enforcement of the review and approval process. In nearly ten percent (39) of the cases documented in the CERT database insiders took advantage

es

per

empl

oyee

Th

ose

case

sar

epa

ssed

toQ

Aw

hor

evie

ws

the

case

s

QA

then

sen

dsfe

edba

ckto

the

supe

rvi

sor

and

adju

dica

tor

ifth

eyfi

nd

som

ethi

ngth

atd

oes

notl

ook

righ

t

tage

ofi

nsuf

ficie

nts

epar

atio

nof

du

ties

toc

arr y

out

thei

rcr

imes

U

SCIS

sho

uld

care

fully

con

side

rth

ebi

gges

tris

kto

the

orga

niza

tio

nM

any

ofth

eU

SCIS

em

pl

oyee

sin

terv

iew

edfo

rth

isa

sse

ssm

enti

dent

ified

the

prim

ary

risk

for

the

orga

niza

tion

asa

llo

win

gth

ene

xtte

rror

istt

oliv

ean

dw

ork

lega

llyin

the

Uni

ted

Stat

es

They

des

ire

assi

stan

cein

id

entif

ying

and

impl

emen

ting

inte

rnal

con

trol

sto

cou

nter

that

ri

sk

Aud

iting

eve

ryd

enie

dre

ques

tin

dica

tes

that

the

bigg

estr

isk

to

USC

ISis

toin

corr

ectly

den

ya

bene

fitto

an

appl

ican

trat

her

than

tog

rant

ab

enef

itto

som

eon

ew

hod

oes

notd

eser

veit

IfU

SCIS

agr

ees

that

gra

ntin

gle

gald

ocum

ents

toil

lega

lapp

lica

nts

iso

neo

fthe

big

gest

ris

ks

toth

eor

gani

zatio

nth

enit

sh

ould

con

side

rre

quir

ing

dual

CERT | SOFTWARE ENGINEERING INSTITUTE | 53

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sau

thor

izat

ion

for

thes

ead

judi

ca

tion

deci

sion

s

Lack

ofA

utom

ated

Ch

ecks

Dat

aO

wne

rs

Info

rmat

ion

Tech

nolo

gy

Verm

ontI

Tha

sdo

ned

ata

swee

ps

afte

rit

foun

dso

met

hing

sus

pici

ous

W

hen

itha

sdo

nes

oit

has

foun

dm

ore

ofth

esa

me

activ

ity

Ther

ear

eno

aut

omat

edc

heck

s(t

here

w

illb

ein

Tra

nsfo

rmat

ion)

Chec

ksth

atd

oex

ista

rem

anag

eda

tth

elo

call

evel

rat

her

than

ale

rtin

gto

th

ehe

adqu

arte

rsle

vel

Inn

early

twen

tyf

ive

perc

ent

(91)

ofc

ases

doc

umen

ted

inth

eCE

RTIn

side

rTh

reat

Cas

eda

ta

base

the

insi

der

was

abl

eto

ca

rry

outt

hec

rim

ebe

caus

eof

in

adeq

uate

aud

iting

ofc

ritic

al

proc

esse

sin

28

case

sit

was

be

caus

eof

inad

equa

tea

uditi

ng

ofir

regu

lar

proc

esse

sI

n29

of

the

case

sth

eor

gani

zatio

nha

dre

peat

edin

cide

nts

ofa

sim

ilar

natu

re

Aut

omat

eds

crip

tsa

re

ane

xcel

lent

mec

hani

smfo

rde

te

ctin

gsu

spic

ious

tran

sact

ions

as

wel

las

hone

stm

ista

kes

U

SCIS

sho

uld

cons

ider

afo

rmal

pr

oces

sfo

ran

alyz

ing

the

OSI

rsquos

findi

ngs

and

deve

lopi

nga

uto

mat

edc

heck

sth

ata

rer

olle

dou

tna

tiona

lly

Phys

ical

Sec

urit

yof

Ca

seF

iles

Dat

aO

wne

rs

Adj

udic

ator

s

No

evid

ence

pro

vide

d

The

NFT

Str

acks

mill

ions

off

iles

It

was

des

crib

edh

owev

era

sa

very

la

rge

war

ehou

sew

here

file

sdo

occ

a

Ten

perc

ent(

40)o

fthe

insi

ders

do

cum

ente

din

the

CERT

dat

aba

sec

arri

edo

utth

eir

crim

esb

y
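The separation-of-duties and automated-checks rows above describe controls that are enforced by hand today: supervisory review of denials, review of decisions on form types an adjudicator does not normally handle, and the suggested dual authorization for approvals. The block below is an added example written for this edit, not USCIS or CERT code; it shows how those three controls can be run automatically over a batch of decision records. The form types, adjudicator identifiers, assignment table and the set of forms requiring dual authorization are constructed for illustration and are not taken from the report.

```python
"""Added example (not USCIS/CERT code): automated checks over adjudication
decisions that mirror the manual controls described in the table.
All identifiers, form types and assignments below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Hypothetical assignment of form types to adjudicators.
ASSIGNMENTS = {
    "adj01": {"I-130", "I-485"},
    "adj02": {"N-400"},
    "sup01": set(),  # supervisor: reviews, does not adjudicate
}

# Hypothetical set of form types treated as requiring dual authorization.
DUAL_AUTH_FORMS = {"I-485"}


@dataclass
class Decision:
    case_id: str
    form_type: str
    adjudicator: str
    outcome: str               # "approved" or "denied"
    applicant_appeared: bool   # False marks a "no show" case
    reviewer: Optional[str] = None  # second person who reviewed, if any


def check_decision(d: Decision) -> list[str]:
    """Return the control violations found in one decision (empty if clean)."""
    findings: list[str] = []
    # Adjudicator working outside the case types assigned to them.
    if d.form_type not in ASSIGNMENTS.get(d.adjudicator, set()):
        findings.append("form type outside adjudicator assignment")
    # Approval of a case in which the applicant never appeared.
    if d.outcome == "approved" and not d.applicant_appeared:
        findings.append("approval of a no-show case")
    # Dual authorization: an approval on a designated form type needs a
    # second reviewer who is not the adjudicator.
    if d.outcome == "approved" and d.form_type in DUAL_AUTH_FORMS:
        if d.reviewer is None:
            findings.append("approval lacks second authorization")
        elif d.reviewer == d.adjudicator:
            findings.append("reviewer is the adjudicator (no separation of duties)")
    return findings


def audit(decisions: list[Decision]) -> dict[str, list[str]]:
    """Map case_id -> findings for every decision with at least one finding."""
    return {d.case_id: f for d in decisions if (f := check_decision(d))}


# Constructed sample decisions.
SAMPLE = [
    Decision("C1", "I-130", "adj01", "approved", True),
    Decision("C2", "N-400", "adj01", "approved", True),            # outside assignment
    Decision("C3", "I-485", "adj01", "approved", False, "sup01"),  # no-show approved
    Decision("C4", "I-485", "adj01", "approved", True),            # no second reviewer
    Decision("C5", "I-485", "adj01", "approved", True, "adj01"),   # reviewed by self
    Decision("C6", "I-485", "adj01", "denied", True),              # denials already reviewed
]

if __name__ == "__main__":
    for case, findings in audit(SAMPLE).items():
        print(case, "->", "; ".join(findings))
```

Run nightly over the day's decisions, the output of `audit` is the exception report a supervisor would review instead of a random sample; the point of the dual-authorization branch is that the second reviewer must be a different person, which is exactly the separation the table says is missing today.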

[...]

Area of Concern: Disabling Access to CLAIMS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Currently every month USCIS compares the Human Resources attrition list against the C3LAN account list and disables inactive employee accounts.
Policy or Practice Gaps: The new HR form has not been socialized or widely advertised. It is up to the COTRs and supervisors to consistently request that access be disabled when an employee or contractor no longer needs access.
Suggested Countermeasures: [...] the same applicant. C3LAN will be retired as part of Transformation. C4 will also be retired. A copy of security controls and requirements has been provided by C3LAN data owners to Transformation. It is important for the Transformation team to make risk-based decisions in Transformation design and development.
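The monthly comparison of the HR attrition list against the account list, described in the "Disabling Access to CLAIMS" row, is a reconciliation that can be scripted so that it catches the cases the row says fall through today: accounts whose owner has no HR record at all (typically a contractor whose departure was never requested) and accounts that simply stopped being used. The following is an added example written for this edit, not USCIS code; the user names, dates and the 45-day dormancy threshold are constructed.

```python
"""Added example (not USCIS/CERT code): monthly reconciliation of an HR
roster against an application account list, as described for the
"Disabling Access to CLAIMS" row. All names, dates and the dormancy
threshold are constructed."""
from __future__ import annotations
from datetime import date
from typing import Optional

DORMANT_DAYS = 45  # hypothetical: accounts unused this long are disabled


def accounts_to_disable(
    hr_roster: dict[str, Optional[date]],
    accounts: dict[str, Optional[date]],
    today: date,
) -> dict[str, str]:
    """hr_roster maps user id -> separation date (None = still employed).
    accounts maps user id -> last login date (None = never logged in).
    Returns user id -> reason for every account that should be disabled."""
    to_disable: dict[str, str] = {}
    for user, last_login in accounts.items():
        if user not in hr_roster:
            # Account with no HR record: orphaned, or a contractor whose
            # departure was never reported through the HR process.
            to_disable[user] = "no HR record"
        elif hr_roster[user] is not None and hr_roster[user] <= today:
            to_disable[user] = f"separated on {hr_roster[user].isoformat()}"
        elif last_login is None or (today - last_login).days > DORMANT_DAYS:
            to_disable[user] = "dormant"
    return to_disable


# Constructed sample inputs.
HR_ROSTER = {
    "alice": None,
    "bob": date(2010, 11, 15),   # separated last month
    "carol": None,
    "dan": date(2011, 1, 15),    # separation scheduled but not yet effective
}
ACCOUNTS = {
    "alice": date(2010, 11, 28),
    "bob": date(2010, 11, 10),
    "carol": date(2010, 9, 1),   # no login for three months
    "dan": date(2010, 11, 30),
    "eve": date(2010, 11, 29),   # not on the HR roster at all
}


def run_sample() -> dict[str, str]:
    return accounts_to_disable(HR_ROSTER, ACCOUNTS, today=date(2010, 12, 1))


if __name__ == "__main__":
    for user, reason in run_sample().items():
        print(f"disable {user}: {reason}")
```

The "no HR record" branch is the one that matters for contractors: an attrition list only names people HR knows have left, so an account list must be reconciled against the full roster, not just the attrition list, for a contractor's lingering access to show up.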

Area of Concern: Non-Attribution for DBA Accounts
Responsible Personnel: Information Technology
Policy and/or Security Measure: [...]
Policy or Practice Gaps: [...]
Suggested Countermeasures: [...]

Area of Concern: Pending Reduction in Force for Data Entry Clerks
Responsible Personnel: Data Owners, Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Data entry clerks will be losing their jobs when they move to LockBox, which will take over the functionality of accepting remittances for benefit applicants. It was stated that the data entry clerks might be hired away to work at the organization which performs that function.
Suggested Countermeasures: USCIS should be aware of the increased insider risk in the face of negative organizational events like this. It should consider proactive steps to decrease stress in the workplace and to ease potential financial burdens that could make employees more susceptible to recruitment by outsiders.

Area of Concern: Sharing Accounts in CLAIMS
Responsible Personnel: Data Owners, Information Technology, Data Entry Clerks
Policy and/or Security Measure: The NFTS will not let clerks log in if they have not used the system for a certain number of days.
Policy or Practice Gaps: A clerk’s cube mate will log in for their cube mate if it is the end of the day and IT has gone home for the day. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.
Suggested Countermeasures: USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make account sharing more difficult.
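The "Sharing Accounts in CLAIMS" row gives a concrete pattern to look for: one account active on two workstations at the same time, which a single person cannot produce. The block below is an added example written for this edit, not USCIS code; it pairs logon and logoff events into sessions and reports accounts with overlapping sessions on different workstations. The log format, user names, workstation names and timestamps are constructed.

```python
"""Added example (not USCIS/CERT code): detecting account sharing by finding
one account with overlapping sessions on two different workstations.
The log format and every line in it are constructed."""
from __future__ import annotations
from datetime import datetime
from itertools import combinations

# Constructed authentication log: timestamp,user,workstation,event
LOG = """\
2010-11-03T08:01:00,clerk7,WS-114,logon
2010-11-03T16:58:00,clerk7,WS-114,logoff
2010-11-03T17:05:00,clerk7,WS-231,logon
2010-11-03T17:40:00,clerk7,WS-231,logoff
2010-11-04T08:00:00,clerk7,WS-114,logon
2010-11-04T09:30:00,clerk7,WS-231,logon
2010-11-04T11:00:00,clerk7,WS-231,logoff
2010-11-04T17:00:00,clerk7,WS-114,logoff
2010-11-04T08:10:00,clerk9,WS-120,logon
2010-11-04T17:00:00,clerk9,WS-120,logoff
"""

Session = tuple  # (user, workstation, start, end)


def parse_sessions(text: str) -> list[Session]:
    """Pair each logon with the following logoff for the same (user, workstation)."""
    open_sessions: dict[tuple[str, str], datetime] = {}
    sessions: list[Session] = []
    for line in text.strip().splitlines():
        ts, user, ws, event = line.split(",")
        t = datetime.fromisoformat(ts)
        key = (user, ws)
        if event == "logon":
            open_sessions[key] = t
        elif event == "logoff" and key in open_sessions:
            sessions.append((user, ws, open_sessions.pop(key), t))
    return sessions


def overlapping_sessions(sessions: list[Session]) -> list[tuple[str, str, str]]:
    """Return (user, workstation_a, workstation_b) for every pair of sessions of
    the same account that overlap in time on different workstations. A person
    cannot be at two desks at once, so each hit is a candidate shared login."""
    hits = set()
    for a, b in combinations(sessions, 2):
        if a[0] != b[0] or a[1] == b[1]:
            continue
        if a[2] < b[3] and b[2] < a[3]:  # the two intervals intersect
            hits.add((a[0], *sorted((a[1], b[1]))))
    return sorted(hits)


if __name__ == "__main__":
    for user, ws_a, ws_b in overlapping_sessions(parse_sessions(LOG)):
        print(f"{user}: concurrent sessions on {ws_a} and {ws_b}")
```

On the constructed log, the first day's move from WS-114 to WS-231 is sequential and produces nothing; the second day's sessions overlap and are reported. The check only works if logoff events are reliably recorded, so on a system that lets sessions idle overnight a session timeout should be treated as a logoff before running it.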

Fraud Detection and Naturalization System – Data System (FDNS-DS)

Area of Concern: Elevated Privileges to FDNS-DS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: The FDNS-DS is a central repository of fraud and national security investigations. This system holds applicants and petitioners as well as PII. There is also a national security tab [...]
Policy or Practice Gaps: [...] but there are no national controls to ensure that celebrities’ files are not being accessed. There is a large superuser community, more than thirty percent of all FDNS-DS users with access to the FDNS-DS. These accounts have extensive power; a malicious superuser can completely delete a record or modify the summary of findings.
Suggested Countermeasures: Ten percent (39) of the insiders documented in the CERT database took advantage of insufficient access controls. USCIS should consider reducing the number of privileged accounts with access to the FDNS-DS. If the number of superuser accounts were reduced, then enhanced auditing could be employed on transactions conducted using those accounts.

Area of Concern: No Logging of Transactions
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: [...]
Suggested Countermeasures: [...]

Area of Concern: Unknown Connections to [...]
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: [...]
Suggested Countermeasures: [...]

Area of Concern: Failure to Address Known Security Vulnerabilities
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no automated patching because of the age of the servers and the application. Only critical patches are applied, for fear of crashing the servers. Thirteen insiders in the CERT database exploited known security vulnerabilities that were not addressed by the organization.
Suggested Countermeasures: USCIS should consider upgrading the FDNS-DS, since these vulnerabilities increase risk of attack from outside and inside.

Area of Concern: Production Data Available to Contractors in Development
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: CSC has production data in the development environment even though it should not have access to production data. Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS.
Suggested Countermeasures: USCIS should examine data being used in the remote contractor-owned development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.

Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Developers cannot release new executables; a separate system administrator has to push them out.
Policy or Practice Gaps: Contractors sometimes release code to fix problems without following the change management process. In 17 cases documented in the CERT Insider Threat Case database the insider was able to attack because of lack of adequate configuration management.
Suggested Countermeasures: USCIS has a formal configuration management process. It is important to enforce its use for all employees and contractors. Otherwise it will be extremely difficult to investigate a crime committed using flaws intentionally injected into source code by a contractor.

Appendix E: Incident Response

Incident Management
Security Awareness
Concerning Behaviors

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization’s lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

USCIS is a complex organization with many different components involved in detecting, tracking, investigating and following up on employee misconduct. This complexity and widely distributed function creates a situation in which it is very difficult to obtain a complete picture of an individual’s insider threat risk level. Because of this, it is practically impossible for USCIS to implement a proactive program to mitigate insider threat. CERT strongly recommends that USCIS create a central repository of employee misconduct so it can detect indicators of increasing insider threat risk and mitigate them as quickly as possible.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Area of Concern: Lack of Central Repository of Employee Misconduct
Responsible Personnel: USCIS Leadership, Physical Security, Office of Security and Integrity
Policy and/or Security Measure: If Field Security receives a Significant Incident Report (SIR), then it investigates. Employee misconduct is then reported to the Office of Security and Integrity (OSI). If the OSI investigation substantiates an employee’s misconduct, it provides Counterintelligence (CI) a monthly report. It also provides the employee’s management a copy. CI is starting to get more reports of acceptable use violations and security violations. It tracks everything in a file for later use in reinvestigations. Labor Employee Relations (LER) has a record of the reports it receives of misconduct complaints against an employee, rule violations, and so on. HR maintains the Official Personnel File, which contains records of suspensions, etc. LER contacts HR only for those types of actions. The OSI evaluates all complaints it receives and logs them into the case management system. It assigns them to a field office. At that point any complaints are the responsibility of the special agent in charge at the field office. The field office investigates and sends the case for corrective action to the regional director in the chain of command, and then the regional director returns a management report of action to the special agent in charge. The OSI contacts the DHS OIG for potentially criminal behavior or serious misconduct. If the DHS OIG turns the case down, then it is sent to the field office or to law enforcement. The Personnel Security division (PERSEC) notifies the OSI monthly of arrests (tracked in the case management system) and the OSI notifies PERSEC of investigations.
Policy or Practice Gaps: There is no single place to go for an employee’s disciplinary records. The number of organizations involved and management of records is very complex and distributed throughout the organization. According to Physical Security, the field office does not tell the OSI about problems – the OSI finds out when it “hits the press”. For example, the OSI is not informed of a disgruntled system administrator who is exhibiting concerning behaviors.
Suggested Countermeasures: USCIS should consider requiring mandatory reporting of all incidents to the OSI. This communication stream will allow the OSI to get involved as early as possible and to document and maintain a central repository of all incidents. This central repository is critical for adequately managing insider threats in USCIS.

Area of Concern: Tracking of Online Incidents
Responsible Personnel: Information Technology
Policy and/or Security Measure: Computer or network violation incidents are tracked by a Remedy system tied to a unique computer identifier rather than a user, in an attempt to keep PII out of the ticket.
Policy or Practice Gaps: It is difficult to tie an event to a particular person. Even if the identity of an offender is known, repeat offenders are not tracked in any automated or correlated way.
Suggested Countermeasures: USCIS should consider including user information for each incident so that repeat offenders can be easily identified, as repeat offenses could indicate an insider of higher risk.
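The "Tracking of Online Incidents" row describes tickets keyed by computer identifier, which hides two things at once: the same person generating tickets on different machines, and different people generating tickets on the same machine. The block below is an added example written for this edit, not USCIS code and not the Remedy data model; it joins computer-keyed tickets to a workstation assignment history so counts can be made per user, and contrasts that with the per-computer counts the ticket system can produce today. Every ticket, computer identifier, user name and assignment record is constructed.

```python
"""Added example (not USCIS/CERT code, not the Remedy schema): attributing
incident tickets keyed by computer identifier to the user who held that
computer at the time, then counting repeat offenders. All tickets,
identifiers and assignment records are constructed."""
from __future__ import annotations
from collections import Counter
from datetime import datetime
from typing import Optional

# Constructed tickets: (ticket_id, timestamp, computer_id, category)
TICKETS = [
    ("T1", "2010-09-02T10:15:00", "PC-0042", "acceptable use"),
    ("T2", "2010-09-20T14:00:00", "PC-0042", "acceptable use"),
    ("T3", "2010-10-05T09:30:00", "PC-0077", "unauthorized software"),
    ("T4", "2010-10-30T16:45:00", "PC-0042", "acceptable use"),
    ("T5", "2010-11-11T11:00:00", "PC-0099", "acceptable use"),
]

# Constructed workstation assignment history: (computer_id, user, start, end)
# end is None for the current assignment.
ASSIGNMENTS = [
    ("PC-0042", "user_a", "2010-01-01T00:00:00", "2010-10-15T00:00:00"),
    ("PC-0042", "user_b", "2010-10-15T00:00:00", None),
    ("PC-0077", "user_a", "2010-10-01T00:00:00", None),
    ("PC-0099", "user_c", "2010-01-01T00:00:00", None),
]


def _dt(s: str) -> datetime:
    return datetime.fromisoformat(s)


def user_for(computer_id: str, when: str) -> Optional[str]:
    """Who was assigned computer_id at the moment the ticket was raised."""
    t = _dt(when)
    for cid, user, start, end in ASSIGNMENTS:
        if cid == computer_id and _dt(start) <= t and (end is None or t < _dt(end)):
            return user
    return None


def per_computer(tickets) -> dict[str, int]:
    """What the ticket system can say today: counts by computer only."""
    return dict(Counter(cid for _, _, cid, _ in tickets))


def repeat_offenders(tickets, threshold: int = 2) -> dict[str, int]:
    """Counts by attributed user, keeping only users at or above threshold."""
    counts = Counter(u for u in (user_for(cid, ts) for _, ts, cid, _ in tickets) if u)
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("by computer:", per_computer(TICKETS))
    print("repeat offenders by user:", repeat_offenders(TICKETS))
```

On the constructed data the per-computer view shows three tickets on PC-0042 and suggests one offender there, while the attributed view shows that those tickets belong to two different people and that user_a accumulated three tickets across two machines. If the concern is keeping PII out of the ticket itself, the join key can be a pseudonymous employee identifier that is resolved only during an investigation; the correlation still works.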

Area of Concern: Consistency in Response to Security Violations and Concerning Behaviors
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no required training for supervisors on how to respond to a range of behaviors associated with many forms of insider risk. Computer use violations are not handled consistently across departments, supervisors and type of employee. Egregious violations are referred to the OSI for a full investigation, but the criterion for deciding when that is warranted is a gut reaction.
Suggested Countermeasures: Eighty-one of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors prior to or while carrying out their criminal activities. Employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft and other insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and deterrence of insider actions.

Area of Concern: US Department of State Investigations
Responsible Personnel: Office of Security and Integrity
Policy and/or Security Measure: OSI Investigations have been subject to allegations of violations involving Foreign Service Nationals (FSN), but the OSI relies on the US Department of State to investigate.
Policy or Practice Gaps: USCIS has no visibility into US Department of State investigations.
Suggested Countermeasures: FSNs who have access to USCIS systems and data should be included in an insider threat risk mitigation strategy.

Area of Concern: Preparation for Negative Work-Related Events
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There do not appear to be any guidelines, training or personnel available to evaluate employee insider risk before or after frequently precipitating events such as termination, demotions, transfers or other disappointments or unmet expectations. There also does not appear to be a group charged with evaluating insider risk from organizational events or developments affecting groups of employees, such as relocations, contract changes, layoffs and reorganizations.
Suggested Countermeasures: Fifty-five insiders documented in the CERT Insider Threat Case database had negative employment issues. Ninety-four had a change in employment status prior to their attacks, 20 had compensation or benefit issues and 65 were disgruntled. Supervisors should be trained in these risk indicators. There should also be an available panel of specialists from the OSI or the Labor Employee Relations (LER) trained to assess such risk. Similar specialists should be available to participate in planning and execution of response plans in preparation for negative workplace events that potentially could lead to disgruntlement among the workforce at USCIS.

Area of Concern: Contractor Management
Responsible Personnel: USCIS Leadership, Physical Security, Human Resources
Policy and/or Security Measure: Personnel screening procedures for contractors are similar to those for employees. Contracting companies are required to report any adverse information regarding their employees immediately (in all contracts).
Policy or Practice Gaps: LER has no involvement with contractors. They have no record of contractor misbehaviors or complaints against contractors. Supervisors, the OSI, LER and others concerned with organizational security may be largely unaware of insider risks related to contractors. Contractors are not subject to government monitoring or risk assessment. A contractor on a critical system may develop or have significant insider risk factors that may remain unknown to government employees due to lack of reporting requirements.
Suggested Countermeasures: Sixty-two of the insiders documented in the CERT Insider Threat Case database were contractors. USCIS contract management staff should consider the need for reporting a range of potential indicators of insider risk among contract staff. Incident response plans should include response to employee and contractor issues.

Area of Concern: Employee or Contractor Concerning Behavior
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security, Office of Security and Integrity, Labor Employee Relations
Policy and/or Security Measure: By policy it is every employee’s responsibility to report suspicious behavior or misconduct. Supervisors who observe concerning or suspicious behavior report it to LER or the OSI. For low-level misconduct LER advises the field office management on handling the matter. LER reports more serious misconduct with more severe consequences to HR. Misconduct can also be reported via Significant Incident Reports (SIRs). SIRs are sent to Physical Security or to the OSI for investigation. If CI discovers something suspicious during a reinvestigation, it informs the employee’s supervisor. The supervisor works with LER and counsel to decide on follow-up actions.
Policy or Practice Gaps: Self-reported drug use, arrest and associations with foreign nationals during employment are sent to the OSI. The OSI sends results to the supervisor following investigation.
Suggested Countermeasures: Supervisors need to be notified immediately when an employee reports drug use, arrests or association with foreign nationals so they have an accurate perception of the risk associated with each of their employees. In addition, 18 of the insiders documented in the CERT Insider Threat Case database had possible psychological issues. In collaboration with the OSI and LER, supervisors confronting employees who display concerning behaviors should have the ability to remove them from the workforce pending a medical or psychological evaluation to determine whether they have a disorder or illness that may impair their trustworthiness or judgment or make them a danger to themselves or others. Similarly, empowering supervisors to make an employee assistance program referral and evaluation mandatory, in collaboration with LER or the OSI, might help remove at-risk individuals from the workforce until they can safely and securely return.

Area of Concern: Electronic Investigations
Responsible Personnel: Information Technology, Office of Security and Integrity
Policy and/or Security Measure: Most allegations reported to the OSI are not very technical; the OIT provides forensics support for investigations (primarily database transactions). PERSEC has never asked the OIT to review a user’s online activity. Only one person in OSI is qualified to do a forensic inspection.
Suggested Countermeasures: USCIS should consider including the OIT in investigations of suspicious activity. CERT’s insider threat research has shown that nontechnical concerning behaviors can be associated with online criminal activity. It would be beneficial to check for past technical security violations and have the OIT analyze current online activity as part of the OSI investigations.

Appendix F: Software Engineering

Code Reviews
Configuration Management
Logging
Critical Data Controls

Insiders, both employees and contractors, in the cases documented in the CERT database injected code into source code to facilitate fraud and IT sabotage. In most cases the modifications to source code were intended to sabotage the organization’s systems, but in a few cases the code was used to facilitate fraud. In many [...] cases the code was set to execute following the insider’s termination; in one case the malicious code was planted for a year before finally executing. It is important that USCIS recognize the potential illicit activity that could be carried out by software engineers and implement appropriate controls, particularly for the most critical systems and system components. [...]

Area of Concern: Code Reviews
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Contractors are required to maintain a certain level of process maturity (CMMI Level 3) to be in compliance with USCIS policies. Source code is restricted to those with the need to know. Version Manager is used to control and track changes to source code. Separation of duties is implemented in the software release process: CSC checks new source code into Version Manager, a USCIS employee checks out the source code and releases it into production. The USCIS DBA moves new database objects into the production database.
Policy or Practice Gaps: Another interviewee mentioned that an “Easter egg” was found in source code after the contract was given to a new company.[4]
Suggested Countermeasures: [...]

[4] A virtual Easter egg is an intentional hidden message, joke or feature in a program, movie, book, etc.

CERT | SOFTWARE ENGINEERING INSTITUTE | 70

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sCo

nfig

urat

ion

Man

agem

ent

and

orC

hang

eCo

ntro

lPro

cess

N

otE

nfor

ced

ISSO

s D

ata

Ow

ners

In

form

atio

nTe

chno

logy

No

evid

ence

pro

vide

d

Whe

nco

ntra

ctor

sde

velo

pso

ftw

are

rem

otel

yth

eya

res

uppo

sed

tor

egis

te

rco

dein

Ver

sion

Man

ager

but

this

is

not

alw

ays

done

con

sist

ently

Co

ntra

ctor

sso

met

imes

rel

ease

cod

eto

fix

prob

lem

sw

ithou

tfol

low

ing

the

chan

gem

anag

emen

tpro

cess

In1

7ca

ses

docu

men

ted

inth

eCE

RTIn

side

rTh

reat

Cas

eda

ta

base

the

insi

der

was

abl

eto

at

tack

bec

ause

oft

hela

cko

fade

qu

ate

conf

igur

atio

nm

anag

emen

t

Soft

war

eEn

gine

er

ing

Cont

rols

inth

eSe

rvic

eCe

nter

s

ISSO

s D

ata

Ow

ners

In

form

atio

nTe

chno

logy

ISSO

s

No

evid

ence

pro

vide

d

Soft

war

eis

bei

ngd

evel

oped

inth

eSe

rvic

eCe

nter

sw

ithou

tcon

sist

ently

en

forc

ing

the

sam

ech

ange

man

age

men

tpro

cess

ese

nfor

ced

atth

ena

tio

nal(

ente

rpris

e)le

vel

The

cen

ters

us

ea

code

rep

osito

ryb

utn

otV

ersi

on

Man

ager

to

trac

kso

ftw

are

chan

ges

Th

eyd

ope

err

evie

ws

ofc

ode

and

belie

veth

ate

nter

pris

eco

ntro

lsfo

rco

der

evie

wa

rem

ore

deta

iled

(al

thou

ghth

atb

elie

fapp

ears

tob

efa

lse

ac

cord

ing

toin

terv

iew

sat

hea

dqua

rte

rs)

USC

ISs

houl

dco

nsid

erc

onsi

sten

tpo

licie

san

dpr

oced

ures

for

soft

w

are

engi

neer

ing

for

the

entir

een

terp

rise

inc

ludi

ngth

eSe

rvic

eCe

nter

s

Area of Concern: Logging Critical Data Controls
Responsible Personnel: ISSOs, Data Owners, Information Technology
Suggested Countermeasures: Most insiders documented in the CERT Insider Threat Case database were detected or identified using some kind of system log. Logs used include database logs, application logs, system logs, remote access logs, and many others.

Area of Concern: Production Data in Development Environment
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Development and production systems should be separate in terms of data sharing and access control.
Policy or Practice Gaps: In some cases contractors have access to both systems, including production data in the development environment.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment, and it was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the development environment and either sanitize or anonymize the data, or enforce the same level of security controls exercised for the production data.
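The countermeasure above offers two options: sanitize or anonymize production data before it reaches development, or apply production-grade controls there. The following is an added example, not code from the report or from USCIS, of the first option in Python: direct identifiers are replaced by keyed HMAC-SHA256 pseudonyms so records about the same person still join across tables, dates of birth are reduced to the year, free-text notes are dropped, and a post-check confirms no original identifier survives. The field names, records and key are constructed; the field list and the choice of HMAC are assumptions about what such a data set would need.

```python
import hashlib
import hmac
import json

# Fields that identify a person directly; each is replaced by a keyed pseudonym.
DIRECT_IDENTIFIERS = ("case_id", "name", "ssn", "alien_number", "email")
# Free-text fields are dropped outright: they can contain anything.
DROPPED_FIELDS = ("notes",)


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: same input -> same token, so joins still work,
    but without the key (which never leaves production) the token cannot be reversed."""
    normalized = value.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def generalize_dob(dob: str) -> str:
    """Keep only the birth year; a full date of birth is a strong quasi-identifier."""
    return dob[:4] + "-XX-XX"


def sanitize_record(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in DROPPED_FIELDS:
            continue
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonym(str(value), key)
        elif field == "date_of_birth":
            out[field] = generalize_dob(value)
        else:
            out[field] = value          # operational fields stay usable for testing
    return out


def sanitize(records, key: bytes) -> list:
    return [sanitize_record(r, key) for r in records]


def leaked_identifiers(originals, sanitized) -> list:
    """Post-check: list any original direct identifier still present in the output."""
    blob = json.dumps(sanitized).lower()
    leaks = set()
    for rec in originals:
        for field in DIRECT_IDENTIFIERS:
            if field in rec and str(rec[field]).lower() in blob:
                leaks.add(str(rec[field]))
    return sorted(leaks)


# Constructed sample data; the key is a placeholder that would be generated and held in production.
PROD_KEY = b"placeholder-key-held-in-production-only"
PRODUCTION_RECORDS = [
    {"case_id": "MSC-0000001", "name": "Jane Example", "ssn": "123-45-6789",
     "alien_number": "A012345678", "email": "jane@example.org", "date_of_birth": "1975-03-14",
     "form_type": "I-485", "status": "pending",
     "notes": "Called about her interview; employer is Example Corp"},
    {"case_id": "MSC-0000002", "name": " jane example", "ssn": "123-45-6789",
     "alien_number": "A012345678", "email": "JANE@example.org", "date_of_birth": "1975-03-14",
     "form_type": "I-765", "status": "approved", "notes": ""},
    {"case_id": "MSC-0000003", "name": "Sam Sample", "ssn": "987-65-4321",
     "alien_number": "A087654321", "email": "sam@example.net", "date_of_birth": "1988-11-02",
     "form_type": "N-400", "status": "pending", "notes": "n/a"},
]

if __name__ == "__main__":
    print(json.dumps(sanitize(PRODUCTION_RECORDS, PROD_KEY), indent=2))
```

A keyed pseudonym, unlike a plain hash, cannot be reversed by hashing a list of candidate names or numbers, because the attacker in the development environment does not hold the key; the trade-off is that the key must be managed as carefully as the production data itself.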

Appendix G Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems or networks.

In some areas, computer accounts are managed fairly well at USCIS. USCIS is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account. Furthermore, an FSN account and a U.S. citizen federal employee account cannot be distinguished once it is created. Although account naming conventions are dictated by DHS and the U.S. Department of State, USCIS could request a naming convention to differentiate between FSN and U.S. citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore, USCIS has no visibility into who has access to its systems. Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR. Dormant accounts provide a convenient, unknown access path for current and former employees to use for illicit activity.

A lack of consistency exists in the application of account management practices under the control of USCIS. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.

Area of Concern: Account Establishment
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: In order for FSNs to gain access to USCIS systems, they must submit paperwork through proper channels, which eventually requires authorization by the CSO and CIO of DHS.
Policy or Practice Gaps: Prior to 2007, waiver paperwork for FSNs requesting account access was not submitted consistently. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.
Suggested Countermeasures: USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.

Responsible Personnel: Information Technology
Policy or Practice Gaps: Different personnel are responsible for account creation and deletion across the entire enterprise, depending on the system or network in question. Database administrators may be able to create and delete database and application accounts without a second person verifying that action.
Suggested Countermeasures: Because database administrators have access to such critical data, USCIS should consider separating the task of authorizing access to USCIS databases from the task of managing the data in the databases. This separation of duties may reduce the risk of a database administrator creating an unauthorized account and using that account to carry out a malicious act.

Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: A computer account is established only after a number of criteria have been met, including security awareness training. In addition to the steps required of all personnel for account access, contractors have to go through extra steps, some of which include verification by the COTR.
Policy or Practice Gaps: Computer account access is sometimes granted before security awareness training is completed. This practice may be true especially for contractors, since the onboarding process depends on the contracting agency and the COTR to verify that the training is completed.
Suggested Countermeasures: USCIS should consider requiring computer security awareness training for all personnel – full-time employees, part-time employees, and contractors – and verify that it is complete before creating any system accounts for these personnel.

Area of Concern: Account Management General
Responsible Personnel: Information Technology
Policy and/or Security Measure: PICS is administered by ICE, which has over 2,000 LPOs across various components of DHS. These LPOs are responsible for granting authorized access to PICS for the personnel at their respective work sites. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system.
Policy or Practice Gaps: Although the PICS account process requires the account to be linked to a valid employee, PICS administrators could create unauthorized accounts in the name of valid employees without their knowledge. Invalid accounts are typically flagged only when the account is dormant for a certain period of time. An LPO can also assign rights for any system controlled by PICS. Furthermore, ICE administers this system and could affect USCIS records unbeknownst to USCIS.
Suggested Countermeasures: In 12 of the cases documented in the CERT Insider Threat Case database, insufficient account management enabled the insiders to commit their crimes. USCIS should consider conducting account audits at the local site level, which would allow the validation of current PICS accounts and roles versus current PICS employee lists. USCIS should explore a means of segregating account management in PICS so that LPOs can administer accounts only for their own organization's systems. In other words, USCIS LPOs would only be able to administer authorizations for USCIS systems in PICS, and ICE LPOs would only be able to administer authorizations for ICE systems.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Account management is handled by a number of different groups across USCIS. Although there is an effort to centralize account management, local and regional offices of USCIS have historically done their own account management. If an account has not been used for a certain period of time, it is automatically disabled. The time period stated by various interviewees varied from 30, 60, or 90 days.

Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: When an employee moves from one position to another or transfers to another department, the management in those departments must initiate the required computer account changes.
Policy or Practice Gaps: The issue of account management for employee transfers is not being addressed in a consistent manner. The OIT relies on notification by either the new or old supervisor when an employee transfers, but there have been cases in USCIS in which employees have retained access when they should not have.
Suggested Countermeasures: Six insiders documented in the CERT Insider Threat Case database were able to carry out their illegal activities because of "privilege creep." USCIS should review account management procedures to ensure that the steps currently taken to remove or alter account access are complete and being consistently followed. In particular, the procedures used when someone changes locations or departments within USCIS should be examined. As employees transfer throughout an agency they should not be accumulating privileges. They should only retain privileges commensurate with their job responsibilities.

Area of Concern: Changing Password of Shared Account Upon Termination
Responsible Personnel: Information Technology
Policy and/or Security Measure: There are operating system images used throughout USCIS that permit an administrator to install a standard configuration of an operating system and accompanying software.
Policy or Practice Gaps: Though it would require physical access to a USCIS machine, that former administrator would have administrator rights to GFE.
Suggested Countermeasures: Twelve percent (46) of the insiders documented in the CERT Insider Threat Case database used system administrator privileges to sabotage systems or data. Shared accounts were used by insiders following termination in 14 cases. Although an administrator would need physical access to a piece of equipment, the lack of consistency and awareness of the standard procedures may permit the account of an insider to be used following termination.

Area of Concern: Disabling Accounts or Connections Upon Employee Termination
Responsible Personnel: USCIS Leadership, Information Technology, Human Resources
Policy and/or Security Measure: The OIT typically is notified of an account termination in one of three ways: 1) A standard form called an exit clearance form is distributed and signed by other parties such as Human Resources and the Office of Security and Integrity (OSI). This form lets the OIT know that an employee's accounts should be disabled or terminated. 2) The supervisor of the departing employee contacts the OIT directly and informs them of the employee's departure. 3) When a contractor is involved, it is the responsibility of the COTR to inform the OIT. The OIT receives an "attrition list" every 2 weeks. When this list is received, a manual check is done to ensure that employees who have departed in the last 2 weeks have their account access deleted.
Policy or Practice Gaps: It is clear from interviews with USCIS personnel that a single process is neither understood nor followed for disabling accounts following an employee or contractor termination. The procedures used are not consistent between supervisors or field offices and for federal employees versus contractors. Sometimes the exit clearance form makes it to the OIT and sometimes it does not. The OIT's task is made even more difficult by the fact that it would need to know exactly which accounts an individual has access to. Though this process is fairly effective, it potentially allows unauthorized access for 2 weeks following termination. Because this is a manual process, there is currently no automatic way to ensure that it happens. USCIS personnel cited an instance in which these procedures failed for an employee who was terminated as a contractor and later hired as a federal employee.
Suggested Countermeasures: Terminating accounts even 2 weeks following termination may not be enough to prevent unauthorized or criminal activity. As soon as HR is aware of the change, a more automated mechanism of deleting these accounts should be implemented.

Area of Concern: Disabling Accounts or Connections During Employee Leave of Absences
Responsible Personnel: Information Technology, Human Resources
Policy and/or Security Measure: LPOs work in their respective regions or offices and are decentralized by nature. The policies and procedures followed often depend on how things have been done historically in that particular office.
Policy or Practice Gaps: Because account authorization procedures are not standardized throughout all organizations using the PICS, LPOs across the entire USCIS enterprise have not been consistent in how they have handled account deletion following employee termination. There is no official guidance or practice in the proper way to suspend access for an employee on a leave of absence. In one case provided by USCIS, an employee retained access to critical systems even after being placed on an administrative leave of absence.
Suggested Countermeasures: USCIS should continue its efforts to centralize or reduce the number of LPOs in order for standard procedures to be followed. If this cannot be accomplished, standard procedures should be published, instructed, and consistently enforced. A few insiders documented in the CERT Insider Threat Case database retained access to organization systems while on a leave of absence and used that access to steal information or commit fraud. USCIS should implement a policy to outline exactly what should be done when a government employee or contractor goes on a leave of absence, considering the risks versus benefits of allowing system access.

Area of Concern: Sharing Account and Password Information
Responsible Personnel: Information Technology
Policy or Practice Gaps: Although concern has been expressed about the existence of these accounts, the business justification has taken precedence over the risk being assumed.
Suggested Countermeasures: Access to these accounts should be carefully documented and tracked so that credentials can be changed if someone in that restricted group no longer warrants access.
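The Account Management narrative and the table rows above call for account audits, timely disabling on termination, leave and transfer, a second person verifying account creation, and automatic disabling of dormant accounts. As an added example, not code from the report or from USCIS, the Python script below reconciles a constructed account inventory against a constructed HR roster and raises exactly those findings. The 90-day dormancy threshold is an assumption picked from the 30, 60 or 90 days quoted by interviewees; the usernames, departments and the department-prefixed role naming are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]
    created_by: str               # administrator who created the account
    approved_by: Optional[str]    # second person who authorized it, if any
    roles: frozenset              # role names prefixed by owning department, e.g. "benefits:adjudicate"


@dataclass(frozen=True)
class Person:
    username: str
    status: str                   # "active", "terminated" or "leave"
    department: str


DORMANT_DAYS = 90   # assumption: interviewees quoted 30, 60 or 90 days


def audit_account(acct: Account, roster: dict, today: date, dormant_days: int = DORMANT_DAYS) -> list:
    """Return the findings for one account; an empty list means nothing to act on."""
    findings = []
    person = roster.get(acct.username)
    if person is None:
        findings.append("no roster entry (orphan or legacy account)")
    elif acct.enabled and person.status == "terminated":
        findings.append("enabled after termination")
    elif acct.enabled and person.status == "leave":
        findings.append("enabled during leave of absence")
    # Dormancy: an enabled account nobody has used for longer than the threshold.
    if acct.enabled and acct.last_login is not None and (today - acct.last_login).days > dormant_days:
        findings.append(f"dormant for more than {dormant_days} days")
    # Two-person rule on creation: the approver must exist and differ from the creator.
    if acct.approved_by is None or acct.approved_by == acct.created_by:
        findings.append("creation not approved by a second person")
    # Privilege creep: roles owned by a department the person no longer belongs to.
    if person is not None:
        foreign = sorted(r for r in acct.roles if r.split(":", 1)[0] != person.department)
        if foreign:
            findings.append("roles outside current department: " + ", ".join(foreign))
    return findings


def audit(accounts, people, today: date, dormant_days: int = DORMANT_DAYS) -> dict:
    """Map username -> findings for every account that needs attention."""
    roster = {p.username: p for p in people}
    report = {}
    for acct in accounts:
        findings = audit_account(acct, roster, today, dormant_days)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample data (not real USCIS accounts or people).
TODAY = date(2010, 12, 1)
PEOPLE = [
    Person("jdoe", "active", "benefits"),
    Person("rroe", "terminated", "benefits"),
    Person("mmoe", "active", "fraud"),          # transferred from benefits to fraud
    Person("ttoe", "leave", "benefits"),
    Person("ppoe", "terminated", "benefits"),
]
ACCOUNTS = [
    Account("jdoe", True, date(2010, 11, 29), "lpo.smith", "sup.jones", frozenset({"benefits:adjudicate"})),
    Account("rroe", True, date(2010, 11, 20), "lpo.smith", "sup.jones", frozenset({"benefits:adjudicate"})),
    Account("mmoe", True, date(2010, 11, 30), "lpo.smith", "sup.jones",
            frozenset({"fraud:investigate", "benefits:adjudicate"})),
    Account("ttoe", True, date(2010, 8, 1), "lpo.smith", "sup.jones", frozenset({"benefits:adjudicate"})),
    Account("dbadmin2", True, date(2010, 11, 30), "dba.lee", "dba.lee", frozenset({"db:admin"})),
    Account("ppoe", False, date(2010, 10, 1), "lpo.smith", "sup.jones", frozenset({"benefits:adjudicate"})),
]

if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, PEOPLE, TODAY).items():
        print(user, findings)
```

The audit is only as good as the roster it is reconciled against, which is the point the report makes about the OIT needing to know exactly which accounts a person holds: the HR status feed and the account inventory have to be joined on a reliable key, here the username, for any of these checks to fire.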

Acc

ess

Cont

rol

An

orga

niza

tionrsquo

sla

cko

fsuf

ficie

nta

cces

sco

ntro

lmec

hani

sms

was

ac

omm

onth

eme

inm

any

ofth

ein

side

rth

reat

cas

ese

xam

ined

by

CERT

In

si

ders

hav

ebe

ena

ble

toe

xplo

itex

cess

ive

priv

ilege

sto

gai

nac

cess

tos

yste

ms

and

info

rmat

ion

they

oth

erw

ise

wou

ldn

oth

ave

been

aut

hori

zed

toa

cces

sA

dditi

onal

lyi

nsid

ers

have

bee

nkn

own

tou

ser

emot

eac

cess

aft

erte

rmin

atio

nto

att

ack

ano

rgan

izat

ionrsquo

sin

tern

aln

etw

ork

Org

ani

zatio

nss

houl

den

sure

that

net

wor

km

onito

ring

and

logg

ing

ise

nabl

edfo

rex

tern

ala

cces

sM

onito

ring

ofn

etw

ork

activ

ityis

ext

rem

ely

impo

rta

nte

spec

ially

inth

epe

riod

bet

wee

nem

ploy

eer

esig

natio

nan

dte

rmin

atio

n

Giv

enth

edi

stri

bute

dna

ture

ofa

cces

sau

thor

izat

ion

via

PICS

ICE

and

the

US

Dep

artm

ento

fSta

ten

onU

SCIS

em

ploy

ees

and

cont

ract

ors

coul

dbe

gra

nted

acc

ess

toU

SCIS

cri

tical

sys

tem

sI

tis

poss

ible

that

the

non

USC

ISe

mpl

oyee

san

dco

ntra

ctor

sha

ven

otb

een

thro

ugh

the

rigo

rous

pr

eem

ploy

men

tscr

eeni

ngr

equi

red

ofU

SCIS

em

ploy

ees

and

cont

ract

ors

par

ticul

arly

thos

egr

ante

dac

cess

thro

ugh

the

US

Dep

artm

ento

fSta

te

for

acce

ssfr

ome

mba

ssie

sov

erse

as

USC

ISs

houl

dco

nsid

erth

eri

skth

ese

insi

ders

pos

eto

the

prot

ectio

nof

the

criti

calU

SCIS

dat

aan

dsy

stem

s

and

impl

emen

tpro

tect

ion

mec

hani

sms

toli

mit

the

dam

age

that

thes

ein

side

rsm

ight

cau

se

CERT | SOFTWARE ENGINEERING INSTITUTE | 82

Oth

era

cces

sco

ntro

liss

ues

that

sho

uld

bec

onsi

dere

din

clud

eun

rest

rict

eda

cces

sto

som

ecr

itica

lsys

tem

sby

OIT

sta

ffl

ack

ofc

onsi

sten

tpro

ces

ses

for

man

agin

gem

ploy

eea

cces

sas

they

mov

efr

omo

ned

epar

tmen

tto

the

next

with

inU

SCIS

abi

lity

tou

sep

erso

nalc

ompu

ters

for

USC

IS

wor

ka

ndla

cko

fmon

itori

nga

ndc

ontr

ols

for

som

ecr

itica

lsys

tem

adm

inis

trat

ion

func

tions

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sA

cces

sCo

ntro

l

Fore

ign

Serv

ice

Nat

iona

ls

Info

rmat

ion

Tech

nolo

gy

Hum

anR

esou

rces

O

ffic

eof

Sec

urit

yan

dIn

te

grit

y

Curr

ently

aF

orei

gnS

ervi

ceN

atio

nal

(FSN

)req

uiri

nga

cces

sto

USC

ISs

ys

tem

ssu

bmits

pap

erw

ork

incl

udin

ga

wai

ver

thro

ugh

the

USC

ISd

irec

tor

and

the

CIO

and

CSO

ofD

HS

Alth

ough

the

asse

ssm

entt

eam

was

ab

leto

get

lim

ited

visi

bilit

yin

toth

is

prac

tice

its

eem

sto

be

alig

ned

with

th

epo

licy

Ift

rue

ith

asg

iven

USC

IS

and

DH

Sbe

tter

vis

ibili

tyin

toth

isa

ctiv

ity

The

prac

tice

shou

ldb

eco

ntin

ued

and

expa

nded

as

need

edto

in

form

all

rele

vant

USC

ISp

erso

nne

l

Info

rmat

ion

Tech

nolo

gy

Hum

anR

esou

rces

Pe

rson

nelS

ecur

ity

Off

ice

ofS

ecur

ity

and

In

tegr

ity

Whe

nFS

Ns

requ

ire

acce

ssto

USC

IS

syst

ems

ine

mba

ssie

san

dco

nsul

ates

ab

road

the

yar

eve

tted

by

the

US

D

epar

tmen

tofS

tate

Beca

use

the

US

Dep

artm

ento

fSta

te

isp

erfo

rmin

gth

eve

ttin

gpr

oces

s

USC

ISh

asv

ery

little

con

trol

or

visi

bil

ityin

toth

epr

oces

sfo

rgr

antin

gFS

Ns

acce

ssto

USC

ISs

yste

ms

and

net

wor

ks

Inte

rvie

wee

sst

ated

that

in

som

eca

ses

FSN

sha

vea

dmin

istr

ativ

eco

ntro

love

rso

me

syst

ems

and

that

in

oth

erc

ases

the

yar

ese

rvin

gas

in

form

atio

nsy

stem

sec

urity

off

icer

s(IS

SOs)

USC

ISs

houl

dga

ina

bet

ter

un

ders

tand

ing

ofth

eU

SD

epar

tm

ento

fSta

tersquos

vet

ting

proc

ess

and

clar

ifyit

sow

nre

quir

emen

ts

for

gran

ting

and

trac

king

acc

ess

for

FSN

sto

USC

ISs

yste

ms

If

cont

inue

dac

cess

isr

equi

red

the

proc

edur

esto

doc

umen

tand

co

ntro

ltha

tacc

ess

shou

ldb

ene

gotia

ted

with

the

US

De

part

men

tofS

tate

and

con

sis

tent

lye

nfor

ced

Info

rmat

ion

Tech

nolo

gy

Onc

ea

trad

ition

alu

ser

acco

unti

scr

eate

dth

ere

isli

ttle

ton

ow

ayto

di

stin

guis

han

FSN

acc

ount

from

one

be

long

ing

toa

US

citi

zen

Beca

use

anF

SNa

ccou

ntis

not

dis

tin

guis

habl

efr

omo

ther

acc

ount

sit

w

ould

be

extr

emel

ydi

ffic

ultt

oas

so

ciat

esp

ecifi

con

line

activ

ities

with

ac

coun

tsb

elon

ging

toF

SNs

Em

ail

USC

ISs

houl

dco

nsid

erw

heth

er

orn

otit

wan

tsth

eab

ility

tod

is

tingu

ish

wha

tonl

ine

activ

ities

an

dac

cess

esF

SNs

are

enga

ging

in

If

soi

tsho

uld

inco

rpor

ate

CERT | SOFTWARE ENGINEERING INSTITUTE | 83

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sad

dres

ses

appe

arth

esa

me

and

viol

atio

nac

tiviti

esw

ould

not

eas

ilyb

eat

trib

uted

toa

nFS

N

thos

est

eps

into

the

proc

edur

es

men

tione

dab

ove

Responsible Personnel: Information Technology

DHS is in the process of building a secure intranet called OneNet, which will better enable information sharing among DHS components. This project will be enabled by interconnection agreements between segments. Once the appropriate interconnection agreements are in place, it will be harder to restrict access for FSNs to specific systems (e.g., SharePoint).

Suggested Countermeasures: USCIS should make a determination about whether or not FSN access should be any different from other similar accounts of US citizens. If the lack of restrictions is unacceptable, that issue should be brought to DHS personnel responsible for implementing the OneNet solution.

Area of Concern: Access controls

There are business processes and resources (e.g., PICS, CLAIMS 3 and CLAIMS 4) that are shared with ICE. This partnership is an artifact of the past and current relationships between departments within DHS. For these shared resources to function properly they require careful coordination, which does not take place in all cases. For example, USCIS does not receive a copy of the formal access request submitted to ICE for an ICE employee to access a USCIS system.

Suggested Countermeasures: USCIS should carefully document what access is being granted to any parties external to USCIS. If additional coordination is required, it should be done with the relevant departments of DHS.

For certain information systems, local and remote logins are not permitted between the hours of 11:30 p.m. and 6:00 a.m. This practice closely adheres to the policy for specific systems. Enforcing a mandatory access period may help ensure that a malicious insider is not using systems when supervision is lessened. Eight percent (29) of the insiders documented in the CERT Insider Threat Case database used access outside of normal working hours to carry out their illicit activities.

When an employee attempts to log in to a restricted system during off-peak hours, an automatic email notice is sent by the OIT to persons in the employee's management chain of command. This practice is not consistent across all systems and is not part of other incident response procedures.

Suggested Countermeasures: USCIS should consider implementing this practice into the larger system of incident response, to include correlation with other events and over a period of time.
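The off-hours login notice described above, extended with the correlation over a period of time that the countermeasure asks for, as an added example in Python (not code from the CERT assessment or from USCIS): the restricted system names, the log format, the 14-day period and the repeat threshold are assumptions, and the log lines are constructed.

```python
"""Off-hours access detection with correlation over a period of time."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Systems whose policy forbids local and remote logins in the overnight window.
# Names, window and thresholds are constructed for this example.
RESTRICTED_SYSTEMS = {"claims3", "nfts"}
WINDOW_START = time(23, 30)   # 11:30 p.m.
WINDOW_END = time(6, 0)       # 6:00 a.m.
CORRELATION_DAYS = 14         # period over which repeated attempts are counted
REPEAT_THRESHOLD = 3          # off-hours attempts by one user within that period

# Constructed log lines: <ISO timestamp> <event> key=value ...
SAMPLE_LOG = [
    "2010-11-01T23:45:00 login user=u1 system=claims3 result=ok",
    "2010-11-02T00:10:00 login_failed user=u1 system=claims3",
    "2010-11-02T09:00:00 login user=u2 system=claims3 result=ok",
    "2010-11-03T01:00:00 login user=u1 system=claims3 result=ok",
    "2010-11-03T01:20:00 bulk_export user=u1 system=claims3 detail=420records",
    "2010-11-04T05:30:00 login user=u3 system=email result=ok",
    "2010-11-05T23:50:00 login user=u1 system=claims3 result=ok",
    "2010-11-06T02:00:00 login user=u2 system=nfts result=ok",
]


def is_off_hours(ts: datetime) -> bool:
    """True when ts falls in the overnight window, which wraps past midnight."""
    t = ts.time()
    return t >= WINDOW_START or t < WINDOW_END


def parse_line(line: str) -> dict:
    """Split one constructed log line into a record with a datetime 'ts'."""
    ts_str, event, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str), "event": event}
    for item in kv:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def detect(lines):
    """Return (notices, correlated).

    notices:    one entry per off-hours login attempt on a restricted system;
                this is the existing practice of emailing the management chain.
    correlated: per-user findings where REPEAT_THRESHOLD or more off-hours
                attempts fall within CORRELATION_DAYS, listing the other
                events (failed logins, bulk exports) by that user in the period.
    """
    records = sorted((parse_line(line) for line in lines), key=lambda r: r["ts"])
    notices = []
    off_hours_by_user = defaultdict(list)
    other_by_user = defaultdict(list)
    for r in records:
        if (r["event"] == "login" and r.get("system") in RESTRICTED_SYSTEMS
                and is_off_hours(r["ts"])):
            notices.append({"user": r["user"], "system": r["system"],
                            "ts": r["ts"], "result": r.get("result")})
            off_hours_by_user[r["user"]].append(r["ts"])
        elif r["event"] in ("login_failed", "bulk_export"):
            other_by_user[r["user"]].append(r)

    correlated = []
    period = timedelta(days=CORRELATION_DAYS)
    for user, stamps in off_hours_by_user.items():
        for i, start in enumerate(stamps):
            in_window = [s for s in stamps[i:] if s - start <= period]
            if len(in_window) < REPEAT_THRESHOLD:
                continue
            end = in_window[-1]
            related = [o["event"] for o in other_by_user[user] if start <= o["ts"] <= end]
            correlated.append({"user": user, "attempts": len(in_window),
                               "from": start, "to": end, "related_events": related})
            break   # one finding per user is enough for the notice
    return notices, correlated


if __name__ == "__main__":
    found, grouped = detect(SAMPLE_LOG)
    for n in found:
        print(f"notify management chain of {n['user']}: off-hours login on {n['system']} at {n['ts']}")
    for c in grouped:
        print(f"correlated: {c}")
```

On the constructed log, u1 produces three per-attempt notices and one correlated finding that ties them to a failed login and a bulk export in the same period, while the single off-hours login by u2 produces a notice only.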

Area of Concern: Access Privileges – General

Responsible Personnel: USCIS Leadership; Information Technology

Policy and/or Security Measure: At the Vermont Service Center, OIT staff are the only ones present late at night. As part of their duties, they also have electronic access to the CLAIMS 3 information system.

Policy or Practice Gaps: As a function of the electronic access and the physical layout of the Service Center, OIT personnel have access to CLAIMS 3 as well as the physical files in the building.

Suggested Countermeasures: USCIS should consider the minimum level of access (least privilege) needed for all personnel to accomplish their job duties. Thirteen percent (49) of the insiders documented in the CERT Insider Threat Case database violated a need to know in order to perpetrate their crimes, including stealing PII and proprietary information. In addition, several insiders committed their crimes while working on the night shift, where they enjoyed a reduced level of scrutiny. Unrestricted electronic and physical access to such high-risk data and systems outside of normal working hours presents a high degree of risk to USCIS.

Area of Concern: Access Privileges – System Administrator

Responsible Personnel: Information Technology; Office of Security and Integrity

Policy and/or Security Measure: The US Department of State Consular Affairs network grants access to FSNs working in embassies and consulates, and it connects to USCIS systems.

Policy or Practice Gaps: According to one interviewee, some FSNs on the Consular Affairs network are suspected to be working for arms of foreign intelligence or security agencies. USCIS has used technical methods (e.g., firewalls) to ensure that USCIS systems are protected from any interconnections with the US Department of State's networks.

Suggested Countermeasures: Since USCIS cannot determine what access the US Department of State grants to FSNs on its systems, USCIS should continue to use technical measures to prevent unauthorized access while working with counterintelligence personnel to deal with suspected foreign agents working around US government facilities.

Policy and/or Security Measure: There is a single person who has the knowledge of and responsibility for administering the voicemail systems.

Policy or Practice Gaps: This single point of failure makes it difficult to recover from a malicious act on this particular system.

Suggested Countermeasures: A few insiders in the cases analyzed by CERT used their unrevoked access to the organization's phone system to harm the organization. In one case the entire customer service voicemail system was redirected to a pornographic phone site. In another, derogatory comments about the organization were recorded and played for every voicemail box. USCIS should place additional staff in the role of administrators for the USCIS voicemail system. This would allow USCIS to implement some form of separation of duties or, at the very least, minimal checks and balances to prevent tampering with the voicemail system.

USCIS should ensure that it manages accounts and passwords for internal systems such as voicemail as well as external accounts. One insider documented in the CERT Insider Threat Case database changed the domain name system registry for his organization's website so that visitors were sent to a pornographic website. These types of accounts are used very infrequently and are often not included in formal termination procedures.

Area of Concern: Management of Remote Access

Responsible Personnel: Information Technology; Security Network Operations Center

Policy and/or Security Measure: Port security would prevent a user from connecting a personal machine directly to a USCIS network. This security mechanism is handled by the SNOC. Remote access, on the other hand, is handled by DHS. USCIS has access to very limited information, including logs for remote connections, because of contract stipulations with Sprint. The assessment team received conflicting opinions about whether a personal machine could be connected with a remote account.

Policy or Practice Gaps: Although connecting a personal laptop to a USCIS network via a remote connection may or may not be blocked, the SNOC was not confident it would be blocked because it does not control that access. It is possible that a user could connect with a personal machine if DHS allowed it.

Suggested Countermeasures: USCIS should coordinate with DHS personnel to ensure that desired USCIS security policies are enforced for personnel accessing USCIS systems and data. Seven percent (26) of the insiders documented in the CERT Insider Threat Case database were able to attack in part because of insufficient monitoring of external access.

Responsible Personnel: USCIS Leadership; Information Technology

Policy or Practice Gaps: The contractors responsible for VIS have implemented a strict access control solution with Firepass, and it appears to accomplish its goal of ensuring that only the proper personnel are granted access and that they perform authorized actions once they are connected. Unfortunately, they are the only contractors and system using Firepass, and it will not be used once the move is made to Stennis Space Center. They are unsure of what controls will be used at Stennis.

Suggested Countermeasures: Implementing a Firepass solution for all USCIS systems might not be cost effective. USCIS management should at least examine the risk posed to the most critical systems and implement a Firepass-like solution for those that require remote access. As stated above, one in ten insiders documented in the CERT Insider Threat Case database used the creation of unknown paths into organization systems; proper measures might have prevented many of those instances.

Area of Concern: Non-System Administrators With Authorized Access to Administrator Accounts

Responsible Personnel: USCIS Leadership; Information Technology

Policy and/or Security Measure: According to one interviewee, FSNs are system administrators on some US Department of State systems in embassies or consulates abroad. The US Department of State has authorized access for some FSNs to some USCIS systems needed for the performance of their duties.

Policy or Practice Gaps: An FSN who is a system administrator for US Department of State systems does not necessarily have administrator rights on USCIS systems. One interviewee expressed concern, however, that an administrator who is a citizen of a foreign country could escalate privileges or use social engineering tactics to gain unauthorized access to USCIS systems.

Suggested Countermeasures: Ten percent (39) of insiders documented in the CERT Insider Threat Case database took advantage of insufficient access controls to conduct their crimes. USCIS should examine USCIS system access for US Department of State system administrators, as well as how those connections are monitored or logged. They should also work with the US Department of State to understand its processes for granting FSNs access to US Department of State systems.

Responsible Personnel: USCIS Leadership; Information Technology

Policy and/or Security Measure: There are currently no limits on A-files an adjudicator can request in the National File Tracking System (NFTS).

Policy or Practice Gaps: The lack of limits placed on requesting A-files in NFTS may allow adjudicators to request a file by name even if they should not be accessing that file.

Suggested Countermeasures: There should be logical controls which detect "extraordinary" or suspicious file transfer requests. In one USCIS case the insider requested a file transfer to a region for an individual whose files were in another region and whose forms had been previously denied.

Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating insider threat risk to organizations. A variety of insider threat cases studied by CERT [...] malicious insiders used [...] the download of information to portable media or [...] unauthorized [...] attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure [...] that employees understand what constitutes acceptable use of company resources, including information assets [...] and enforce [...] policies regarding what [...] compliance through technical means. The unauthorized exfiltration of controlled information can have devastating effects on an organization. In some instances malicious insiders carried out an attack [...] anomalous increase in network [...] amounts of data downloaded [...] storage devices [...] circumstances in which internal [...]. [...] implemented network monitoring strategies that would detect large [...] network traffic by total volume or type of traffic (e.g., by either port or protocol) [...]; monitoring network traffic may help protect controlled [information ...].

Area of Concern: Data Downloads to Portable Media

Responsible Personnel: Information Technology

Area of Concern: Data Downloads From Home

Policy and/or Security Measure: There is a policy [...] against using personally owned computer equipment to perform official duties for USCIS. Telework should only be done with [...] government furnished equipment (GFE) [...]

Policy or Practice Gaps: A case from the USCIS CT Task Force showed that [...] performed a significant amount of official business, including [...], on his personal laptop [...] personal email [...] on his personal systems [...]

Suggested Countermeasures: 1) Exceptions [...] that are technically [...] should be [...]. 2) If USB [...] devices [...] logged [...] security awareness campaign [...] audit [...]

[...] develop a system that he was rewarded for producing. There are no technical controls to catch this activity unless the device is physically plugged into the network.

Area of Concern: Protecting Critical Information

Responsible Personnel: Information Technology

Policy and/or Security Measure: The SNOC responds to spills of PII, which occur on a weekly basis. Files and information about the incident are transferred from the data owner who becomes aware of the spill to the OSI, which creates a Serious Incident Report (SIR) that it forwards to the Privacy Officer and finally to the SNOC.

Policy or Practice Gaps: USCIS responds to PII spillages often enough that its staff is well versed in response procedures. Unfortunately, the frequency with which incidents occur and the response procedures in place do not seem to reduce the number of incidents or provide automated detection when spillage occurs. The response effort to a PII spillage involves many parties and appears to be a complicated process for an event that happens on a weekly basis. Though these spillages are accidental events [...]

Suggested Countermeasures: USCIS should continue this practice as part of its incident response procedures. Incorporating an appropriate level of monitoring would also be a prudent measure.

Policy or Practice Gaps: This practice appears to be done consistently.

Policy and/or Security Measure: Access to network resources is terminated immediately when a spill or misconduct is suspected.

Responsible Personnel: Information Technology

Audit, Monitor, Backup, Recovery

Insider threat research conducted by CERT has shown that logging, monitoring and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats. Preventing insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected and tested to ensure business continuity in the event of damage to or loss of centralized data.

In addition, the SNOC lacks the resources to focus on monitoring for suspicious insider activity, focusing instead primarily on protection from external incidents.

Area of Concern: Modification / Disabling Log Files

Responsible Personnel: Information Technology

Policy and/or Security Measure: Log files are accessible by the domain administrators and system administrators of each respective system.

Policy or Practice Gaps: The lack of consistency for what is logged across USCIS servers, systems, applications and workstations is concerning. Several parties addressed [...]

Suggested Countermeasures: USCIS should send critical logs to a centralized log server and protect the log files to permit a forensic reconstruction of network or host based events. Although six percent (23) of the insiders documented in the CERT Insider Threat Case database were able to modify or disable log files [...]

Area of Concern: Monitoring Suspicious Activity

Responsible Personnel: Information Technology

Policy or Practice Gaps: [Logs] are sometimes limited to 24 hours or less of collection [...] the fact that IT personnel must be able to physically reach a machine in a timely fashion if they hope to capture logs related to an incident. This assumption makes it likely that critical log information will be missed.

Policy and/or Security Measure: Database administrators are responsible for monitoring and alerting when data access attempts are made to critical data in USCIS databases.

Responsible Personnel: Information Technology

Suggested Countermeasures: USCIS should consider clearly defining the responsibility of database administrators and the SNOC for monitoring, alerting and responding to unauthorized data access. Once the responsibility is assigned, the appropriate groups should diligently prevent, detect and respond to unauthorized data access, modification and exfiltration attempts.

Responsible Personnel: Information Technology

Policy and/or Security Measure: USCIS has the ability to create inbound firewall rules to filter potentially malicious network traffic. No evidence provided.

Policy or Practice Gaps: Network traffic filtering is happening only on inbound traffic, not outbound traffic. The resources do not exist to examine outbound traffic, only inbound traffic. Furthermore, the intrusion detection systems are not optimized to detect security events.

Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that monitors and filters inbound and outbound network traffic. This strategy may prevent or detect the unauthorized transfer of USCIS data outside the organization. Many insiders documented in the CERT Insider Threat Case database were able to commit their malicious activities using laptops.
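The outbound monitoring the countermeasure above calls for, detecting unauthorized transfers by total volume against a host's own baseline and by traffic type (port and protocol), as an added Python example that is not the SNOC's or USCIS's tooling: the flow record format, the approved port list, the volume factor and the minimum byte count are assumptions, and the flow records are constructed.

```python
"""Outbound transfer detection by volume and by traffic type."""
from collections import defaultdict
from statistics import median

# Port/protocol pairs through which outbound data is expected to leave (constructed).
APPROVED_OUTBOUND = {("tcp", 443), ("tcp", 80), ("udp", 53), ("tcp", 25)}
VOLUME_FACTOR = 5.0        # flag a day above FACTOR x the host's own median
MIN_BYTES = 50_000_000     # ignore small absolute volumes even when the ratio is high

# Constructed flow records: <date> <src host> <dst> <proto> <dport> <bytes> <direction>
SAMPLE_FLOWS = [
    "2010-11-01 ws-101 203.0.113.10 tcp 443 10000000 out",
    "2010-11-02 ws-101 203.0.113.10 tcp 443 12000000 out",
    "2010-11-03 ws-101 203.0.113.10 tcp 443 9000000 out",
    "2010-11-04 ws-101 203.0.113.10 tcp 443 11000000 out",
    "2010-11-05 ws-101 203.0.113.77 tcp 443 120000000 out",
    "2010-11-05 ws-101 203.0.113.77 tcp 443 300000000 in",
    "2010-11-01 ws-102 203.0.113.10 tcp 443 8000000 out",
    "2010-11-02 ws-102 203.0.113.10 tcp 443 8000000 out",
    "2010-11-03 ws-102 203.0.113.10 tcp 443 8000000 out",
    "2010-11-04 ws-102 203.0.113.10 tcp 443 8000000 out",
    "2010-11-05 ws-102 203.0.113.10 tcp 443 8000000 out",
    "2010-11-05 ws-102 198.51.100.5 tcp 22 2000000 out",
]


def parse_flow(line: str) -> dict:
    """Split one constructed flow record into a dict with numeric port and bytes."""
    date, src, dst, proto, dport, nbytes, direction = line.split()
    return {"date": date, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes), "direction": direction}


def daily_outbound(flows):
    """Outbound bytes per (host, date); inbound flows are ignored here."""
    totals = defaultdict(int)
    for f in flows:
        if f["direction"] == "out":
            totals[(f["src"], f["date"])] += f["bytes"]
    return totals


def volume_anomalies(flows, day):
    """Hosts whose outbound bytes on `day` exceed VOLUME_FACTOR x the median of
    their earlier days (ISO dates compare correctly as strings)."""
    totals = daily_outbound(flows)
    findings = []
    for host in sorted({h for (h, _) in totals}):
        today = totals.get((host, day), 0)
        prior = [b for (h, d), b in totals.items() if h == host and d < day]
        if not prior or today < MIN_BYTES:
            continue
        base = median(prior)
        if today > VOLUME_FACTOR * base:
            findings.append({"host": host, "date": day, "bytes": today, "baseline": base})
    return findings


def type_anomalies(flows):
    """Outbound flows on a port/protocol outside the approved set."""
    return [f for f in flows
            if f["direction"] == "out" and (f["proto"], f["dport"]) not in APPROVED_OUTBOUND]


def report(lines, day):
    """Both checks over raw flow lines for one day; the volume check uses the
    earlier days in the same input as the baseline."""
    flows = [parse_flow(line) for line in lines]
    return {"volume": volume_anomalies(flows, day), "type": type_anomalies(flows)}


if __name__ == "__main__":
    for kind, items in report(SAMPLE_FLOWS, "2010-11-05").items():
        for item in items:
            print(kind, item)
```

On the constructed flows, ws-101 is flagged for a 120 MB outbound day against a 10.5 MB baseline, the 300 MB inbound flow is ignored, and ws-102's small SSH flow is flagged on type rather than volume.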

Responsible Personnel: Information Technology

Policy and/or Security Measure: The SNOC is responsible for determining the root cause of an incident, including using forensic tools to identify affected workstations, desktops and laptops.

Policy or Practice Gaps: The SNOC has had problems identifying the root cause of an affected workstation or user because of the lack of network forensic applications. Ideally the SNOC should be able to trace network traffic from source to destination and watch activity. It has a standalone forensic capability but nothing on the network.

Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that includes forensic tools to aid investigations.

Area of Concern: Backups

Responsible Personnel: Information Technology

Policy and/or Security Measure: Backup testing for many systems occurs once per year. In some cases the backups are only tested with a tabletop exercise and do not use similar or identical hardware to that used in the production environment.

Policy or Practice Gaps: Tabletop exercises may not give USCIS a true indication of its ability to recover from a systemic failure. When possible, backups should be implemented on similar hardware to ensure that the backup tape is functional and the backup is operational.

Suggested Countermeasures: In six percent (22) of the cases documented in the CERT Insider Threat Case database the impact of the crime was magnified because of insufficient backups.

Responsible Personnel: Information Technology

Policy and/or Security Measure: Years of backup tapes are kept onsite at the Vermont Service Center, and system administrators have access to these backup files.

Policy or Practice Gaps: Administrators who have access to the backup tapes would be able to [...]

Suggested Countermeasures: Backup media should be controlled, carefully documented and stored off site with limited access. Without those controls, USCIS cannot be sure its backups will give it the ability to recover [...]

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders following termination will sometimes exploit known technical vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to address known vulnerabilities and ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.

Area of Concern: Addressing Known Security Vulnerabilities

Responsible Personnel: Information Technology

Policy and/or Security Measure: The OIT relies on two mechanisms to detect the download of malicious code: 1) DHS monitors the Internet gateway and [...]; 2) workstation agents on workstations alert the OIT immediately upon discovery of known malware. The OIT shuts the port down to block malicious code where appropriate [...]

Policy or Practice Gaps: The presence of host, perimeter and malware protection for USCIS [...] puts USCIS in a relatively secure position regarding malicious downloads [...]

Area of Concern: Unmanaged Systems

Responsible Personnel: Information Technology

Policy and/or Security Measure: [...] detection of malicious code from USBs and other media. USCIS users have local administrator rights on their own machines. This allows users to install software on their systems. Some authorized software does require administrator rights to install. Some applications actually require administrator rights to run.

Policy or Practice Gaps: A mitigating factor is that the departing employee would need physical access to the system to log in. A user with administrator privileges must not rely solely on automatic mechanisms to safeguard his or her computer. Administrator rights give inadvertently downloaded malware the ability to completely compromise a system, sometimes without the knowledge of the user.

Suggested Countermeasures: Twelve percent (46) of the cases documented in the CERT Insider Threat Case database involve users abusing administrator privileges to sabotage systems or data. Although USCIS users have a need for administrator rights to install or run authorized software, the OIT should consider giving users separate administrator accounts for these explicit purposes. Users could then use non-administrator accounts for their daily work. This would greatly minimize the risk of malware compromise.

CERT | SOFTWARE ENGINEERING INSTITUTE | 103

Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, there have been USCIS employees with seniority or influence who are able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management make it difficult for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.
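As an added example (not code from the report, USCIS, or the OIT), the script below shows the kind of automated baseline comparison the paragraphs above call for: it checks a constructed host inventory against a constructed approved-software baseline, flags unapproved and outdated software as well as local administrator accounts outside the baseline, and emits one log record per deviation for later investigation. Package names, versions, hostnames, and account names are all constructed.

```python
"""Baseline deviation check for a managed desktop image.

Added example (not from the OIG/CERT report): compare a host's installed
software and local administrator group against an approved baseline and
report every deviation so it can be logged and investigated.
All baseline and inventory data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json


def parse_version(text: str) -> tuple:
    """Turn '9.3.4' into (9, 3, 4) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Deviation:
    host: str
    kind: str      # unapproved_software | outdated_software | unapproved_admin
    subject: str   # package or account name
    detail: str


# Constructed approved baseline: package -> minimum patched version, plus the
# only local accounts allowed to hold membership in the Administrators group.
BASELINE = {
    "approved_software": {
        "Office Suite": "12.0.6",
        "PDF Reader": "9.3.4",
        "Antivirus Agent": "8.7.0",
    },
    "allowed_local_admins": {"Administrator", "svc-epo"},
}

# Constructed inventory, as an endpoint scanner might export it for one host.
INVENTORY = {
    "host": "VSC-WS-0412",
    "installed": [
        {"name": "Office Suite", "version": "12.0.6"},
        {"name": "PDF Reader", "version": "9.1.0"},             # unpatched
        {"name": "Antivirus Agent", "version": "8.7.0"},
        {"name": "Remote Desktop Toolkit", "version": "2.4"},   # not approved
    ],
    "local_admins": ["Administrator", "svc-epo", "jdoe"],      # jdoe added for convenience
}


def find_deviations(baseline: dict, inventory: dict) -> list:
    """Return every way this host's inventory departs from the baseline."""
    host = inventory["host"]
    approved = baseline["approved_software"]
    found = []
    for pkg in inventory["installed"]:
        name, version = pkg["name"], pkg["version"]
        if name not in approved:
            found.append(Deviation(host, "unapproved_software", name,
                                   f"{name} {version} is not on the approved software list"))
        elif parse_version(version) < parse_version(approved[name]):
            found.append(Deviation(host, "outdated_software", name,
                                   f"{name} {version} is below baseline {approved[name]}"))
    for account in inventory["local_admins"]:
        if account not in baseline["allowed_local_admins"]:
            found.append(Deviation(host, "unapproved_admin", account,
                                   f"{account} holds local administrator rights outside the baseline"))
    return found


def to_log_records(deviations: list, when: datetime = None) -> list:
    """Serialize deviations as one JSON line each, ready for a SIEM to ingest."""
    stamp = (when or datetime.now(timezone.utc)).isoformat()
    return [json.dumps({"ts": stamp, "host": d.host, "event": "baseline_deviation",
                        "kind": d.kind, "subject": d.subject, "detail": d.detail},
                       sort_keys=True) for d in deviations]


if __name__ == "__main__":
    for line in to_log_records(find_deviations(BASELINE, INVENTORY)):
        print(line)
```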

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: The OIT has a configuration management policy for software configuration baselines. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts.
Policy or Practice Gaps: Despite rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. Seventeen cases documented in the CERT Insider Threat Case database involve users exploiting the lack or weakness of a configuration management system to carry out their attacks.
Suggested Countermeasures: The OIT could leverage the existing ePO deployment to complement its configuration management efforts. ePO can define a baseline for software applications and alert on any deviations from that baseline.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: In some cases, individuals with seniority or influence are able to use administrator privileges to install software for the sake of convenience.
Suggested Countermeasures: USCIS should ensure that configuration policy is consistently communicated and enforced throughout the organization. Even senior leadership should not be able to casually circumvent these policies without going through the proper channels as defined by the configuration management policy.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: Service Centers are responsible for locking down desktops to prevent unauthorized software from running.
Policy or Practice Gaps: The lockdown process relies on human intervention. If call volume to the Service Center is heavy, this may increase response time to an unacceptable level.
Suggested Countermeasures: The OIT should explore ways to automate lockdown of potentially compromised systems. This would require a careful balance of service versus security. On the service side, delayed response by the Service Center may result in loss of productivity. On the security side, delayed response could lead to system compromise. Management should evaluate the risks of a compromise and weigh those risks against the potential consequences of service disruption.

Appendix H Acronyms

C3-LAN: CLAIMS 3 - Local Area Network
CBP: Customs and Border Protection
CI: Counterintelligence
CIO: Chief Information Officer
CLAIMS: Computer Linked Application Information Management System
CMMI: Capability Maturity Model Integration
COTR: Contracting Officer's Technical Representative
CSC: Computer Sciences Corporation
CSIRT: Computer Security Incident Response Team
CSO: Chief Security Officer
CMU: Carnegie Mellon University
DBA: Database Administrator
DHS: Department of Homeland Security
DOJ: Department of Justice
FBI: Federal Bureau of Investigation
FDNS-DS: Fraud Detection and National Security Data System
FISMA: Federal Information Security Management Act
FSD: Field Security Division
FSN: Foreign Service National
GFE: Government-furnished Equipment
HR: Human Resources
HSPD-12: Homeland Security Presidential Directive 12
ICE: Immigration and Customs Enforcement
ISSO: Information System Security Officer
IT: Information Technology
LER: Labor and Employee Relations
LPO: Local PICS Officer
NCR: National Capital Region
NFTS: National File Tracking System
ODBC: Open Database Connectivity
OIG: Office of Inspector General
OIT: Office of Information Technology
OSI: Office of Security and Integrity
PERSEC: Personnel Security
PICS: Password Issuance and Control System
PII: Personally Identifiable Information
QA: Quality Assurance
SEI: Software Engineering Institute
SIEM: Security Information and Event Management
SIR: Significant Incident Report
SNOC: Security Network Operations Center
TSA: Transportation Security Administration
USB: Universal Serial Bus
USCIS: US Citizenship and Immigration Services
VIS: Verification Information System

Appendix I Management Comments to the Draft Report

Appendix J Contributors to this Report

Software Engineering Institute, Carnegie Mellon University

Insider Threat Center at CERT

Department of Homeland Security Office of Inspector General

Richard Saunders, Director, Advanced Technology Division
Steve Matthews, IT Audit Manager, Advanced Technology Division
Philip Greene, IT Auditor/Team Lead, Advanced Technology Division

Appendix K Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chiefs of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Chief Information Security Officer
USCIS Chief Information Officer
USCIS Chief Information Security Officer
USCIS Audit Liaison Office

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse, or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603

• Fax the complaint directly to us at (202) 254-4292

• Email us at DHSOIGHOTLINE@dhs.gov, or

• Write to us at DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528

The OIG seeks to protect the identity of each writer and caller.

Executive Summary

The US Department of Homeland Security Office of Inspector General engaged the Insider Threat Center at CERT of the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat assessment of US Citizenship and Immigration Services. The objective of the assessment was to determine how US Citizenship and Immigration Services has taken steps to protect its information technology systems and data from the threats posed by employees and contractors. The assessment evaluated US Citizenship and Immigration Services against approximately 400 real insider threat compromises documented in the CERT Insider Threat Case database. These cases, all prosecuted in the United States, include fraud, sabotage, and theft of intellectual property.

The assessment team performed fieldwork in the national capital region, Vermont Service Center, and US Citizenship and Immigration Services Burlington offices. Due to the limited scope of the assessment, systems reviewed, and locations visited, CERT was not able to verify the institutionalization and enforcement of any US Citizenship and Immigration Services' policies or render an overall opinion of the effectiveness of US Citizenship and Immigration Services' insider threat posture. The Office of Inspector General did not request CERT to conduct a comprehensive information system's technical security controls review or vulnerability assessment to determine the susceptibility to internal threats. The Office of Inspector General may perform an in-depth follow-up review to render an overall opinion of the effectiveness of US Citizenship and Immigration Services' insider threat posture.

US Citizenship and Immigration Services has made progress in implementing elements of an effective insider threat program. Specifically, it has established a Conviction Task Force to review former employees convicted of criminal misconduct within the scope of their duties, performs risk management for information technology and financial management, developed exit procedures for employees, improved protection of its facilities and assets, and adheres to formalized processes for some systems. In addition, it is implementing Homeland Security Presidential Directive 12 for physical and electronic account management.

While these efforts have resulted in some improvements, US Citizenship and Immigration Services has opportunities to improve its security posture against threats posed by employees and contractors. For example, it can institute an enterprise risk management plan and incorporate insider threat risk mitigation strategies into its new business processes. It can also centralize records of misconduct and violations, institute a logging strategy to preserve system activities, implement separation of duties for adjudicative decisions, conduct audits of non-US Citizenship and Immigration Services accounts, employ consistent policies for physical security, and consistently enforce employee exit procedures.

The assessment team is making 18 recommendations to the Director of US Citizenship and Immigration Services to strengthen the department's security posture against malicious insider threats. USCIS concurred with all of our recommendations and has already begun to take actions to implement them. The department's response is included in its entirety as appendix I.


Background

The US Department of Homeland Security (DHS) Office of Inspector General (DHS OIG) engaged the CERT program in the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat vulnerability assessment of US Citizenship and Immigration Services (USCIS). The project approaches the insider threat problem on two primary fronts:

• The human behavioral component

• The technological solution for automating prevention and detection capabilities to identify, measure, monitor, and control insider threat vectors

Insiders can be current or former employees, contractors, or business partners who have or had authorized access to their organization's system and networks. They are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate attacks and even collude with external attackers. CERT's research, conducted since 2001, has focused on gathering data about actual malicious insider acts, including information technology (IT) sabotage, fraud, theft of confidential or proprietary information, espionage, and potential threats to our Nation's critical infrastructures.

CERT developed an insider threat vulnerability assessment instrument for evaluating vulnerabilities to insider threat based on research to date. Because of the complexity of the insider threat problem, involving security officers, information technology, information security, management, data owners, software engineering, and human resources, organizations need assistance in merging the wealth of available guidance into a single actionable framework. CERT advises organizations to use this assessment instrument to help safeguard their critical infrastructure.

CERT built the assessment based on research of approximately 400 insider threat cases in the CERT Insider Threat Case database.1 These cases are a collection of real insider threat compromises, primarily fraud, sabotage, and theft of intellectual property, that have been prosecuted in the United States. Starting in 2002, CERT collaborated with US Secret Service behavioral psychologists to collect approximately 150 actual insider threat cases that occurred in US critical infrastructure sectors between 1996 and 2002 and examined them from both a technical and a behavioral perspective. Since that original study, CERT has continued to add cases with funding from Carnegie Mellon's CyLab,2 bringing the case library to a total of approximately 400 cases. The instrument encompasses technical, behavioral, process, and policy issues and is structured around information technology, information security, human resources, physical security, business processes, legal and contracting, management, and organizational issues.

1 Note that the database does not contain national security espionage cases involving classified information.
2 http://www.cylab.cmu.edu


Objective

The objective of the insider threat vulnerability assessment was to determine how USCIS has taken steps to protect its IT systems and data from the threat posed by employees and contractors. This assessment was based on behavioral as well as technical experience, and it is intended to assist USCIS in safeguarding its critical infrastructure. The assessment will:

• Enable USCIS to gain a better understanding of its vulnerability to insider threat and provide an ability to identify and manage associated risks

• Identify technical, organizational, personnel, business, security, and process issues into a single actionable framework

• Identify short-term countermeasures against insider threats

• Help guide USCIS in its ongoing risk management process for implementing long-term strategic countermeasures against insider threats

Scope

USCIS employs approximately 18,000 government employees and contractors located at 250 offices throughout the world.3 The insider threat vulnerability assessment is intended to focus on critical systems and high-risk areas of concern that can be assessed in a 3- to 5-day timeframe. Therefore, at a pre-assessment walkthrough meeting, USCIS staff identified 3 systems of the 96 systems used by the agency as critical to its overall mission:

• Verification Information System (VIS): this public-facing system is composed of five different applications. The purpose of the system is to provide:

o Immigration status information to government benefit-granting organizations to help them determine the eligibility of aliens who apply for benefits

o A means for private employers to perform employment eligibility verification of newly hired employees

• Computer Linked Application Information Management System (CLAIMS): This system provides the following functions:

3 http://www.uscis.gov/portal/site/uscis/menuitem.eb1d4c2a3e5b9ac89243c6a7543f6d1a/?vgnextoid=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD&vgnextchannel=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD


o CLAIMS 3 Local Area Network (C3 LAN) was originally developed to track the receipting of applicant or petitioner remittances and to produce notices documenting the remittance. C3 LAN now includes adjudication, archive, card production, case history, case transfer, on-demand reports, electronic file tracking, image capture, production statistics, status update, and electronic ingest of application data captured through the E-Filing web application and the Department of Treasury-sponsored lockbox operations.

o C3 mainframe supports processing of USCIS applications and petitions for various immigrant benefits (e.g., change of status, employment authorization, and extension of stay)

• Fraud Detection and National Security Data System (FDNS-DS): This system was developed to identify threats to national security, combat benefit fraud, and locate and remove vulnerabilities that compromise the integrity of the legal immigration system.

It is important to note that the insider threat vulnerability assessment is limited to areas of concern observed in the hundreds of cases in the CERT Insider Threat database. People, technology, and organizations are constantly changing, and malicious insiders continue to come up with new avenues of attack in order to defeat a previously effective countermeasure. However, many of the countermeasures suggested in this report are applicable to a multitude of attack vectors.

It is also important to note that CERT's insider threat research has only explored intentional insider crimes. Accidental data leakage is an area of significant concern for organizations; however, CERT has not yet explored that aspect of insider threat. In addition, the focus of the research to date is to describe how the insider threat problem evolves over time. CERT's long-term research does include measuring the effectiveness of mitigation strategies.


Assessment Process/Methodology

An entrance conference was conducted by the DHS OIG, CERT, and USCIS on February 23, 2010. The entrance conference introduced USCIS to the CERT assessment team. Following the entrance conference, a pre-assessment walkthrough was held at USCIS headquarters on March 10, 2010. At that meeting, the CERT assessment team and the DHS OIG team explained the assessment process to representatives of USCIS. USCIS provided some documentation to the assessment team at that time and more documents throughout the assessment; those documents were reviewed to provide substantiation for findings in this report.

USCIS identified 96 systems it uses. Following the initial meeting, USCIS leadership and the assessment team chose the VIS, CLAIMS, and FDNS-DS systems because they were critical to the overall mission of USCIS. These three systems were the focus of the 5-day onsite assessment.

At the pre-assessment walkthrough, USCIS indicated that it had created a Convictions Task Force to review the activities of 10 former employees convicted of criminal misconduct within the scope of their official duties. The purpose of the task force is to identify issues these employees exploited to commit their crimes. The task force intended to develop findings and recommendations aimed at preventing similar crimes in the future. It graciously extended an invitation to the CERT and DHS OIG teams to participate. As a result, the teams observed or reviewed transcripts of all telephone conferences conducted by the task force. These findings are reflected in this report.

The CERT insider threat team and the DHS OIG liaison were onsite at various USCIS locations in the national capital region (NCR) from March 30 through April 1, 2010.

The DHS OIG liaisons were present at all interviews. The DHS OIG attended these interviews as an observer and assisted CERT as needed.

Face-to-face interviews were conducted with approximately 58 representatives in the NCR, followed by 32 representatives in the Vermont Service Center and USCIS Burlington offices. In addition, telephone conferences were held with staff from the Office of Security and Integrity (OSI) Investigations Division and the Security Network Operations Center (SNOC). Interviewees represented the following areas:

• Data Owners (VIS, CLAIMS, and FDNS-DS)

• Computer Sciences Corporation (CSC) (software engineering and operational support for VIS, CLAIMS, and FDNS-DS)


• OSI (Physical Security, Regional Security, Investigations, Personnel Security, Counterintelligence)

• Human Capital and Training (Training, Human Resources Operations Center, Labor Employee Relations)

• Office of Information Technology (OIT) (IT Security, Computer Security Incident Response Team, Security and Network Operations Center, Account Management, Enterprise Operations)

• Legal (Procurement Law)

• Vermont Service Center (adjudicators, data entry clerks, supervisor, directors, OIT, software engineering)

All interviews were considered confidential; no record of participating employees is included in this report or in subsequent briefings. Findings are attributed only to a group or department interviewed, a document, the Convictions Task Force telephone conferences, or direct observation.


A critical issue for USCIS is ensuring that the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for Information Technology (IT) and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: US citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Transformation

Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. USCIS is relying heavily on Transformation to correct many of the problems resulting from legacy systems. This reliance on a single effort makes its effectiveness very important. The team found the Transformation effort to be a massive undertaking that appears to be implementing a very detailed project plan.

Based on the team's review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats. The assessment team reviewed five comprehensive Transformation documents as part of this assessment. The documents describe system requirements in detail. Fraud detection refers to detection of fraud perpetrated by applicants and petitioners; national security issues focus on the handling of investigations within USCIS that involve national security issues.

Again, an enterprise risk management approach should be considered when defining requirements for Transformation. Insiders at USCIS have perpetrated fraud in the past, as evidenced by the Convictions Task Force. In addition, USCIS insiders are capable of granting legal residency or citizenship status to someone who poses a national security risk to the United States.


Training and Awareness

It is essential that security awareness training is consistently provided to all employees to ensure security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure to report concerning behavior by coworkers or others in an organization was a primary reason insiders in the CERT Insider Threat Case database continued to set up or carry out their attacks.

USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Human Resources

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern exhibited by current employees. Some cases from the CERT Insider Threat database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations must establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by human resources (HR) and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring. Clear requirements for ensuring employees' knowledge of these guidelines are also essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information.

Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

Screening and Hiring Practices

Several personnel screening and hiring practices pose a risk to USCIS systems and data.

USCIS does not have a consistent procedure for deciding whether to conduct a face-to-face interview prior to hiring an applicant being screened for government employment. There was an impression at USCIS headquarters that nearly 100% of those employees hired by managers are interviewed, but representatives in Burlington, Vermont, told us otherwise. This gap between perception and reality (there is not a policy stating that this must be done) is a concern. USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire. PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires if they have risk factors that do not cross adjudication guidelines for disqualification.

Foreign Service National (FSN) employees who work at US embassies and consulates abroad have access to USCIS critical systems and data in some cases. In order to be hired and granted access to any of those systems, FSNs are vetted by the US Department of State. Although the access to USCIS systems must be approved by the chief security officer (CSO) and chief information officer (CIO) for DHS, USCIS has very little visibility into the screening process for FSNs.

Exit Procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager or Contracting Officer's Technical Representative (COTR). It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access.

Physical Security

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the NCR since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls.

Finally, issues concerning the security of applicants' physical case files should be considered as part of a USCIS risk management strategy by USCIS.

Controlling and Monitoring Proper Access Authorization

USCIS handles the physical security and access authorization of facilities differently depending on where the facility is located. The physical security of NCR facilities is handled by one group of USCIS personnel, but the physical security of field offices falls under the Field Security Division (FSD). In some cases, a physical security representative is not located in a field office at all. When this is the case, the responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner.

In 10 cases documented in the CERT Insider Threat Case database, the insider was able to commit a crime following termination because of failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities.

Security of Physical Case Files

At the Vermont Service Center, the assessment team observed physical case files of benefit applicants stacked in crates in the hallways. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their offices or desks. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they may leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Thirteen insiders documented in the CERT database stole physical property belonging to their organization.

Business Processes

A variety of cases from the CERT Insider Threat Case database document insider attacks in which gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and non-technical means. Access control based on separation of duties and least privilege in both the physical and virtual environment is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crimes. Most of these insiders committed their crimes for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE Password Issuance and Control System (PICS) for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.
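The separation-of-duties and dual-control requirement above is the kind of rule that can be checked mechanically after the fact. Appendix A of this report suggests exactly that as an alternative to physically separating the two adjudication functions: an audit mechanism that looks for adjudicators who performed both function 1 (granting nonimmigrant status) and function 2 (adjusting to permanent residency) for the same applicant. The following Python is an added example written for this edition, not code from the report or from USCIS. The record layout (`Decision`), the field names and the sample decisions are all constructed assumptions, not a real case-management schema.

```python
"""Separation-of-duties and dual-control audit over adjudication records.

Added example: the record layout and sample data below are assumptions
constructed for illustration, not USCIS data or a USCIS schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FUNCTION_1 = 1  # grant nonimmigrant status to someone not lawfully present
FUNCTION_2 = 2  # adjust a nonimmigrant to permanent residency


@dataclass(frozen=True)
class Decision:
    applicant_id: str
    function: int
    adjudicator: str
    approver: Optional[str]   # second-person sign-off; None if nobody else signed
    decided_on: str           # ISO date, kept as text for the example


# Constructed sample records (not real cases).
SAMPLE: List[Decision] = [
    Decision("A-1001", FUNCTION_1, "adj_smith", "sup_jones", "2010-03-02"),
    Decision("A-1001", FUNCTION_2, "adj_lee",   "sup_jones", "2010-09-14"),  # clean: two adjudicators
    Decision("A-1002", FUNCTION_1, "adj_smith", "sup_jones", "2010-04-11"),
    Decision("A-1002", FUNCTION_2, "adj_smith", "sup_jones", "2010-11-30"),  # SoD violation
    Decision("A-1003", FUNCTION_1, "adj_lee",   None,        "2010-05-05"),  # no second approver
    Decision("A-1004", FUNCTION_2, "adj_patel", "adj_patel", "2010-06-20"),  # approved own work
]


def find_sod_violations(decisions: List[Decision]) -> Dict[str, str]:
    """Map applicant -> adjudicator for every applicant taken through both
    functions by one and the same adjudicator."""
    functions_by: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for d in decisions:
        functions_by[(d.applicant_id, d.adjudicator)].add(d.function)
    return {
        applicant: adjudicator
        for (applicant, adjudicator), fns in functions_by.items()
        if {FUNCTION_1, FUNCTION_2} <= fns
    }


def find_dual_control_gaps(decisions: List[Decision]) -> List[Decision]:
    """Decisions with no independent second approver: either nobody signed,
    or the adjudicator signed off on their own decision."""
    return [d for d in decisions if d.approver is None or d.approver == d.adjudicator]


def audit(decisions: List[Decision]) -> dict:
    """Run both checks and return a report suitable for a supervisor or QA reviewer."""
    return {
        "sod_violations": find_sod_violations(decisions),
        "dual_control_gaps": [(d.applicant_id, d.function) for d in find_dual_control_gaps(decisions)],
    }


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE).items():
        print(f"{finding}: {detail}")
```

The SoD check keys on (applicant, adjudicator) rather than on the adjudicator alone, so an adjudicator who legitimately performs both functions on different applicants is not flagged; only the combination the Vermont Service Center is trying to prevent is reported. The dual-control check is the cheaper complement: it catches the self-approval case that a pure "two different people touched this case" rule would miss.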

Verification Information System

The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.

Modifications by VIS users to critical data are logged.

CLAIMS 3 LAN

Currently, all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other "sister" USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it.

FDNS-DS

Incident Response

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require nonsupervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Incident Management

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, the Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Consequently, any effort to coordinate a proactive program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.

Software Engineering

Code Reviews

Some USCIS systems adhere to a formalized process of software engineering using contractors with a specified level of process maturity (i.e., Capability Maturity Model Integration (CMMI) level 3).

There was even a documented case in which source code contained something inappropriate that was only discovered after the code was turned over from one contractor to another.


Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.

Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial.

Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise, to include contractors, subcontractors, and vendors who have access to the organization's information systems and/or networks.

In some areas, computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.

Although account naming conventions are dictated by DHS and the U.S. Department of State, USCIS could request a naming convention to differentiate between FSN and U.S. citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Protection (CBP), the Department of Justice (DOJ), the Transportation Security Administration (TSA), the Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore,

Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR.

The application of account management practices under the control of USCIS is inconsistent. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
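Both the physical-security finding earlier in this section (compare current employees and contractors to each facility's authorized access list) and the account-management findings here (accounts with no documented owner, accounts left enabled after separation, access retained after a transfer) reduce to the same reconciliation: join the HR roster against every access list and report the differences. The Python below is an added example for this edition, not code from the report or from USCIS. The roster, account and badge-ACL layouts and the sample records are constructed assumptions, not a real HR or directory schema; in practice each list would be exported from its source system (HR, the directory, PICS, the badge system) and fed in unchanged.

```python
"""Reconcile the HR roster against system accounts and facility badge ACLs.

Added example with constructed data. Reports four conditions the report
calls out: orphaned accounts, accounts still enabled after separation,
access retained after a transfer, and badges not revoked on separation.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    org_unit: str
    status: str                               # "active" or "separated"
    separated_on: Optional[date] = None
    transferred_from: Optional[str] = None    # previous org unit, if recently moved


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]   # None when nobody can say who the account was created for
    system: str
    org_unit: str             # org unit the account was provisioned for
    enabled: bool


# Constructed sample data (hypothetical people, systems and facilities).
ROSTER: List[Person] = [
    Person("E100", "VSC-ADJ", "active"),
    Person("E101", "VSC-ADJ", "separated", date(2010, 9, 30)),
    Person("E102", "NCR-OIT", "active", transferred_from="VSC-ADJ"),
    Person("C200", "VSC-CONTRACT", "separated", date(2010, 8, 15)),
]
ACCOUNTS: List[Account] = [
    Account("e100", "E100", "CLAIMS3", "VSC-ADJ", True),
    Account("e101", "E101", "CLAIMS3", "VSC-ADJ", True),       # still enabled after separation
    Account("e102", "E102", "CLAIMS3", "VSC-ADJ", True),       # old-unit access kept after transfer
    Account("e102", "E102", "FDNS-DS", "NCR-OIT", True),       # new-unit access, fine
    Account("c200", "C200", "VIS", "VSC-CONTRACT", False),      # correctly disabled
    Account("fsn_legacy7", None, "CLAIMS3", "EMBASSY", True),   # no record of who requested it
]
BADGE_ACL: Dict[str, Set[str]] = {
    "VSC-BUILDING-A": {"E100", "E101", "C200"},
    "NCR-HQ": {"E102"},
}
AS_OF = date(2010, 10, 15)


def reconcile(roster: List[Person], accounts: List[Account],
              badge_acl: Dict[str, Set[str]], as_of: date) -> List[Tuple]:
    """Return a list of findings; each finding is a tuple whose first element names the condition."""
    people = {p.person_id: p for p in roster}
    findings: List[Tuple] = []

    for a in accounts:
        if not a.enabled:
            continue                                   # disabled accounts are not an exposure
        owner = people.get(a.owner_id) if a.owner_id else None
        if owner is None:
            findings.append(("orphaned_account", a.system, a.username))
        elif owner.status == "separated":
            days_open = (as_of - owner.separated_on).days
            findings.append(("stale_after_separation", a.system, a.username, days_open))
        elif owner.transferred_from and a.org_unit == owner.transferred_from:
            findings.append(("retained_after_transfer", a.system, a.username, a.org_unit))

    for facility, holders in badge_acl.items():
        for pid in sorted(holders):
            p = people.get(pid)
            if p is None or p.status == "separated":
                findings.append(("badge_not_revoked", facility, pid))
    return findings


def run_sample() -> List[Tuple]:
    return reconcile(ROSTER, ACCOUNTS, BADGE_ACL, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(*f)
```

The useful property of this check is that it is owned by nobody in particular: it needs only read access to the roster and to each access list, so it can run on a schedule regardless of whether the losing supervisor, the gaining supervisor, the COTR or an LPO remembered to send the notification. The "days open" figure on stale accounts is what turns a list of exceptions into a measurable exit-procedure metric.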

Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the U.S. Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those granted access through the U.S. Department of State for access from embassies overseas, have not been through the rigorous pre-employment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, the ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.

USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information,


Logging, Auditing, Monitoring

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.
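The Protection of Controlled Information passage above describes the two signals USCIS already monitors for: an unusually large volume of data leaving the network, and traffic of an unusual type (by port or protocol). The logging and auditing passage asks for that to be automated. The Python below is an added example for this edition, not code from the report or from USCIS: it builds a per-user baseline from earlier days and flags a day whose egress is both large in absolute terms and a multiple of that user's own median, and separately flags meaningful egress on ports outside an approved set. The flow summary layout, the thresholds and the sample records are constructed assumptions; in practice the records would come from flow or proxy logs.

```python
"""Volume and protocol anomaly detection over per-user daily egress summaries.

Added example with constructed data. A flow summary is
(user, day, destination port, bytes sent); the thresholds are assumptions
to be tuned against real traffic, not values from the report.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int]

# Constructed sample: four normal days, then one user moves 20x their usual
# volume and another pushes half a gigabyte out over SSH.
FLOWS: List[Flow] = [
    ("adj01", "2010-10-01", 443, 120_000_000),
    ("adj01", "2010-10-02", 443, 110_000_000),
    ("adj01", "2010-10-03", 443, 130_000_000),
    ("adj01", "2010-10-04", 443, 125_000_000),
    ("adj01", "2010-10-05", 443, 2_400_000_000),   # volume anomaly
    ("adj02", "2010-10-01", 443, 90_000_000),
    ("adj02", "2010-10-02", 443, 95_000_000),
    ("adj02", "2010-10-03", 443, 100_000_000),
    ("adj02", "2010-10-04", 22, 500_000_000),      # protocol anomaly from an adjudicator workstation
    ("adj02", "2010-10-05", 443, 98_000_000),
]
APPROVED_PORTS = {80, 443}   # assumption: ordinary web traffic is the only expected egress


def daily_totals(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """user -> day -> total bytes out, summed across ports."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for user, day, _port, nbytes in flows:
        totals[user][day] += nbytes
    return totals


def volume_anomalies(flows: List[Flow], factor: float = 5.0,
                     min_bytes: int = 1_000_000_000, min_history: int = 3) -> List[Tuple[str, str, float]]:
    """Days where a user's egress is at least `min_bytes` AND more than `factor`
    times the median of that user's earlier days. Returns (user, day, ratio)."""
    hits = []
    for user, per_day in daily_totals(flows).items():
        history: List[int] = []
        for day in sorted(per_day):              # walk forward so the baseline never sees the future
            total = per_day[day]
            if len(history) >= min_history:
                base = median(history)
                if total >= min_bytes and total > factor * base:
                    hits.append((user, day, round(total / base, 1)))
            history.append(total)
    return hits


def protocol_anomalies(flows: List[Flow], approved=APPROVED_PORTS,
                       min_bytes: int = 10_000_000) -> List[Flow]:
    """Non-trivial egress on a port outside the approved set."""
    return [f for f in flows if f[2] not in approved and f[3] >= min_bytes]


if __name__ == "__main__":
    print("volume:", volume_anomalies(FLOWS))
    print("protocol:", protocol_anomalies(FLOWS))
```

Two design points worth keeping when adapting this: the baseline is per user and built only from days before the one being scored, so a single large transfer does not raise its own threshold; and the absolute floor (`min_bytes`) stops a user whose normal egress is a few kilobytes from being flagged for a routine software update. The protocol check is deliberately simple because the report's concern is attribution, not stealth: once a workstation that should only speak HTTPS opens an SSH session, the interesting question is who was logged in, which is where the account-management findings in this section come back in.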

The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.


There is a primary concern in this area at USCIS. USCIS should consider the frequency with which it scans its systems for technical security vulnerabilities.

There is also another concern in this area at USCIS.

Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy,

Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.
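The configuration-management passages above describe three things the OIT already has (per-contract baselines, an approved software list, and a scan for outdated versions) and one thing it lacks: an automated way to surface software that is not on any baseline, including packages installed by users with local administrator rights. The Python below is an added example for this edition, not the OIT's tooling or code from the report. It compares each host's installed inventory against the baseline assigned to that host and reports missing, outdated and unapproved packages, attributing unapproved ones to whoever installed them when the inventory records that. The baselines, package names, version numbers and inventory records are all constructed assumptions.

```python
"""Baseline drift check: installed software versus approved configuration.

Added example with constructed data. Baselines map package name to the
minimum approved version; an inventory is one host's installed packages
plus, where known, who installed each one.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Hypothetical baselines. The OIT tracks different baselines per contract,
# so one baseline extends another here.
BASELINE_DESKTOP: Dict[str, Version] = {
    "office-suite": (2007, 3),
    "pdf-reader": (9, 4),
    "antivirus": (10, 0, 2),
}
BASELINE_DEV_CONTRACT: Dict[str, Version] = {**BASELINE_DESKTOP, "ide": (8, 1)}
BASELINES = {"desktop": BASELINE_DESKTOP, "dev-contract": BASELINE_DEV_CONTRACT}

# Constructed inventory reports: (host, baseline name, installed {pkg: version}, {pkg: installed-by}).
INVENTORY = [
    ("ws-adj-12", "desktop",
     {"office-suite": "2007.3", "pdf-reader": "9.4", "antivirus": "10.0.2"}, {}),
    ("ws-adj-13", "desktop",
     {"office-suite": "2007.3", "pdf-reader": "8.1", "antivirus": "10.0.2", "p2p-client": "3.0"},
     {"p2p-client": "local-admin:jsmith"}),        # convenience install by a local admin
    ("ws-dev-02", "dev-contract",
     {"office-suite": "2007.3", "pdf-reader": "9.4", "ide": "8.1"}, {}),   # antivirus absent
]


def parse_version(text: str) -> Version:
    """'10.0.2' -> (10, 0, 2); tuples compare component-wise, so 9.4 < 10.0."""
    return tuple(int(part) for part in text.split("."))


def check_host(host: str, baseline: Dict[str, Version],
               installed: Dict[str, str], installed_by: Dict[str, str]) -> List[Tuple]:
    """Findings for one host: ('missing'|'outdated'|'unapproved', host, package, ...)."""
    findings: List[Tuple] = []
    for pkg, min_ver in baseline.items():
        if pkg not in installed:
            findings.append(("missing", host, pkg))
        elif parse_version(installed[pkg]) < min_ver:
            findings.append(("outdated", host, pkg, installed[pkg]))
    for pkg in installed:
        if pkg not in baseline:
            findings.append(("unapproved", host, pkg, installed_by.get(pkg, "unknown")))
    return findings


def drift_report(inventory, baselines: Dict[str, Dict[str, Version]]) -> List[Tuple]:
    """Run check_host over every inventory record using the baseline assigned to it."""
    report: List[Tuple] = []
    for host, baseline_name, installed, by in inventory:
        report.extend(check_host(host, baselines[baseline_name], installed, by))
    return report


if __name__ == "__main__":
    for finding in drift_report(INVENTORY, BASELINES):
        print(*finding)
```

The "unapproved" class is the one the passage is about: a scan that only checks versions of approved software never sees a package that is not on the list at all. Carrying the installer identity through the report is what lets the OIT distinguish a deployment error from a local-administrator convenience install, which the text says is how most of this software arrives.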


Recommendations

The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.

Recommendation 1: Institute an enterprise risk management plan

USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort

Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.

Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identified.

stores physical files for benefit applicants in the Vermont Service Center with no physical protection beyond the exterior building and guard controls. USCIS should evaluate current physical access procedures to determine if they adequately address risk and if they are enforced consistently across the enterprise.

Recommendation 8: Consistently enforce exit procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager and COTR. It also appears that different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access. USCIS should adopt an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs

Changes should be made to the USCIS hiring processes for select high-risk positions. For example, USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion

USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.


Recommendation 11: Enforce a requirement for individual accounts on critical systems

In some cases, USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing of accounts more difficult.
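The VIS discussion earlier in this section and this recommendation both turn on the same observable: a credential that is being used by more than one person. Stronger authentication raises the cost of sharing, but the logs the systems already keep can show where it is happening today. The Python below is an added example for this edition, not code from the report or from USCIS. It pairs login and logout events per (account, source host), then reports accounts with overlapping sessions from different hosts (one credential in two places at once) and accounts seen on more hosts than one person plausibly uses. The log line layout and the sample events are constructed assumptions; a real VIS or CLAIMS audit log would need its own parser in place of `parse_sessions`.

```python
"""Detecting shared accounts from authentication events.

Added example with constructed log lines in a hypothetical layout:
    <ISO timestamp> <account> <source host> <login|logout>
A session with no logout is treated as still open.
"""
from collections import defaultdict
from datetime import datetime
from itertools import combinations
from typing import Dict, List, Tuple

Session = Tuple[str, datetime, datetime]    # (host, start, end)

# Constructed sample: an employer-side VIS account used from two
# workstations at once, a normal user moving desks over lunch, and a
# walk-up account left logged in on three machines.
SAMPLE_LOG = """\
2010-10-04T08:01:10 vis_emp_acme ws-hr-01 login
2010-10-04T08:05:42 vis_emp_acme ws-hr-07 login
2010-10-04T08:40:00 vis_emp_acme ws-hr-01 logout
2010-10-04T09:10:00 vis_emp_acme ws-hr-07 logout
2010-10-04T09:00:00 jdoe ws-adj-12 login
2010-10-04T12:00:00 jdoe ws-adj-12 logout
2010-10-04T13:00:00 jdoe ws-adj-13 login
2010-10-04T17:00:00 jdoe ws-adj-13 logout
2010-10-04T07:55:00 shared_desk ws-fo-02 login
2010-10-04T08:10:00 shared_desk ws-fo-03 login
2010-10-04T08:20:00 shared_desk ws-fo-04 login
"""


def parse_sessions(text: str) -> Dict[str, List[Session]]:
    """Pair login/logout per (account, host). Open sessions end at datetime.max."""
    open_at: Dict[Tuple[str, str], datetime] = {}
    sessions: Dict[str, List[Session]] = defaultdict(list)
    for line in text.splitlines():
        ts, account, host, event = line.split()
        t = datetime.fromisoformat(ts)
        key = (account, host)
        if event == "login":
            open_at[key] = t
        elif event == "logout" and key in open_at:
            sessions[account].append((host, open_at.pop(key), t))
    for (account, host), start in open_at.items():
        sessions[account].append((host, start, datetime.max))
    return sessions


def concurrent_from_different_hosts(sessions: Dict[str, List[Session]]) -> Dict[str, List[str]]:
    """Accounts with two sessions open at the same time from different hosts."""
    hits: Dict[str, set] = {}
    for account, sess in sessions.items():
        for (h1, s1, e1), (h2, s2, e2) in combinations(sess, 2):
            overlap = s1 < e2 and s2 < e1
            if h1 != h2 and overlap:
                hits.setdefault(account, set()).update({h1, h2})
    return {account: sorted(hosts) for account, hosts in hits.items()}


def too_many_hosts(sessions: Dict[str, List[Session]], max_hosts: int = 2) -> Dict[str, int]:
    """Accounts used from more distinct hosts than `max_hosts` in the window."""
    counts = {account: len({host for host, _, _ in sess}) for account, sess in sessions.items()}
    return {account: n for account, n in counts.items() if n > max_hosts}


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    print("concurrent:", concurrent_from_different_hosts(sessions))
    print("many hosts:", too_many_hosts(sessions))
```

The concurrency test is the strong signal: one person cannot be at two keyboards, so overlapping sessions from different hosts are either sharing or a stolen credential, and both need a named human behind every action. The host-count test is weaker and will need a per-site threshold (field-office adjudicators may legitimately roam), which is why it is a separate function rather than folded into the first.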

Recommendation 12

Recommendation 13: Reduce the number of privileged accounts for critical data systems

Some data systems, including FDNS-DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.

Recommendation 14

Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review

USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk, critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed.

Recommendation 16

Recommendation 17

Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees

USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.


Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments in its entirety in appendix I.

USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS corrective action plans.


Appendixes

The following pages contain appendixes A through G, which contain a complete, detailed list of findings from the assessment.

The appendixes are organized into the following sections:

Appendix A: Organizational

Appendix B: Human Resources

Appendix C: Physical Security

Appendix D: Business Process

Appendix E: Incident Response

Appendix F: Software Engineering

Appendix G: Information Technology

Appendix H: Acronyms

Appendix I: Management Comments to the Draft Report

Appendix J: Contributors to this Report

Appendix K: Report Distribution

Each section in appendixes A–G contains a brief introduction, a summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern specific to USCIS, obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.

It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization's mission from both external and internal threats.

Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.

The results of this insider threat vulnerability assessment should be used to develop or refine the organization's overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.

Many of the findings in this report include the relative frequency of the issue raised in the CERT Insider Threat Case database. At the time this report was written, there were 386 cases of malicious insider activity against which the suggested countermeasure percentage is calculated. So, if a particular activity was seen in 38 of our cases, we may indicate that it was seen in 10% of the cases in the Insider Threat Case database.


Ap

pen

dix

AO

rgan

izat

ion

al

Risk

Man

agem

ent

Co

mm

unic

atio

n

Secu

rity

Pro

cess

Impr

ovem

ent

USC

ISis

ina

diff

icul

tpos

ition

Pa

rto

fits

mis

sion

isto

pro

vide

cus

tom

ers

ervi

ceto

thos

ese

ekin

gim

mig

ratio

nan

dci

tizen

ship

ben

efits

from

the

US

Gov

ernm

ent

How

ever

iti

sch

alle

ngin

gto

opt

imiz

ebu

sine

ssp

roce

sses

for

cust

omer

ser

vice

whi

lea

tthe

sam

etim

eim

plem

entin

gpr

otec

tiv

em

easu

res

toc

ount

erth

eri

skp

osed

by

gran

ting

thos

eve

ryb

enef

its

Man

yU

SCIS

em

ploy

ees

inte

rvie

wed

for

this

ass

essm

enti

dent

ified

the

orga

niza

tionrsquo

spr

imar

yri

ska

sal

low

ing

the

next

terr

oris

tto

live

and

wor

kle

gally

inth

eU

nite

dSt

ates

Th

eyd

esir

ehe

lpin

iden

tifyi

nga

ndim

ple

men

ting

inte

rnal

con

trol

sto

cou

nter

that

ris

kS

ome

ofth

ein

terv

iew

ees

how

ever

mdashev

ens

ome

ofth

eIS

SOs

and

data

ow

ners

mdashfo

cuse

don

leak

ag

eof

PII

asth

eir

prim

ary

conc

ern

Aft

erd

elvi

ngin

toth

em

atte

rw

ithth

eas

sess

men

ttea

mt

hey

cam

eto

und

erst

and

the

risk

pos

edb

yex

po

sure

or

mis

use

ofc

ritic

ald

ata

asth

egr

eate

str

isk

face

dby

USC

ISp

rim

arily

bec

ause

suc

ha

secu

rity

bre

ach

coul

dre

sult

ina

llow

ing

ate

rror

isti

nto

the

coun

try

Ac

ritic

alis

sue

for

USC

ISis

ens

urin

gth

een

tire

orga

niza

tion

isr

isk

awar

ea

ndim

plem

entin

ga

form

alr

isk

man

agem

entp

roce

ssto

add

ress

ris

kco

nsis

tent

lya

ndc

ontin

ually

acr

oss

the

ente

rpri

se

Ther

edo

esn

ota

ppea

rto

be

aco

nsis

tent

und

erst

andi

ngo

fthe

bro

ads

pect

rum

ofr

isks

faci

ng

USC

IS

The

asse

ssm

entt

eam

was

told

ther

eis

no

ente

rpri

sew

ide

risk

man

agem

entp

rogr

ama

tUSC

IS

OIT

per

form

sri

skm

anag

emen

tfor

ITa

nd

Fina

ncia

lMan

agem

entp

erfo

rms

risk

man

agem

entf

orfi

nanc

ialm

atte

rsb

utn

oon

ew

asa

war

eof

any

ent

erpr

ise

wid

eef

fort

sI

nad

ditio

ne

ach

field

off

ice

and

serv

ice

cent

era

ppea

rsto

ope

rate

fair

lyin

depe

nden

tly

Itis

impo

rtan

tfor

thos

eor

gani

zatio

nsto

wor

kto

geth

erto

iden

tify

pri

or

itize

and

add

ress

ris

kO

ngoi

ngc

omm

unic

atio

nbe

twee

nal

lcom

pone

nts

ofU

SCIS

will

hel

pen

sure

that

new

thre

ats

att

ack

vect

ors

and

cou

nte

rmea

sure

sar

eco

mm

unic

ated

and

han

dled

eff

ectiv

ely

bya

ll

Ina

dditi

onU

SCIS

em

ploy

ees

and

cont

ract

ors

hold

the

keys

too

neo

fthe

wor

ldrsquos

mos

tcov

eted

kin

gdom

smdashU

Sc

itize

nshi

pT

his

mak

ese

mpl

oy

ees

and

cont

ract

ors

attr

activ

eta

rget

sfo

rre

crui

tmen

tB

ecau

seo

fthe

sen

sitiv

ena

ture

ofU

SCIS

mis

sion

som

eof

its

empl

oyee

san

dco

ntra

ctor

s

CERT | SOFTWARE ENGINEERING INSTITUTE | 30

have

bee

nta

rget

sfo

rre

crui

tmen

tfor

thef

tor

unau

thor

ized

mod

ifica

tion

ofU

SCIS

dat

aA

llem

ploy

ees

shou

ldb

eaw

are

ofth

eco

nseq

uenc

eso

fpa

rtic

ipat

ing

infr

aud

agai

nstU

SCIS

Th

eys

houl

dal

sob

ein

stru

cted

on

how

tor

epor

tsol

icita

tions

mad

eto

com

mit

frau

d

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sEn

terp

rise

Ris

kM

anag

emen

t

USC

ISL

eade

rshi

p IS

SOs

Dat

aO

wne

rs

Info

rmat

ion

Tech

nolo

gy

Indi

vidu

alo

rgan

izat

ions

with

inU

SCIS

do

ris

km

anag

emen

trel

ated

toth

eir

part

icul

ard

omai

nF

orin

stan

ceI

Tdo

esr

isk

man

agem

entf

rom

an

IT

pers

pect

ive

and

the

Fina

ncia

lMan

ag

emen

tdoe

sfin

anci

alr

isk

man

ag

emen

t

USC

ISp

erso

nnel

sta

ted

ther

eis

no

ente

rpri

ser

isk

man

agem

entp

roce

ss

for

anal

yzin

gth

eor

gani

zatio

nrsquos

over

al

lris

k

We

sugg

estt

hatU

SCIS

inst

itute

an

ent

erpr

ise

risk

man

agem

ent

prog

ram

W

ithou

tac

omm

on

visi

onfo

rri

skm

anag

emen

tth

eIS

SOs

and

allo

rgan

izat

ions

w

ithin

USC

ISc

anno

teff

ectiv

ely

unde

rsta

ndth

eri

ske

nvir

onm

ent

and

wor

kto

geth

erto

eff

ectiv

ely

miti

gate

ris

k

Inin

terv

iew

ss

ome

USC

ISs

taff

in

cluding some ISSOs, data owners, and OIT staff seemed to view loss of PII as the most important insider threat risk. All of the assessment questions were answered in the context of loss of PII. When we asked specifically what they see as the biggest insider threat risk, everyone seemed to agree it is creation of real citizenship documents for people who should not have them. In fact, interviewees at the Vermont Service Center categorized the functions characterized by the highest risk as follows:

1) Unlawful alien in the United States granted nonimmigrant status
2) Someone with nonimmigrant status granted permanent residency, which means he or she can live and work indefinitely in the United States

Again, an enterprise risk management program will ensure that everyone across USCIS is working together to mitigate the highest priority risks. There are regulations and laws surrounding protection of PII, but focusing primarily on that issue can lead to a false sense of security if other, more important risk areas are given less attention.

CERT | SOFTWARE ENGINEERING INSTITUTE | 31

Table columns: Area of Concern; Responsible Personnel; Policy and/or Security Measure; Policy or Practice Gaps; Suggested Countermeasures.

(Row continued from the previous page.) [...] and also can petition for relatives. The Vermont Service Center is implementing separation of duties for performing functions 1 and 2 above (granting nonimmigrant status and moving someone from nonimmigrant status to permanent residency) so that one USCIS adjudicator alone cannot take an applicant from unlawful to permanent resident. These two functions will be performed at different physical locations 29 miles apart. The Vermont Service Center has not had an adjudicator who performed both functions 1 and 2 for the same applicant.

This decision demonstrates that leadership at the Vermont Service Center recognizes the significant risk of creating legal citizenship documents for illegal aliens and is taking steps to mitigate that risk. However, our insider threat assessment has uncovered other issues that could be addressed to mitigate that risk. Again, a formal risk analysis would enable USCIS to thoroughly examine the issues and prioritize countermeasures using a formal process. For example, an alternative to the physical move could be to implement an audit mechanism to look for adjudicators who performed both functions 1 and 2 for the same applicant.
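The audit mechanism suggested above, worked as an added example (not code from the report or from USCIS): a separation-of-duties check over constructed adjudication records that flags every applicant for whom a single adjudicator performed both function 1 and function 2. The record layout, identifiers and timestamps are assumptions for illustration.

```python
"""Separation-of-duties audit for adjudication records (added example).

The report's functions: 1 = unlawful alien granted nonimmigrant status,
2 = nonimmigrant status converted to permanent residency.  One adjudicator
performing both for the same applicant defeats the intended control.
"""
from collections import defaultdict
from datetime import datetime

F1_GRANT_NONIMMIGRANT = 1
F2_GRANT_PERMANENT = 2

# Constructed sample log: (applicant_id, function, adjudicator_id, ISO timestamp).
# Identifiers are hypothetical; they do not come from the report.
SAMPLE_ACTIONS = [
    ("A-1001", 1, "adj-07", "2010-03-02T10:15:00"),
    ("A-1001", 2, "adj-07", "2010-09-14T16:40:00"),  # same adjudicator: violation
    ("A-1002", 1, "adj-07", "2010-03-03T09:05:00"),
    ("A-1002", 2, "adj-12", "2010-10-01T11:30:00"),  # two adjudicators: compliant
    ("A-1003", 1, "adj-12", "2010-04-20T14:00:00"),  # only function 1 so far
    ("A-1004", 2, "adj-03", "2010-05-05T13:00:00"),
    ("A-1004", 1, "adj-03", "2010-01-19T08:45:00"),  # logged out of order: still a violation
]


def find_sod_violations(actions):
    """Return sorted (applicant, adjudicator, f1_time, f2_time) tuples for every
    applicant/adjudicator pair that covers both function 1 and function 2.

    The earliest timestamp per function is kept, so duplicate or re-logged
    entries do not hide or multiply a finding."""
    earliest = defaultdict(dict)  # (applicant, adjudicator) -> {function: datetime}
    for applicant, func, adjudicator, ts in actions:
        key = (applicant, adjudicator)
        when = datetime.fromisoformat(ts)
        prev = earliest[key].get(func)
        if prev is None or when < prev:
            earliest[key][func] = when

    violations = []
    for (applicant, adjudicator), funcs in earliest.items():
        if F1_GRANT_NONIMMIGRANT in funcs and F2_GRANT_PERMANENT in funcs:
            violations.append((
                applicant,
                adjudicator,
                funcs[F1_GRANT_NONIMMIGRANT].isoformat(),
                funcs[F2_GRANT_PERMANENT].isoformat(),
            ))
    return sorted(violations)


def violations_by_adjudicator(violations):
    """Count findings per adjudicator so repeat offenders surface first."""
    counts = defaultdict(int)
    for _applicant, adjudicator, _f1, _f2 in violations:
        counts[adjudicator] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_sod_violations(SAMPLE_ACTIONS)
    for applicant, adjudicator, f1_time, f2_time in found:
        print(f"{applicant}: {adjudicator} did function 1 at {f1_time} "
              f"and function 2 at {f2_time}")
    print("per adjudicator:", violations_by_adjudicator(found))
```

Run periodically against the adjudication system's transaction log, the same check also covers the "repeated incidents of a similar nature" concern raised later in this appendix.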

Ente

rpri

seW

ide

Com

mun

icat

ion

USC

ISL

eade

rshi

p

No

evid

ence

pro

vide

d

Ther

eis

no

cons

iste

ncy

ofc

ontr

ols

from

one

ser

vice

cen

ter

toth

ene

xt

We

wer

eto

ldth

eye

ach

oper

ate

fair

ly

inde

pend

ently

USC

ISw

ould

ben

efit

from

ong

oin

gco

mm

unic

atio

nsa

bout

ris

kba

sed

issu

esb

etw

een

the

ser

vice

cen

ters

Fo

rin

stan

ce

com

mun

icat

ions

con

cern

ing

prob

lem

se

ffec

tive

coun

ter

mea

sure

sm

odifi

catio

nsto

CERT | SOFTWARE ENGINEERING INSTITUTE | 32

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sbu

sine

ssp

roce

sses

or

idea

sfo

rco

unte

ring

incr

ease

dri

skc

ould

le

adto

an

impr

oved

ris

kpo

stur

efo

rth

een

tire

USC

ISe

nter

pris

e

Cont

inua

lSec

urit

yPr

oces

sIm

prov

em

ent

USC

ISL

eade

rshi

p IS

SOs

Dat

aO

wne

rs

Info

rmat

ion

Tech

nolo

gy

The

USC

ISC

onvi

ctio

nsT

ask

Forc

eis

an

exc

elle

ntfo

rum

for

anal

yzin

gpa

st

crim

inal

cas

esa

ndd

eter

min

ing

mea

sure

sth

ats

houl

dbe

inst

itute

dto

pre

vent

sim

ilar

crim

esin

the

fu

ture

Ther

eis

no

proc

ess

for

follo

win

gup

on

ac

ase

afte

rthe

Off

ice

ofS

peci

al

Inve

stig

atio

n(O

SI)f

inis

hes

anin

vest

iga

tion

Th

eCo

nvic

tions

Tas

kFo

rce

isth

eon

ly

proc

ess

we

foun

dfo

rfor

mal

trac

king

an

alys

isa

ndp

roce

ssim

prov

emen

tba

sed

ona

ctua

linc

iden

ts

The

as

sess

men

ttea

ma

sked

var

ious

gro

ups

ifth

ere

isa

nyfo

llow

up

toin

cide

nts

fo

rin

stan

ceim

plem

entin

gau

tom

ated

sc

ript

sor

con

trol

sto

det

ectt

hes

ame

inci

dent

inth

efu

ture

Th

ete

amc

ould

no

tfin

da

sing

lep

erso

nw

hok

now

sof

su

cha

nac

tivity

Man

yex

ampl

eso

fem

ploy

eem

isco

ndu

ctc

ited

toth

eas

sess

men

ttea

m

coul

dea

sily

hav

ebe

end

etec

ted

or

even

pre

vent

edv

iaa

utom

ated

con

tr

ols

In

add

ition

the

reis

no

mec

hani

smfo

rco

mm

unic

atin

gis

sues

out

side

ofa

In

nea

rly2

5(9

1)o

fthe

cas

esin

th

eCE

RTIn

side

rTh

reat

Cas

eda

taba

set

hein

side

rw

asa

ble

to

carr

you

tthe

cri

me

beca

use

of

inad

equa

tea

uditi

ngo

fcri

tical

pr

oces

ses

in2

8of

thes

eca

ses

it

was

bec

ause

ofi

nade

quat

eau

ditin

gof

irre

gula

rpr

oces

ses

In

29

ofth

eca

ses

the

orga

niza

tio

nha

dre

peat

edin

cide

nts

ofa

si

mila

rna

ture

A

utom

ated

sc

ript

sar

ean

exc

elle

ntm

echa

ni

smfo

rde

tect

ing

susp

icio

us

tran

sact

ions

as

wel

las

hone

st

mis

take

sU

SCIS

sho

uld

cons

ider

a

form

alp

roce

ssfo

ran

alys

iso

fth

eO

SIrsquos

find

ings

and

the

deve

lop

men

tofa

utom

ated

che

cks

impl

emen

ted

natio

nally

CERT | SOFTWARE ENGINEERING INSTITUTE | 33

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sgi

ven

serv

ice

cent

er

U

SCIS

Em

ploy

ees

are

Pote

ntia

lTar

ge

tsfo

rRe

crui

tm

ent

Hum

anR

esou

rces

Ph

ysic

alS

ecur

ity

No

evid

ence

pro

vide

d

Som

eU

SCIS

em

ploy

ees

inte

rvie

wed

ha

ver

ecei

ved

are

ques

tfor

ass

ista

nce

from

afr

iend

rel

ativ

eo

rst

rang

er

seek

ing

top

rom

ote

aca

sefo

rso

me

form

ofa

pplic

ant

One

adj

udic

ator

sa

idh

edo

esn

otte

llot

hers

who

he

wor

ksfo

rH

owev

ert

hed

istin

ctiv

egr

een

park

ing

stic

ker

onh

isc

arc

ould

in

as

mal

ltow

nlik

eBu

rlin

gton

VT

re

veal

the

iden

tity

ofh

ise

mpl

oyer

U

SCIS

per

sonn

ela

reth

eref

ore

unus

ual

lyv

ulne

rabl

eto

sol

icita

tion

byo

ut

side

rs

Twen

tyn

ine

perc

ento

fthe

in

side

rsin

the

CERT

Insi

der

Thre

at

Case

dat

abas

ew

ere

recr

uite

dby

ou

tsid

ers

toc

omm

itth

eir

crim

es

USC

ISs

houl

dco

nsid

er

incr

easi

ngth

ese

curi

tya

war

ene

sstr

aini

ngp

rovi

ded

toU

SCIS

em

ploy

ees

and

cont

ract

ors

The

tr

aini

ngs

houl

dbe

con

tinuo

us

incl

udin

gpo

rtio

nsin

tend

edto

ra

ise

awar

enes

sof

the

pote

ntia

lta

rget

that

USC

ISe

mpl

oyee

spr

esen

tA

llem

ploy

ees

shou

ld

bea

war

eof

the

cons

eque

nces

of

par

ticip

atin

gin

frau

dag

ains

tU

SCIS

as

wel

las

how

tor

epor

tso

licita

tions

mad

eto

com

mit

frau

d

Tran

sfor

mat

ion

USC

ISL

eade

rshi

p D

ata

Ow

ners

In

form

atio

nTe

chno

logy

H

uman

Res

ourc

es

Tran

sfor

mat

ion

isa

larg

ebu

sine

ss

proc

ess

reen

gine

erin

gef

fort

inU

SCIS

th

atis

pri

mar

ilyfo

cuse

don

impr

oved

cu

stom

ers

ervi

cea

ndfr

aud

dete

ctio

nF

ore

xam

ple

the

asse

ssm

ent

team

was

told

that

Tra

nsfo

rmat

ion

will

aut

omat

ical

lyv

alid

ate

data

in

CLA

IMS

agai

nsto

ther

ext

erna

lsys

te

ms

(eg

IC

Ean

dFB

I)a

ndth

at

secu

rity

req

uire

men

tsa

ndc

ontr

ols

Tran

sfor

mat

ion

was

men

tione

din

m

osti

nter

view

sfo

rth

isa

sses

smen

t

Ita

ppea

rsth

atU

SCIS

isr

elyi

ngh

eavi

ly

upon

Tra

nsfo

rmat

ion

toc

orre

ctm

any

ofth

epr

oble

ms

resu

lting

from

lega

cy

syst

ems

How

ever

iti

sun

clea

rw

heth

erin

tern

alp

erso

nnel

sec

urity

an

din

form

atio

nse

curi

tyc

once

rns

will

bein

clud

edin

this

pro

gram

This

rel

ianc

eon

as

ingl

eef

fort

m

akes

the

effe

ctiv

enes

sof

this

ef

fort

ver

yim

port

ant

USC

IS

shou

ldc

onsi

der

the

Tran

sfor

ma

tion

proj

ectf

rom

an

ente

rpris

ew

ide

pers

pect

ive

Iti

sim

port

ant

for

itto

use

afo

rmal

req

uire

m

ents

gat

herin

gpr

oces

sin

or

der

toe

ffec

tivel

ym

itiga

teb

oth

inte

rnal

and

ext

erna

lthr

eats

CERT | SOFTWARE ENGINEERING INSTITUTE | 34

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sha

veb

een

iden

tifie

dby

cur

rent

C3

LAN

dat

aow

ners

Read

ing

the

Tran

sfor

mat

ion

requ

ire

men

tsd

ocum

enta

tion

itis

not

cle

ar

that

insi

ders

are

con

side

red

inth

ese

curi

tyr

equi

rem

ents

for

prev

entio

nan

dde

tect

ion

offr

aud

orn

atio

nal

secu

rity

inU

SCIS

sys

tem

s

Pers

onne

lsec

urity

sho

uld

be

incl

uded

as

wel

las

info

rmat

ion

secu

rity

to

ensu

reth

atth

eap

pr

opri

ate

inte

rnal

con

trol

sar

ein

pl

ace

tor

educ

eth

eri

skp

osed

by

mal

icio

usin

side

rs

CERT | SOFTWARE ENGINEERING INSTITUTE | 35

Trai

ning

and

Aw

aren

ess

Itis

ess

entia

ltha

tsec

urity

aw

aren

ess

trai

ning

be

cons

iste

ntly

pro

vide

dto

all

empl

oyee

sto

ens

ure

that

sec

urity

pol

icie

san

dpr

actic

esa

rein

stitu

tio

naliz

edth

roug

hout

an

orga

niza

tion

Man

ytim

esc

owor

kers

and

sup

ervi

sors

are

the

first

peo

ple

too

bser

vec

once

rnin

gbe

havi

ore

xhib

ited

by

mal

icio

usin

side

rs

Failu

reb

yco

wor

kers

or

othe

rsin

an

orga

niza

tion

tor

epor

tcon

cern

ing

beha

vior

was

ap

rim

ary

reas

onin

side

rsin

the

CERT

In

side

rTh

reat

Cas

eda

taba

sew

ere

able

tos

etu

por

car

ryo

utth

eir

atta

cks

USC

ISs

houl

dco

ntin

ueto

pro

vide

sec

urity

aw

aren

ess

trai

ning

toa

llem

ploy

ees

and

cont

ract

ors

acro

ssth

egl

obe

Thi

str

aini

ngs

houl

dbe

con

sis

tent

lya

pplie

dto

eac

hsi

tew

itha

con

sist

entm

essa

geo

fsec

urity

ofU

SCIS

peo

ple

sys

tem

sa

ndd

ata

Iti

sim

pera

tive

that

all

USC

ISe

mpl

oyee

sbe

re

spon

sibl

efo

rac

hiev

ing

the

mis

sion

ofU

SCIS

and

pro

tect

ing

the

criti

cala

sset

sto

the

high

este

xten

tpos

sibl

e

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sTr

aini

ngo

rSk

ills

Requ

ired

ofT

hose

in

App

oint

edS

ecu

rity

Rol

es

USC

ISL

eade

rshi

p

USC

ISh

asa

trai

ning

pro

cess

thro

ugh

anin

form

atio

nsy

stem

sse

curi

ty

man

ager

(ISS

M)

USC

ISr

elie

she

av

ilyo

nco

ntra

ctor

sto

pro

vide

ade

qu

atel

ytr

aine

dst

aff

Man

yIS

SOs

are

notw

ellv

erse

din

se

curi

ty

ISSO

sar

ecu

rren

tlyin

an

educ

atio

npr

oces

sb

utIS

SOs

are

typi

ca

llyn

ots

ecur

ityw

atch

dogs

ISSO

sm

usth

ave

prop

ertr

aini

ng

ino

rder

tok

eep

upw

ithth

eev

erc

hang

ing

info

rmat

ion

secu

ri

tye

nvir

onm

enta

ndto

be

able

to

dea

lwith

the

myr

iad

tech

no

logi

esa

ndto

ols

avai

labl

eto

th

em

App

ropr

iate

bud

get

shou

ldb

eal

loca

ted

forI

SSO

tr

aini

ngi

nclu

ding

ven

dor

spec

ific

trai

ning

(eg

M

cAfe

ean

dCi

sco)

and

indu

stry

spe

cific

tr

aini

ng(e

g

SAN

S)

CERT | SOFTWARE ENGINEERING INSTITUTE | 36

Ap

pen

dix

BH

um

anR

esou

rces

Empl

oyee

Issu

es

An

orga

niza

tionrsquo

sap

proa

chto

red

ucin

gin

side

rth

reat

sho

uld

focu

son

pro

activ

ely

man

agin

gem

ploy

eeis

sues

and

beh

avio

rs

This

con

cept

beg

ins

with

eff

ectiv

ehi

ring

pro

cess

esa

ndb

ackg

roun

din

vest

igat

ions

tos

cree

npo

tent

ialc

andi

date

sO

rgan

izat

ions

sho

uld

also

trai

nsu

perv

isor

sto

m

onito

ran

dre

spon

dto

beh

avio

rso

fcon

cern

by

curr

ente

mpl

oyee

sS

ome

case

sfr

omth

eCE

RTIn

sid e

rTh

reat

Cas

eda

taba

ser

evea

led

that

sus

pi

ciou

sac

tivity

was

not

iced

inth

ew

orkp

lace

but

not

act

edu

pon

Org

aniz

atio

nss

houl

des

tabl

ish

aw

ello

rgan

ized

and

pro

fess

iona

lmet

hod

for

hand

ling

nega

tive

empl

oym

enti

ssue

san

den

suri

ngth

ath

uman

res

ourc

epo

licy

viol

atio

nsa

rea

ddre

ssed

Org

aniz

atio

nali

ssue

sre

late

dto

func

tions

sha

red

byH

Ran

dse

curi

typ

erso

nnel

are

att

heh

eart

ofi

nsid

err

isk

man

agem

ent

Em

ploy

ees

cree

ning

an

dse

lect

ion

isv

italt

opr

even

ting

cand

idat

esw

ithk

now

nbe

havi

oral

ris

kfa

ctor

sfr

ome

nter

ing

the

orga

niza

tion

or

ifth

eyd

oe

nsur

ing

that

th

ese

risk

sar

eun

ders

tood

and

mon

itore

dC

lear

pol

icy

guid

elin

esa

ddre

ssin

gbo

thp

erm

itted

and

pro

hibi

ted

empl

oyee

beh

avio

rar

evi

talt

ori

sk

dete

ctio

nan

dm

onito

ring

and

cle

arr

equi

rem

ents

for

ensu

ring

em

ploy

eesrsquo

kno

wle

dge

ofth

ese

guid

elin

esa

ree

ssen

tialt

oth

eir

succ

ess

In

addi

tio

nr

epor

tso

fpol

icy

ques

tions

and

vio

latio

nsn

eed

tob

esy

stem

atic

ally

rec

orde

dso

that

man

agem

ent

HR

and

sec

urity

per

sonn

elc

ana

ppr

oach

cas

ede

cisi

ons

with

com

plet

eba

ckgr

ound

info

rmat

ion

Ana

lysi

sof

thes

ere

port

sac

ross

indi

vidu

als

and

depa

rtm

ents

can

sup

ply

vita

lkno

wle

dge

ofp

robl

ema

reas

bey

ond

indi

vidu

alc

ases

Re

latio

nshi

ps

inw

hich

HR

sec

urity

and

man

agem

entp

erso

nnel

col

labo

rate

as

educ

ator

san

dco

nsul

tant

sar

evi

talt

oea

rly

dete

ctio

nan

def

fect

ive

man

age

men

tofe

mpl

oyee

spo

sing

an

insi

der

risk

Th

ene

edfo

rcl

ear

polic

ies

com

plet

epe

rson

nelr

isk

data

and

clo

sem

anag

emen

tH

Rse

curi

tyc

olla

bo

ratio

nis

rar

ely

grea

ter

than

whe

nha

ndlin

gem

ploy

eete

rmin

atio

nis

sues

whe

ther

vol

unta

ryo

rin

volu

ntar

y

CERT

sug

gest

sen

hanc

emen

tsto

the

USC

ISh

irin

gan

dte

rmin

atio

npr

oces

ses

For

exa

mpl

eU

SCIS

sho

uld

cons

ider

add

ition

als

cree

ning

for

high

ri

skp

ositi

ons

suc

has

adj

udic

ator

sU

SCIS

sho

uld

als o

con

side

rbe

com

ing

mor

ein

volv

edin

vet

ting

Fore

ign

Serv

ice

Nat

iona

ls(F

SN)p

rior

tog

rant

CERT | SOFTWARE ENGINEERING INSTITUTE | 37

ing

them

acc

ess

toU

SCIS

cri

tical

sys

tem

san

dda

ta

Fina

llyU

SCIS

sho

uld

cons

ider

ado

ptin

gan

ent

erpr

ise

wid

eex

itpr

oced

ure

toe

nsur

eco

nsis

te

ntte

rmin

atio

nof

all

empl

oyee

san

dco

ntra

ctor

s

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sPr

eEm

ploy

men

tSc

reen

ing

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

No

evid

ence

pro

vide

d

The

empl

oyee

scr

eeni

ngp

roce

ssla

cks

any

form

ofp

sych

olog

ical

scr

eeni

ng

for

ara

nge

ofp

ositi

ons

incl

udin

gad

ju

dica

tors

Five

per

cent

(18)

oft

hein

side

rs

inth

eCE

RTd

atab

ase

had

poss

ibl

eps

ycho

logi

cali

ssue

sU

SCIS

sh

ould

con

side

rin

clud

ing

psy

chol

ogic

alte

stin

gas

par

toft

h e

new

hir

epr

oces

sfo

rse

lect

pos

itio

nsi

nclu

ding

adj

udic

ator

s

Giv

enth

esi

gnifi

cant

soc

ialp

res

sure

son

adj

udic

ator

san

dth

ere

lativ

ela

cko

fmon

itori

ngfo

rin

side

rri

ski

tsee

ms

impo

rtan

tto

impr

ove

this

asp

ecto

fscr

een

ing

Hum

anR

esou

rces

App

lican

tsa

rea

ssig

ned

ara

ting

by

HR

the

ratin

gis

use

dto

ran

kap

pli

cant

s

Ther

eis

cur

rent

lyn

oau

ditl

ogth

at

wou

ldc

aptu

rein

stan

ces

inw

hich

so

meo

nein

HR

chan

ged

ara

ting

to

enab

les

omeo

neto

get

hir

edm

ore

easi

ly

USC

ISs

houl

dco

nsid

erim

ple

men

ting

ana

udit

log

totr

a ck

the

cand

idat

era

tings

and

ale

rtw

hen

cand

idat

era

tings

are

cha

nged

by

som

eone

inH

R

CERT | SOFTWARE ENGINEERING INSTITUTE | 38

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

s

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

Ifa

pers

onal

issu

e(e

g

subs

tanc

eab

use

rel

ativ

ely

larg

efin

anci

alin

de

bted

ness

)aris

esd

urin

gPe

rson

nel

Secu

rity

rsquos(P

ERSE

Crsquos)

scr

eeni

ng

PERS

ECm

ayis

sue

ale

tter

ofa

dvis

em

entt

oth

eca

ndid

ate

and

clea

rth

at

pers

onfo

rhir

eP

ERSE

RCis

hes

itant

to

sha

ren

egat

ive

info

rmat

ion

abou

tap

plic

ants

with

USC

ISb

eca u

seo

fpr

ivac

yco

ncer

ns

Beca

use

ofth

ese

conc

erns

am

anag

erm

ayn

otk

now

th

ats

omeo

neis

com

ing

into

ap

osi

tion

with

ah

isto

ryo

falc

ohol

and

or

drug

abu

sef

inan

cial

inde

bted

ness

et

c

The

priv

acy

wal

lbet

wee

nPE

RSEC

and

fie

ldp

erso

nnel

con

cern

edw

ithh

irin

gis

trou

blin

gI

tis

diff

icul

tfor

PER

SEC

repr

esen

tativ

esto

indi

cate

thei

rco

nce

rns

abou

tpot

entia

lhir

esw

hoh

ave

risk

fact

ors

that

do

notc

ross

adj

udic

atio

ngu

idel

ines

for

disq

ualif

icat

ion

USC

ISs

houl

dco

nsid

era

dditi

onal

sc

reen

ing

for

adju

dica

tors

U

SCIS

sho

uld

bem

ore

invo

lved

in

dec

idin

gw

hois

gra

nted

au

thor

ized

acc

ess

beca

use

ofth

ese

nsiti

ven

atur

eof

the

syst

ems

and

data

tha t

USC

ISm

anag

es

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

Each

fiel

dof

fice

dete

rmin

esw

heth

er

orn

otto

mee

tan

appl

ican

tfac

eto

fa

ceb

efor

ehi

ring

Ther

ew

asa

nim

pres

sion

ath

eadq

uar

ters

that

nea

rly1

00

oft

hose

hir

ed

bym

anag

ers

are

inte

rvie

wed

but

re

pres

enta

tives

inB

urlin

gton

Ver

m

ontt

old

uso

ther

wis

eT

his

gap

be

twee

npe

rcep

tion

(the

reis

not

ap

ol

icy

stat

ing

this

mus

tbe

done

)and

re

ality

iso

fcon

cern

Ther

eha

veb

een

know

nin

stan

ces

in

whi

cha

pplic

ants

wer

eon

lys

cree

ned

USC

ISs

houl

dre

quir

ein

terv

iew

sfo

ral

lpos

ition

sT

hein

terv

iew

sne

edto

be

cond

ucte

dby

som

eon

ein

volv

edin

the

day

tod

ay

supe

rvis

ion

ofth

epo

sitio

nto

be

fille

d

CERT | SOFTWARE ENGINEERING INSTITUTE | 39

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

son

pap

ero

rove

rth

eph

one

befo

re

bein

ghi

red

Sta

ndar

dop

erat

ing

pro

cedu

res

are

notf

ollo

wed

ata

llfie

ld

offic

es

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

PERS

ECv

ets

fede

rale

mpl

oyee

san

dco

ntra

ctor

s(w

itha

min

imum

bac

kgr

ound

inve

stig

atio

n)

USC

ISr

elie

son

the

US

Dep

artm

ent

ofS

tate

tov

etfo

reig

nna

tiona

lem

pl

oyee

sw

how

ork

ate

mba

ssie

sor

co

nsul

ates

abr

oad

FSN

sin

som

ein

stan

ces

are

gra

nted

ac

coun

tso

nU

SCIS

info

rmat

ion

sys

tem

sI

fFSN

sne

eda

cces

sto

DH

Ssy

ste

ms

(incl

udin

gU

SCIS

)cur

rent

lyt

his

acce

ssm

ustb

eap

prov

edb

yth

eCS

O

and

CIO

for

DH

ST

his

prac

tice

was

no

talw

ays

follo

wed

con

sist

ently

in

the

past

so

ther

em

ayb

eFS

Ns

who

w

ere

gran

ted

acce

ssw

ithou

tall

the

curr

entv

ettin

gan

dap

prov

als

U

SCIS

sho

uld

cons

ider

be c

omin

gm

ore

invo

lved

inv

ettin

gof

FSN

spr

ior

tog

rant

ing

them

acc

ess

to

USC

ISs

yste

ms

In

addi

tion

U

SCIS

sho

uld

audi

tcur

rent

FSN

sw

itha

cces

sto

USC

ISs

yste

ms

and

ensu

reth

ata

ppro

pria

te

vett

ing

was

per

form

ed

Cand

idat

eCe

rtifi

ca

tion

Ver

ifica

tion

Hum

anR

esou

rces

No

evid

ence

pro

vide

d

USC

ISd

oes

noth

ave

ast

anda

rdp

ro

cedu

refo

rve

rifyi

ngth

ece

rtifi

catio

ns

ofjo

bap

plic

ants

USC

ISs

houl

dco

nsid

erim

ple

men

ting

ast

epin

the

new

hir

epr

oces

sto

ver

ifyc

ertif

icat

ions

of

allc

andi

date

sA

few

insi

ders

do

cum

ente

din

the

CERT

Insi

der

Thre

atC

ase

data

base

wer

eab

le

CERT | SOFTWARE ENGINEERING INSTITUTE | 40

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sto

obt

ain

posi

tions

ino

rgan

iza

tions

by

prov

idin

gfa

lsifi

edc

erti

ficat

ions

Empl

oyee

and

Co

ntra

ctor

Ter

mi

nati

on

USC

ISL

eade

rshi

p H

uman

Res

ourc

es

Exit

proc

edur

esa

rer

ecen

tlyd

evel

op

eda

ndi

nso

me

case

ss

tillu

nder

de

velo

pmen

t(ie

fo

rmal

exi

tpro

ce

dure

sar

eex

pect

edto

be

rele

ased

in

3m

onth

s)

This

gap

may

man

ifest

itse

lfin

the

inco

nsis

tent

col

lect

ion

ofb

adge

sla

pto

psm

obile

dev

ices

and

oth

erU

SCIS

eq

uipm

ent

USC

ISs

houl

dco

nsid

era

dopt

ing

ane

nter

pris

ew

ide

exit

proc

edu

reto

ens

ure

cons

iste

ntte

rmi

natio

nof

all

empl

oyee

san

dco

ntr

acto

rs

Ita

ppea

rsth

ere

spon

sibi

lity

for

ensu

ring

that

em

ploy

ees

and

cont

ract

ors

are

term

inat

edr

ests

sol

ely

with

the

man

ager

It

als

oap

pear

sdi

ffer

en

tman

ager

sfo

llow

diff

eren

tpr

oced

ures

toe

nsur

eth

ata

cce

ssis

dis

able

dan

deq

uipm

ent

isr

etur

ned

ase

mpl

oyee

san

dco

ntra

ctor

sle

ave

USC

IS

Empl

oyee

and

Co

ntra

ctor

Man

da

tory

Dru

gTe

stin

g

Hum

anR

esou

rces

All

fede

ralp

ositi

ons

are

subj

ectt

odr

ugte

stin

gb

uto

nly

forn

ewh

ires

Acc

ordi

ngto

aU

SCIS

Con

vict

ions

Tas

kFo

rce

inve

stig

atio

nca

sec

all

cont

rac

tor

posi

tions

do

notr

equi

red

rug

test

in

g

Fift

een

insi

ders

doc

umen

ted

in

the

CERT

Insi

der

Thre

atC

ase

data

base

exh

ibite

dsu

bsta

nce

abus

eU

SCIS

sho

uld

cons

ider

im

plem

entin

gm

anda

tory

pos

thi

red

rug

test

ing

for

alle

mpl

oy

ees

and

cont

ract

ors

CERT | SOFTWARE ENGINEERING INSTITUTE | 41

Ap

pen

dix

CP

hys

ical

Sec

uri

ty

Fiel

dof

fices

A

cces

sFo

llow

ing

Term

inat

ion

Se

curi

tyo

fPhy

sica

lCas

eFi

les

Som

ein

side

rsd

ocum

ente

din

the

CERT

Insi

der

Thre

atC

ase

data

base

exp

loite

dph

ysic

als

ecur

ityv

ulne

rabi

litie

s

Som

ew

ere

able

tog

ain

acce

ss

too

rgan

izat

ion

faci

litie

sou

tsid

eof

nor

mal

wor

king

hou

rsto

ste

alc

ontr

olle

din

form

atio

nor

toe

xact

rev

enge

on

the

orga

niza

tion

bys

abot

agin

gcr

itica

lope

ratio

ns

Phys

ical

sec

urity

can

als

opr

ovid

ean

othe

rla

yer

ofd

efen

sea

gain

stte

rmin

ated

insi

ders

who

wis

hto

reg

ain

phys

ical

acc

ess

to

atta

ck

Just

as

with

ele

ctro

nic

secu

rity

how

ever

for

mer

em

ploy

ees

have

bee

nsu

cces

sful

inw

orki

nga

roun

dth

eir

orga

niza

tionrsquo

sph

ysic

als

ecu

rity

mea

sure

sI

tis

impo

rtan

tfor

org

aniz

atio

nsto

man

age

phys

ical

sec

urity

for

full

time

par

ttim

ea

ndte

mpo

rary

em

ploy

ees

con

trac

tors

and

co

ntra

ctla

bore

rs

USC

ISP

hysi

calS

ecur

ityh

asm

ade

sign

ifica

ntp

rogr

ess

prot

ectin

gU

SCIS

faci

litie

san

das

sets

inth

ena

tiona

lcap

italr

egio

n(N

CR)s

ince

Janu

ary

2008

whe

nit

stoo

dup

an

ewp

hysi

cals

ecur

ityp

rogr

am

Alth

ough

phy

sica

lsec

urity

inth

eN

CRis

con

sist

ently

dir

ecte

dan

den

forc

edb

yPh

ysic

al

Secu

rity

eac

hfie

ldo

ffic

ese

tsit

sow

npo

licie

san

dac

cess

con

trol

sI

nad

ditio

ng

aps

inte

rmin

atio

npr

oced

ures

hav

ere

sulte

din

ong

oing

phy

sica

lac

cess

follo

win

gte

rmin

atio

nF

inal

lyi

ssue

sco

ncer

ning

the

secu

rity

ofp

hysi

calc

ase

files

sho

uld

bec

onsi

dere

das

par

tofa

USC

ISr

isk

man

age

men

tstr

ateg

y

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sPh

ysic

alS

ecur

ity

ofF

ield

Off

ices

USC

ISL

eade

rshi

p Ph

ysic

alS

ecur

ity

USC

ISis

inth

epr

oces

sof

put

ting

ane

wa

cces

sco

ntro

lsys

tem

inp

lace

fo

rth

eN

CR

Befo

reit

doe

sit

will

di

sabl

eac

cess

for

anyo

new

hoh

as

notu

sed

phys

ical

acc

ess

inm

ore

Each

USC

ISfa

cilit

yha

sits

ow

n

polic

ies

and

acce

ssc

ontr

ols

syst

ems

Som

efie

ldo

ffic

esw

ithin

USC

ISh

ave

acce

ss

cont

rols

yste

ms

oth

ers

don

ot

Not

al

loff

ices

inth

efie

ldh

ave

elec

tron

ic

Fort

yof

the

insi

ders

doc

umen

ted

inth

eCE

RTd

atab

ase

took

adv

an

tage

ofi

nade

quat

eph

ysic

als

ecu

rity

toc

arry

out

thei

rcr

imes

El

ectr

onic

acc

ess

cont

rols

pro

vide

CERT | SOFTWARE ENGINEERING INSTITUTE | 42

Sugg

este

dCo

unte

rmea

sure

slo

gsth

atc

ould

be

usef

ulin

inve

s

tigat

ions

ofi

llici

tact

ivity

out

side

of

nor

mal

wor

king

hou

rs

USC

IS

shou

ldc

onsi

der

deve

lopi

nge

nte

rpri

sew

ide

phys

ical

sec

urity

pr

oced

ures

rol

ltho

seo

utto

ea

chfi

eld

offic

ea

ndr

equi

rea

ph

ysic

als

ecur

ityr

epre

sent

ativ

eat

eac

hsi

teto

ens

ure

cons

iste

nt

enfo

rcem

ento

fthe

pol

icie

s

USC

ISs

houl

dco

nsid

erp

rohi

bitin

gea

chfi

eld

offic

efr

omd

evel

opin

gsi

tes

peci

ficp

olic

ies

and

rem

ov

ing

enfo

rcem

entc

ontr

olfr

om

each

site

In1

0ca

ses

docu

men

ted

inth

eCE

RTIn

side

rTh

reat

Cas

eda

ta

base

the

insi

der

was

abl

eto

at

tack

follo

win

gte

rmin

atio

ndu

eto

fa

ilure

ton

otify

sec

urity

em

pl

oyee

san

dbu

sine

ssp

artn

ers

of

the

term

inat

ion

To

cont

rola

cce

ssto

USC

ISfa

cilit

ies

itis

im

port

antf

orU

SCIS

toc

ompa

re

curr

ente

mpl

oyee

san

dco

ntra

cto

rsto

the

auth

oriz

eda

cces

slis

t

Polic

yor

Pra

ctic

eG

aps

acce

ssc

ontr

ols

ndashso

me

only

hav

elo

cks

and

keys

N

ote

very

USC

ISs

iteh

asa

phy

sica

lse

curi

tyr

epre

sent

ativ

eW

here

no

re

pres

enta

tive

isp

rese

ntt

his

resp

on

sibi

lity

falls

on

othe

rm

anag

emen

t pe

rson

nelw

hom

ayn

otb

eeq

uipp

ed

toh

andl

eth

ese

issu

esp

rope

rly

and

repo

rtth

emin

ati

mel

ym

anne

r

So

me

man

ager

str

ack

who

acc

esse

s

wha

twhe

nan

dot

hers

do

not

Ac

cord

ing

toP

hysi

calS

ecur

ityin

Ver

m

ont

onl

y20

o

fvio

latio

nsa

reb

ein

gre

port

edto

sec

urity

Polic

yan

dor

Sec

urit

yM

easu

re

than

12

mon

ths

as

wel

las

anyo

ne

nolo

nger

em

ploy

edb

yU

SCIS

It

als

opl

ans

one

xam

inin

gal

lacc

ount

sth

at

have

not

use

dph

ysic

ala

cces

sin

m

ore

than

30

days

Se

curi

tyo

ffie

ldo

ffic

esfa

llsu

nder

th

eFi

eld

Secu

rity

Div

isio

n(F

SD)

The

O

ffic

eof

Sec

urity

and

Inte

grity

(OSI

)re

cent

lyd

evel

oped

an

insp

ectio

nw

orkb

ook

and

isfi

eld

test

ing

itw

ith

FSD

U

SCIS

Fie

ldS

ecur

ityD

ivis

ion

isp

lan

ning

top

uta

sec

urity

rep

rese

ntat

ive

ine

very

fiel

dof

fice

Ite

xpec

tstw

oto

thre

etim

esm

ore

repo

rts

ofv

iola

tio

nso

nce

itha

sa

repr

esen

tativ

ein

ever

ylo

catio

n

No

evid

ence

pro

vide

d

Resp

onsi

ble

Pers

onne

l

Hum

anR

esou

rces

Ph

ysic

alS

ecur

ity

Are

aof

Con

cern

Phys

ical

Acc

ess

Follo

win

gTe

rmi

nati

on

CERT | SOFTWARE ENGINEERING INSTITUTE | 43

Sugg

este

dCo

unte

rmea

sure

s

ine

ach

faci

lityrsquo

sac

cess

con

trol

syst

em

D

isab

ling

phys

ical

acc

ess

tofa

cili

ties

whe

nem

ploy

ees

and

con

trac

tors

term

inat

eis

ess

entia

lto

prot

ectin

gU

SCIS

em

ploy

ees

and

faci

litie

sU

SCIS

sho

uld

cons

ider

au

tom

atin

gth

ere

voca

tion

of

empl

oyee

and

con

trac

tor

phys

ica

lacc

ess

whe

na

term

inat

ion

occu

rs

The

term

inat

ion

chec

klis

tsh

ould

incl

ude

ano

tific

atio

nto

ph

ysic

als

ecur

itys

oph

ysic

ala

cce

ssc

anb

edi

sabl

ed

Cons

ider

con

sist

ente

nfor

cem

ent

and

inve

stig

atio

nof

USC

ISp

hysi

ca

lsec

urity

inci

dent

sA

llal

erts

sh

ould

be

inve

stig

ated

and

Polic

yor

Pra

ctic

eG

aps

Secu

rity

gua

rds

ats

itelo

catio

nsh

ave

on

occ

asio

nig

nore

ddo

orp

ropp

ed

open

ala

rms

beca

use

thef

thas

trad

itio

nally

bee

na

very

sm

allp

robl

ema

t

Polic

yan

dor

Sec

urit

yM

easu

re

No

evid

ence

pro

vide

d

No

evid

ence

pro

vide

d

Resp

onsi

ble

Pers

onne

l

USC

ISL

eade

rshi

p Ph

ysic

alS

ecur

ity

Are

aof

Con

cern

No

Two

Pers

on

Cont

rol

CERT | SOFTWARE ENGINEERING INSTITUTE | 44

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sU

SCIS

docu

men

ted

ifth

eal

erti

sde

emed

unn

eces

sary

then

it

shou

ldb

edi

scon

tinue

dA

llse

cu

rity

vio

latio

nss

houl

dbe

trac

ked

ina

cen

tral

rep

osito

rys

oa

com

pl

ete

hist

ory

for

each

indi

vidu

alis

av

aila

ble

Aft

erH

ours

Acc

ess

Phys

ical

Sec

urit

y

Aut

hori

zed

Acc

ess

Mos

tacc

ess

is2

4ho

urs

ada

y7

days

a

wee

kndash

Tw

enty

nin

eof

the

insi

ders

do

cum

ente

din

the

CERT

dat

aba

seu

sed

phys

ical

acc

ess

outs

ide

ofn

orm

alw

orki

ngh

ours

toa

tta

ck

USC

ISs

houl

dco

nsid

erim

pl

emen

ting

ana

cces

sco

ntro

lsy

stem

that

gra

nts

acce

ssc

om

men

sura

tew

ithth

epo

sitio

nan

em

ploy

eeo

rcon

trac

tor

fills

If

apo

sitio

ndo

esn

otr

equi

rea

cces

sou

tsid

eof

nor

mal

wor

king

hou

rs

the

acce

ssc

ontr

ols

yste

ms

houl

dpr

ohib

itsu

cha

cces

san

dlo

gun

su

cces

sful

acc

ess

atte

mpt

s

Secu

rity

ofP

hysi

ca

lCas

eFi

les

Phys

ical

Sec

urit

y

Prot

ectio

nof

USC

ISC

ase

File

Dat

a

Phys

ical

file

sw

ere

obse

rved

inc

rate

Policy or Practice Gaps (continued): s stacked in the hallways in the Vermont Service Center. According to an interview at the Service Center, anyone could walk out with a "crate full" of files after hours, especially if you are a teleworker. USCIS assumes its case file data is secure because its employees and contractors have a clearance or have had a background check. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their office or desk. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they might leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information has been found in garbage cans in the hallway. Adjudicators pick up their cases in an envelope in their mailbox. During the site visit the assessment team observed the mail room at the Vermont Service Center unattended between shifts (approximately 3 pm). When adjudicators finish with a file they return it to a drop-off spot. The assessment team observed those spots, which are in the open and unattended. Adjudicators may keep cases overnight and usually return them within 1 week.

Suggested Countermeasures: It is important to note that 49 insiders documented in the CERT database violated need to know policies in the commission of their crimes. Therefore, relying on clearances alone can be very dangerous. Thirteen insiders documented in the CERT database stole physical property belonging to the organization. CERT suggests USCIS consider the consequences of theft or unauthorized access to physical case files and make a risk-based decision regarding potential policy and procedure changes. There are standard policies and procedures for handling sensitive information, but a strong educational campaign is needed to ensure the protection of data.

CERT | SOFTWARE ENGINEERING INSTITUTE | 45

Area of Concern: Teleworkers at Service Centers
Responsible Personnel: USCIS Leadership; Physical Security
Policy and/or Security Measure: One hundred eighty-nine people at the Vermont Service Center are authorized to work from home. These employees pick up files at the Vermont Service Center and take them home. They work 2 days per week in the Service Center and 3 days per week at home. USCIS pays an unannounced visit to all homes to inventory the employees' files at least quarterly. These employees must have a locked facility in their home and must always have the ability to return the files to the Service Center within 4 hours.
Policy or Practice Gaps: The control of USCIS data when it leaves the Vermont Service Center is difficult to enforce. Employees must have appropriate storage facilities, but they could easily copy USCIS data and share it with unauthorized individuals.
Suggested Countermeasures: Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. It is important that USCIS recognize the potential for recruitment and the lack of control exercised over sensitive data at adjudicators' residences.

Appendix D: Business Processes

Technical Controls: Authorization via PICS, Account Management

A variety of cases from the CERT Insider Threat Case database document insider attacks where gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environments is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors are targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE PICS system for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Area of Concern: Authorization for USCIS Critical Systems through PICS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Several critical USCIS systems are tied to PICS for authentication, which is administered by the ICE. PICS logs account creations, when the accounts were created, what roles applied to the accounts, etc.
Policy or Practice Gaps: PICS permits users outside of USCIS to authorize users for any USCIS application tied to PICS. Two thousand local PICS officers (LPOs) in the ICE and USCIS can create new accounts in PICS for employees located at their sites. LPOs control access for sheriffs, petitioners, CBP, DOJ, TSA, DHS OIG, Terrorism Task Force, and others. Accounts are based on personnel records, so LPOs cannot create accounts for anyone who is not an employee at their site. However, PICS administrators can create acc ounts for anyone working at their site for any system tied to PICS.
Suggested Countermeasures: USCIS should consider implementing an authorization process and system that enables it to control who is granted access to USCIS systems and data. CERT suggests that USCIS validate current PICS accounts and roles against current employee lists. Ten percent (37) of the insiders documented in the CERT database had excessive privileges which enabled them to attack. In addition, "privilege creep" enabled a few (six) of the insiders documented in the CERT database to carry out their crimes.

Verification Information System (VIS)

Area of Concern: Sharing VIS Accounts
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: VIS administrators in external companies or agencies have been caught letting multiple employees use the same VIS account, but USCIS has no ability to take any action. The accounts enable employees to validate PII and citizenship information.
Suggested Countermeasures: Twenty-four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing accounts more difficult.

Area of Concern: Logging, Auditing, and Alerting in VIS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Modifications by VIS users to critical data are logged.

Computer Linked Application Information Management System (CLAIMS) 3 LAN

Area of Concern: Self-Selection of Adjudication Cases
Responsible Personnel: ISSOs; Data Owners
Policy or Practice Gaps: Adjudicators can self-select cases (according to an interview concerning an internal incident that occurred at the USCIS and interviews with data owners at the Vermont Service Center). Within the Service Centers, adjudicators have virtually unlimited access to applicant files; there are no need-to-know limitations or controls to prevent an adjudicator from accessing sensitive information and reporting it to outsiders or modifying a file (entering an invalid decision). Adjudicators can also approve a case that is not assigned to them. There is no tie between the case management system (i.e., National File Tracking System or NFTS) and the case adjudication system (i.e., CLAIMS). In the internal case that occurred at USCIS, the perpetrator circumvented the interview process for 14 months; he approved "no show" cases. There were no controls to detect this. In addition, adjudicators can adjudicate any type of case even though they are each assigned certain types of benefits cases for adjudication.
Suggested Countermeasures: USCIS should consider implementing technical controls to prohibit adjudicators from self-selecting cases to adjudicate.

Area of Concern: Emphasis on Customer Service Over Risk
Responsible Personnel: Data Owners
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: One interviewee at the Vermont Data Center said that "stats" can be a strain, especially for new hires, although they do get a 90-day grace period.
Suggested Countermeasures: USCIS should use caution in emphasizing customer service as the only performance metric because this could encourage lack of attention to risk-related activities (such as accurate adjudication decisions).

Area of Concern: Lack of Separation of Duties in CLAIMS
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Currently all declined requests for benefits are reviewed by a supervisor. However, there was a discrepancy during interviews; adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. Only a random sample of approved adjudication decisions is reviewed. For some cases (for instance, victims cases) a senior adjudicator has to review the decision after the adjudicator enters it; then the supervisor reviews it. This is a manually enforced process. There was another discrepancy in interviews; the adjudicators said that

When adjudicators are in training they are under 100% review. They are in training on a specific type of case for at least 6 months. Auditing for improperly granted benefits is based on sampling and/or blind quality assurance (QA) "to Army standards" after the fact. A randomly selected 30 cases per quarter are also reviewed by "sister centers." The QA process varies office by office (no national process). This QA has been done for the past year and a half. In the Vermont field office each supervisor pulls at least 10 cases per adjudicator per month. They review decision-related issues, security-related issues, and procedural issues (did they follow the right steps). They also look for lessons learned. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Some cases are more than 1000 pages, so every detail cannot be practically reviewed for every case. Clerks pull cases a couple of times per month, a certain number of cases per employee. Those cases are passed to QA, who reviews the cases. QA then sends feedback to the supervisor and adjudicator if they find something that does not look right.

Suggested Countermeasures: USCIS should consider implementing automated processes to prevent and detect fraud. Management indicated it would like to see automated technical enforcement of the review and approval process. In nearly ten percent (39) of the cases documented in the CERT database, insiders took advantage of insufficient separation of duties to carry out their crimes. USCIS should carefully consider the biggest risk to the organization. Many of the USCIS employees interviewed for this assessment identified the primary risk for the organization as allowing the next terrorist to live and work legally in the United States. They desire assistance in identifying and implementing internal controls to counter that risk. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it. If USCIS agrees that granting legal documents to illegal applicants is one of the biggest risks to the organization, then it should consider requiring dual authorization for these adjudication decisions.
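The self-selection and separation-of-duties gaps in the two CLAIMS rows above (decisions on cases the adjudicator was not assigned, approvals of "no show" cases, adjudicating form types outside one's assignment, and approvals lacking dual authorization) expressed as automated checks over exported records. This is an added illustration, not code from the report or from any USCIS system; the NFTS-style assignment and CLAIMS-style decision layouts, case ids, form types and user names are constructed assumptions.

```python
"""Separation-of-duties checks over adjudication records.

Added example, not code from the CERT/USCIS report. The layouts stand in
for an NFTS-style case assignment export and a CLAIMS-style decision export;
all case ids, form types and user names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Assignment:
    case_id: str
    form_type: str
    assigned_to: str    # adjudicator the case management system assigned
    interview: str      # constructed states: "held", "no_show", "not_required"


@dataclass(frozen=True)
class Decision:
    case_id: str
    adjudicator: str                        # who entered the decision
    outcome: str                            # "approve" or "deny"
    second_approver: Optional[str] = None   # dual-authorization sign-off, if any


def check_decisions(decisions: Iterable[Decision],
                    assignments: Dict[str, Assignment],
                    scope: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return finding category -> sorted case ids.

    no_assignment_record        decided case that the assignment system never issued
    self_selected               decided by someone other than the assigned adjudicator
    no_show_approval            approved although the interview was a no-show
    out_of_scope_form           form type outside the adjudicator's assigned types
    missing_dual_authorization  approval without an independent second approver
    """
    findings: Dict[str, List[str]] = {k: [] for k in (
        "no_assignment_record", "self_selected", "no_show_approval",
        "out_of_scope_form", "missing_dual_authorization")}
    for d in decisions:
        a = assignments.get(d.case_id)
        if a is None:
            findings["no_assignment_record"].append(d.case_id)
            continue
        if d.adjudicator != a.assigned_to:
            findings["self_selected"].append(d.case_id)
        if d.outcome == "approve" and a.interview == "no_show":
            findings["no_show_approval"].append(d.case_id)
        if a.form_type not in scope.get(d.adjudicator, set()):
            findings["out_of_scope_form"].append(d.case_id)
        if d.outcome == "approve" and d.second_approver in (None, d.adjudicator):
            findings["missing_dual_authorization"].append(d.case_id)
    return {k: sorted(v) for k, v in findings.items()}


def hold_for_review(findings: Dict[str, List[str]]) -> List[str]:
    """Every case id that tripped at least one check."""
    return sorted({c for cases in findings.values() for c in cases})


# Constructed sample data.
SAMPLE_ASSIGNMENTS = {a.case_id: a for a in [
    Assignment("A-1", "I-485", "adj1", "held"),
    Assignment("A-2", "I-485", "adj1", "no_show"),
    Assignment("A-3", "N-400", "adj2", "held"),
    Assignment("A-4", "I-130", "adj2", "not_required"),
    Assignment("A-5", "I-485", "adj3", "held"),
]}
SAMPLE_SCOPE = {"adj1": {"I-485"}, "adj2": {"N-400", "I-130"}, "adj3": {"I-485"}}
SAMPLE_DECISIONS = [
    Decision("A-1", "adj1", "approve", second_approver="sup1"),  # clean
    Decision("A-2", "adj1", "approve", second_approver="sup1"),  # no-show approved
    Decision("A-3", "adj1", "approve"),                          # not assigned, wrong form, no 2nd approver
    Decision("A-4", "adj2", "deny"),                             # denials need no 2nd approver here
    Decision("A-5", "adj3", "approve", second_approver="adj3"),  # signed off on own approval
    Decision("A-9", "adj2", "approve", second_approver="sup1"),  # no such assignment
]


def sample_findings() -> Dict[str, List[str]]:
    return check_decisions(SAMPLE_DECISIONS, SAMPLE_ASSIGNMENTS, SAMPLE_SCOPE)


if __name__ == "__main__":
    for category, cases in sample_findings().items():
        print(f"{category}: {', '.join(cases) or '-'}")
    print("hold:", hold_for_review(sample_findings()))
```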

Area of Concern: Lack of Automated Checks
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Vermont IT has done data sweeps after it found something suspicious. When it has done so, it has found more of the same activity.
Policy or Practice Gaps: There are no automated checks (there will be in Transformation). Checks that do exist are managed at the local level rather than alerting to the headquarters level.
Suggested Countermeasures: In nearly twenty-five percent (91) of cases documented in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 cases it was because of inadequate auditing of irregular processes. In 29 of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analyzing the OSI's findings and developing automated checks that are rolled out nationally.

Area of Concern: Physical Security of Case Files
Responsible Personnel: Data Owners; Adjudicators
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: The NFTS tracks millions of files. It was described, however, as a very large warehouse where files do occa
Suggested Countermeasures: Ten percent (40) of the insiders documented in the CERT database carried out their crimes by

Suggested Countermeasures (continued): the same applicant

Area of Concern: Disabling Access to CLAIMS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Currently every month USCIS compares the Human Resources attrition list against the C3 LAN account list and disables inactive employee accounts.
Policy or Practice Gaps: The new HR form has not been socialized or widely advertised. It is up to the COTRs and supervisors to consistently request that access be disabled when an employee or contractor no longer needs access.
Suggested Countermeasures: C3 LAN will be retired as part of Transformation. C4 will also be retired. A copy of security controls and requirements has been provided by C3 LAN data owners to Transformation. It is important for the Transformation team to make risk-based decisions in Transformation design and development.
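The two account-management checks this appendix calls for, the monthly comparison of the HR attrition list against the C3 LAN account list above and the PICS row's suggestion to validate current accounts and roles against employee lists, carried out in one reconciliation. This is an added example rather than anything from the report or from USCIS; the account and HR record layouts, employee ids, sites, usernames and roles are constructed assumptions.

```python
"""Reconcile system accounts against HR records.

Added example, not code from the CERT/USCIS report. The record layouts
stand in for a PICS-style account export and an HR roster plus attrition
list; every employee id, site, username and role below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    site: str


@dataclass(frozen=True)
class Account:
    username: str
    system: str                 # label only, e.g. "PICS" or "C3LAN"
    emp_id: Optional[str]       # None when not tied to a personnel record
    site: str                   # site where the account was provisioned
    roles: frozenset
    enabled: bool = True


def reconcile(accounts: Iterable[Account], employees: Iterable[Employee],
              attrition: Iterable[Tuple[str, date]], as_of: date,
              max_roles: int = 2) -> Dict[str, List[str]]:
    """Return finding category -> sorted usernames (enabled accounts only).

    separated_still_enabled  employee left on or before as_of, account still on
    no_personnel_record      no current employee matches the account
    site_mismatch            provisioned at a site other than the employee's
    excessive_roles          more roles than max_roles (privilege-creep signal)
    """
    roster = {e.emp_id: e for e in employees}
    separated = {emp_id for emp_id, left_on in attrition if left_on <= as_of}
    findings: Dict[str, List[str]] = {k: [] for k in (
        "separated_still_enabled", "no_personnel_record",
        "site_mismatch", "excessive_roles")}
    for a in accounts:
        if not a.enabled:
            continue
        if a.emp_id in separated:
            findings["separated_still_enabled"].append(a.username)
            continue
        emp = roster.get(a.emp_id) if a.emp_id else None
        if emp is None:
            findings["no_personnel_record"].append(a.username)
            continue
        if emp.site != a.site:
            findings["site_mismatch"].append(a.username)
        if len(a.roles) > max_roles:
            findings["excessive_roles"].append(a.username)
    return {k: sorted(v) for k, v in findings.items()}


def disable_list(findings: Dict[str, List[str]]) -> List[str]:
    """Accounts that should be disabled outright rather than just reviewed."""
    return sorted(set(findings["separated_still_enabled"])
                  | set(findings["no_personnel_record"]))


# Constructed sample data.
SAMPLE_EMPLOYEES = [
    Employee("E100", "VSC"), Employee("E101", "VSC"),
    Employee("E102", "NBC"), Employee("E103", "VSC"),
]
SAMPLE_ATTRITION = [("E101", date(2010, 11, 15)), ("E103", date(2011, 1, 31))]
AS_OF = date(2010, 12, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "C3LAN", "E100", "VSC", frozenset({"adjudicator"})),
    Account("asmith", "C3LAN", "E101", "VSC", frozenset({"adjudicator"})),   # already separated
    Account("contract7", "PICS", None, "VSC", frozenset({"clerk"})),         # no personnel record
    Account("rlee", "PICS", "E102", "VSC", frozenset({"adjudicator", "supervisor", "lpo"})),
    Account("mwong", "C3LAN", "E103", "VSC", frozenset({"adjudicator"})),    # leaves after as_of
    Account("old_acct", "PICS", "E999", "VSC", frozenset({"clerk"}), enabled=False),
    Account("ghost", "PICS", "E998", "NBC", frozenset({"clerk"})),           # unknown employee id
]


def sample_findings() -> Dict[str, List[str]]:
    return reconcile(SAMPLE_ACCOUNTS, SAMPLE_EMPLOYEES, SAMPLE_ATTRITION, AS_OF)


if __name__ == "__main__":
    for category, names in sample_findings().items():
        print(f"{category}: {', '.join(names) or '-'}")
    print("disable:", disable_list(sample_findings()))
```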

Area of Concern: Non-Attribution for DBA Accounts
Responsible Personnel: Information Technology

Area of Concern: Pending Reduction in Force for Data Entry Clerks
Responsible Personnel: Data Owners; Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Data entry clerks will be losing their jobs when they move to LockBox, which will take over the functionality of accepting remittances for benefit applicants. It was stated that the data entry clerks might be hired away to work at the organization which performs that function.
Suggested Countermeasures: USCIS should be aware of the increased insider risk in the face of negative organizational events like this. It should consider proactive steps to decrease stress in the workplace and to ease potential financial burdens that could make employees more susceptible to recruitment by outsiders.

Area of Concern: Sharing Accounts in CLAIMS
Responsible Personnel: Data Owners; Information Technology; Data Entry Clerks
Policy and/or Security Measure: The NFTS will not let clerks log in if they have not used the system for a certain number of days.
Policy or Practice Gaps: A clerk's cube mate will log in for their cube mate if it is the end of the day and IT has gone home for the day.
Suggested Countermeasures: Twenty-four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make account sharing more difficult.

Fraud Detection and Naturalization System – Data System (FDNS-DS)

Area of Concern: No Logging of Transactions
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: The FDNS-DS is a central repository of fraud and national security investigations. This system holds applicants and petitioners as well as PII. There is also a national security tab
Policy or Practice Gaps: but there are national controls to ensure that celebrities' files are not being accessed.

Area of Concern: Elevated Privileges to FDNS-DS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is a large superuser community, more than thirty percent of all FDNS-DS users with access to the FDNS-DS. These accounts have extensive power; a malicious superuser can completely delete a record or modify the summary of findings.
Suggested Countermeasures: Ten percent (39) of the insiders documented in the CERT database took advantage of insufficient access controls. USCIS should consider reducing the number of privileged accounts with access to the FDNS-DS. If the number of superuser accounts were reduced, then enhanced auditing could be employed on transactions conducted using those accounts.

Area of Concern: Unknown Connections to
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided

Area of Concern: Failure to Address Known Security Vulnerabilities
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no automated patching because of the age of the servers and the application. Only critical patches are applied for fear of crashing the servers.
Suggested Countermeasures: Thirteen insiders in the CERT database exploited known security vulnerabilities that were not addressed by the organization. USCIS should consider upgrading the FDNS-DS since these vulnerabilities increase risk of attack from outside and inside.

Area of Concern: Production Data Available to Contractors in Development
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: CSC has production data in the development environment even though it should not have access to production data.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the remote contractor-owned development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.

Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Developers cannot release new executables; a separate system administrator has to push them out.
Policy or Practice Gaps: Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of lack of adequate configuration management. USCIS has a formal configuration management process. It is important to enforce its use for all employees and contractors. Otherwise, it will be extremely difficult to investigate a crime committed using flaws intentionally injected into source code by a contractor.

Appendix E: Incident Response

Incident Management, Security Awareness, Concerning Behaviors

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database the organization experienced repeat insider incidents of a similar nature.

Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complexity and widely distributed function creates a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Because of this, it is practically impossible for USCIS to implement a proactive program to mitigate insider threat. CERT strongly recommends that USCIS create a central repository of employee misconduct so it can detect indicators of increasing insider threat risk and mitigate them as quickly as possible.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sLa

cko

fCen

tral

Re

posi

tory

ofE

m

ploy

eeM

isco

nduc

t

USC

ISL

eade

rshi

p Ph

ysic

alS

ecur

ity

Off

ice

ofS

ecur

ity

and

Inte

gri

ty

IfFi

eld

Secu

rity

rec

eive

sa

Sign

ifica

nt

Inci

dent

Rep

ort(

SIR)

the

nit

inve

sti

gate

sE

mpl

oyee

mis

cond

ucti

sth

en

repo

rted

toO

ffic

eof

Sec

urity

and

In

tegr

ity(O

SI)

Ifth

eO

SIin

vest

igat

ion

subs

tant

iate

san

em

ploy

eersquos

mis

con

duct

itp

rovi

des

Coun

teri

ntel

ligen

ce

(CI)

am

onth

lyr

epor

tI

tals

opr

ovid

es

the

empl

oyee

rsquosm

anag

emen

tac

opy

CI

iss

tart

ing

tog

etm

ore

repo

(Row continued from the previous page)
Policy and/or Security Measure (continued): reports of acceptable use violations and security violations. It tracks everything in a file for later use in reinvestigations. Labor Employee Relations (LER) has a record of the reports it receives of misconduct complaints against an employee, rule violations, and so on. HR maintains the Official Personnel File, which contains records of suspensions, etc. LER contacts HR only for those types of actions. The OSI evaluates all complaints it receives and logs them into the case management system. It assigns them to a field office. At that point, any complaints are the responsibility of the special agent in charge at the field office. The field office investigates and sends the case for corrective action to the regional director in the chain of command, and then the regional director returns a management report of action to the special agent in charge. The OSI contacts the DHS OIG for potentially criminal behavior or serious misconduct. If the DHS OIG turns the case down, then it is sent to the field office or to law enforcement. The Personnel Security division (PERSEC) notifies the OSI monthly of arrests (tracked in the case management system), and the OSI notifies PERSEC of investigations.
Policy or Practice Gaps: There is no single place to go for an employee's disciplinary records. The number of organizations involved and the management of records are very complex and distributed throughout the organization. According to Physical Security, the field office does not tell the OSI about problems – the OSI finds out when it "hits the press." For example, the OSI is not informed of a disgruntled system administrator who is exhibiting concerning behaviors.
Suggested Countermeasures: USCIS should consider requiring mandatory reporting of all incidents to the OSI. This communication stream will allow the OSI to get involved as early as possible and to document and maintain a central repository of all incidents. This central repository is critical for adequately managing insider threats in USCIS.

CERT | SOFTWARE ENGINEERING INSTITUTE | 63

Area of Concern: Tracking of Online Incidents
Responsible Personnel: Information Technology
Policy and/or Security Measure: Computer or network violation incidents are tracked by a Remedy system tied to a unique computer identifier rather than a user, in an attempt to keep PII out of the ticket.
Policy or Practice Gaps: It is difficult to tie an event to a particular person. Even if the identity of an offender is known, repeat offenders are not tracked in any automated or correlated way.
Suggested Countermeasures: USCIS should consider including user information for each incident so that repeat offenders can be easily identified, as repeat offenses could indicate an insider of higher risk.
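The countermeasure above is easier to apply than it sounds: a ticket keyed only by a machine identifier can still be attributed to a person after the fact by joining it against the asset inventory's assignment history, and once attributed, repeat offenders fall out of a simple sliding-window count. The following is an added example written for this page, not code from the CERT report or a USCIS Remedy integration; the field names (asset_id, user, category) and the ticket and assignment records are constructed for illustration.

```python
"""Attribute host-keyed incident tickets to people and flag repeat offenders.

Added example; not code from the CERT/USCIS report and not a Remedy
integration.  Field names and the sample ticket / asset-assignment records
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    asset_id: str        # the ticket carries only the machine identifier, no user
    opened: datetime
    category: str


@dataclass(frozen=True)
class Assignment:
    """Who held a machine over a period, from the asset inventory."""
    asset_id: str
    user: str
    start: datetime
    end: Optional[datetime]   # None = still assigned


def user_for(asset_id: str, when: datetime, assignments: List[Assignment]) -> Optional[str]:
    """Resolve a ticket's machine identifier to the person holding it at that time."""
    for a in assignments:
        if a.asset_id == asset_id and a.start <= when and (a.end is None or when < a.end):
            return a.user
    return None   # no inventory record: stays unattributed and needs manual review


def host_counts(tickets: List[Ticket]) -> Dict[str, int]:
    """The only view a host-keyed ticket system offers: tickets per machine."""
    counts: Dict[str, int] = defaultdict(int)
    for t in tickets:
        counts[t.asset_id] += 1
    return dict(counts)


def attribute(tickets: List[Ticket], assignments: List[Assignment]) -> Dict[str, Optional[str]]:
    """ticket_id -> user (or None) after joining against the assignment history."""
    return {t.ticket_id: user_for(t.asset_id, t.opened, assignments) for t in tickets}


def repeat_offenders(tickets: List[Ticket], assignments: List[Assignment],
                     window_days: int, threshold: int) -> Dict[str, List[str]]:
    """Users with at least `threshold` attributed tickets inside any span of `window_days`."""
    window = timedelta(days=window_days)
    by_user: Dict[str, List[Ticket]] = defaultdict(list)
    for t in tickets:
        u = user_for(t.asset_id, t.opened, assignments)
        if u is not None:
            by_user[u].append(t)
    flagged: Dict[str, List[str]] = {}
    for u, ts in by_user.items():
        ts.sort(key=lambda t: t.opened)
        for i, first in enumerate(ts):
            run = [x.ticket_id for x in ts[i:] if x.opened - first.opened <= window]
            if len(run) >= threshold:
                flagged[u] = run
                break
    return flagged


# Constructed sample data.  WS-1001 changes hands on 2010-06-01, so a host-only
# view blames the wrong person for INC-4 and misses that jdoe's tickets
# continued on a different machine.
D = datetime
ASSIGNMENTS = [
    Assignment("WS-1001", "jdoe",   D(2010, 1, 1), D(2010, 6, 1)),
    Assignment("WS-1001", "asmith", D(2010, 6, 1), None),
    Assignment("WS-2002", "jdoe",   D(2010, 6, 1), None),
]
TICKETS = [
    Ticket("INC-1", "WS-1001", D(2010, 3, 2),  "unauthorized software"),
    Ticket("INC-2", "WS-1001", D(2010, 5, 20), "removable media"),
    Ticket("INC-3", "WS-2002", D(2010, 7, 9),  "policy violation"),
    Ticket("INC-4", "WS-1001", D(2010, 8, 1),  "removable media"),
    Ticket("INC-5", "WS-9999", D(2010, 8, 2),  "policy violation"),   # machine not in inventory
]

if __name__ == "__main__":
    print("per host:", host_counts(TICKETS))
    print("per user:", attribute(TICKETS, ASSIGNMENTS))
    print("repeat offenders:", repeat_offenders(TICKETS, ASSIGNMENTS, 180, 3))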

Area of Concern: Consistency in Response to Security Violations and Concerning Behaviors
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no required training for supervisors on how to respond to a range of behaviors associated with many forms of insider risk. Computer use violations are not handled consistently across departments, supervisors, and type of employee. Egregious violations are referred to the OSI for a full investigation, but the criterion for deciding when that is warranted is a gut reaction.
Suggested Countermeasures: Eighty-one of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors prior to or while carrying out their criminal activities. Employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and deterrence of insider actions.

Area of Concern: US Department of State Investigations
Responsible Personnel: Office of Security and Integrity (OSI)
Policy and/or Security Measure: Investigations have been subject to allegations of violations involving Foreign Service Nationals (FSN), but the OSI relies on the US Department of State to investigate.
Policy or Practice Gaps: USCIS has no visibility into US Department of State investigations.
Suggested Countermeasures: FSNs who have access to USCIS systems and data should be included in an insider threat risk mitigation strategy.

Area of Concern: Preparation for Negative Work-Related Events
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There do not appear to be any guidelines, training, or personnel available to evaluate employee insider risk before or after frequently precipitating events such as termination, demotions, transfers, or other disappointments or unmet expectations. There also does not appear to be a group charged with evaluating insider risk from organizational events or developments affecting groups of employees, such as relocations, contract changes, layoffs, and reorganizations.
Suggested Countermeasures: Fifty-five insiders documented in the CERT Insider Threat Case database had negative employment issues. Ninety-four had a change in employment status prior to their attacks, 20 had compensation or benefit issues, and 65 were disgruntled. Supervisors should be trained in these risk indicators. There should also be an available panel of specialists from the OSI or Labor Employee Relations (LER) trained to assess such risk. Similar specialists should be available to participate in the planning and execution of response plans in preparation for negative workplace events that potentially could lead to disgruntlement among the workforce at USCIS.

Area of Concern: Contractor Management
Responsible Personnel: USCIS Leadership, Physical Security, Human Resources
Policy and/or Security Measure: Personnel screening procedures for contractors are similar to those for employees. Contracting companies are required to report any adverse information regarding their employees immediately (in all contracts).
Policy or Practice Gaps: LER has no involvement with contractors. They have no record of contractor misbehaviors or complaints against contractors. Supervisors, the OSI, LER, and others concerned with organizational security may be largely unaware of insider risks related to contractors. Contractors are not subject to government monitoring or risk assessment. A contractor on a critical system may develop or have significant insider risk factors that may remain unknown to government employees due to the lack of reporting requirements.
Suggested Countermeasures: Sixty-two of the insiders documented in the CERT Insider Threat Case database were contractors. USCIS contract management staff should consider the need for reporting a range of potential indicators of insider risk among contract staff. Incident response plans should include response to employee and contractor issues.

Area of Concern: Employee or Contractor Concerning Behavior
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security, Office of Security and Integrity, Labor Employee Relations
Policy and/or Security Measure: By policy it is every employee's responsibility to report suspicious behavior or misconduct. Supervisors who observe concerning or suspicious behavior report it to LER or the OSI. For low-level misconduct, LER advises the field office management on handling the matter. LER reports more serious misconduct with more severe consequences to HR. Misconduct can also be reported via Significant Incident Reports (SIRs). SIRs are sent to Physical Security or to the OSI for investigation. If CI discovers something suspicious during a reinvestigation, it informs the employee's supervisor. The supervisor works with LER and counsel to decide on follow-up actions.
Policy or Practice Gaps: Self-reported drug use, arrests, and associations with foreign nationals during employment are sent to the OSI. The OSI sends results to the supervisor following investigation.
Suggested Countermeasures: Supervisors need to be notified immediately when an employee reports drug use, arrests, or association with foreign nationals, so they have an accurate perception of the risk associated with each of their employees. In addition, 18 of the insiders documented in the CERT Insider Threat Case database had possible psychological issues. In collaboration with the OSI and LER, supervisors confronting employees who display concerning behaviors should have the ability to remove them from the workforce pending a medical or psychological evaluation to determine whether they have a disorder or illness that may impair their trustworthiness or judgment or make them a danger to themselves or others. Similarly, empowering supervisors to make an employee assistance program referral and evaluation mandatory, in collaboration with LER or the OSI, might help remove at-risk individuals from the workforce until they can safely and securely return.

Area of Concern: Electronic Investigations
Responsible Personnel: Information Technology, Office of Security and Integrity
Policy and/or Security Measure: Most allegations reported to the OSI are not very technical; the OIT provides forensics support for investigations (primarily database transactions).
Policy or Practice Gaps: PERSEC has never asked the OIT to review a user's online activity. Only one person in the OSI is qualified to do a forensic inspection.
Suggested Countermeasures: USCIS should consider including the OIT in investigations of suspicious activity. CERT's insider threat research has shown that nontechnical concerning behaviors can be associated with online criminal activity. It would be beneficial to check for past technical security violations and have the OIT analyze current online activity as part of the OSI investigations.

Appendix F: Software Engineering

Insiders, both employees and contractors, have used malicious code for fraud and IT sabotage. In a few of the cases documented in the CERT database, insiders injected code into source code to facilitate fraud; in most cases the modifications to source code were intended to sabotage the organization's systems. In one case the code was set to execute following the insider's termination, and in another the code was planted a year before finally executing. It is important that USCIS recognize the potential illicit activity that could be carried out by software engineers and implement appropriate controls, particularly for the most critical systems and system components:

Code Reviews
Configuration Management
Logging
Critical Data Controls

Area of Concern: Code Reviews
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Contractors are required to maintain a certain level of process maturity (CMMI Level 3) to be in compliance with USCIS policies. Source code is restricted to those with the need to know. Version Manager is used to control and track changes to source code. Separation of duties is implemented in the software release process: CSC checks new source code into Version Manager, a USCIS employee checks out the source code and releases it into production, and the USCIS DBA moves new database objects into the production database.
Policy or Practice Gaps: Another interviewee mentioned that an "Easter egg" was found in source code after the contract was given to a new company. [4]

[4] A virtual Easter egg is an intentional hidden message, joke, or feature in a program, movie, book, etc.

Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: When contractors develop software remotely they are supposed to register code in Version Manager, but this is not always done consistently. Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of the lack of adequate configuration management.

Area of Concern: Software Engineering Controls in the Service Centers
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Software is being developed in the Service Centers without consistently enforcing the same change management processes enforced at the national (enterprise) level. The centers use a code repository but not Version Manager to track software changes. They do peer reviews of code and believe that enterprise controls for code review are more detailed (although that belief appears to be false according to interviews at headquarters).
Suggested Countermeasures: USCIS should consider consistent policies and procedures for software engineering for the entire enterprise, including the Service Centers.

Area of Concern: Logging
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Logs used include database logs, application logs, system logs, remote access logs, and many others.
Suggested Countermeasures: Most insiders documented in the CERT Insider Threat Case database were detected or identified using some kind of system log.

Area of Concern: Production Data in Development Environment
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Development and production systems should be separate in terms of data sharing and access control.
Policy or Practice Gaps: In some cases contractors have access to both systems, including production data in the development environment.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.
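The "sanitize or anonymize" option above is the cheaper of the two, provided the sanitization is done by an explicit per-field policy rather than ad hoc, keeps join keys consistent across tables so the extract is still usable for development, and is checked for leaks before it ships. The following is an added example written for this page, not code from the CERT report or from USCIS; the record layout (receipt_number, ssn, officer_notes, ...), the policy table, the key and the sample rows are constructed assumptions.

```python
"""Sanitize a production extract before loading it into a development
environment.  Added example, not code from the CERT/USCIS report or from
USCIS; record layout, policy table, KEY and sample rows are assumptions.
"""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List

# What to do with each field.  "pseudonym": replace with a keyed hash that is
# stable across tables (joins still work) but cannot be reversed without KEY.
# "year": keep only the year.  "drop": remove the field.  "keep": pass through.
# A field with no entry is an error, so a new production column cannot leak
# into the development extract by default.
POLICY: Dict[str, str] = {
    "receipt_number": "pseudonym",
    "full_name": "pseudonym",
    "ssn": "drop",
    "officer_notes": "drop",      # free text: may contain anything, so never copy it
    "date_of_birth": "year",
    "case_status": "keep",
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def pseudonym(key: bytes, field_name: str, value: str) -> str:
    # Domain-separate by field name so the same string in two different
    # fields does not map to the same token.
    mac = hmac.new(key, f"{field_name}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def sanitize_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for field_name, value in record.items():
        action = POLICY.get(field_name)
        if action is None:
            raise ValueError(f"no sanitization policy for field {field_name!r}")
        if action == "keep":
            out[field_name] = value
        elif action == "pseudonym":
            out[field_name] = pseudonym(key, field_name, value)
        elif action == "year":
            out[field_name] = value[:4]
        # "drop": the field is simply not copied
    return out


def sanitize(records: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    return [sanitize_record(r, key) for r in records]


def leaked_values(sanitized: List[Dict[str, str]], originals: List[Dict[str, str]]) -> List[str]:
    """Sanitized values that still contain a value that had to be pseudonymized
    or dropped, or that still look like an SSN.  An empty list means clean."""
    sensitive = {v for r in originals for f, v in r.items()
                 if POLICY.get(f) in ("pseudonym", "drop") and v}
    leaks = []
    for r in sanitized:
        for v in r.values():
            if any(s in v for s in sensitive) or SSN_RE.search(v):
                leaks.append(v)
    return leaks


# Constructed sample extract: two tables that share receipt_number.
KEY = b"dev-extract-key-2010"   # assumption: held with the production data, never shipped to dev
CASES = [
    {"receipt_number": "MSC0912345678", "full_name": "Jane Q. Public", "ssn": "123-45-6789",
     "date_of_birth": "1975-03-14", "case_status": "pending",
     "officer_notes": "Applicant SSN 123-45-6789 verified by phone"},
    {"receipt_number": "MSC0912345679", "full_name": "John R. Doe", "ssn": "987-65-4321",
     "date_of_birth": "1982-11-02", "case_status": "approved", "officer_notes": "No notes."},
]
INTERVIEWS = [
    {"receipt_number": "MSC0912345678", "case_status": "interview scheduled"},
]

if __name__ == "__main__":
    clean_cases = sanitize(CASES, KEY)
    clean_interviews = sanitize(INTERVIEWS, KEY)
    print(clean_cases[0])
    print("join key preserved:", clean_cases[0]["receipt_number"] == clean_interviews[0]["receipt_number"])
    print("leaks:", leaked_values(clean_cases + clean_interviews, CASES + INTERVIEWS))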


Appendix G: Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems or networks.

In some areas, computer accounts are managed fairly well at USCIS. USCIS is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account. Furthermore, an FSN account and a US citizen federal employee account cannot be distinguished once it is created. Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Protection (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore, USCIS has no visibility into who has access to its systems. Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems.

Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR. Dormant accounts provide a convenient, unknown access path for current and former employees to use for illicit activity. A lack of consistency exists in the application of account management practices under the control of USCIS. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
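Each of the gaps described above (accounts with no creation paperwork on file, dormant accounts with a disable threshold that varies by office, accounts still enabled after separation, privileges retained after a transfer, and grants made by an LPO for another organization's system) is detectable by reconciling the account inventory against the HR roster and a role model, and that reconciliation is what the recommended account audit comes down to. The following is an added example written for this page, not code from the CERT report or USCIS tooling; the record layouts, the role-to-position table, the system names and the sample accounts and roster are constructed assumptions. It goes slightly beyond the text by running all five checks in one pass so that a single account can surface in several findings.

```python
"""Reconcile an account inventory against the HR roster and a role model.

Added example, not code from the CERT/USCIS report or USCIS tooling.  The
record layouts, ROLE_MODEL, system names and sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    username: str
    system: str                        # e.g. "CLAIMS3" (constructed name)
    system_owner: str                  # organization that owns the system
    granted_by_org: str                # organization of the LPO who granted it
    authorization_ref: Optional[str]   # approval paperwork id; None = nothing on file
    last_login: Optional[date]
    enabled: bool
    roles: Set[str] = field(default_factory=set)


@dataclass
class Person:
    username: str
    position: str                      # current position after any transfer
    status: str                        # "active" or "separated"
    separated_on: Optional[date] = None


# Roles each position is entitled to (constructed role model).
ROLE_MODEL: Dict[str, Set[str]] = {
    "adjudicator": {"case_read", "case_update"},
    "supervisor": {"case_read", "case_update", "case_approve"},
    "dba": {"db_admin"},
}

FINDING_KINDS = ("no_authorization", "dormant", "separated_enabled",
                 "privilege_creep", "cross_org_grant", "no_roster_match")


def audit(accounts: List[Account], roster: List[Person], as_of: date,
          dormant_days: int) -> Dict[str, List[str]]:
    """Return finding kind -> list of '<user>@<system>' tags (creep entries also list the extra roles)."""
    people = {p.username: p for p in roster}
    findings: Dict[str, List[str]] = {k: [] for k in FINDING_KINDS}
    for a in accounts:
        tag = f"{a.username}@{a.system}"
        if a.authorization_ref is None:
            findings["no_authorization"].append(tag)
        if a.enabled and (a.last_login is None or (as_of - a.last_login).days > dormant_days):
            findings["dormant"].append(tag)
        if a.granted_by_org != a.system_owner:          # LPO acting outside its own organization
            findings["cross_org_grant"].append(tag)
        p = people.get(a.username)
        if p is None:                                   # service account, FSN, or legacy account
            findings["no_roster_match"].append(tag)
            continue
        if p.status == "separated" and a.enabled:
            findings["separated_enabled"].append(tag)
        extra = a.roles - ROLE_MODEL.get(p.position, set())
        if extra:                                       # privileges kept from a previous position
            findings["privilege_creep"].append(f"{tag}: {sorted(extra)}")
    return findings


# Constructed sample data as of 2010-10-01.
AS_OF = date(2010, 10, 1)
ROSTER = [
    Person("jdoe", "adjudicator", "active"),            # moved from supervisor to adjudicator
    Person("asmith", "supervisor", "active"),
    Person("rlee", "dba", "separated", date(2010, 9, 1)),
]
ACCOUNTS = [
    Account("jdoe", "CLAIMS3", "USCIS", "USCIS", "AUTH-2008-114", date(2010, 9, 28), True,
            {"case_read", "case_update", "case_approve"}),
    Account("asmith", "CLAIMS3", "USCIS", "USCIS", "AUTH-2009-020", date(2010, 9, 30), True,
            {"case_read", "case_update", "case_approve"}),
    Account("rlee", "CLAIMS3-DB", "USCIS", "USCIS", "AUTH-2007-331", date(2010, 8, 30), True,
            {"db_admin"}),
    Account("fsn_ortiz", "CLAIMS3", "USCIS", "ICE", None, date(2010, 9, 29), True, {"case_read"}),
    Account("svc_batch", "CLAIMS3", "USCIS", "USCIS", "AUTH-2006-002", date(2010, 2, 1), True, set()),
]

if __name__ == "__main__":
    for threshold in (30, 90):     # the interviewees quoted 30, 60 or 90 days
        print(f"dormant threshold {threshold} days:", audit(ACCOUNTS, ROSTER, AS_OF, threshold))
```

Running it with the 30-day and the 90-day threshold shows why the inconsistency matters: rlee's database account is already dormant under one policy and not under the other, while the other findings (the FSN account with no paperwork granted by an ICE LPO, the separated DBA still enabled, jdoe's leftover approval right) are the same under both.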

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sA

ccou

ntE

stab

lis

hmen

t

USC

ISL

eade

rshi

p In

form

atio

nTe

chno

logy

Ino

rder

for

FSN

sto

gai

nac

cess

to

USC

ISs

yste

ms

they

mus

tsub

mit

pape

rwor

kth

roug

hpr

oper

cha

nnel

s

whi

che

vent

ually

req

uire

sau

thor

iza

tion

byth

eCS

Oa

ndC

IOo

fDH

S

Prio

rto

200

7w

aive

rpa

perw

ork

for

FSN

sre

ques

ting

acco

unta

cces

sw

as

nots

ubm

itted

con

sist

ently

A

sa

re

sult

ther

em

ayb

eac

tive

acco

unts

for

whi

chth

ere

isli

ttle

ton

oac

coun

ting

for

the

crea

tion

ofth

eac

coun

t

USC

ISs

houl

dco

nsid

erc

ondu

ct

ing

ana

ccou

nta

udit

with

the

assi

stan

ceo

fUS

Dep

artm

ento

fSt

ate

pers

onne

lto

valid

ate

all

exis

ting

FSN

acc

ount

s

Info

rmat

ion

Tech

nolo

gy

Diff

eren

tper

sonn

ela

rer

espo

nsib

le

for

acco

untc

reat

ion

and

dele

tion

acro

ssth

een

tire

ente

rpri

sed

epe

ndin

gon

the

syst

emo

rne

twor

kin

Dat

abas

ead

min

istr

ator

sm

ayb

eab

le

toc

reat

ean

dde

lete

dat

abas

ean

dap

plic

atio

nac

coun

tsw

ithou

tas

ec

ond

pers

onv

erify

ing

that

act

ion

Beca

use

data

base

adm

inis

trat

ors

have

acc

ess

tos

uch

criti

cald

ata

U

SCIS

sho

uld

cons

ider

sep

arat

ing

the

task

ofa

utho

rizi

nga

cces

sto

CERT | SOFTWARE ENGINEERING INSTITUTE | 76

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

squ

estio

n

USC

ISd

atab

ases

from

the

task

of

man

agin

gth

eda

tain

the

data

ba

ses

Thi

sse

para

tion

ofd

utie

sm

ayr

educ

eth

eri

sko

fad

ata

base

adm

inis

trat

orc

reat

ing

an

unau

thor

ized

acc

ount

and

usi

ng

that

acc

ount

toc

arry

out

am

ali

ciou

sac

t

USC

ISL

eade

rshi

p In

form

atio

nTe

chno

logy

Ac

ompu

ter

acco

unti

ses

tabl

ishe

don

lya

fter

an

umbe

rof

cri

teri

aha

ve

been

met

inc

ludi

ngs

ecur

itya

war

ene

sstr

aini

ng

Ina

dditi

onto

the

step

sre

quire

dof

al

lper

sonn

elfo

rac

coun

tacc

ess

co

ntra

ctor

sha

veto

go

thro

ugh

extr

ast

eps

som

eof

whi

chin

clud

eve

rifi

catio

nby

the

COTR

Com

pute

racc

ount

acc

ess

iss

ome

times

gra

nted

bef

ore

secu

rity

aw

are

ness

trai

ning

isc

ompl

eted

Th

isp

rac

tice

may

be

true

esp

ecia

llyfo

rco

ntra

ctor

ss

ince

the

onb

oard

ing

proc

ess

depe

nds

onth

eco

ntra

ctin

gag

ency

and

the

COTR

tov

erify

that

th

etr

aini

ngis

com

plet

ed

USC

ISs

houl

dco

nsid

err

equi

ring

co

mpu

ter

secu

rity

aw

aren

ess

trai

ning

for

allp

erso

nnel

ndashfu

lltim

eem

ploy

ees

par

ttim

eem

pl

oyee

sa

ndc

ontr

acto

rsndash

and

ve

rify

that

itis

com

plet

ebe

fore

cr

eatin

gan

ysy

stem

acc

ount

sfo

rth

ese

pers

onne

l

Acc

ount

Man

age

men

tG

ener

al

Info

rmat

ion

Tech

nolo

gy

PICS

isa

dmin

iste

red

byIC

Ew

hich

ha

sov

er2

000

LPO

sac

ross

var

ious

co

mpo

nent

sof

DH

ST

hese

LPO

sar

ere

spon

sibl

efo

rgra

ntin

gau

thor

ized

ac

cess

toP

ICS

for

the

pers

onne

lat

thei

rre

spec

tive

wor

ksi

tes

Eac

hLP

Oc

ang

rant

acc

ess

toa

nys

yste

m

cont

rolle

dby

PIC

SI

not

her

wor

ds

LPO

sth

roug

hout

USC

ISa

ndIC

Eca

ngr

anta

cces

sfo

ran

yof

thei

rst

afft

o

Alth

ough

the

PICS

acc

ount

pro

cess

re

quir

esth

eac

coun

tto

beli

nked

toa

va

lide

mpl

oyee

PIC

Sad

min

istr

ator

sco

uld

crea

teu

naut

hori

zed

acco

unts

in

the

nam

eof

val

ide

mpl

oyee

sw

ith

outt

heir

kno

wle

dge

Inv

alid

acc

ount

sar

ety

pica

llyfl

agge

don

lyw

hen

the

acco

unti

sdo

rman

tfor

ac

erta

inp

eri

odo

ftim

eA

nLP

Oc

ana

lso

assi

gn

righ

tsfo

ran

ysy

stem

con

trol

led

by

In1

2of

the

case

sdo

cum

ente

din

th

eCE

RTIn

side

rTh

reat

Cas

eda

ta

base

ins

uffic

ient

acc

ount

m

anag

emen

tena

bled

the

insi

der

sto

com

mit

thei

rcr

imes

U

SCIS

sho

uld

cons

ider

con

duct

in

gac

coun

taud

itsa

tthe

loca

lsi

tele

vel

whi

chw

ould

allo

wth

eva

lidat

ion

ofc

urre

ntP

ICS

ac

coun

tsa

ndr

oles

ver

sus

curr

ent

CERT | SOFTWARE ENGINEERING INSTITUTE | 77

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

san

yU

SCIS

sys

tem

PICS

empl

oyee

list

s

Furt

herm

ore

ICE

adm

inis

ters

this

USC

ISs

houl

dex

plor

ea

mea

nso

fsy

stem

and

cou

lda

ffec

tUSC

ISr

e

segr

egat

ing

acco

untm

anag

eco

rds

unbe

know

nstt

oU

SCIS

men

tin

PICS

so

that

LPO

sca

nad

min

iste

rac

coun

tso

nly

for

thei

row

nor

gani

zatio

nrsquos

syst

ems

In

oth

erw

ords

USC

ISL

POs

wou

ldo

nly

bea

ble

toa

dmin

iste

rau

thor

izat

ions

for

USC

ISs

yste

ms

inP

ICS

and

ICE

LPO

sw

ould

onl

ybe

abl

eto

adm

inis

ter

auth

oriz

atio

nsfo

rIC

Esy

stem

s

Info

rmat

ion

Tech

nolo

gy

Acc

ount

man

agem

enti

sha

ndle

dby

a

num

ber

ofd

iffer

entg

roup

sac

ross

U

SCIS

A

lthou

ghth

ere

isa

nef

fort

to

cent

raliz

eac

coun

tman

agem

ent

lo

cala

ndr

egio

nalo

ffic

eso

fUSC

IS

have

his

tori

cally

don

eth

eir

own

ac

coun

tman

agem

ent

Ifan

acc

ount

has

not

bee

nus

edfo

ra

cert

ain

peri

odo

ftim

eit

isa

uto

mat

ical

lyd

isab

led

The

tim

epe

riod

st

ated

by

vari

ous

inte

rvie

wee

sva

rie

dfr

om3

06

0o

r90

days

CERT | SOFTWARE ENGINEERING INSTITUTE | 78

Sugg

este

dCo

unte

rmea

sure

s

Six

insi

ders

doc

umen

ted

inth

eCE

RTIn

side

rTh

reat

Cas

eda

ta

base

wer

eab

leto

car

ryo

utth

eir

illeg

ala

ctiv

ities

bec

ause

ofldquo

priv

ile

gec

reep

rdquoU

SCIS

sho

uld

revi

ew

acco

untm

anag

emen

tpro

ce

dure

sto

ens

ure

that

the

step

scu

rren

tlyta

ken

tor

emov

eor

al

ter

acco

unta

cces

sar

eco

m

plet

ean

dbe

ing

cons

iste

ntly

fol

low

ed

Inp

artic

ular

the

pro

ce

dure

sus

edw

hen

som

eone

ch

ange

slo

catio

nso

rde

part

m

ents

with

inU

SCIS

sho

uld

be

exam

ined

A

sem

ploy

ees

tran

sfe

rth

roug

hout

an

agen

cyt

hey

shou

ldn

otb

eac

cum

ulat

ing

priv

ile

ges

The

ysh

ould

onl

yre

tain

pr

ivile

ges

com

men

sura

tew

ith

thei

rjo

bre

spon

sibi

litie

s

Twel

vep

erce

nt(4

6)o

fthe

insi

der

sdo

cum

ente

din

the

CERT

In

side

rTh

reat

Cas

eda

taba

seu

sed

syst

ema

dmin

istr

ator

pri

vile

ges

tos

abot

age

syst

ems

ord

ata

sh

ared

acc

ount

sw

ere

used

by

insi

ders

follo

win

gte

rmin

atio

nin

Polic

yor

Pra

ctic

eG

aps

The

issu

eof

acc

ount

man

agem

entf

or

empl

oyee

tran

sfer

sis

not

bei

nga

d

dres

sed

ina

con

sist

entm

anne

rT

he

O

ITr

elie

son

not

ifica

tion

bye

ither

the

ne

wo

rol

dsu

perv

isor

whe

nan

em

ploy

eetr

ansf

ers

but

ther

eha

veb

een

ca

ses

inU

SCIS

inw

hich

em

ploy

ees

have

ret

aine

dac

cess

whe

nth

ey

shou

ldn

oth

ave

Th

ough

itw

ould

req

uire

phy

sica

lac

cess

toa

USC

ISm

achi

net

hatf

orm

er

Polic

yan

dor

Sec

urit

yM

easu

re

Whe

nan

em

ploy

eem

oves

from

one

po

sitio

nto

ano

ther

or

tran

sfer

sto

an

othe

rdep

artm

ent

the

man

age

men

tin

thos

ede

part

men

tsm

ust

initi

ate

the

requ

ired

com

pute

rac

coun

tcha

nges

Ther

ear

eop

erat

ing

syst

emim

ages

us

edth

roug

hout

USC

ISth

atp

erm

itan

adm

inis

trat

orto

inst

alla

sta

nda

rdc

onfig

urat

ion

ofa

nop

erat

ing

syst

ema

nda

ccom

pany

ing

soft

war

e

Resp

onsi

ble

Pers

onne

l

USC

ISL

eade

rshi

p In

form

atio

nTe

chno

logy

Info

rmat

ion

Tech

nolo

gy

Are

aof

Con

cern

Chan

ging

Pas

sw

ord

ofS

hare

dA

ccou

ntU

pon

Term

inat

ion

CERT | SOFTWARE ENGINEERING INSTITUTE | 79

Policy or Practice Gaps (continued): administrator would have administrator rights to GFE.

Suggested Countermeasures (continued): 14 cases. Although an administrator would need physical access to a piece of equipment, the lack of consistency and awareness of the standard procedures may permit the account of an insider to be used following termination.

Area of Concern: Disabling Accounts or Connections Upon Employee Termination

Responsible Personnel: USCIS Leadership, Information Technology, Human Resources

Policy and/or Security Measure: The OIT typically is notified of an account termination in one of three ways:
1) A standard form called an exit clearance form is distributed and signed by other parties such as Human Resources and the Office of Security and Integrity (OSI). This form lets the OIT know that an employee's accounts should be disabled or terminated.
2) The supervisor of the departing employee contacts the OIT directly and informs them of the employee's departure.
3) When a contractor is involved, it is the responsibility of the COTR to inform the OIT.
The OIT receives an "attrition list" every 2 weeks. When this list is

Policy or Practice Gaps: It is clear from interviews with USCIS personnel that a single process is neither understood nor followed for disabling accounts following an employee or contractor termination. The procedures used are not consistent between supervisors or field offices, and for federal employees versus contractors. Sometimes the exit clearance form makes it to the OIT and sometimes it does not. The OIT's task is made even more difficult by the fact that it would need to know exactly which accounts an individual has access to. Though this process is fairly effective, it potentially allows unauthorized

Suggested Countermeasures: Terminating accounts even 2 weeks following termination may

Policy and/or Security Measure (continued): received, a manual check is done to ensure that employees who have departed in the last 2 weeks have their account access deleted.

Policy or Practice Gaps (continued): access for 2 weeks following termination. Because this is a manual process, there is currently no automatic way to ensure that it happens. USCIS personnel cited an instance in which these procedures failed for an employee who was terminated as a contractor and later hired as a federal employee.

Suggested Countermeasures (continued): not be enough to prevent unauthorized or criminal activity. As soon as HR is aware of the change, a more automated mechanism of deleting these accounts should be implemented.

Responsible Personnel: Information Technology

Policy and/or Security Measure: LPOs work in their respective regions or offices and are decentralized by nature. The policies and procedures followed often depend on how things have been done historically in that particular office.

Policy or Practice Gaps: Because account authorization procedures are not standardized throughout all organizations using the PICS, LPOs across the entire USCIS enterprise have not been consistent in how they have handled account deletion following employee termination.

Suggested Countermeasures: USCIS should continue its efforts to centralize or reduce the number of LPOs in order for standard procedures to be followed. If this cannot be accomplished, standard procedures should be published, instructed and consistently enforced.

Area of Concern: Disabling Accounts or Connections During Employee Leave of Absences

Responsible Personnel: Information Technology, Human Resources

Policy or Practice Gaps: There is no official guidance or practice in the proper way to suspend access for an employee on a leave of absence. In one case provided by USCIS, an employee retained access to critical systems even after being placed on an administrative leave of absence.

Suggested Countermeasures: A few insiders documented in the CERT Insider Threat Case database retained access to organization systems while on a leave of absence and used that access to steal information or commit fraud. USCIS should implement a policy to outline exactly what should be done when a government employee or contractor goes on a leave of absence,

considering the risks versus benefits of allowing system access.

Area of Concern: Sharing Account and Password Information

Responsible Personnel: Information Technology

Policy or Practice Gaps: Although concern has been expressed about the existence of these accounts, the business justification has taken precedence over the risk being assumed.

Suggested Countermeasures: Access to these accounts should be carefully documented and tracked so that credentials can be changed if someone in that restricted group no longer warrants access.

Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure that network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors have not been through the rigorous pre-employment screening required of USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems, and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Area of Concern: Access Control – Foreign Service Nationals

Responsible Personnel: Information Technology, Human Resources, Office of Security and Integrity

Policy and/or Security Measure: Currently a Foreign Service National (FSN) requiring access to USCIS systems submits paperwork, including a waiver, through the USCIS director and the CIO and CSO of DHS.

Policy or Practice Gaps: Although the assessment team was able to get limited visibility into this practice, it seems to be aligned with the policy. If true, it has given USCIS and DHS better visibility into this activity.

Suggested Countermeasures: The practice should be continued and expanded as needed to inform all relevant USCIS personnel.

Responsible Personnel: Information Technology, Human Resources, Personnel Security, Office of Security and Integrity

Policy and/or Security Measure: When FSNs require access to USCIS systems in embassies and consulates abroad, they are vetted by the US Department of State.

Policy or Practice Gaps: Because the US Department of State is performing the vetting process, USCIS has very little control or visibility into the process for granting FSNs access to USCIS systems and networks. Interviewees stated that in some cases FSNs have administrative control over some systems and that in other cases they are serving as information system security officers (ISSOs).

Suggested Countermeasures: USCIS should gain a better understanding of the US Department of State's vetting process and clarify its own requirements for granting and tracking access for FSNs to USCIS systems. If continued access is required, the procedures to document and control that access should be negotiated with the US Department of State and consistently enforced.

Responsible Personnel: Information Technology

Policy and/or Security Measure: Once a traditional user account is created, there is little to no way to distinguish an FSN account from one belonging to a US citizen.

Policy or Practice Gaps: Because an FSN account is not distinguishable from other accounts, it would be extremely difficult to associate specific online activities with accounts belonging to FSNs. Email

Suggested Countermeasures: USCIS should consider whether or not it wants the ability to distinguish what online activities and accesses FSNs are engaging in. If so, it should incorporate

Policy or Practice Gaps (continued): addresses appear the same, and violation activities would not easily be attributed to an FSN.

Suggested Countermeasures (continued): those steps into the procedures mentioned above.

Responsible Personnel: Information Technology

Policy and/or Security Measure: DHS is in the process of building a secure intranet called OneNet, which will better enable information sharing among DHS components. This project will be enabled by interconnection agreements between segments.

Policy or Practice Gaps: Once the appropriate interconnection agreements are in place, it will be harder to restrict access for FSNs to specific systems (e.g. SharePoint).

Suggested Countermeasures: USCIS should make a determination about whether or not FSN access should be any different from other similar accounts of US citizens. If the lack of restrictions is unacceptable, that issue should be brought to DHS personnel responsible for implementing the OneNet solution.

Area of Concern: Access controls

Policy and/or Security Measure: There are business processes and resources (e.g. PICS, CLAIMS 3 and CLAIMS 4) that are shared with ICE. This partnership is an artifact of the past and current relationships between departments within DHS.

Policy or Practice Gaps: For these shared resources to function properly they require careful coordination, which does not take place in all cases. For example, USCIS does not receive a copy of the formal access request submitted to ICE for an ICE employee to access a USCIS system.

Suggested Countermeasures: USCIS should carefully document what access is being granted to any parties external to USCIS. If additional coordination is required, it should be done with the relevant departments of DHS.

Policy and/or Security Measure: For certain information systems, local and remote logins are not permitted between the hours of 11:30 p.m. and 6:00 a.m.

Policy or Practice Gaps: This practice closely adheres to the policy for specific systems.

Suggested Countermeasures: Enforcing a mandatory access period may help ensure that a malicious insider is not using systems when supervision is lessened. Eight percent (29) of the insiders documented in the CERT Insider Threat Case database

used access outside of normal working hours to carry out their illicit activities.

Policy and/or Security Measure: When an employee attempts to log in to a restricted system during off-peak hours, an automatic email notice is sent by the OIT to persons in the employee's management chain of command.

Policy or Practice Gaps: This practice is not consistent across all systems and is not part of other incident response procedures.

Suggested Countermeasures: USCIS should consider implementing this practice into the larger system of incident response, to include correlation with other events and over a period of time.
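As an added example that is not part of the report, the Python script below applies the countermeasure above to constructed log lines: it flags attempts on restricted systems inside the report's 11:30 p.m. to 6:00 a.m. period, correlates them per user over a sliding period of days, and goes one step further by cross-checking every attempt against the 2-week HR attrition list described in the termination rows above. The log format, the user and system names, the threshold values and the attrition dates are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

# Mandatory access period from the report: no local or remote logins to
# certain systems between 11:30 p.m. and 6:00 a.m.
WINDOW_START = time(23, 30)
WINDOW_END = time(6, 0)

# Systems subject to the access period. The names are assumptions for this
# example, not systems the report identifies as restricted.
RESTRICTED_SYSTEMS = {"claims3", "nfts"}

# Constructed authentication log: "<ISO timestamp> <user> <system> <result>".
# A failed attempt still counts, since the report's notice fires on attempts.
SAMPLE_LOG = """\
2010-11-01T23:45:10 jdoe claims3 success
2010-11-01T09:12:00 asmith claims3 success
2010-11-02T00:30:00 jdoe claims3 success
2010-11-03T02:15:00 jdoe claims3 failure
2010-11-04T05:50:00 jdoe claims3 success
2010-11-04T10:00:00 bjones pics success
2010-11-05T01:00:00 bjones nfts success
"""

# Constructed attrition list (user -> departure date), standing in for the
# list the OIT receives from HR every 2 weeks.
ATTRITION = {"bjones": date(2010, 11, 3)}


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    system: str
    result: str


def parse_log(text):
    """Parse the constructed log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, system, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(stamp), user, system, result))
    return events


def in_restricted_window(ts):
    """True when ts falls in the 11:30 p.m. to 6:00 a.m. period (wraps midnight)."""
    t = ts.time()
    return t >= WINDOW_START or t < WINDOW_END


def off_hours_events(events):
    """Login attempts on restricted systems during the access period."""
    return [e for e in events
            if e.system in RESTRICTED_SYSTEMS and in_restricted_window(e.ts)]


def post_termination_events(events, attrition):
    """Login attempts by accounts whose owner departed before the attempt."""
    return [e for e in events
            if e.user in attrition and e.ts.date() > attrition[e.user]]


def correlate(events, attrition, window_days=7, threshold=3):
    """Per-user alerts: repeated off-hours attempts within window_days, and any
    attempt after the HR departure date. Returns {user: [alert, ...]}."""
    alerts = defaultdict(list)
    stamps_by_user = defaultdict(list)
    for e in off_hours_events(events):
        stamps_by_user[e.user].append(e.ts)
    span = timedelta(days=window_days)
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            # Sliding window: count attempts in [start, start + span).
            n = sum(1 for s in stamps[i:] if s - start < span)
            if n >= threshold:
                alerts[user].append(
                    f"{n} off-hours logins to restricted systems within {window_days} days")
                break
    for e in post_termination_events(events, attrition):
        alerts[e.user].append(
            f"login to {e.system} on {e.ts.date()} after departure on {attrition[e.user]}")
    return dict(alerts)


if __name__ == "__main__":
    for user, reasons in correlate(parse_log(SAMPLE_LOG), ATTRITION).items():
        for reason in reasons:
            print(f"{user}: {reason}")
```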

Area of Concern: Access Privileges – General

Responsible Personnel: USCIS Leadership, Information Technology

Policy and/or Security Measure: At the Vermont Service Center, OIT staff are the only ones present late at night. As part of their duties they also have electronic access to the CLAIMS 3 information system.

Policy or Practice Gaps: As a function of the electronic access and the physical layout of the Service Center, OIT personnel have access to CLAIMS 3 as well as the physical files in the building.

Suggested Countermeasures: USCIS should consider the minimum level of access (least privilege) needed for all personnel to accomplish their job duties. Thirteen percent (49) of the insiders documented in the CERT Insider Threat Case database violated a need to know in order to perpetrate their crimes, including stealing PII and proprietary information. In addition, several insiders committed their crimes while working on the night shift, where they enjoyed a reduced level of scrutiny. Unrestricted electronic and physical access to such high-risk data and systems outside of normal working hours presents a high degree of risk to

USCIS.

Responsible Personnel: Information Technology, Office of Security and Integrity

Policy and/or Security Measure: The US Department of State Consular Affairs network grants access to FSNs working in embassies and consulates, and it connects to USCIS systems.

Policy or Practice Gaps: According to one interviewee, some FSNs on the Consular Affairs network are suspected to be working for arms of foreign intelligence or security agencies. USCIS has used technical methods (e.g. firewalls) to ensure that USCIS systems are protected from any interconnections with the US Department of State's networks.

Suggested Countermeasures: Since USCIS cannot determine what access the US Department of State grants to FSNs on its systems, USCIS should continue to use technical measures to prevent unauthorized access while working with counterintelligence personnel to deal with suspected foreign agents working around US government facilities.

Area of Concern: Access Privileges – System Administrator

Responsible Personnel: Information Technology

Policy and/or Security Measure: There is a single person who has the knowledge of and responsibility for administering the voicemail systems.

Policy or Practice Gaps: This single point of failure makes it difficult to recover from a malicious act on this particular system.

Suggested Countermeasures: A few insiders in the cases analyzed by CERT used their unrevoked access to the

for USCIS

organization's phone system to harm the organization. In one case the entire customer service voicemail system was redirected to a pornographic phone site. In another, derogatory comments about the organization were recorded and played for every voicemail box.

USCIS should place additional staff in the role of administrators for the USCIS voicemail system. This would allow USCIS to implement some form of separation of duties or, at the very least, minimal checks and balances to prevent tampering with the voicemail system.

USCIS should ensure that it manages accounts and passwords for internal systems such as voicemail as well as external accounts. One insider documented in the CERT Insider Threat Case database changed the domain name system registry for his organization's website so that visitors were sent to a pornographic

website. These types of accounts are used very infrequently and are often not included in formal termination procedures.

Area of Concern: Management of Remote Access

Responsible Personnel: Information Technology, Security Network Operations Center

Policy and/or Security Measure: Port security would prevent a user from connecting a personal machine directly to a USCIS network. This security mechanism is handled by the SNOC. Remote access, on the other hand, is handled by DHS. USCIS has access to very limited information, including logs for remote connections, because of contract stipulations with Sprint. The assessment team received conflicting opinions about whether a personal machine could be connected with a remote account.

Policy or Practice Gaps: Although connecting a personal laptop to a USCIS network via a remote connection may or may not be blocked, the SNOC was not confident it would be blocked because it does not control that access. It is possible that a user could connect with a personal machine if DHS allowed it.

Suggested Countermeasures: USCIS should coordinate with DHS personnel to ensure that desired USCIS security policies are enforced for personnel accessing USCIS systems and data. Seven percent (26) of the insiders documented in the CERT Insider Threat Case database were able to attack in part because of insufficient monitoring of external access.

Responsible Personnel: USCIS Leadership, Information Technology

Policy and/or Security Measure: The contractors responsible for VIS have implemented a strict access control solution with Firepass, and it appears to accomplish its goal of ensuring that only the proper personnel are granted access and that they perform authorized actions once they are connected.

Policy or Practice Gaps: Unfortunately, they are the only contractors and system using Firepass, and it will not be used once the move is made to Stennis Space Center. They are unsure of what controls will be used at Stennis.

Suggested Countermeasures: Implementing a Firepass solution for all USCIS systems might not be cost effective. USCIS management should at least examine the risk posed to the most critical systems and implement a Firepass-like solution for those that require remote access. As stated above, one in ten insiders documented in the CERT Insider Threat Case database used the creation of unknown paths into organization systems; proper measures might have prevented many of those instances.

Area of Concern: Non-System Administrator Authorized Access to Administrator Accounts

Responsible Personnel: USCIS Leadership, Information Technology

Policy and/or Security Measure: The US Department of State has authorized access for some FSNs to some USCIS systems needed for the performance of their duties.

Policy or Practice Gaps: According to one interviewee, FSNs are system administrators on some US Department of State systems in embassies or consulates abroad. An FSN who is a system administrator for US Department of State systems does not necessarily have administrator rights on USCIS systems. One interviewee expressed concern, however, that an administrator who is a citizen of a foreign country could escalate privileges or use social engineering tactics to gain unauthorized access to USCIS systems.

Suggested Countermeasures: Ten percent (39) of insiders documented in the CERT Insider Threat Case database took advantage of insufficient access controls to conduct their crimes. USCIS should examine USCIS system access for US Department of State system administrators, as well as how those connections are monitored or logged. They should also work with the US Department of State to understand its processes for granting FSNs access to US Department of State systems.

Responsible Personnel: USCIS Leadership, Information Technology

Policy and/or Security Measure: There are currently no limits on which A files an adjudicator can request in the National File Tracking System (NFTS).

Policy or Practice Gaps: The lack of limits placed on requesting A files in NFTS may allow adjudicators to request a file by name even if they should not be accessing that file.

Suggested Countermeasures: There should be logical controls to detect "extraordinary" or suspicious file transfer requests. In one USCIS case the insider requested a file transfer to a region for an individual whose files were in another region and whose forms had been previously denied.

Protection of Controlled Information

Protecting controlled information (i.e. information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which internal [...]. In some instances malicious insiders carried out an attack through the download of information to portable media or through technical means. The unauthorized exfiltration of controlled information can have devastating effects on an organization. Malicious insiders used email to attempt attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure and enforce policies regarding what constitutes acceptable use of company resources, including information assets, and that employees understand [...].

Area of Concern: Data Download to Media

Responsible Personnel: Information Technology

Policy and/or Security Measure: USCIS has implemented network monitoring strategies that would detect large anomalous increases in network traffic by total volume or type of traffic (e.g. by either port or protocol).

Policy or Practice Gaps: [...] mass storage devices [...] amounts of data downloaded [...]

Suggested Countermeasures: Monitoring network traffic may help protect controlled information.

Area of Concern: Data Download or From Home

Policy and/or Security Measure: There is a policy against using personally owned computer equipment to perform official duties for USCIS. Telework should only be done with government furnished equipment (GFE).

Policy or Practice Gaps: A case from the USCIS CT Task Force showed that an employee performed a significant amount of official business on his personal laptop and personal systems

Suggested Countermeasures: 1) Exceptions that are technically [...] 2) If USB devices [...] should be logged [...] security awareness campaign [...]

Policy or Practice Gaps (continued): to develop a system that he was rewarded for producing. There are no technical controls to catch this activity unless the device is physically plugged into the network.

Protecting Critical Information

Responsible Personnel: Information Technology

Policy and/or Security Measure: The SNOC responds to spills of PII often enough that its staff is well versed in response procedures.

Policy or Practice Gaps: Unfortunately, the frequency with which incidents occur and the response procedures in place do not seem to reduce the number of incidents or provide automated detection when spillage occurs.

Policy and/or Security Measure: USCIS responds to PII spillages, which occur on a weekly basis. Information about the incident is transferred from the data owner who becomes aware of the spill to the OSI, which creates a Serious Incident Report (SIR) that it forwards to the Privacy Officer and finally to the SNOC.

Policy or Practice Gaps: The response effort to a PII spillage involves many parties and appears to be a complicated process for an event that happens on a weekly basis. Though these spillages are accidental events

Responsible Personnel: Information Technology

Policy and/or Security Measure: Access to network resources is terminated immediately when a spill or misconduct is suspected.

Policy or Practice Gaps: This practice appears to be done consistently.

Suggested Countermeasures: USCIS should continue this practice as part of its incident response procedures. Incorporating an appropriate level of monitoring would also be a prudent measure.

Audit, Monitor, Backup, Recovery

Insider threat research conducted by CERT has shown that logging, monitoring and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats. Preventing insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organiza

Ina

dditi

ont

heS

NO

Cla

cks

the

reso

urce

sto

focu

son

mon

itori

ngfo

rsu

spic

ious

insi

der

activ

ityf

ocus

ing

inst

ead

prim

arily

on

prot

ectio

nfr

om

exte

rnal

inci

dent

s

Are

aof

Con

cern

Re

spon

sibl

ePe

rson

nel

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

sM

odifi

cati

on

In

form

atio

nTe

chno

logy

Lo

gfil

esa

rea

cces

sibl

eby

the

do

D

isab

ling

Log

File

sm

ain

adm

inis

trat

ors

and

syst

em

adm

inis

trat

ors

ofe

ach

resp

ectiv

e

syst

em

USC

ISs

houl

dse

ndc

ritic

allo

gsto

a

cent

raliz

edlo

gse

rver

and

pro

te

ctth

elo

gfil

esto

per

mit

afo

re

nsic

rec

onst

r uct

ion

ofn

etw

ork

orh

ost

base

dev

ents

In

form

atio

nTe

chno

logy

Th

ela

cko

fcon

sist

ency

for

wha

tis

Alth

ough

six

per

cent

(23)

oft

he

logg

eda

cros

sU

SCIS

ser

vers

sys

tem

s

insi

ders

doc

umen

ted

inth

eCE

RT

appl

icat

ions

and

wor

ksta

tions

isc

on

Insi

der

Thre

atC

ase

data

base

cern

ing

Sev

eral

par

ties

addr

esse

dw

ere

able

tom

odify

ord

isab

le

CERT | SOFTWARE ENGINEERING INSTITUTE | 96

tions

nee

dto

con

side

rth

eim

port

ance

ofb

acku

pan

dre

cove

ryp

roce

sses

and

car

em

ustb

eta

ken

that

bac

kups

are

per

form

edr

egul

arly

pro

te

cted

and

test

edto

ens

ure

busi

ness

con

tinui

tyin

the

even

tofd

amag

eto

or

loss

ofc

entr

aliz

edd

ata

Are

aof

Con

cern

Resp

onsi

ble

Pers

onne

l

Polic

yan

dor

Sec

urit

yM

easu

re

Polic

yor

Pra

ctic

eG

aps

Sugg

este

dCo

unte

rmea

sure

slo

gfil

es

Mon

itor

ing

Susp

ici

ous

Act

ivit

y

Info

rmat

ion

Tech

nolo

gy

are

som

etim

esli

mite

dto

24

hour

sor

less

ofc

olle

ctio

n

the

fact

that

ITp

erso

nnel

mus

tbe

able

top

hysi

cally

rea

cha

mac

hine

in

atim

ely

fash

ion

ifth

eyh

ope

toc

ap

ture

logs

rel

ated

toa

nin

cide

nt

This

as

sum

ptio

nm

akes

itli

kely

that

cri

tica

llog

info

rmat

ion

will

be

mis

sed

CERT | SOFTWARE ENGINEERING INSTITUTE | 97

Sugg

este

dCo

unte

rmea

sure

s

Polic

yor

Pra

ctic

eG

aps

Polic

yan

dor

Sec

urit

yM

easu

re

Dat

abas

ead

min

istr

ator

sar

ere

spon

si

ble

for

mon

itori

nga

nda

lert

ing

whe

nda

taa

cces

sat

tem

pts

are

mad

eto

cri

tical

dat

ain

USC

ISd

ata

base

s

Resp

onsi

ble

Pers

onne

l

Info

rmat

ion

Tech

nolo

gy

Info

rmat

ion

Tech

nolo

gy

Are

aof

Con

cern

CERT | SOFTWARE ENGINEERING INSTITUTE | 98

Sugg

este

dCo

unte

rmea

sure

sU

SCIS

sho

uld

cons

ider

cle

arly

de

finin

gth

ere

spon

sibi

lity

ofd

ata

base

adm

inis

trat

ors

and

the

SNO

Cfo

rm

onito

ring

ale

rtin

g

and

resp

ondi

ngto

una

utho

rize

dda

taa

cces

sO

nce

the

resp

onsi

bi

lity

isa

ssig

ned

the

appr

opri

ate

grou

psh

ould

dili

gent

lyp

reve

nt

dete

cta

ndr

espo

ndto

una

utho

riz

edd

ata

acce

ssm

odifi

catio

n

and

exfil

trat

ion

atte

mpt

s

USC

ISs

houl

dco

nsid

erim

ple

men

ting

ane

twor

km

onito

ring

stra

tegy

that

mon

itors

and

filte

rs

inbo

und

and

outb

ound

net

wor

ktr

affic

Th

iss

trat

egy

may

pre

ve

nto

rde

tect

the

unau

thor

ized

tr

ansf

ero

fUSC

ISd

ata

outs

ide

the

orga

niza

tion

Man

yin

side

rsd

ocum

ente

din

the

CERT

Insi

der

Thre

atC

ase

data

ba

sew

ere

able

toc

omm

itth

eir

mal

icio

usa

ctiv

ities

usi

ngla

ptop

s

Polic

yor

Pra

ctic

eG

aps

Net

wor

ktr

affic

filte

ring

ish

appe

ning

on

lyo

nin

boun

dtr

affic

not

out

boun

dtr

affic

Th

ere

sour

ces

don

ote

xist

toe

xam

ine

ou

tbou

ndtr

affic

onl

yin

boun

dtr

affic

Fu

rthe

rmor

eth

ein

trus

ion

dete

ctio

nsy

stem

sar

eno

topt

imiz

edto

det

ect

secu

rity

eve

nts

Polic

yan

dor

Sec

urit

yM

easu

re

USC

ISh

asth

eab

ility

toc

reat

ein

bo

und

firew

allr

ules

tofi

lter

pote

ntia

llym

alic

ious

net

wor

ktr

affic

No

evid

ence

pro

vide

d

Resp

onsi

ble

Pers

onne

l

Info

rmat

ion

Tech

nolo

gy

Info

rmat

ion

Tech

nolo

gy

Are

aof

Con

cern

CERT | SOFTWARE ENGINEERING INSTITUTE | 99

Sugg

este

dCo

unte

rmea

sure

s

USC

ISs

houl

dco

nsid

erim

ple

men

ting

ane

twor

km

onito

ring

stra

tegy

that

incl

udes

fore

nsic

to

ols

toa

idin

vest

igat

ions

Ins

ixp

erce

nt(2

2)o

fthe

cas

es

docu

men

ted

inth

eCE

RTIn

side

rTh

reat

Cas

eda

taba

set

heim

pact

of

the

crim

ew

asm

agni

fied

be

caus

eof

insu

ffic

ient

bac

kups

Polic

yor

Pra

ctic

eG

aps

The

SNO

Cha

sha

dpr

oble

ms

iden

tify

ing

the

root

cau

seo

fan

affe

cted

w

orks

tatio

nor

use

rbe

caus

eof

the

lack

ofn

etw

ork

fore

nsic

app

licat

ions

Id

eally

the

SN

OC

shou

ldb

eab

leto

tr

ace

netw

ork

traf

ficfr

oms

ourc

eto

de

stin

atio

nan

dw

atch

act

ivity

It

has

a

stan

dal

one

fore

nsic

cap

abili

tyb

ut

noth

ing

onth

ene

twor

k

Tabl

etop

exe

rcis

esm

ayn

otg

ive

USC

ISa

true

indi

catio

nof

its

abili

tyto

re

cove

rfr

oma

sys

tem

icfa

ilure

W

hen

poss

ible

bac

kups

sho

uld

be

impl

emen

ted

ons

imila

rha

rdw

are

to

ensu

reth

atth

eba

ckup

tape

isfu

nc

tiona

land

the

back

upis

ope

ratio

nal

Polic

yan

dor

Sec

urit

yM

easu

re

The

SNO

Cis

res

pons

ible

for

dete

rm

inin

gth

ero

otc

ause

ofa

nin

cide

nt

incl

udin

gus

ing

fore

nsic

tool

sto

id

entif

yaf

fect

edw

orks

tatio

nsd

esk

tops

and

lapt

ops

Ba

ckup

test

ing

for

man

ysy

stem

soc

curs

onc

epe

rye

ar

Ins

ome

case

s

the

back

ups

are

only

test

edw

itha

ta

blet

ope

xerc

ise

and

don

otu

se

sim

ilar

orid

entic

alh

ardw

are

toth

at

used

inth

epr

oduc

tion

envi

ronm

ent

Resp

onsi

ble

Pers

onne

l

Info

rmat

ion

Tech

nolo

gy

Info

rmat

ion

Tech

nolo

gy

Are

aof

Con

cern

Back

ups
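The countermeasure above, sending critical logs to a central server and protecting them so a forensic reconstruction stays possible, can be made tamper-evident by chaining each forwarded record to the previous one. This is an added example, not code from the OIG/CERT report; the key, host name, user and events are constructed values.

```python
"""Tamper-evident forwarding of critical logs to a central collector.

Added example for the "Modification/Disabling Log Files" countermeasure
above; not code from the OIG/CERT report. Each forwarded record carries an
HMAC over (previous MAC + record), so the collector detects a record that
was edited, dropped or reordered on the originating host. The key, host,
user and events below are constructed demo values.
"""
import hashlib
import hmac
import json

# Assumption: a per-host forwarding key held in the clear only by the
# collector; the host's domain and system administrators never see it.
KEY = b"constructed-demo-key-not-for-real-use"
GENESIS = b"\x00" * 32  # chain start value known to both sides

def _canonical(body: dict) -> bytes:
    """Deterministic serialization so both sides MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def chain_mac(prev_mac: bytes, body: dict, key: bytes = KEY) -> bytes:
    return hmac.new(key, prev_mac + _canonical(body), hashlib.sha256).digest()

def forward(records, key: bytes = KEY):
    """Host side: wrap each record with a sequence number and a chained MAC."""
    prev, out = GENESIS, []
    for seq, rec in enumerate(records):
        body = {"seq": seq, "record": dict(rec)}
        mac = chain_mac(prev, body, key)
        out.append({**body, "mac": mac.hex()})
        prev = mac
    return out

def verify(entries, key: bytes = KEY):
    """Collector side: recompute the chain over what was received.

    Returns (True, None) if intact, else (False, index of first bad entry).
    An edited, dropped or reordered record breaks its own MAC and every later
    one. Truncation of the tail is not visible here; the collector must also
    remember the last MAC it saw from each host.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        expected = chain_mac(prev, {"seq": e["seq"], "record": e["record"]}, key)
        if e["seq"] != i or not hmac.compare_digest(expected, bytes.fromhex(e["mac"])):
            return False, i
        prev = expected
    return True, None

# Constructed sample: one database administrator session on one server.
SAMPLE = [
    {"ts": "2010-12-01T08:00:01Z", "host": "vsc-db01", "user": "dba01", "event": "login"},
    {"ts": "2010-12-01T08:02:10Z", "host": "vsc-db01", "user": "dba01", "event": "query"},
    {"ts": "2010-12-01T08:05:44Z", "host": "vsc-db01", "user": "dba01", "event": "export", "rows": 120000},
    {"ts": "2010-12-01T08:06:00Z", "host": "vsc-db01", "user": "dba01", "event": "logout"},
]

def export_record_deleted():
    """An administrator removes the export event on the host before forwarding."""
    chain = forward(SAMPLE)
    del chain[2]
    return verify(chain)  # -> (False, 2)

def export_record_edited():
    """The exported row count is downplayed in the host's copy."""
    chain = forward(SAMPLE)
    chain[2]["record"]["rows"] = 12
    return verify(chain)  # -> (False, 2)
```

The chain only proves integrity of what reached the collector; the 24-hour retention gap above is closed by forwarding promptly, not by the MAC.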


Area of Concern: Backups
Responsible Personnel: Information Technology
Policy and/or Security Measure: Years of backup tapes are kept onsite at the Vermont Service Center, and system administrators have access to these backup files.
Policy or Practice Gaps: Administrators who have access to the backup tapes would be able to [...]
Suggested Countermeasures: Backup media should be controlled carefully, documented, and stored offsite with limited access. Without those controls, USCIS cannot be sure its backups will give it the ability to recover [...]

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders following termination will sometimes exploit known technical vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to address known vulnerabilities and ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.


Area of Concern: Addressing Known Security Vulnerabilities
Responsible Personnel: Information Technology
Policy and/or Security Measure: The OIT relies on two mechanisms to detect the download of malicious code: 1) DHS monitors the Internet gateway and alerts the OIT immediately upon discovery of known malware. The OIT shuts the port down to block malicious code where appropriate. 2) A workstation agent on workstations also detects the installation of malicious code from USBs and other media.
Policy or Practice Gaps: The presence of host, perimeter, and malware protection for USCIS puts USCIS in a relatively secure position regarding malicious downloads. A mitigating factor is that the departing employee would need physical access to the system to log in.
Suggested Countermeasures: [...]

Area of Concern: Unmanaged Systems
Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS users have local administrator rights on their own machines. This allows users to install software on their systems. Some authorized software does require administrator rights to install. Some applications actually require administrator rights to run.
Policy or Practice Gaps: A user with administrator privileges must not rely solely on automatic mechanisms to safeguard his or her computer. Administrator rights give inadvertently downloaded malware the ability to completely compromise a system, sometimes without the knowledge of the user.
Suggested Countermeasures: Twelve percent (46) of the cases documented in the CERT Insider Threat Case database involve users abusing administrator privileges to sabotage systems or data. Although USCIS users have a need for administrator rights to install or run authorized software, the OIT should consider giving users separate administrator accounts for these explicit purposes. Users could then use non-administrator accounts for their daily work. This would greatly minimize the risk of malware compromise.


Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, there have been USCIS employees with seniority or influence who are able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management make it difficult for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: The OIT has a configuration management policy for software configuration baselines. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts.
Policy or Practice Gaps: Despite rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process.
Suggested Countermeasures: Seventeen cases documented in the CERT Insider Threat Case database involve users exploiting the lack or weakness of a configuration management system to carry out their attacks. The OIT could leverage the existing ePO deployment to complement its configuration management efforts. ePO can define a baseline for software applications and alert on any deviations from that baseline.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: In some cases, individuals with seniority or influence are able to use administrator privileges to install software for the sake of convenience.
Suggested Countermeasures: USCIS should ensure that configuration policy is consistently communicated and enforced throughout the organization. Even senior leadership should not be able to casually circumvent these policies without going through the proper channels as defined by the configuration management policy.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: Service Centers are responsible for locking down desktops to prevent unauthorized software from running.
Policy or Practice Gaps: The lockdown process relies on human intervention. If call volume to the Service Center is heavy, this may increase response time to an unacceptable level.
Suggested Countermeasures: The OIT should explore ways to automate lockdown of potentially compromised systems. This would require a careful balance of service versus security. On the service side, delayed response by the Service Center may result in loss of productivity. On the security side, delayed response could lead to system compromise. Management should evaluate the risks of a compromise and weigh those risks against the potential consequences of service disruption.
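The baseline-and-deviation approach recommended above (an approved software list with patched versions, and an alert on any deviation) as an added example; this is not code from the report or from the ePO product, and every product name, version and host inventory in it is constructed.

```python
"""Approved-software baseline check across host inventories.

Added example for the Configuration Management rows above; not code from
the report or from ePO. The baseline-deviation idea becomes a diff: each
installed product is compared with an approved list carrying minimum
patched versions, and every deviation is one finding. All product names,
versions and host inventories below are constructed.
"""
from dataclasses import dataclass

# Constructed baseline: product -> minimum approved (patched) version.
BASELINE = {
    "pdf-reader": "9.4.1",
    "java-jre": "1.6.0_23",
    "office-suite": "12.0.6545",
    "epo-agent": "4.5.0",
}
REQUIRED = {"epo-agent"}  # constructed: must be present on every managed host


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    kind: str  # "rogue" (not approved), "outdated" (below minimum) or "missing"
    detail: str


def parse_version(v: str) -> tuple:
    """Numeric dotted versions; '_' (as in 1.6.0_23) counts as a separator so
    update levels compare numerically and 1.6.0_9 sorts below 1.6.0_23."""
    return tuple(int(p) for p in v.replace("_", ".").split("."))


def check_host(host, inventory, baseline=BASELINE, required=REQUIRED):
    """Findings for one host's {product: version} inventory."""
    findings = []
    for product, version in sorted(inventory.items()):
        if product not in baseline:
            findings.append(Finding(host, product, "rogue", f"{version} not on approved list"))
        elif parse_version(version) < parse_version(baseline[product]):
            findings.append(Finding(host, product, "outdated", f"{version} < {baseline[product]}"))
    for product in sorted(required - set(inventory)):
        findings.append(Finding(host, product, "missing", "required agent not installed"))
    return findings


def scan(fleet, baseline=BASELINE, required=REQUIRED):
    """Findings for the whole fleet in a stable (host, product) order."""
    return [f for host, inv in sorted(fleet.items())
            for f in check_host(host, inv, baseline, required)]


# Constructed inventories: one compliant host, two deviating hosts.
FLEET = {
    "ncr-ws-0117": {"pdf-reader": "9.4.1", "java-jre": "1.6.0_23",
                    "office-suite": "12.0.6545", "epo-agent": "4.5.0"},
    "vsc-ws-0042": {"pdf-reader": "9.3.0", "java-jre": "1.6.0_23",
                    "office-suite": "12.0.6545", "epo-agent": "4.5.0",
                    "personal-sync-tool": "2.2"},
    "tsc-lt-0008": {"pdf-reader": "9.4.1", "java-jre": "1.6.0_21",
                    "office-suite": "12.0.6545"},
}

if __name__ == "__main__":
    for f in scan(FLEET):  # 4 findings: 2 outdated, 1 rogue, 1 missing
        print(f"{f.host}: {f.kind:<8} {f.product} ({f.detail})")
```

Run against a real inventory export, the same diff replaces the deliberate manual scan the rows describe, and a missing management agent surfaces as a finding rather than as a host that silently never reports.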


Appendix H Acronyms

C3-LAN: CLAIMS 3 – Local Area Network
CBP: Customs and Border Protection
CI: Counterintelligence
CIO: Chief Information Officer
CLAIMS: Computer Linked Application Information Management System
CMMI: Capability Maturity Model Integration
COTR: Contracting Officer's Technical Representative
CSC: Computer Sciences Corporation
CSIRT: Computer Security Incident Response Team
CSO: Chief Security Officer
CMU: Carnegie Mellon University
DBA: Database Administrator
DHS: Department of Homeland Security
DOJ: Department of Justice
FBI: Federal Bureau of Investigation
FDNS-DS: Fraud Detection and National Security Data System
FISMA: Federal Information Security Management Act
FSD: Field Security Division
FSN: Foreign Service National
GFE: Government-furnished Equipment
HR: Human Resources
HSPD-12: Homeland Security Presidential Directive 12
ICE: Immigration and Customs Enforcement
ISSO: Information System Security Officer
IT: Information Technology
LER: Labor and Employee Relations
LPO: Local PICS Officer
NCR: National Capital Region
NFTS: National File Tracking System
ODBC: Open Database Connectivity
OIG: Office of Inspector General
OIT: Office of Information Technology
OSI: Office of Security and Integrity
PERSEC: Personnel Security
PICS: Password Issuance and Control System
PII: Personally Identifiable Information
QA: Quality Assurance
SEI: Software Engineering Institute
SIEM: Security Information and Event Management
SIR: Significant Incident Report
SNOC: Security Network Operations Center
TSA: Transportation Security Administration
USB: Universal Serial Bus



USCIS: US Citizenship and Immigration Services
VIS: Verification Information System


Appendix I Management Comments to the Draft Report


Appendix J Contributors to this Report

Software Engineering Institute Carnegie Mellon University

Insider Threat Center at CERT

Department of Homeland Security Office of Inspector General

Richard Saunders, Director, Advanced Technology Division
Steve Matthews, IT Audit Manager, Advanced Technology Division
Philip Greene, IT Auditor/Team Lead, Advanced Technology Division


Appendix K Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chiefs of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Chief Information Security Officer
USCIS Chief Information Officer
USCIS Chief Information Security Officer
USCIS Audit Liaison Office

Office of Management and Budget

Chief Homeland Security Branch DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees as appropriate


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse, or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller