Department of Homeland Security Office of Inspector General
Examining Insider Threat Risk at the US Citizenship and Immigration Services
(Redacted)
OIG-11-33 January 2011
Examining Insider Threat Risk at the
US Citizenship and Immigration Services
Prepared for Department of Homeland Security
Office of Inspector General
by the Software Engineering Institute at Carnegie Mellon University
Insider Threat Center at CERT
December 2010
NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.
Table of Contents
Executive Summary 1
Background 2
Objective 3
Scope 3
Assessment Process/Methodology 5
Results of Assessment 7
Organizational 7
Human Resources 9
Physical Security 11
Business Processes 12
Incident Response 14
Software Engineering 15
Information Technology 16
Recommendation 1: Institute an enterprise risk management plan 22
Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort 22
Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats 22
Recommendation 4 23
Recommendation 5: Consider separation of duties for critical business processes and their related information systems 23
Recommendation 6: Conduct audit of PICS and FSN accounts for USCIS systems 23
Recommendation 7: Employ consistent physical security policies for field offices and service centers, including the physical case files 23
Recommendation 8: Consistently enforce exit procedures 24
Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs 24
Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion 24
Recommendation 11: Enforce a requirement for individual accounts on critical systems 25
Recommendation 12 25
Recommendation 13: Reduce the number of privileged accounts for critical data systems 25
Recommendation 14 25
Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review 25
Recommendation 16 26
Recommendation 17 26
Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees 26
Management Comments and OIG Analysis 27
Appendixes 28
Appendix A: Organizational 30
Appendix B: Human Resources 37
Appendix C: Physical Security 42
Appendix D: Business Processes 48
Appendix E: Incident Response 62
Appendix F: Software Engineering 69
Appendix G: Information Technology 75
Appendix H: Acronyms 107
Appendix I: Management Comments to the Draft Report 109
Appendix J: Contributors to this Report 110
Appendix K: Report Distribution 111
CERT | SOFTWARE ENGINEERING INSTITUTE | i
Executive Summary
The US Department of Homeland Security Office of Inspector General engaged the Insider Threat Center at CERT of the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat assessment of US Citizenship and Immigration Services. The objective of the assessment was to determine how US Citizenship and Immigration Services has taken steps to protect its information technology systems and data from the threats posed by employees and contractors. The assessment evaluated US Citizenship and Immigration Services against approximately 400 real insider threat compromises documented in the CERT Insider Threat Case database. These cases, all prosecuted in the United States, include fraud, sabotage, and theft of intellectual property.
The assessment team performed fieldwork in the national capital region, Vermont Service Center, and US Citizenship and Immigration Services Burlington offices. Due to the limited scope of the assessment, systems reviewed, and locations visited, CERT was not able to verify the institutionalization and enforcement of any US Citizenship and Immigration Services' policies or render an overall opinion of the effectiveness of US Citizenship and Immigration Services' insider threat posture. The Office of Inspector General did not request CERT to conduct a comprehensive information system's technical security controls review or vulnerability assessment to determine the susceptibility to internal threats. The Office of Inspector General may perform an in-depth follow-up review to render an overall opinion of the effectiveness of US Citizenship and Immigration Services' insider threat posture.
US Citizenship and Immigration Services has made progress in implementing elements of an effective insider threat program. Specifically, it has established a Conviction Task Force to review former employees convicted of criminal misconduct within the scope of their duties, performs risk management for information technology and financial management, developed exit procedures for employees, improved protection of its facilities and assets, and adheres to formalized processes for some systems. In addition, it is implementing Homeland Security Presidential Directive 12 for physical and electronic account management.
While these efforts have resulted in some improvements, US Citizenship and Immigration Services has opportunities to improve its security posture against threats posed by employees and contractors. For example, it can institute an enterprise risk management plan and incorporate insider threat risk mitigation strategies into its new business processes. It can also centralize records of misconduct and violations, institute a logging strategy to preserve system activities, implement separation of duties for adjudicative decisions, conduct audits of non-US Citizenship and Immigration Services accounts, employ consistent policies for physical security, and consistently enforce employee exit procedures.
The assessment team is making 18 recommendations to the Director of US Citizenship and Immigration Services to strengthen the department's security posture against malicious insider threats. USCIS concurred with all of our recommendations and has already begun to take actions to implement them. The department's response is included in its entirety as appendix I.
Background
The US Department of Homeland Security (DHS) Office of Inspector General (DHS OIG) engaged the CERT program in the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat vulnerability assessment of US Citizenship and Immigration Services (USCIS). The project approaches the insider threat problem on two primary fronts:
• The human behavioral component
• The technological solution for automating prevention and detection capabilities to identify, measure, monitor, and control insider threat vectors
Insiders can be current or former employees, contractors, or business partners who have or had authorized access to their organization's systems and networks. They are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate attacks and even collude with external attackers. CERT's research, conducted since 2001, has focused on gathering data about actual malicious insider acts, including information technology (IT) sabotage, fraud, theft of confidential or proprietary information, espionage, and potential threats to our Nation's critical infrastructures.
CERT developed an insider threat vulnerability assessment instrument for evaluating vulnerabilities to insider threat based on research to date. Because of the complexity of the insider threat problem—involving security officers, information technology, information security, management, data owners, software engineering, and human resources—organizations need assistance in merging the wealth of available guidance into a single actionable framework. CERT advises organizations to use this assessment instrument to help safeguard their critical infrastructure.
CERT built the assessment based on research of approximately 400 insider threat cases in the CERT Insider Threat Case database.[1] These cases are a collection of real insider threat compromises—primarily fraud, sabotage, and theft of intellectual property—that have been prosecuted in the United States. Starting in 2002, CERT collaborated with US Secret Service behavioral psychologists to collect approximately 150 actual insider threat cases that occurred in US critical infrastructure sectors between 1996 and 2002 and examined them from both a technical and a behavioral perspective. Since that original study, CERT has continued to add cases with funding from Carnegie Mellon's CyLab,[2] bringing the case library to a total of approximately 400 cases. The instrument encompasses technical, behavioral, process, and policy issues and is structured around information technology, information security, human resources, physical security, business processes, legal and contracting management, and organizational issues.
[1] Note that the database does not contain national security espionage cases involving classified information.
[2] http://www.cylab.cmu.edu
Objective
The objective of the insider threat vulnerability assessment was to determine how USCIS has taken steps to protect its IT systems and data from the threat posed by employees and contractors. This assessment was based on behavioral as well as technical experience, and it is intended to assist USCIS in safeguarding its critical infrastructure. The assessment will:
• Enable USCIS to gain a better understanding of its vulnerability to insider threat and provide an ability to identify and manage associated risks
• Identify technical, organizational, personnel, business, security, and process issues into a single actionable framework
• Identify short-term countermeasures against insider threats
• Help guide USCIS in its ongoing risk management process for implementing long-term strategic countermeasures against insider threats
Scope
USCIS employs approximately 18,000 government employees and contractors located at 250 offices throughout the world.[3] The insider threat vulnerability assessment is intended to focus on critical systems and high-risk areas of concern that can be assessed in a 3- to 5-day timeframe. Therefore, at a pre-assessment walkthrough meeting, USCIS staff identified 3 systems of the 96 systems used by the agency as critical to its overall mission:
• Verification Information System (VIS)—this public-facing system is composed of five different applications. The purpose of the system is to provide—
o Immigration status information to government benefit-granting organizations to help them determine the eligibility of aliens who apply for benefits
o A means for private employers to perform employment eligibility verification of newly hired employees
• Computer Linked Application Information Management System (CLAIMS)—This system provides the following functions:
o CLAIMS 3 Local Area Network (C3 LAN) was originally developed to track the receipting of applicant or petitioner remittances and to produce notices documenting the remittance. C3 LAN now includes adjudication, archive, card production, case history, case transfer, on-demand reports, electronic file tracking, image capture, production statistics, status update, and electronic ingest of application data captured through the E-Filing web application and the Department of Treasury-sponsored lockbox operations.
o C3 mainframe supports processing of USCIS applications and petitions for various immigrant benefits (e.g., change of status, employment authorization, and extension of stay).
• Fraud Detection and National Security Data System (FDNS-DS)—This system was developed to identify threats to national security, combat benefit fraud, and locate and remove vulnerabilities that compromise the integrity of the legal immigration system.
[3] http://www.uscis.gov/portal/site/uscis/menuitem.eb1d4c2a3e5b9ac89243c6a7543f6d1a/?vgnextoid=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD&vgnextchannel=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD
It is important to note that the insider threat vulnerability assessment is limited to areas of concern observed in the hundreds of cases in the CERT Insider Threat database. People, technology, and organizations are constantly changing, and malicious insiders continue to come up with new avenues of attack in order to defeat a previously effective countermeasure. However, many of the countermeasures suggested in this report are applicable to a multitude of attack vectors.
It is also important to note that CERT's insider threat research has only explored intentional insider crimes. Accidental data leakage is an area of significant concern for organizations; however, CERT has not yet explored that aspect of insider threat. In addition, the focus of the research to date is to describe how the insider threat problem evolves over time. CERT's long-term research does include measuring the effectiveness of mitigation strategies.
Assessment Process/Methodology
An entrance conference was conducted by the DHS OIG, CERT, and USCIS on February 23, 2010. The entrance conference introduced USCIS to the CERT assessment team. Following the entrance conference, a pre-assessment walkthrough was held at USCIS headquarters on March 10, 2010. At that meeting, the CERT assessment team and the DHS OIG team explained the assessment process to representatives of USCIS. USCIS provided some documentation to the assessment team at that time and more documents throughout the assessment; those documents were reviewed to provide substantiation for findings in this report.
USCIS identified 96 systems it uses. Following the initial meeting, USCIS leadership and the assessment team chose the VIS, CLAIMS, and FDNS-DS systems because they were critical to the overall mission of USCIS. These three systems were the focus of the 5-day onsite assessment.
At the pre-assessment walkthrough, USCIS indicated that it had created a Convictions Task Force to review the activities of 10 former employees convicted of criminal misconduct within the scope of their official duties. The purpose of the task force is to identify issues these employees exploited to commit their crimes. The task force intended to develop findings and recommendations aimed at preventing similar crimes in the future. It graciously extended an invitation to the CERT and DHS OIG teams to participate. As a result, the teams observed or reviewed transcripts of all telephone conferences conducted by the task force. These findings are reflected in this report.
The CERT insider threat team and the DHS OIG liaison were onsite at various USCIS locations in the national capital region (NCR) from March 30 through April 1, 2010.
The DHS OIG liaisons were present at all interviews. The DHS OIG attended these interviews as an observer and assisted CERT as needed.
Face-to-face interviews were conducted with approximately 58 representatives in the NCR, followed by 32 representatives in the Vermont Service Center and USCIS Burlington offices. In addition, telephone conferences were held with staff from the Office of Security and Integrity (OSI) Investigations Division and the Security Network Operations Center (SNOC). Interviewees represented the following areas:
• Data Owners (VIS, CLAIMS, and FDNS-DS)
• Computer Sciences Corporation (CSC) (software engineering and operational support for VIS, CLAIMS, and FDNS-DS)
• OSI (Physical Security, Regional Security, Investigations, Personnel Security, Counterintelligence)
• Human Capital and Training (Training, Human Resources Operations Center, Labor Employee Relations)
• Office of Information Technology (OIT) (IT Security, Computer Security Incident Response Team, Security and Network Operations Center, Account Management, Enterprise Operations)
• Legal (Procurement Law)
• Vermont Service Center (adjudicators, data entry clerks, supervisor, directors, OIT, software engineering)
All interviews were considered confidential; no record of participating employees is included in this report or in subsequent briefings. Findings are attributed only to a group or department interviewed, a document, the Convictions Task Force telephone conferences, or direct observation.
A critical issue for USCIS is ensuring that the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for Information Technology (IT) and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.
In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms—US citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.
Transformation
Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. USCIS is relying heavily on Transformation to correct many of the problems resulting from legacy systems. This reliance on a single effort makes its effectiveness very important. The team found the Transformation effort to be a massive undertaking that appears to be implementing a very detailed project plan.
Based on the team's review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats. The assessment team reviewed five comprehensive Transformation documents as part of this assessment. The documents describe system requirements in detail. Fraud detection refers to detection of fraud perpetrated by applicants and petitioners; national security issues focus on the handling of investigations within USCIS that involve national security issues.
Again, an enterprise risk management approach should be considered when defining requirements for Transformation. Insiders at USCIS have perpetrated fraud in the past, as evidenced by the Convictions Task Force. In addition, USCIS insiders are capable of granting legal residency or citizenship status to someone who poses a national security risk to the United States.
Training and Awareness
It is essential that security awareness training is consistently provided to all employees to ensure security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure to report concerning behavior by coworkers or others in an organization was a primary reason insiders in the CERT Insider Threat Case database continued to set up or carry out their attacks.
USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.
Human Resources
An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern exhibited by current employees. Some cases from the CERT Insider Threat database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations must establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.
Organizational issues related to functions shared by human resources (HR) and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring. Clear requirements for ensuring employees' knowledge of these guidelines are also essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information.
Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.
Screening and Hiring Practices
Several personnel screening and hiring practices pose a risk to USCIS systems and data.
USCIS does not have a consistent procedure for deciding whether to conduct a face-to-face interview prior to hiring an applicant being screened for government employment. There was an impression at USCIS headquarters that nearly 100% of those employees hired by managers are interviewed, but representatives in Burlington, Vermont, told us otherwise. This gap between perception and reality (there is not a policy stating that this must be done) is a concern. USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.
If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire. PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires if they have risk factors that do not cross adjudication guidelines for disqualification.
Foreign Service National (FSN) employees who work at US embassies and consulates abroad have access to USCIS critical systems and data in some cases. In order to be hired and granted access to any of those systems, FSNs are vetted by the US Department of State. Although the access to USCIS systems must be approved by the chief security officer (CSO) and chief information officer (CIO) for DHS, USCIS has very little visibility into the screening process for FSNs.
Exit Procedures
Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager or Contracting Officer's Technical Representative (COTR). It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access.
Physical Security
Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.
USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the NCR since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls.
Finally, issues concerning the security of applicants' physical case files should be considered as part of USCIS' risk management strategy.
Controlling and Monitoring Proper Access Authorization
USCIS handles the physical security and access authorization of facilities differently depending on where the facility is located. The physical security of NCR facilities is handled by one group of USCIS personnel, but the physical security of field offices falls under the Field Security Division (FSD). In some cases, a physical security representative is not located in a field office at all. When this is the case, the responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner.
In 10 cases documented in the CERT Insider Threat Case database, the insider was able to commit a crime following termination because of failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities.
Security of Physical Case Files
At the Vermont Service Center, the assessment team observed physical case files of benefit applicants stacked in crates in the hallways. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their offices or desks. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they may leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office, naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Thirteen insiders documented in the CERT database stole physical property belonging to their organization.
Business Processes
A variety of cases from the CERT Insider Threat Case database document insider attacks in which gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and non-technical means. Access control based on separation of duties and least privilege in both the physical and virtual environment is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.
Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crimes. Most of these insiders committed their crimes for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE Password Issuance and Control System (PICS) for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.
Verification Information System
The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.
Modifications by VIS users to critical data are logged.
CLAIMS 3 LAN
Currently all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other "sister" USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it.
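The review rules just described, together with the separation-of-duties principle from the Business Processes section, can be enforced by the system rather than left to a supervisor's workload. The following is an added example, not USCIS or CERT code: it selects decisions for a second look (all denials, trainees under 100% review, decisions on a form type outside the adjudicator's normal duties, a 10-case QA draw per adjudicator) and adds a sample of routine approvals, since an undeserved grant is the outcome an insider committing fraud would aim for. It also refuses to assign the review to the person who made the decision. Adjudicator ids, form types, the approval sampling rate and the workload are constructed.

```python
"""Second-look selection for benefit adjudication decisions (added example)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Adjudicator:
    user_id: str
    in_training: bool
    normal_form_types: frozenset  # form types this person routinely decides


@dataclass(frozen=True)
class Decision:
    case_id: str
    adjudicator_id: str
    form_type: str
    outcome: str  # "approve" or "deny"


QA_CASES_PER_ADJUDICATOR = 10   # stated in the section: 10 cases per month per adjudicator
APPROVAL_SAMPLE_RATE = 0.10     # constructed: share of routine approvals pulled for review


def mandatory_review_reasons(decision, adjudicator):
    """Rules that force a second look regardless of any random sampling."""
    reasons = []
    if decision.outcome == "deny":
        reasons.append("denial")
    if adjudicator.in_training:
        reasons.append("trainee")
    if decision.form_type not in adjudicator.normal_form_types:
        reasons.append("unfamiliar_form_type")
    return reasons


def select_for_review(decisions, adjudicators, seed):
    """Map case_id -> reasons for every decision that gets a second look.

    Approvals with no mandatory reason are sampled at APPROVAL_SAMPLE_RATE;
    the QA draw is a fixed-size random sample per adjudicator on top of that.
    """
    rng = random.Random(seed)  # seeded so an audit can reproduce the selection
    selected = {}
    for d in decisions:
        reasons = mandatory_review_reasons(d, adjudicators[d.adjudicator_id])
        if not reasons and rng.random() < APPROVAL_SAMPLE_RATE:
            reasons = ["approval_sample"]
        if reasons:
            selected[d.case_id] = reasons
    by_adjudicator = {}
    for d in decisions:
        by_adjudicator.setdefault(d.adjudicator_id, []).append(d)
    for cases in by_adjudicator.values():
        for d in rng.sample(cases, min(QA_CASES_PER_ADJUDICATOR, len(cases))):
            selected.setdefault(d.case_id, []).append("qa_sample")
    return selected


def assign_reviewer(decision, candidate_reviewers):
    """Separation of duties: the reviewer must differ from the deciding adjudicator."""
    eligible = [r for r in candidate_reviewers if r != decision.adjudicator_id]
    if not eligible:
        raise ValueError(f"no independent reviewer available for case {decision.case_id}")
    return eligible[0]


def sample_workload():
    """Constructed month of decisions for two adjudicators."""
    adjudicators = {
        "adj-A": Adjudicator("adj-A", False, frozenset({"I-130", "I-485"})),
        "adj-B": Adjudicator("adj-B", True, frozenset({"I-130"})),
    }
    decisions = [Decision(f"A-{i:03d}", "adj-A", "I-130", "approve") for i in range(30)]
    decisions += [
        Decision("A-DENY", "adj-A", "I-485", "deny"),
        Decision("A-N400", "adj-A", "N-400", "approve"),  # form type outside normal duties
        Decision("B-001", "adj-B", "I-130", "approve"),   # trainee: always reviewed
        Decision("B-002", "adj-B", "I-130", "deny"),
    ]
    return adjudicators, decisions


if __name__ == "__main__":
    adjs, decs = sample_workload()
    for case_id, reasons in sorted(select_for_review(decs, adjs, seed=7).items()):
        print(case_id, ", ".join(reasons))
```

The seed is the one knob worth thinking about: a fixed seed lets an auditor reproduce which approvals were sampled, but it should be rotated or drawn from a source the adjudicators cannot read, otherwise the sample becomes predictable to the people it is meant to deter.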
FDNS-DS
Incident Response
Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.
Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.
Incident Management
USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Consequently, any effort to coordinate a proactive program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.
Software Engineering
Code Reviews
Some USCIS systems adhere to a formalized process of software engineering using contractors with a specified level of process maturity (i.e., capability maturity model integration (CMMI) level 3).
There was even a documented case in which source code contained something inappropriate and it was only discovered after the code was turned over from one contractor to another.
Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.
Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial.
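One technical control that follows from the two paragraphs above is a release gate that refuses to ship any commit lacking an approval from someone other than its author, with no exemption for the small maintenance-phase changes the text singles out. The block below is an added example, not USCIS, CERT or CSC code; the commit ids, author ids and reviewer ids are constructed, and the approvals are assumed to come from the team's review tool.

```python
"""Release gate for reviewed source code (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str
    approvals: tuple   # ids of the people who approved this change
    lines_changed: int


def independent_approvers(commit):
    """Approvals that count: anyone except the author of the change."""
    return [r for r in commit.approvals if r != commit.author]


def release_blockers(commits):
    """Return (sha, reason) for each commit that must not be released.

    A change of any size is held. The reason distinguishes "never reviewed"
    from "only the author approved", which is the self-approval hole that
    separation of duties is meant to close.
    """
    blockers = []
    for c in commits:
        if not c.approvals:
            blockers.append((c.sha, "no_review"))
        elif not independent_approvers(c):
            blockers.append((c.sha, "self_approved_only"))
    return blockers


def release_allowed(commits):
    """True only when every commit on the release has an independent approval."""
    return not release_blockers(commits)


def sample_release():
    """Constructed release candidate for a stable system in maintenance."""
    return [
        Commit("a1b2c3d", "dev-1", ("rev-2",), 12),
        Commit("d4e5f6a", "dev-1", (), 1),            # one-line change pushed without review
        Commit("0a1b2c3", "dev-3", ("dev-3",), 3),    # author approved their own change
        Commit("f0e1d2c", "dev-2", ("dev-2", "rev-1"), 40),
    ]


if __name__ == "__main__":
    for sha, reason in release_blockers(sample_release()):
        print(f"BLOCK {sha}: {reason}")
    print("release allowed:", release_allowed(sample_release()))
```

The gate is only as good as the approval records it reads: if authors can edit those records, or the same person holds both the author and reviewer roles in the tool, the separation of duties exists on paper only.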
Information Technology
Account Management
Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems and/or networks.
In some areas, computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.
Althoughaccountnamingconventionsaredictatedby DHSandtheUSDepartmentofStateUSCIScouldrequestanamingconventiontodiffer entiatebetweenFSNandUScitizenfederalemployeeaccountsInadditionUSCISshould consistentlytracktheauthorizationandcreationofallUSCISaccountsTodetermineifun
CERT | SOFTWARE ENGINEERING INSTITUTE | 16
authorizedorlegacyaccountsexistUSCISshouldconsiderconductinganaccountauditwith theassistanceofUSDepartmentofStatepersonneltovalidateallexistingFSNaccounts
SecondaccesstosomecriticalUSCISsystemsiscontrolledbythePasswordIssuanceand ControlSystem(PICS)ThepurposeofPICSistofacilitatetheadministrationofusernames andpasswordstocertainICEandUSCISinformationsystemsOneareaofconcernregard ingPICSisthatitisadministeredbyICEandtherearemorethan2000LocalPICSOfficers (LPOs)acrossvariouscomponentsofDHSTheseLPOsusePICStograntauthorizedaccess toICEandUSCISsystemsforthepersonnelattheirrespectivesiteoragencysuchaslocal sheriffspetitionersCustomsandBorderPatrol(CBP)DepartmentofJustice(DOJ)Trans portationSecurityAdministration(TSA)TerrorismTaskForceandDHSOIGEachLPOcan grantaccesstoanysystemcontrolledbyPICSInotherwordsLPOsthroughoutUSCISand ICEcangrantaccessforanyoftheirstafftoanyUSCISsystemFurthermore
Giventhedistributednatureofaccountadmini strationitisverydifficultforUSCISdataownersandOITstafftomanageauthorizationof useraccountstoUSCIScriticalsystemsFinallytheprocessforcommunicatingchangesin employeestatusanddisablingaccountsvarieswidelyamongindividualfieldofficesService CentersandofficesintheNCR
TheapplicationofaccountmanagementpracticesunderthecontrolofUSCISisinconsistent Forexampledisablingorterminatingaccountsforemployeesisnotalwayscompletedina timelymannerupontheemployeersquoschangeinstatusThislackofconsistencyismade worsewhendecentralizedLPOsacrossUSCISdonotfollowthesameproceduresInother casesemployeesareretainingaccessafteratransferwhentheyshouldnotwhichrequires thelosingandgainingsupervisorstonotifyproperaccountmanagementpersonnel
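The account audit suggested above (accounts with no creation record, accounts left enabled after termination or transfer, and accounts that cannot be attributed to one individual) can be expressed as a reconciliation of three exports. The following is an added example written for this page; it is not code from the OIG/CERT report, from USCIS, or from PICS or HSPD-12 tooling. The HR roster, account export and authentication log are constructed, and their layouts are assumptions about what such exports would contain. The last check (one account authenticating from two sites within a short window) is a heuristic for shared use that goes beyond the audit described in the text.

```python
"""Account audit: reconcile a system's account export against the HR roster
and an authentication log.

Added example; not code from the OIG/CERT report or from USCIS, PICS or
HSPD-12 tooling. Every record below is constructed, and the three record
layouts are assumptions about what such exports would contain.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed HR roster: one record per person. status is ACTIVE,
# TRANSFERRED or TERMINATED; effective is when that status took effect;
# unit is the person's current organizational unit.
HR_ROSTER = [
    {"person": "P100", "status": "ACTIVE",      "effective": "2010-01-04", "unit": "VSC"},
    {"person": "P101", "status": "TERMINATED",  "effective": "2010-09-30", "unit": "VSC"},
    {"person": "P102", "status": "TRANSFERRED", "effective": "2010-08-15", "unit": "NCR"},
    {"person": "P103", "status": "ACTIVE",      "effective": "2008-03-01", "unit": "NSC"},
]

# Constructed account export for one critical system. person is None when
# the account could not be tied to a roster entry; authorized_by is empty
# when no creation paperwork was found; unit is the unit the account was
# provisioned for.
ACCOUNTS = [
    {"account": "jdoe",    "person": "P100", "unit": "VSC", "authorized_by": "LPO-17", "enabled": True},
    {"account": "asmith",  "person": "P101", "unit": "VSC", "authorized_by": "LPO-17", "enabled": True},
    {"account": "rlee",    "person": "P102", "unit": "VSC", "authorized_by": "LPO-42", "enabled": True},
    {"account": "fsn0091", "person": None,   "unit": "OVS", "authorized_by": "",       "enabled": True},
    {"account": "mkhan",   "person": "P103", "unit": "NSC", "authorized_by": "LPO-03", "enabled": True},
]

# Constructed authentication log: timestamp, account, site the login came from.
AUTH_LOG = """\
2010-10-02T08:14:09 asmith VSC
2010-10-05T19:20:31 asmith REMOTE
2010-10-05T09:01:00 mkhan NSC
2010-10-05T09:03:12 mkhan TSC
2010-10-06T10:00:00 jdoe VSC
"""

AUDIT_DATE = date(2010, 10, 8)   # constructed "today" so the run is repeatable


def parse_auth_log(text):
    """Return (timestamp, account, site) tuples from the log text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, site = line.split()
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"), account, site))
    return events


def audit_accounts(roster, accounts, auth_log, audit_date,
                   share_window=timedelta(minutes=30)):
    """Return (account, finding) pairs for accounts that need follow-up."""
    people = {p["person"]: p for p in roster}
    logins = defaultdict(list)
    for event in parse_auth_log(auth_log):
        logins[event[1]].append(event)

    findings = []
    for acct in accounts:
        name = acct["account"]
        # No creation record or no owner on the roster: the account cannot be
        # attributed to an individual, so the remaining checks cannot be run.
        if not acct["authorized_by"] or acct["person"] not in people:
            findings.append((name, "NO_AUTHORIZATION_RECORD"))
            continue
        person = people[acct["person"]]
        effective = date.fromisoformat(person["effective"])
        if person["status"] == "TERMINATED" and acct["enabled"] and audit_date > effective:
            findings.append((name, "ENABLED_AFTER_TERMINATION"))
            if any(ts.date() > effective for ts, _, _ in logins[name]):
                findings.append((name, "LOGIN_AFTER_TERMINATION"))
        if person["status"] == "TRANSFERRED" and acct["unit"] != person["unit"]:
            findings.append((name, "RETAINED_AFTER_TRANSFER"))
        # Shared-use heuristic (added, not from the report): the same account
        # authenticating from two different sites within share_window is
        # unlikely to be one person.
        events = sorted(logins[name])
        for earlier, later in zip(events, events[1:]):
            if earlier[2] != later[2] and later[0] - earlier[0] <= share_window:
                findings.append((name, "POSSIBLE_SHARED_USE"))
                break
    return findings


def run_audit():
    return audit_accounts(HR_ROSTER, ACCOUNTS, AUTH_LOG, AUDIT_DATE)


if __name__ == "__main__":
    for account, finding in run_audit():
        print(f"{account:10} {finding}")
```

On the constructed data the audit reports fsn0091 as having no authorization record, asmith as enabled and used after termination, rlee as retaining access after a transfer, and mkhan as possibly shared. The NO_AUTHORIZATION_RECORD branch deliberately stops further checks: until an account is tied to one person, a status comparison has nothing to compare against, which is the same reason the text asks for the authorization and creation of every account to be tracked.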
Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas, have not been through the rigorous pre-employment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.
Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.

USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information,
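The two detection criteria named above, an anomalous increase in total volume and a change in the type of traffic by port, can be checked against per-host daily flow summaries. The block below is an added example for this page, not the USCIS monitoring implementation or any product's logic; the summary format (date, host, bytes out, destination port) and the thresholds (five times the host's median daily volume, with a 100 MB floor so quiet hosts are not flagged on small absolute changes) are assumptions. A host that appears only on the day under review has no baseline and is reported as such rather than silently passed.

```python
"""Volume and port anomaly check over daily per-host flow summaries.

Added example; not the report's or USCIS's monitoring code. The record
format and thresholds are assumptions; all data is constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed daily summaries: date host bytes_out dst_port. Five baseline
# days (2010-10-01 .. 05) and the day under review (2010-10-06).
FLOW_SUMMARY = """\
2010-10-01 ws-101 51000000 443
2010-10-01 ws-101 3000000 80
2010-10-02 ws-101 49000000 443
2010-10-02 ws-101 2800000 80
2010-10-03 ws-101 55000000 443
2010-10-03 ws-101 3100000 80
2010-10-04 ws-101 50000000 443
2010-10-04 ws-101 2900000 80
2010-10-05 ws-101 52000000 443
2010-10-05 ws-101 3000000 80
2010-10-06 ws-101 2100000000 443
2010-10-06 ws-101 3000000 80
2010-10-01 ws-102 40000000 443
2010-10-02 ws-102 42000000 443
2010-10-03 ws-102 39000000 443
2010-10-04 ws-102 41000000 443
2010-10-05 ws-102 40000000 443
2010-10-06 ws-102 41000000 443
2010-10-06 ws-102 900000000 22
2010-10-01 ws-103 30000000 443
2010-10-02 ws-103 31000000 443
2010-10-03 ws-103 29000000 443
2010-10-04 ws-103 30000000 443
2010-10-05 ws-103 30500000 443
2010-10-06 ws-103 31000000 443
2010-10-06 ws-104 10000000 443
"""


def parse_flows(text):
    """Return (day, host, bytes_out, port) tuples; days are ISO strings so
    lexical comparison orders them correctly."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, nbytes, port = line.split()
        rows.append((day, host, int(nbytes), int(port)))
    return rows


def detect_anomalies(rows, target_day, factor=5.0, floor_bytes=100_000_000):
    """Compare each host's traffic on target_day with its earlier days.

    Returns (host, finding, detail) tuples: VOLUME_SPIKE carries the day's
    byte total, NEW_PORT the port not seen in the baseline, NO_BASELINE the
    day's total for a host with no history.
    """
    totals = defaultdict(int)   # (host, day) -> bytes out
    ports = defaultdict(set)    # (host, day) -> destination ports used
    for day, host, nbytes, port in rows:
        totals[(host, day)] += nbytes
        ports[(host, day)].add(port)

    findings = []
    for host in sorted({h for h, _ in totals}):
        if (host, target_day) not in totals:
            continue
        today = totals[(host, target_day)]
        history = [b for (h, d), b in totals.items() if h == host and d < target_day]
        if not history:
            findings.append((host, "NO_BASELINE", today))
            continue
        # Median rather than mean so one earlier spike does not raise the bar.
        if today > max(median(history) * factor, floor_bytes):
            findings.append((host, "VOLUME_SPIKE", today))
        seen = set()
        for (h, d), used in ports.items():
            if h == host and d < target_day:
                seen |= used
        for port in sorted(ports[(host, target_day)] - seen):
            findings.append((host, "NEW_PORT", port))
    return findings


def run_check():
    return detect_anomalies(parse_flows(FLOW_SUMMARY), "2010-10-06")


if __name__ == "__main__":
    for host, finding, detail in run_check():
        print(f"{host} {finding} {detail}")
```

On the constructed data ws-101 is flagged for volume alone, ws-102 for both a volume spike and a destination port (22) it had never used, ws-103 passes, and ws-104 is reported as lacking a baseline. A per-host median baseline is what keeps a bulk download on one workstation visible even when the enterprise-wide total barely moves.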
Logging, Auditing, Monitoring

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.
Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.

There is a primary concern in this area at USCIS. USCIS should consider the frequency with which it scans its systems for technical security vulnerabilities.

There is also another concern in this area at USCIS.
Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy,

Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.
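The automated counterpart to the manual scan described above is a comparison of each host's installed-software inventory against the approved baseline for that host's contract, with every deviation recorded together with who installed the package. The block below is an added example for this page, not OIT's scanning tool or policy; the baselines, the inventory format (host, contract, package, version, installed by), the generic package names and the version numbers are all constructed. It distinguishes software that is not on the approved list at all from approved software that is older than the baseline version, and reports a host whose contract has no baseline instead of skipping it.

```python
"""Baseline deviation check: installed software versus the approved list
for each contract.

Added example; not OIT's tool or policy. Baselines, inventory format and
all package names and versions are constructed.
"""

# Constructed approved baselines: contract -> {package: minimum version}.
APPROVED_BASELINES = {
    "contract-A": {"reader": "9.3.4", "browser": "3.6.10", "antivirus": "8.7"},
    "contract-B": {"reader": "9.3.4", "antivirus": "8.7", "archiver": "14.0"},
}

# Constructed inventory export: host contract package version installed_by.
# "deploy-svc" stands for the managed deployment service; a user name means
# a local-administrator install.
INVENTORY = """\
ws-201 contract-A reader 9.3.4 deploy-svc
ws-201 contract-A browser 3.5.2 deploy-svc
ws-201 contract-A antivirus 8.7 deploy-svc
ws-201 contract-A remote-admin-tool 1.0 jdoe
ws-202 contract-B reader 9.3.4 deploy-svc
ws-202 contract-B antivirus 8.5 deploy-svc
ws-202 contract-B archiver 14.0 deploy-svc
ws-203 contract-C reader 9.3.4 deploy-svc
"""


def version_key(version, width):
    """Dotted version string -> tuple of ints, zero-padded to width so that
    '8.7' and '8.7.0' compare equal rather than by length."""
    parts = tuple(int(x) for x in version.split("."))
    return parts + (0,) * (width - len(parts))


def is_older(installed, approved):
    width = max(installed.count("."), approved.count(".")) + 1
    return version_key(installed, width) < version_key(approved, width)


def parse_inventory(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, contract, package, version, installed_by = line.split()
        rows.append((host, contract, package, version, installed_by))
    return rows


def baseline_deviations(baselines, inventory):
    """Return (host, package, finding, installed_by) for every deviation.

    NO_BASELINE_FOR_CONTRACT: the host's contract has no approved list.
    NOT_ON_APPROVED_LIST: package is absent from the contract's baseline.
    OUTDATED: package is approved but older than the baseline version.
    """
    findings = []
    for host, contract, package, version, installed_by in inventory:
        baseline = baselines.get(contract)
        if baseline is None:
            findings.append((host, package, "NO_BASELINE_FOR_CONTRACT", installed_by))
            continue
        approved = baseline.get(package)
        if approved is None:
            findings.append((host, package, "NOT_ON_APPROVED_LIST", installed_by))
        elif is_older(version, approved):
            findings.append((host, package, "OUTDATED", installed_by))
    return findings


def run_scan():
    return baseline_deviations(APPROVED_BASELINES, parse_inventory(INVENTORY))


if __name__ == "__main__":
    # Each line is the deviation record the text asks to be logged for
    # later investigation; installed_by is what makes it attributable.
    for host, package, finding, installed_by in run_scan():
        print(f"{host} {package} {finding} installed_by={installed_by}")
```

On the constructed inventory the scan reports an outdated browser and a locally installed remote-admin-tool on ws-201 (attributed to jdoe, not the deployment service), an outdated antivirus on ws-202, and that ws-203's contract has no baseline at all. Carrying the installer identity into the deviation record is what turns a software list into something an investigator can act on.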
Recommendations

The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.

Recommendation 1: Institute an enterprise risk management plan

USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort

Transformation is a large business process reengineering effort in USCIS, primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.
Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identified.

stores physical files for benefit applicants in the Vermont Service Center with no physical protection beyond the exterior building and guard controls. USCIS should evaluate current physical access procedures to determine if they adequately address risk and if they are enforced consistently across the enterprise.
Recommendation 8: Consistently enforce exit procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager and COTR. It also appears that different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access. USCIS should adopt an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs

Changes should be made to the USCIS hiring processes for select high-risk positions. For example, USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion

USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.
Recommendation 11: Enforce a requirement for individual accounts on critical systems

In some cases, USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing of accounts more difficult.

Recommendation 12

Recommendation 13: Reduce the number of privileged accounts for critical data systems

Some data systems, including FDNS-DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.

Recommendation 14

Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review

USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk, critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed.

Recommendation 16

Recommendation 17

Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees

USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.
Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments in its entirety in appendix I.

USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS corrective action plans.
Appendixes

The following pages contain appendixes A through G, which contain a complete, detailed list of findings from the assessment.

The appendixes are organized into the following sections:

Appendix A: Organizational
Appendix B: Human Resources
Appendix C: Physical Security
Appendix D: Business Process
Appendix E: Incident Response
Appendix F: Software Engineering
Appendix G: Information Technology
Appendix H: Acronyms
Appendix I: Management Comments to the Draft Report
Appendix J: Contributors to this Report
Appendix K: Report Distribution

Each section in appendixes A through G contains a brief introduction, summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern specific to USCIS obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.

It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization's mission from both external and internal threats.

Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.

The results of this insider threat vulnerability assessment should be used to develop or refine the organization's overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.

Many of the findings in this report include the relative frequency of the issue raised in the CERT Insider Threat Case database. At the time this report was written, there were 386 cases of malicious insider activity against which the suggested countermeasure percentage is calculated. So if a particular activity was seen in 38 of our cases, we may indicate that it was seen in 10% of the cases in the Insider Threat Case database.
Appendix A: Organizational

Risk Management, Communication, Security Process Improvement

USCIS is in a difficult position. Part of its mission is to provide customer service to those seeking immigration and citizenship benefits from the US Government. However, it is challenging to optimize business processes for customer service while at the same time implementing protective measures to counter the risk posed by granting those very benefits. Many USCIS employees interviewed for this assessment identified the organization's primary risk as allowing the next terrorist to live and work legally in the United States. They desire help in identifying and implementing internal controls to counter that risk. Some of the interviewees, however, even some of the ISSOs and data owners, focused on leakage of PII as their primary concern. After delving into the matter with the assessment team, they came to understand the risk posed by exposure or misuse of critical data as the greatest risk faced by USCIS, primarily because such a security breach could result in allowing a terrorist into the country.

A critical issue for USCIS is ensuring the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: US citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Enterprise Risk Management
Responsible Personnel: USCIS Leadership; ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Individual organizations within USCIS do risk management related to their particular domain. For instance, IT does risk management from an IT perspective and Financial Management does financial risk management.
Policy or Practice Gaps: USCIS personnel stated there is no enterprise risk management process for analyzing the organization's overall risk.
Suggested Countermeasures: We suggest that USCIS institute an enterprise risk management program. Without a common vision for risk management, the ISSOs and all organizations within USCIS cannot effectively understand the risk environment and work together to effectively mitigate risk. In interviews, some USCIS staff, including some ISSOs, data owners, and OIT staff, seemed to view loss of PII as the most important insider threat risk. All of the assessment questions were answered in the context of loss of PII. When we asked specifically what they see as the biggest insider threat risk, everyone seemed to agree it is creation of real citizenship documents for people who should not have them. In fact, interviewees at the Vermont Service Center categorized the functions characterized by the highest risk as follows: 1) Unlawful alien in the United States granted nonimmigrant status; 2) Someone with nonimmigrant status granted permanent residency, which means he or she can live and work indefinitely in the United States and also can petition for relatives. Again, an enterprise risk management program will ensure that everyone across USCIS is working together to mitigate the highest priority risks. There are regulations and laws surrounding protection of PII, but focusing primarily on that issue can lead to a false sense of security if other, more important risk areas are given less attention. The Vermont Service Center is implementing separation of duties for performing functions 1 and 2 above (granting nonimmigrant status and moving someone from nonimmigrant status to permanent residency) so that one USCIS adjudicator alone cannot take an applicant from unlawful to permanent resident. These two functions will be performed at different physical locations, 29 miles apart. The Vermont Service Center has not had an adjudicator who performed both functions 1 and 2 for the same applicant. This decision demonstrates that leadership at the Vermont Service Center recognizes the significant risk of creating legal citizenship documents for illegal aliens and is taking steps to mitigate that risk. However, our insider threat assessment has uncovered other issues that could be addressed to mitigate that risk. Again, a formal risk analysis would enable USCIS to thoroughly examine the issues and prioritize countermeasures using a formal process. For example, an alternative to the physical move could be to implement an audit mechanism to look for adjudicators who performed both functions 1 and 2 for the same applicant.

Area of Concern: Enterprise-Wide Communication
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no consistency of controls from one service center to the next. We were told they each operate fairly independently.
Suggested Countermeasures: USCIS would benefit from ongoing communications about risk-based issues between the service centers. For instance, communications concerning problems, effective countermeasures, modifications to business processes, or ideas for countering increased risk could lead to an improved risk posture for the entire USCIS enterprise.

Area of Concern: Continual Security Process Improvement
Responsible Personnel: USCIS Leadership; ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: The USCIS Convictions Task Force is an excellent forum for analyzing past criminal cases and determining measures that should be instituted to prevent similar crimes in the future.
Policy or Practice Gaps: There is no process for following up on a case after the Office of Special Investigation (OSI) finishes an investigation. The Convictions Task Force is the only process we found for formal tracking, analysis, and process improvement based on actual incidents. The assessment team asked various groups if there is any follow-up to incidents, for instance implementing automated scripts or controls to detect the same incident in the future. The team could not find a single person who knows of such an activity. Many examples of employee misconduct cited to the assessment team could easily have been detected or even prevented via automated controls. In addition, there is no mechanism for communicating issues outside of a given service center.
Suggested Countermeasures: In nearly 25% (91) of the cases in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 of these cases it was because of inadequate auditing of irregular processes. In 29% of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analysis of the OSI's findings and the development of automated checks implemented nationally.

Area of Concern: USCIS Employees are Potential Targets for Recruitment
Responsible Personnel: Human Resources; Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Some USCIS employees interviewed have received a request for assistance from a friend, relative, or stranger seeking to promote a case for some form of applicant. One adjudicator said he does not tell others who he works for. However, the distinctive green parking sticker on his car could, in a small town like Burlington, VT, reveal the identity of his employer. USCIS personnel are therefore unusually vulnerable to solicitation by outsiders.
Suggested Countermeasures: Twenty-nine percent of the insiders in the CERT Insider Threat Case database were recruited by outsiders to commit their crimes. USCIS should consider increasing the security awareness training provided to USCIS employees and contractors. The training should be continuous, including portions intended to raise awareness of the potential target that USCIS employees present. All employees should be aware of the consequences of participating in fraud against USCIS as well as how to report solicitations made to commit fraud.

Area of Concern: Transformation
Responsible Personnel: USCIS Leadership; Data Owners; Information Technology; Human Resources
Policy and/or Security Measure: Transformation is a large business process reengineering effort in USCIS that is primarily focused on improved customer service and fraud detection. For example, the assessment team was told that Transformation will automatically validate data in CLAIMS against other external systems (e.g., ICE and FBI) and that security requirements and controls have been identified by current C3 LAN data owners.
Policy or Practice Gaps: Transformation was mentioned in most interviews for this assessment. It appears that USCIS is relying heavily upon Transformation to correct many of the problems resulting from legacy systems. However, it is unclear whether internal personnel security and information security concerns will be included in this program. This reliance on a single effort makes the effectiveness of this effort very important. Reading the Transformation requirements documentation, it is not clear that insiders are considered in the security requirements for prevention and detection of fraud or national security in USCIS systems.
Suggested Countermeasures: USCIS should consider the Transformation project from an enterprise-wide perspective. It is important for it to use a formal requirements gathering process in order to effectively mitigate both internal and external threats. Personnel security should be included as well as information security to ensure that the appropriate internal controls are in place to reduce the risk posed by malicious insiders.
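The audit mechanism proposed in the Enterprise Risk Management row above (look for adjudicators who performed both functions 1 and 2 for the same applicant) and the automated checks called for in the Continual Security Process Improvement row are the same kind of separation-of-duties query over adjudication records. The following is an added example written for this page; it is not USCIS code, not the Vermont Service Center's process, and not tied to any USCIS case-management system. The record format (case, adjudicator, function, date, site), the function codes F1 and F2, and the site names are constructed. Beyond the adjudicator check the text suggests, it also flags a case whose two functions were performed at the same site, since the text describes the two functions being moved to different physical locations.

```python
"""Separation-of-duties audit over adjudication records.

Added example; not USCIS or Vermont Service Center code. F1 stands for
granting nonimmigrant status and F2 for granting permanent residency, as
the report numbers them. Records, codes and site names are constructed.
"""
from collections import defaultdict

# Constructed adjudication log: case adjudicator function date site
ADJUDICATION_LOG = """\
case-0001 adj-21 F1 2010-06-01 site-A
case-0001 adj-21 F2 2010-09-15 site-A
case-0002 adj-21 F1 2010-06-03 site-A
case-0002 adj-34 F2 2010-09-20 site-B
case-0003 adj-34 F1 2010-07-10 site-B
case-0003 adj-57 F2 2010-09-22 site-B
case-0004 adj-57 F1 2010-07-12 site-B
"""


def parse_records(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        case, adjudicator, function, day, site = line.split()
        records.append({"case": case, "adjudicator": adjudicator,
                        "function": function, "date": day, "site": site})
    return records


def sod_violations(records):
    """Return (case, finding, detail) for cases taken through both F1 and F2
    where the same person, or the same site, performed both functions.

    Cases with only one of the two functions on record (case-0004) are out
    of scope: there is no second step to separate yet.
    """
    by_case = defaultdict(lambda: defaultdict(list))
    for rec in records:
        by_case[rec["case"]][rec["function"]].append(rec)

    findings = []
    for case in sorted(by_case):
        step1 = by_case[case].get("F1", [])
        step2 = by_case[case].get("F2", [])
        if not step1 or not step2:
            continue
        people1 = {r["adjudicator"] for r in step1}
        people2 = {r["adjudicator"] for r in step2}
        for who in sorted(people1 & people2):
            findings.append((case, "SAME_ADJUDICATOR_BOTH_FUNCTIONS", who))
        # Added check: the report's control places F1 and F2 at different
        # physical locations, so both at one site is also a deviation.
        sites1 = {r["site"] for r in step1}
        sites2 = {r["site"] for r in step2}
        for site in sorted(sites1 & sites2):
            findings.append((case, "SAME_SITE_BOTH_FUNCTIONS", site))
    return findings


def run_sod_audit():
    return sod_violations(parse_records(ADJUDICATION_LOG))


if __name__ == "__main__":
    for case, finding, detail in run_sod_audit():
        print(f"{case} {finding} {detail}")
```

On the constructed log, case-0001 is flagged on both counts (adj-21 performed F1 and F2 at site-A), case-0003 only for the site (two different adjudicators, both at site-B), and case-0002 passes. Run periodically over the real record store, a query of this shape would detect the exact event the physical separation is meant to prevent, which is why the report offers it as an alternative to the move.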
Training and Awareness

It is essential that security awareness training be consistently provided to all employees to ensure that security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure by coworkers or others in an organization to report concerning behavior was a primary reason insiders in the CERT Insider Threat Case database were able to set up or carry out their attacks. USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Training or Skills Required of Those in Appointed Security Roles
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: USCIS has a training process through an information systems security manager (ISSM).
Policy or Practice Gaps: USCIS relies heavily on contractors to provide adequately trained staff. Many ISSOs are not well versed in security. ISSOs are currently in an education process, but ISSOs are typically not security watchdogs.
Suggested Countermeasures: ISSOs must have proper training in order to keep up with the ever changing information security environment and to be able to deal with the myriad technologies and tools available to them. Appropriate budget should be allocated for ISSO training, including vendor specific training (e.g., McAfee and Cisco) and industry specific training (e.g., SANS).
Appendix B: Human Resources

Employee Issues

An organization's approach to reducing insider threats should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern by current employees. Some cases from the CERT Insider Threat Case database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations should establish a well organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed. Organizational issues related to functions shared by HR and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization, or if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring, and clear requirements for ensuring employees' knowledge of these guidelines are essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information. Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

CERT suggests enhancements to the USCIS hiring and termination processes. For example, USCIS should consider additional screening for high risk positions such as adjudicators. USCIS should also consider becoming more involved in vetting Foreign Service Nationals (FSN) prior to granting them access to USCIS critical systems and data. Finally, USCIS should consider adopting an enterprise wide exit procedure to ensure consistent termination of all employees and contractors.

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Pre-Employment Screening
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: The employee screening process lacks any form of psychological screening for a range of positions, including adjudicators.
Suggested Countermeasures: Five percent (18) of the insiders in the CERT database had possible psychological issues. USCIS should consider including psychological testing as part of the new hire process for select positions, including adjudicators. Given the significant social pressures on adjudicators and the relative lack of monitoring for insider risk, it seems important to improve this aspect of screening.

Responsible Personnel: Human Resources
Policy and/or Security Measure: Applicants are assigned a rating by HR; the rating is used to rank applicants.
Policy or Practice Gaps: There is currently no audit log that would capture instances in which someone in HR changed a rating to enable someone to get hired more easily.
Suggested Countermeasures: USCIS should consider implementing an audit log to track the candidate ratings and alert when candidate ratings are changed by someone in HR.
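The countermeasure above asks for an audit log of candidate ratings that alerts when a rating is changed. The following is an added example written for this page, not code from the report, from CERT or from USCIS: a hash-chained, append-only log in which every rating change records who made it, what it was before, and why, and in which a change to an existing rating raises an alert (an upward change without a documented reason is rated higher). Every candidate id, HR user name and rating value in it is constructed for illustration.

```python
"""Hash-chained audit log for HR candidate ratings, with alerting on changes.

Added example, not code from the CERT/USCIS report: it models the suggested
countermeasure (log every candidate rating change and alert when someone in
HR alters a rating). All candidate ids, actors and ratings are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json


@dataclass
class RatingEvent:
    """One immutable record in the audit trail."""
    candidate_id: str
    actor: str                  # HR user who made the change (constructed ids)
    old_rating: Optional[int]   # None when the rating is first assigned
    new_rating: int
    timestamp: str
    reason: str
    prev_hash: str              # digest of the previous record, forming a chain
    digest: str = ""

    def compute_digest(self) -> str:
        body = json.dumps({
            "candidate_id": self.candidate_id, "actor": self.actor,
            "old_rating": self.old_rating, "new_rating": self.new_rating,
            "timestamp": self.timestamp, "reason": self.reason,
            "prev_hash": self.prev_hash,
        }, sort_keys=True)
        return hashlib.sha256(body.encode("utf-8")).hexdigest()


class RatingAuditLog:
    """Append-only log; editing any past record is detected by verify()."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.events = []     # list of RatingEvent, oldest first
        self.current = {}    # candidate_id -> latest rating
        self.alerts = []     # human-readable alert strings

    def set_rating(self, candidate_id: str, actor: str,
                   new_rating: int, reason: str = "") -> RatingEvent:
        old = self.current.get(candidate_id)
        prev = self.events[-1].digest if self.events else self.GENESIS
        event = RatingEvent(candidate_id, actor, old, new_rating,
                            datetime.now(timezone.utc).isoformat(),
                            reason, prev)
        event.digest = event.compute_digest()
        self.events.append(event)
        self.current[candidate_id] = new_rating
        # Any change to an existing rating is alerted; an upward change with
        # no documented reason is the pattern the report is concerned about.
        if old is not None and old != new_rating:
            severity = "HIGH" if new_rating > old and not reason else "MEDIUM"
            self.alerts.append(
                f"{severity}: {actor} changed {candidate_id} rating "
                f"{old}->{new_rating} ({reason or 'no reason given'})")
        return event

    def verify(self) -> bool:
        """Recompute every digest and chain link; False if any record changed."""
        prev = self.GENESIS
        for event in self.events:
            if event.prev_hash != prev or event.compute_digest() != event.digest:
                return False
            prev = event.digest
        return True


if __name__ == "__main__":
    log = RatingAuditLog()
    log.set_rating("CAND-1001", "hr_user_a", 72, "initial screening score")
    log.set_rating("CAND-1001", "hr_user_b", 95)   # undocumented increase
    print("\n".join(log.alerts), "| chain intact:", log.verify())
```

The chain of digests is what makes the log useful as evidence: an HR user who can edit the rating table cannot quietly edit the log entry that recorded the change, because verify() recomputes every record from the one before it. In a deployment the alerts list would be delivered to security personnel outside HR, which is the separation the report's gap statement is pointing at.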
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire.
Policy or Practice Gaps: PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires who have risk factors that do not cross adjudication guidelines for disqualification.
Suggested Countermeasures: USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: Each field office determines whether or not to meet an applicant face to face before hiring.
Policy or Practice Gaps: There was an impression at headquarters that nearly 100% of those hired by managers are interviewed, but representatives in Burlington, Vermont told us otherwise. This gap between perception (there is not a policy stating this must be done) and reality is of concern. There have been known instances in which applicants were only screened on paper or over the phone before being hired. Standard operating procedures are not followed at all field offices.
Suggested Countermeasures: USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day to day supervision of the position to be filled.

Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: PERSEC vets federal employees and contractors (with a minimum background investigation). USCIS relies on the US Department of State to vet foreign national employees who work at embassies or consulates abroad.
Policy or Practice Gaps: FSNs in some instances are granted accounts on USCIS information systems. If FSNs need access to DHS systems (including USCIS), currently this access must be approved by the CSO and CIO for DHS. This practice was not always followed consistently in the past, so there may be FSNs who were granted access without all the current vetting and approvals.
Suggested Countermeasures: USCIS should consider becoming more involved in vetting of FSNs prior to granting them access to USCIS systems. In addition, USCIS should audit current FSNs with access to USCIS systems and ensure that appropriate vetting was performed.

Area of Concern: Candidate Certification Verification
Responsible Personnel: Human Resources
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: USCIS does not have a standard procedure for verifying the certifications of job applicants.
Suggested Countermeasures: USCIS should consider implementing a step in the new hire process to verify certifications of all candidates. A few insiders documented in the CERT Insider Threat Case database were able to obtain positions in organizations by providing falsified certifications.

Area of Concern: Employee and Contractor Termination
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: Exit procedures are recently developed and in some cases still under development (i.e., formal exit procedures are expected to be released in 3 months).
Policy or Practice Gaps: This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment. It appears the responsibility for ensuring that employees and contractors are terminated rests solely with the manager. It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS.
Suggested Countermeasures: USCIS should consider adopting an enterprise wide exit procedure to ensure consistent termination of all employees and contractors.

Area of Concern: Employee and Contractor Mandatory Drug Testing
Responsible Personnel: Human Resources
Policy and/or Security Measure: All federal positions are subject to drug testing, but only for new hires.
Policy or Practice Gaps: According to a USCIS Convictions Task Force investigation case, all contractor positions do not require drug testing.
Suggested Countermeasures: Fifteen insiders documented in the CERT Insider Threat Case database exhibited substance abuse. USCIS should consider implementing mandatory post-hire drug testing for all employees and contractors.
Appendix C: Physical Security

Field Offices
Access Following Termination
Security of Physical Case Files

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can also provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full time, part time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the national capital region (NCR) since January 2008 when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls. In addition, gaps in termination procedures have resulted in ongoing physical access following termination. Finally, issues concerning the security of physical case files should be considered as part of a USCIS risk management strategy.
Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Physical Security of Field Offices
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: USCIS is in the process of putting a new access control system in place for the NCR. Before it does, it will disable access for anyone who has not used physical access in more than 12 months, as well as anyone no longer employed by USCIS. It also plans on examining all accounts that have not used physical access in more than 30 days. Security of field offices falls under the Field Security Division (FSD). The Office of Security and Integrity (OSI) recently developed an inspection workbook and is field testing it with FSD. USCIS Field Security Division is planning to put a security representative in every field office. It expects two to three times more reports of violations once it has a representative in every location.
Policy or Practice Gaps: Each USCIS facility has its own policies and access control systems. Some field offices within USCIS have access control systems; others do not. Not all offices in the field have electronic access controls – some only have locks and keys. Not every USCIS site has a physical security representative. Where no representative is present, this responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner. Some managers track who accesses what when, and others do not. According to Physical Security in Vermont, only 20% of violations are being reported to security.
Suggested Countermeasures: Forty of the insiders documented in the CERT database took advantage of inadequate physical security to carry out their crimes. Electronic access controls provide logs that could be useful in investigations of illicit activity outside of normal working hours. USCIS should consider developing enterprise wide physical security procedures, roll those out to each field office, and require a physical security representative at each site to ensure consistent enforcement of the policies. USCIS should consider prohibiting each field office from developing site specific policies and removing enforcement control from each site.

Area of Concern: Physical Access Following Termination
Responsible Personnel: Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided.
Suggested Countermeasures: In 10 cases documented in the CERT Insider Threat Case database, the insider was able to attack following termination due to failure to notify security employees and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities. USCIS should consider automating the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to physical security so physical access can be disabled.

Area of Concern: No Two Person Control
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Security guards at site locations have on occasion ignored door propped open alarms because theft has traditionally been a very small problem at USCIS.
Suggested Countermeasures: Consider consistent enforcement and investigation of USCIS physical security incidents. All alerts should be investigated and documented; if the alert is deemed unnecessary, then it should be discontinued. All security violations should be tracked in a central repository so a complete history for each individual is available.
Area of Concern: After Hours Access
Responsible Personnel: Physical Security
Policy and/or Security Measure: Authorized Access: Most access is 24 hours a day, 7 days a week –
Suggested Countermeasures: Twenty-nine of the insiders documented in the CERT database used physical access outside of normal working hours to attack. USCIS should consider implementing an access control system that grants access commensurate with the position an employee or contractor fills. If a position does not require access outside of normal working hours, the access control system should prohibit such access and log unsuccessful access attempts.
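The countermeasure above describes an access control system that ties access to the position a person fills, refuses after-hours entry for positions that do not need it, and logs the refused attempts. The block below is an added example written for this page, not code from the report, from CERT or from USCIS: a small policy engine that evaluates badge events against a per-position working-hours schedule and keeps the denial log the report says is useful in investigations. The position names, schedules, door names and badge events are all constructed; a real deployment would load the schedule from the HR position record.

```python
"""Position-based physical access decisions with after-hours restriction.

Added example, not code from the report or from USCIS: it evaluates badge
requests against a per-position working-hours schedule, denies out-of-hours
access for positions that do not require it, and records every denied
attempt. Positions, schedules, doors and badge events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed schedules: (start, end, permitted weekdays with Monday = 0).
# None means the position may enter at any time (e.g. a guard post).
POSITION_SCHEDULE = {
    "adjudicator": (time(6, 0), time(19, 0), {0, 1, 2, 3, 4}),
    "mail_clerk": (time(5, 0), time(17, 0), {0, 1, 2, 3, 4, 5}),
    "facility_guard": None,
}


@dataclass
class BadgeEvent:
    badge_id: str
    position: str
    door: str
    when: datetime


def badge_event(badge_id: str, position: str, door: str, iso_ts: str) -> BadgeEvent:
    """Build an event from an ISO-8601 timestamp string (constructed input)."""
    return BadgeEvent(badge_id, position, door, datetime.fromisoformat(iso_ts))


def within_schedule(position: str, when: datetime) -> bool:
    """True if the position's schedule permits entry at this moment."""
    schedule = POSITION_SCHEDULE[position]
    if schedule is None:
        return True
    start, end, weekdays = schedule
    return when.weekday() in weekdays and start <= when.time() < end


class AccessController:
    """Decides badge events and keeps the log of unsuccessful attempts."""

    def __init__(self) -> None:
        self.denied_log = []   # one dict per refused attempt

    def decide(self, event: BadgeEvent) -> bool:
        if event.position not in POSITION_SCHEDULE:
            reason = "position has no access profile"
        elif not within_schedule(event.position, event.when):
            reason = "outside position working hours"
        else:
            return True
        self.denied_log.append({
            "badge_id": event.badge_id, "door": event.door,
            "when": event.when.isoformat(), "reason": reason,
        })
        return False


def after_hours_denials(events):
    """Run a batch of events and return only the logged after-hours denials."""
    controller = AccessController()
    for event in events:
        controller.decide(event)
    return [d for d in controller.denied_log
            if d["reason"] == "outside position working hours"]


if __name__ == "__main__":
    # 7 Dec 2010 was a Tuesday and 11 Dec 2010 a Saturday (constructed events).
    sample = [
        badge_event("B-100", "adjudicator", "VSC-north", "2010-12-07T10:00:00"),
        badge_event("B-100", "adjudicator", "VSC-north", "2010-12-11T23:05:00"),
        badge_event("B-900", "facility_guard", "VSC-north", "2010-12-11T23:05:00"),
    ]
    for denial in after_hours_denials(sample):
        print(denial)
```

The default is deny: a badge whose position has no profile is refused and logged rather than admitted, which is the same "fail closed" posture the report applies to terminated personnel. The denial log is the artifact an investigator would correlate with the CERT finding that 29 insiders used after-hours physical access.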
Area of Concern: Security of Physical Case Files
Responsible Personnel: Physical Security
Policy and/or Security Measure: Protection of USCIS Case File Data
Policy or Practice Gaps: Physical files were observed in crates stacked in the hallways in the Vermont Service Center. According to an interview at the Service Center, anyone could walk out with a "crate full" of files after hours, especially if you are a teleworker. USCIS assumes its case file data is secure because its employees and contractors have a clearance or have had a background check. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their office or desk. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they might leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information has been found in garbage cans in the hallway. Adjudicators pick up their cases in an envelope in their mailbox. During the site visit, the assessment team observed the mail room at the Vermont Service Center unattended between shifts (approximately 3 pm). When adjudicators finish with a file they return it to a drop off spot. The assessment team observed those spots, which are in the open and unattended. Adjudicators may keep cases overnight and usually return them within 1 week.
Suggested Countermeasures: It is important to note that 49 insiders documented in the CERT database violated need to know policies in the commission of their crimes. Therefore relying on clearances alone can be very dangerous. Thirteen insiders documented in the CERT database stole physical property belonging to the organization. CERT suggests USCIS consider the consequences of theft or unauthorized access to physical case files and make a risk based decision regarding potential policy and procedure changes. There are standard policies and procedures for handling sensitive information, but a strong educational campaign is needed to ensure the protection of data.

Area of Concern: Teleworkers at Service Centers
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: One hundred eighty-nine people at the Vermont Service Center are authorized to work from home. These employees pick up files at the Vermont Service Center and take them home. They work 2 days per week in the Service Center and 3 days per week at home. USCIS pays an unannounced visit to all homes to inventory the employees' files at least quarterly. These employees must have a locked facility in their home and must always have the ability to return the files to the Service Center within 4 hours.
Policy or Practice Gaps: The control of USCIS data when it leaves the Vermont Service Center is difficult to enforce. Employees must have appropriate storage facilities, but they could easily copy USCIS data and share it with unauthorized individuals.
Suggested Countermeasures: Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. It is important that USCIS recognize the potential for recruitment and the lack of control exercised over sensitive data at adjudicators' residences.
Appendix D: Business Processes

Technical Controls
Authorization via PICS
Account Management

A variety of cases from the CERT Insider Threat Case database document insider attacks where gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environments is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors are targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE PICS system for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Authorization for USCIS Critical Systems through PICS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Several critical USCIS systems are tied to PICS for authentication, which is administrated by the ICE. PICS logs account creations, when the accounts were created, what roles applied to the accounts, etc.
Policy or Practice Gaps: PICS permits users outside of USCIS to authorize users for any USCIS application tied to PICS. Two thousand local PICS officers (LPOs) in the ICE and USCIS can create new accounts in PICS for employees located at their sites. LPOs control access for sheriffs, petitioners, CBP, DOJ, TSA, DHS OIG, Terrorism Task Force, and others. Accounts are based on personnel records, so LPOs cannot create accounts for anyone who is not an employee at their site. However, PICS administrators can create accounts for anyone working at their site for any system tied to PICS.
Suggested Countermeasures: USCIS should consider implementing an authorization process and system that enables it to control who is granted access to USCIS systems and data. CERT suggests that USCIS validate current PICS accounts and roles against current employee lists. Ten percent (37) of the insiders documented in the CERT database had excessive privileges which enabled them to attack. In addition, because "privilege creep" enabled a few (six) of the insiders documented in the CERT database to carry out their crimes

Verification Information System (VIS)

Area of Concern: Sharing VIS Accounts
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: VIS administrators in external companies or agencies have been caught letting multiple employees use the same VIS account, but USCIS has no ability to take any action. The accounts enable employees to validate PII and citizenship information.
Suggested Countermeasures: Twenty-four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing accounts more difficult.

Area of Concern: Logging, Auditing, and Alerting in VIS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Modifications by VIS users to critical data are logged.
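The two VIS rows above note that external administrators have let several employees share one VIS account and that VIS already logs modifications. Where stronger authentication is not yet in place, the shared use can at least be detected from the logs VIS does produce. The block below is an added example written for this page, not code from the report, from CERT or from USCIS: it parses access log lines and flags an account that is active from two or more source addresses within a short window, the pattern of one account being used by several people at once. The line format, account names, addresses and timestamps are constructed; a real VIS log would need its own regular expression.

```python
"""Detect concurrent use of one VIS account from different source hosts.

Added example, not code from the report or from USCIS: given VIS-style access
log lines, it flags accounts used from two or more source addresses within a
short window, the signature of an account shared by several employees. The
log format and every sample line are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"account=(?P<account>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$")

# Constructed sample: vis_acme01 is used from two hosts eight minutes apart;
# vis_beta07 is used from two hosts more than four hours apart.
SAMPLE_LOG = """\
2010-11-03T09:12:01Z account=vis_acme01 src=10.1.4.22 action=login
2010-11-03T09:14:40Z account=vis_acme01 src=10.1.4.22 action=verify
2010-11-03T09:20:05Z account=vis_acme01 src=10.1.4.37 action=login
2010-11-03T09:21:10Z account=vis_acme01 src=10.1.4.37 action=verify
2010-11-03T09:25:00Z account=vis_acme01 src=10.1.4.22 action=verify
2010-11-03T13:02:11Z account=vis_beta07 src=192.168.9.5 action=login
2010-11-03T17:45:00Z account=vis_beta07 src=192.168.9.8 action=login
"""


def parse_log(text):
    """Yield (timestamp, account, src) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip malformed lines rather than abort the sweep
        yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
               m["account"], m["src"])


def find_shared_accounts(text, window_minutes=30):
    """Return {account: sorted source hosts} for every account seen from more
    than one host within `window_minutes` of itself."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for ts, account, src in parse_log(text):
        by_account[account].append((ts, src))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        for i, (t1, s1) in enumerate(events):
            for t2, s2 in events[i + 1:]:
                if t2 - t1 > window:
                    break          # sorted, so nothing later is within the window
                if s1 != s2:
                    flagged.setdefault(account, set()).update((s1, s2))
    return {account: sorted(hosts) for account, hosts in flagged.items()}


if __name__ == "__main__":
    for account, hosts in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{account}: concurrent use from {', '.join(hosts)}")
```

The window is the tuning knob: too short and two people on the same account at different desks are missed, too long and a single user moving between an office and a home connection is flagged. Findings from a sweep like this are what would give USCIS the evidence to raise the infraction with the external agency, which the gap statement says it currently cannot act on.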
Computer Linked Application Information Management System (CLAIMS) 3 LAN

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Self Selection of Adjudication Cases
Responsible Personnel: ISSOs, Data Owners
Policy and/or Security Measure: Adjudicators can self select cases (according to an interview concerning an internal incident that occurred at the USCIS and interviews with data owners at the Vermont Service Center). Within the Service Centers, adjudicators have virtually unlimited access to applicant files—there are no need to know limitations or controls to prevent an adjudicator from accessing sensitive information and reporting it to outsiders or modifying a file (entering an invalid decision). Adjudicators can also approve a case that is not assigned to them. There is no tie between the case management system (i.e., National File Tracking System or NFTS) and the case adjudication system (i.e., CLAIMS).
Policy or Practice Gaps: In the internal case that occurred at USCIS, the perpetrator circumvented the interview process for 14 months – he approved "no show" cases. There were no controls to detect this. In addition, adjudicators can adjudicate any type of case even though they are each assigned certain types of benefits cases for adjudication.
Suggested Countermeasures: USCIS should consider implementing technical controls to prohibit adjudicators from self selecting cases to adjudicate.

Area of Concern: Emphasis on Customer Service Over Risk
Responsible Personnel: Data Owners
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: One interviewee at the Vermont Data Center said that "stats" can be a strain, especially for new hires, although they do get a 90 day grace period.
Suggested Countermeasures: USCIS should use caution in emphasizing customer service as the only performance metric because this could encourage lack of attention to risk related activities (such as accurate adjudication decisions).
Lack
ofS
epar
atio
nof
Dut
ies
in
CLA
IMS
ISSO
s D
ata
Ow
ners
In
form
atio
nTe
chno
logy
Curr
ently
all
decl
ined
req
uest
sfo
rbe
nefit
sar
ere
view
edb
ya
supe
rvi
sor
H
owev
ert
here
was
ad
iscr
ep
ancy
dur
ing
inte
rvie
ws
adj
udic
ator
ssa
idth
ats
uper
viso
rss
topp
edlo
okin
gat
all
deni
als
beca
use
they
are
too
busy
Su
perv
isor
sal
sor
ecei
vea
rep
orto
fal
ladj
udic
atio
nde
cisi
ons
ente
red
by
ana
djud
icat
orfo
ra
form
type
that
th
ead
judi
cato
rdo
esn
otn
orm
ally
ap
prov
e
Onl
ya
rand
oms
ampl
eof
app
rove
dad
judi
catio
nde
cisi
ons
isr
evie
wed
For
som
eca
ses
(for
inst
ance
vic
tims
case
s)a
sen
ior
adju
dica
tor
has
to
revi
ewth
ede
cisi
ona
fter
the
adju
dica
to
ren
ters
itt
hen
the
supe
rvis
orr
evi
ews
itT
his
isa
man
ually
enf
orce
dpr
oces
s
Ther
ew
asa
noth
erd
iscr
epan
cy
in
inte
rvie
ws
the
adju
dica
tors
sai
dth
at
USC
ISs
houl
dco
nsid
erim
ple
men
ting
auto
mat
edp
roce
sses
to
prev
enta
ndd
etec
tfra
ud
Man
ag
emen
tind
icat
edit
wou
ldli
ke
tos
eea
utom
ated
tech
nica
len
forc
emen
toft
her
evie
wa
nd
appr
oval
pro
cess
Inn
earl y
ten
perc
ent(
39)o
fthe
ca
ses
docu
men
ted
inth
eCE
RT
data
base
ins
ider
sto
oka
dvan
CERT | SOFTWARE ENGINEERING INSTITUTE | 52
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
s W
hen
adju
dica
tors
are
intr
aini
ng
they
are
und
er1
00
rev
iew
Th
ey
are
intr
aini
ngo
na
spec
ific
type
of
case
for
atle
ast6
mon
ths
A
uditi
ngfo
rim
prop
erly
gra
nted
be
nefit
sis
bas
edo
nsa
mpl
ing
and
or
blin
dqu
ality
ass
uran
ce(Q
A)a
ccor
din
gldquot
oA
rmy
stan
dard
srdquoa
fter
the
fact
A
rand
omly
sel
ecte
d30
cas
es
per
quar
ter
are
also
rev
iew
edb
yldquos
iste
rce
nter
srdquo
QA
pro
cess
var
ies
offic
eby
off
ice
(no
natio
nalp
roce
ss)
Th
isQ
Ah
asb
een
done
fort
hep
ast
year
and
ah
alf
Inth
eVe
rmon
tfie
ld
offic
ee
ach
supe
rvis
orp
ulls
atl
east
10
cas
esp
era
djud
icat
orp
erm
onth
Th
eyr
evie
wd
ecis
ion
rela
ted
issu
es
secu
rity
rel
ated
issu
esa
ndp
roce
du
rali
ssue
s(d
idth
eyfo
llow
the
righ
tst
eps
)T
hey
also
look
for
less
ons
lear
ned
The
pri
mar
ypu
rpos
eof
QA
is
toid
entif
yth
ene
edfo
rre
med
ial
trai
ning
rath
erth
and
elib
erat
efr
aud
So
me
case
sar
em
ore
than
10
00
page
ss
oev
ery
deta
ilca
nnot
be
prac
tical
lyr
evie
wed
for
ever
yca
se
cler
ksp
ullc
ases
ac
oupl
eof
tim
esp
er
mon
thndash
ac
erta
inn
umbe
rof
cas
es
per
empl
oyee
Th
ose
case
sar
epa
ssed
toQ
Aw
hor
evie
ws
the
case
s
QA
then
sen
dsfe
edba
ckto
the
supe
rvi
sor
and
adju
dica
tor
ifth
eyfi
nd
som
ethi
ngth
atd
oes
notl
ook
righ
t
tage
ofi
nsuf
ficie
nts
epar
atio
nof
du
ties
toc
arr y
out
thei
rcr
imes
U
SCIS
sho
uld
care
fully
con
side
rth
ebi
gges
tris
kto
the
orga
niza
tio
nM
any
ofth
eU
SCIS
em
pl
oyee
sin
terv
iew
edfo
rth
isa
sse
ssm
enti
dent
ified
the
prim
ary
risk
for
the
orga
niza
tion
asa
llo
win
gth
ene
xtte
rror
istt
oliv
ean
dw
ork
lega
llyin
the
Uni
ted
Stat
es
They
des
ire
assi
stan
cein
id
entif
ying
and
impl
emen
ting
inte
rnal
con
trol
sto
cou
nter
that
ri
sk
Aud
iting
eve
ryd
enie
dre
ques
tin
dica
tes
that
the
bigg
estr
isk
to
USC
ISis
toin
corr
ectly
den
ya
bene
fitto
an
appl
ican
trat
her
than
tog
rant
ab
enef
itto
som
eon
ew
hod
oes
notd
eser
veit
IfU
SCIS
agr
ees
that
gra
ntin
gle
gald
ocum
ents
toil
lega
lapp
lica
nts
iso
neo
fthe
big
gest
ris
ks
toth
eor
gani
zatio
nth
enit
sh
ould
con
side
rre
quir
ing
dual
CERT | SOFTWARE ENGINEERING INSTITUTE | 53
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sau
thor
izat
ion
for
thes
ead
judi
ca
tion
deci
sion
s
Area of Concern: Lack of Automated Checks
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Vermont IT has done data sweeps after it found something suspicious. When it has done so, it has found more of the same activity.
Policy or Practice Gaps: There are no automated checks (there will be in Transformation). Checks that do exist are managed at the local level rather than alerting to the headquarters level.
Suggested Countermeasures: In nearly twenty-five percent (91) of cases documented in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 cases it was because of inadequate auditing of irregular processes. In 29 of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analyzing the OSI's findings and developing automated checks that are rolled out nationally.
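As an added illustration of the countermeasure above (example code written for this edit, not anything from the assessment or from any USCIS system), the following Python shows what a nationally rolled-out automated sweep over adjudication transactions could look like. It also enforces the dual-authorization rule suggested earlier for adjudication decisions. The transaction layout, the business-hours window, the repeat threshold and the records themselves are constructed assumptions.

```python
"""Added example (not from the report): automated checks over adjudication
transactions. Record layout and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample transactions: (case_id, applicant_id, adjudicator, action,
# timestamp, second_approver). None of these are real records.
TRANSACTIONS = [
    ("C-1001", "A-500", "jdoe",   "APPROVE", "2010-09-14T10:15:00", "mlee"),
    ("C-1002", "A-501", "jdoe",   "DENY",    "2010-09-14T10:40:00", None),
    ("C-1003", "A-502", "rkim",   "APPROVE", "2010-09-14T23:10:00", None),    # after hours, no second approver
    ("C-1004", "A-503", "rkim",   "APPROVE", "2010-09-15T09:05:00", "rkim"),  # "second" approver is the adjudicator
    ("C-1005", "A-500", "jdoe",   "APPROVE", "2010-09-16T11:00:00", "mlee"),
    ("C-1006", "A-500", "jdoe",   "APPROVE", "2010-09-17T11:30:00", "mlee"),
    ("C-1007", "A-504", "pjones", "APPROVE", "2010-09-17T14:00:00", "jdoe"),
]
BUSINESS_HOURS = (7, 19)   # assumed local working window, 07:00 to 19:00
REPEAT_THRESHOLD = 3       # approvals of one applicant by one adjudicator that trigger review


def check_dual_authorization(txns):
    """Every grant must carry a second authorizer who is not the adjudicator."""
    findings = []
    for case, _applicant, adjudicator, action, _ts, second in txns:
        if action != "APPROVE":
            continue
        if second is None:
            findings.append((case, "approval without second authorization"))
        elif second == adjudicator:
            findings.append((case, "adjudicator authorized own decision"))
    return findings


def check_after_hours(txns, hours=BUSINESS_HOURS):
    """Decisions recorded outside the working window are unusual enough to review."""
    findings = []
    for case, _applicant, adjudicator, action, ts, _second in txns:
        hour = datetime.fromisoformat(ts).hour
        if not (hours[0] <= hour < hours[1]):
            findings.append((case, f"{action} by {adjudicator} at {hour:02d}:00"))
    return findings


def check_repeat_pairs(txns, threshold=REPEAT_THRESHOLD):
    """One adjudicator repeatedly granting benefits to the same applicant."""
    counts = defaultdict(int)
    for _case, applicant, adjudicator, action, _ts, _second in txns:
        if action == "APPROVE":
            counts[(adjudicator, applicant)] += 1
    return [((adjudicator, applicant), f"{n} approvals by one adjudicator")
            for (adjudicator, applicant), n in counts.items() if n >= threshold]


def run_sweep(txns):
    """The full sweep, keyed by check name, as a headquarters-level job would run it."""
    return {
        "dual_authorization": check_dual_authorization(txns),
        "after_hours": check_after_hours(txns),
        "repeat_pairs": check_repeat_pairs(txns),
    }


if __name__ == "__main__":
    for name, findings in run_sweep(TRANSACTIONS).items():
        print(name)
        for key, reason in findings:
            print(f"  {key}: {reason}")
```

Each check is a separate function so a new rule distilled from an OSI finding can be added without touching the others, and the sweep output is keyed by rule so headquarters can see which rule fired where.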
Area of Concern: Physical Security of Case Files
Responsible Personnel: Data Owners, Adjudicators
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: The NFTS tracks millions of files. It was described, however, as a very large warehouse where files do occa[...]
Suggested Countermeasures: Ten percent (40) of the insiders documented in the CERT database carried out their crimes by [...] the same applicant.

Area of Concern: Disabling Access to CLAIMS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Currently, every month USCIS compares the Human Resources attrition list against the C3 LAN account list and disables inactive employee accounts.
Policy or Practice Gaps: The new HR form has not been socialized or widely advertised. It is up to the COTRs and supervisors to consistently request that access be disabled when an employee or contractor no longer needs access.
Suggested Countermeasures: C3 LAN will be retired as part of Transformation. C4 will also be retired. A copy of security controls and requirements has been provided by C3 LAN data owners to Transformation. It is important for the Transformation team to make risk-based decisions in Transformation design and development.
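The monthly comparison of the HR attrition list against the account list is a reconciliation job. As an added example (not code from the report or from USCIS), here it is in Python, extended with the dormant-account check that the account-management discussion in Appendix G calls for, since a separated employee whose account was never disabled shows up in both lists. The CSV layouts, the 90-day threshold and the records are constructed assumptions.

```python
"""Added example (not from the report): monthly reconciliation of an account
list against the HR attrition list, plus a dormant-account check. File layouts
are assumptions, not USCIS's actual formats."""
import csv
import io
from datetime import date

# Constructed inputs.
HR_ATTRITION_CSV = """employee_id,name,separation_date
E100,Alice Smith,2010-08-31
E102,Carol Diaz,2010-09-15
"""
ACCOUNT_LIST_CSV = """username,employee_id,status,last_login
asmith,E100,active,2010-09-20
bjones,E101,active,2010-10-01
cdiaz,E102,disabled,2010-09-10
dlee,E103,active,2010-05-02
svc_batch,,active,2010-10-03
"""
DORMANT_DAYS = 90   # assumed threshold


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv, account_csv, today_iso):
    """Return the three kinds of finding a monthly sweep should produce."""
    today = date.fromisoformat(today_iso)
    separated = {r["employee_id"]: r["separation_date"] for r in parse_csv(hr_csv)}
    report = {"separated_but_active": [], "dormant": [], "unattributed": []}
    for acct in parse_csv(account_csv):
        if acct["status"] != "active":
            continue                      # already disabled; nothing to do
        user, emp = acct["username"], acct["employee_id"]
        if emp in separated:              # HR says gone, directory says active
            report["separated_but_active"].append((user, separated[emp]))
        if not emp:                       # no owner, so no HR record can ever catch it
            report["unattributed"].append(user)
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > DORMANT_DAYS:
            report["dormant"].append((user, idle))
    return report


def accounts_to_disable(report):
    """Usernames the sweep should disable outright (separated or dormant)."""
    users = {u for u, _ in report["separated_but_active"]} | {u for u, _ in report["dormant"]}
    return sorted(users)


if __name__ == "__main__":
    rep = reconcile(HR_ATTRITION_CSV, ACCOUNT_LIST_CSV, "2010-10-05")
    for kind, items in rep.items():
        print(kind, items)
    print("disable:", accounts_to_disable(rep))
```

The unattributed bucket matters as much as the other two: an account with no employee ID behind it can never be caught by an HR-driven comparison, so it has to be reviewed by hand or assigned an owner.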
Area of Concern: Non-Attribution for DBA Accounts
Responsible Personnel: Information Technology
Policy and/or Security Measure: [not extracted]
Policy or Practice Gaps: [not extracted]
Suggested Countermeasures: [not extracted]
Area of Concern: Pending Reduction in Force for Data Entry Clerks
Responsible Personnel: Data Owners, Human Resources
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Data entry clerks will be losing their jobs when they move to LockBox, which will take over the functionality of accepting remittances for benefit applicants. It was stated that the data entry clerks might be hired away to work at the organization which performs that function.
Suggested Countermeasures: USCIS should be aware of the increased insider risk in the face of negative organizational events like this. It should consider proactive steps to decrease stress in the workplace and to ease potential financial burdens that could make employees more susceptible to recruitment by outsiders.

Area of Concern: Sharing Accounts in CLAIMS
Responsible Personnel: Data Owners, Information Technology, Data Entry Clerks
Policy and/or Security Measure: The NFTS will not let clerks log in if they have not used the system for a certain number of days.
Policy or Practice Gaps: A clerk's cube mate will log in for their cube mate if it is the end of the day and IT has gone home for the day.
Suggested Countermeasures: Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make account sharing more difficult.
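Stronger authentication raises the cost of sharing; the authentication logs can also make sharing visible after the fact. As an added example (not from the report), the Python below rebuilds sessions from a constructed authentication log and flags two signals of a shared account: the same account live on two workstations at once, and an account used from a workstation other than its owner's. The log format, host names and the seating table are assumptions.

```python
"""Added example (not from the report): detecting account sharing from
authentication logs. The log format, host names and workstation assignments
are constructed for this example."""
import re
from datetime import datetime

AUTH_LOG = """\
2010-09-20T08:02:11 LOGIN user=clerk07 host=WS-114
2010-09-20T08:05:40 LOGIN user=clerk12 host=WS-118
2010-09-20T16:31:09 LOGOUT user=clerk12 host=WS-118
2010-09-20T17:52:30 LOGIN user=clerk12 host=WS-114
2010-09-20T17:58:02 LOGOUT user=clerk12 host=WS-114
2010-09-20T18:00:15 LOGOUT user=clerk07 host=WS-114
2010-09-21T08:01:00 LOGIN user=clerk07 host=WS-114
2010-09-21T08:03:00 LOGIN user=clerk07 host=WS-121
2010-09-21T12:00:00 LOGOUT user=clerk07 host=WS-121
2010-09-21T16:30:00 LOGOUT user=clerk07 host=WS-114
"""
ASSIGNED_HOST = {"clerk07": "WS-114", "clerk12": "WS-118"}   # assumed seating chart
LINE = re.compile(r"^(\S+) (LOGIN|LOGOUT) user=(\S+) host=(\S+)$")


def parse_sessions(log):
    """Pair each LOGIN with its LOGOUT on the same (user, host) into sessions."""
    open_sessions, sessions = {}, []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, event, user, host = m.groups()
        when = datetime.fromisoformat(ts)
        if event == "LOGIN":
            open_sessions[(user, host)] = when
        else:
            start = open_sessions.pop((user, host), None)
            if start is not None:
                sessions.append((user, host, start, when))
    return sessions


def concurrent_sessions(sessions):
    """Same account live on two different workstations at once: two people, one login."""
    by_user = {}
    for s in sessions:
        by_user.setdefault(s[0], []).append(s)
    findings = []
    for user, ss in by_user.items():
        for i in range(len(ss)):
            for j in range(i + 1, len(ss)):
                a, b = ss[i], ss[j]
                overlap = a[2] < b[3] and b[2] < a[3]
                if a[1] != b[1] and overlap:
                    findings.append((user, a[1], b[1]))
    return findings


def foreign_host_logins(sessions, assigned=ASSIGNED_HOST):
    """Account used from a workstation other than its owner's assigned one."""
    return [(u, h) for u, h, _, _ in sessions if u in assigned and assigned[u] != h]


if __name__ == "__main__":
    sessions = parse_sessions(AUTH_LOG)
    print("concurrent:", concurrent_sessions(sessions))
    print("foreign host:", foreign_host_logins(sessions))
```

Neither signal proves sharing on its own (a clerk may legitimately use a second workstation), but both produce a short list a supervisor can ask about, which is the point: the end-of-day "log in for your cube mate" habit stops being invisible.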
Fraud Detection and Naturalization System – Data System (FDNS-DS)

Area of Concern: No Logging of Transactions
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: [...] but there are no national controls to ensure that celebrities' files are not being accessed.
Suggested Countermeasures: [not extracted]

Area of Concern: Elevated Privileges to FDNS-DS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: The FDNS-DS is a central repository of fraud and national security investigations. This system holds applicants and petitioners as well as PII. There is also a national security tab.
Policy or Practice Gaps: There is a large superuser community (more than thirty percent of all FDNS-DS users with access to the FDNS-DS). These accounts have extensive power: a malicious superuser can completely delete a record or modify the summary of findings.
Suggested Countermeasures: Ten percent (39) of the insiders documented in the CERT database took advantage of insufficient access controls. USCIS should consider reducing the number of privileged accounts with access to the FDNS-DS. If the number of superuser accounts were reduced, then enhanced auditing could be employed on transactions conducted using those accounts.
Area of Concern: Unknown Connections to [...]
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: [not extracted]
Suggested Countermeasures: [not extracted]

Area of Concern: Failure to Address Known Security Vulnerabilities
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no automated patching because of the age of the servers and the application. Only critical patches are applied, for fear of crashing the servers.
Suggested Countermeasures: Thirteen insiders in the CERT database exploited known security vulnerabilities that were not addressed by the organization. USCIS should consider upgrading the FDNS-DS, since these vulnerabilities increase the risk of attack from outside and inside.

Area of Concern: Production Data Available to Contractors in Development
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: CSC has production data in the development environment even though it should not have access to production data.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the remote, contractor-owned development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.
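Sanitizing or anonymizing the extract is the option that removes the sensitive data from the contractor environment altogether. As an added example (not the report's or USCIS's code), the Python below tokenizes identifiers with a keyed HMAC so that cases still join to applicants after sanitization, drops the SSN outright, generalizes the date of birth to a year, and checks that no original value survives. The record layouts and the key are constructed assumptions.

```python
"""Added example (not from the report): sanitizing a production extract before
it reaches a contractor development environment. Record layouts are assumptions."""
import hashlib
import hmac
import json

# Constructed production-style records.
APPLICANTS = [
    {"applicant_id": "A-500", "name": "Maria Lopez", "ssn": "123-45-6789", "dob": "1979-03-14", "status": "pending"},
    {"applicant_id": "A-501", "name": "Wei Chen",    "ssn": "987-65-4321", "dob": "1985-11-02", "status": "approved"},
]
CASES = [
    {"case_id": "C-1001", "applicant_id": "A-500", "benefit": "I-485"},
    {"case_id": "C-1002", "applicant_id": "A-501", "benefit": "N-400"},
    {"case_id": "C-1003", "applicant_id": "A-500", "benefit": "I-765"},
]
# The key stays with the production-side job; development never sees it, so
# the tokens cannot be reversed there.
TOKEN_KEY = b"constructed-key-for-this-example-only"


def pseudonym(value, prefix, key=TOKEN_KEY, length=10):
    """Keyed, deterministic token: same input gives same token, so joins still work."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return prefix + digest[:length]


def sanitize_applicant(rec):
    return {
        "applicant_id": pseudonym(rec["applicant_id"], "A-"),
        "name": "REDACTED",            # dev has no need for the real name
        "ssn": None,                   # dropped outright rather than tokenized
        "dob_year": rec["dob"][:4],    # generalized to the year
        "status": rec["status"],       # non-identifying, kept for test coverage
    }


def sanitize_case(rec):
    return {
        "case_id": pseudonym(rec["case_id"], "C-"),
        "applicant_id": pseudonym(rec["applicant_id"], "A-"),   # same token as in applicants
        "benefit": rec["benefit"],
    }


def sanitize_dataset(applicants, cases):
    return [sanitize_applicant(a) for a in applicants], [sanitize_case(c) for c in cases]


def referential_integrity_ok(applicants, cases):
    """Every sanitized case still points at a sanitized applicant."""
    ids = {a["applicant_id"] for a in applicants}
    return all(c["applicant_id"] in ids for c in cases)


def leaked_values(records, originals):
    """Original values that survived verbatim anywhere in the sanitized output."""
    blob = json.dumps(records)
    return [v for v in originals if v in blob]


if __name__ == "__main__":
    apps, cases = sanitize_dataset(APPLICANTS, CASES)
    print(json.dumps({"applicants": apps, "cases": cases}, indent=2))
    print("integrity ok:", referential_integrity_ok(apps, cases))
    print("leaks:", leaked_values(apps + cases, ["Maria Lopez", "123-45-6789"]))
```

The keyed token is what distinguishes this from a plain hash: without the key, a developer cannot rebuild the token for a guessed applicant ID and look it up, and rotating the key for each extract keeps tokens from being linked across extracts.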
Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Developers cannot release new executables; a separate system administrator has to push them out.
Policy or Practice Gaps: Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of lack of adequate configuration management. USCIS has a formal configuration management process. It is important to enforce its use for all employees and contractors. Otherwise, it will be extremely difficult to investigate a crime committed using flaws intentionally injected into source code by a contractor.
Appendix E: Incident Response

Incident Management; Security Awareness; Concerning Behaviors

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complexity and widely distributed function creates a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Because of this, it is practically impossible for USCIS to implement a proactive program to mitigate insider threat. CERT strongly recommends that USCIS create a central repository of employee misconduct so it can detect indicators of increasing insider threat risk and mitigate them as quickly as possible.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.
Area of Concern: Lack of Central Repository of Employee Misconduct
Responsible Personnel: USCIS Leadership, Physical Security, Office of Security and Integrity
Policy and/or Security Measure: If Field Security receives a Significant Incident Report (SIR), then it investigates. Employee misconduct is then reported to the Office of Security and Integrity (OSI). If the OSI investigation substantiates an employee's misconduct, it provides Counterintelligence (CI) a monthly report. It also provides the employee's management a copy. CI is starting to get more reports of acceptable use violations and security violations. It tracks everything in a file for later use in reinvestigations. Labor Employee Relations (LER) has a record of the reports it receives of misconduct: complaints against an employee, rule violations, and so on. HR maintains the Official Personnel File, which contains records of suspensions, etc. LER contacts HR only for those types of actions. The OSI evaluates all complaints it receives and logs them into the case management system. It assigns them to a field office. At that point any complaints are the responsibility of the special agent in charge at the field office. The field office investigates and sends the case for corrective action to the regional director in the chain of command, and then the regional director returns a management report of action to the special agent in charge. The OSI contacts the DHS OIG for potentially criminal behavior or serious misconduct. If the DHS OIG turns the case down, then it is sent to the field office or to law enforcement. The Personnel Security division (PERSEC) notifies the OSI monthly of arrests (tracked in the case management system), and the OSI notifies PERSEC of investigations.
Policy or Practice Gaps: There is no single place to go for an employee's disciplinary records. The number of organizations involved and management of records is very complex and distributed throughout the organization. According to Physical Security, the field office does not tell the OSI about problems; the OSI finds out when it "hits the press". For example, the OSI is not informed of a disgruntled system administrator who is exhibiting concerning behaviors.
Suggested Countermeasures: USCIS should consider requiring mandatory reporting of all incidents to the OSI. This communication stream will allow the OSI to get involved as early as possible and to document and maintain a central repository of all incidents. This central repository is critical for adequately managing insider threats in USCIS.
Area of Concern: Tracking of Online Incidents
Responsible Personnel: Information Technology
Policy and/or Security Measure: Computer or network violation incidents are tracked by a Remedy system tied to a unique computer identifier rather than a user, in an attempt to keep PII out of the ticket.
Policy or Practice Gaps: It is difficult to tie an event to a particular person. Even if the identity of an offender is known, repeat offenders are not tracked in any automated or correlated way.
Suggested Countermeasures: USCIS should consider including user information for each incident so that repeat offenders can be easily identified, as repeat offenses could indicate an insider of higher risk.
Area of Concern: Consistency in Response to Security Violations and Concerning Behaviors
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no required training for supervisors on how to respond to a range of behaviors associated with many forms of insider risk. Computer use violations are not handled consistently across departments, supervisors, and type of employee. Egregious violations are referred to the OSI for a full investigation, but the criterion for deciding when that is warranted is a gut reaction.
Suggested Countermeasures: Eighty-one of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors prior to or while carrying out their criminal activities. Employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and deterrence of insider actions.
Area of Concern: US Department of State Investigations
Responsible Personnel: Office of Security and Integrity
Policy and/or Security Measure: OSI investigations have been subject to allegations of violations involving Foreign Service Nationals (FSN), but the OSI relies on the US Department of State to investigate.
Policy or Practice Gaps: USCIS has no visibility into US Department of State investigations.
Suggested Countermeasures: FSNs who have access to USCIS systems and data should be included in an insider threat risk mitigation strategy.
Area of Concern: Preparation for Negative Work-Related Events
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There do not appear to be any guidelines, training, or personnel available to evaluate employee insider risk before or after frequently precipitating events such as termination, demotions, transfers, or other disappointments or unmet expectations. There also does not appear to be a group charged with evaluating insider risk from organizational events or developments affecting groups of employees, such as relocations, contract changes, layoffs, and reorganizations.
Suggested Countermeasures: Fifty-five insiders documented in the CERT Insider Threat Case database had negative employment issues. Ninety-four had a change in employment status prior to their attacks, 20 had compensation or benefit issues, and 65 were disgruntled. Supervisors should be trained in these risk indicators. There should also be an available panel of specialists from the OSI or Labor Employee Relations (LER) trained to assess such risk. Similar specialists should be available to participate in planning and execution of response plans in preparation for negative workplace events that potentially could lead to disgruntlement among the workforce at USCIS.
Area of Concern: Contractor Management
Responsible Personnel: USCIS Leadership, Physical Security, Human Resources
Policy and/or Security Measure: Personnel screening procedures for contractors are similar to those for employees. Contracting companies are required to report any adverse information regarding their employees immediately (in all contracts).
Policy or Practice Gaps: LER has no involvement with contractors. They have no record of contractor misbehaviors or complaints against contractors. Supervisors, the OSI, LER, and others concerned with organizational security may be largely unaware of insider risks related to contractors. Contractors are not subject to government monitoring or risk assessment. A contractor on a critical system may develop or have significant insider risk factors that may remain unknown to government employees due to lack of reporting requirements.
Suggested Countermeasures: Sixty-two of the insiders documented in the CERT Insider Threat Case database were contractors. USCIS contract management staff should consider the need for reporting a range of potential indicators of insider risk among contract staff. Incident response plans should include response to employee and contractor issues.
Area of Concern: Employee or Contractor Concerning Behavior
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security, Office of Security and Integrity, Labor Employee Relations
Policy and/or Security Measure: By policy, it is every employee's responsibility to report suspicious behavior or misconduct. Supervisors who observe concerning or suspicious behavior report it to LER or the OSI. For low-level misconduct, LER advises the field office management on handling the matter. LER reports more serious misconduct with more severe consequences to HR. Misconduct can also be reported via Significant Incident Reports (SIRs). SIRs are sent to Physical Security or to the OSI for investigation. If CI discovers something suspicious during a reinvestigation, it informs the employee's supervisor. The supervisor works with LER and counsel to decide on follow-up actions. Self-reported drug use, arrests, and associations with foreign nationals during employment are sent to the OSI. The OSI sends results to the supervisor following investigation.
Policy or Practice Gaps: Supervisors need to be notified immediately when an employee reports drug use, arrests, or association with foreign nationals, so they have an accurate perception of the risk associated with each of their employees. In addition, 18 of the insiders documented in the CERT Insider Threat Case database had possible psychological issues.
Suggested Countermeasures: In collaboration with the OSI and LER, supervisors confronting employees who display concerning behaviors should have the ability to remove them from the workforce pending a medical or psychological evaluation to determine whether they have a disorder or illness that may impair their trustworthiness or judgment or make them a danger to themselves or others. Similarly, empowering supervisors to make an employee assistance program referral and evaluation mandatory, in collaboration with LER or the OSI, might help remove at-risk individuals from the workforce until they can safely and securely return.
Area of Concern: Electronic Investigations
Responsible Personnel: Information Technology, Office of Security and Integrity
Policy and/or Security Measure: Most allegations reported to the OSI are not very technical; the OIT provides forensic support for investigations (primarily database transactions).
Policy or Practice Gaps: PERSEC has never asked the OIT to review a user's online activity. Only one person in OSI is qualified to do a forensic inspection.
Suggested Countermeasures: USCIS should consider including the OIT in investigations of suspicious activity. CERT's insider threat research has shown that nontechnical concerning behaviors can be associated with online criminal activity. It would be beneficial to check for past technical security violations and have the OIT analyze current online activity as part of the OSI investigations.
Appendix F: Software Engineering

[...] the cases documented in the CERT database injected code into source code to facilita[te ...], but in a [...] case the co[de ...] out by so[...]. [...]source code were intended to sabotage the organization's systems; [in ...] cases the code [...], in one c[ase], was set to execute following the insider's terminatio[n ...]. [U]SCIS recognize the po[tential ...] be carried [...] illicit activity that cou[ld ...] the most critical systems and system components. [In]siders, both employees and contractors, [...] [a]nd IT sabotage. In most cases the modifications to so[urce code were intended to] facilitate fraud. In many [...] was used to [...] important that U[SCIS ...] for a year before finally executing. It is [...]ers and implement appropriate controls, particularly fo[r ...]cious in [...] fraud as the co[de ...] planted [...] engine[...]. Mal[icious ...] both case[s] was [...]ware.

Logging
Critical Data Controls
Code Reviews
Configuration Management
Area of Concern: Code Reviews
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Contractors are required to maintain a certain level of process maturity (CMMI Level 3) to be in compliance with USCIS policies. Source code is restricted to those with the need to know. Version Manager is used to control and track changes to source code. Separation of duties is implemented in the software release process: CSC checks new source code into Version Manager, a USCIS employee checks out the source code and releases it into production. The USCIS DBA moves new database objects into the production database.
Policy or Practice Gaps: Another interviewee mentioned that an "Easter egg" was found in source code after the contract was given to a new company.[4]
Suggested Countermeasures: [not extracted]

[4] A virtual Easter egg is an intentional hidden message, joke, or feature in a program, movie, book, etc.
Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: When contractors develop software remotely, they are supposed to register code in Version Manager, but this is not always done consistently. Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of the lack of adequate configuration management.
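The same gap appears twice in the report (the earlier "Configuration Management and/or Change Control Process Not Enforced" row and this one): code reaches production without going through change management, and when it does there is no record to investigate against. One way to catch that after the fact, added here as an example that is not the report's or USCIS's code, is to hash what is actually deployed and compare it with the manifest approved in the change record. The paths and file contents below are constructed; the snapshot helper is what would run on the real host.

```python
"""Added example (not from the report): verifying that what is deployed matches
the release approved through change control. Paths and contents are constructed."""
import hashlib
from pathlib import Path


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(root):
    """Hash every file under root: {relative_path: sha256}. Run this on the real host."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): sha256(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}


def compare(approved, deployed):
    """approved comes from the change record; deployed from snapshot_dir on the server."""
    return {
        "modified":     sorted(p for p in approved if p in deployed and approved[p] != deployed[p]),
        "unregistered": sorted(p for p in deployed if p not in approved),
        "missing":      sorted(p for p in approved if p not in deployed),
    }


def is_clean(report):
    """True only when nothing was modified, added, or removed outside the change record."""
    return not any(report.values())


# Constructed release: the manifest attached to the approved change request ...
APPROVED_FILES = {
    "bin/adjudicate.exe":  b"v2.3 build 117",
    "conf/app.properties": b"db.pool=20\n",
}
# ... and what is actually on the production server: a config edit and an
# extra DLL that never went through change management.
DEPLOYED_FILES = {
    "bin/adjudicate.exe":  b"v2.3 build 117",
    "conf/app.properties": b"db.pool=50\n",
    "bin/hotfix.dll":      b"quick fix",
}
APPROVED_MANIFEST = {p: sha256(b) for p, b in APPROVED_FILES.items()}
DEPLOYED_MANIFEST = {p: sha256(b) for p, b in DEPLOYED_FILES.items()}

if __name__ == "__main__":
    report = compare(APPROVED_MANIFEST, DEPLOYED_MANIFEST)
    print(report)
    print("clean:", is_clean(report))
```

The approved manifest has to be produced from the release that change control actually signed off on (for instance, from the tagged Version Manager checkout), not from the server itself; otherwise the comparison only proves the server equals the server.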
Area of Concern: Software Engineering Controls in the Service Centers
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Software is being developed in the Service Centers without consistently enforcing the same change management processes enforced at the national (enterprise) level. The centers use a code repository but not Version Manager to track software changes. They do peer reviews of code and believe that enterprise controls for code review are more detailed (although that belief appears to be false according to interviews at headquarters).
Suggested Countermeasures: USCIS should consider consistent policies and procedures for software engineering for the entire enterprise, including the Service Centers.
Area of Concern: [not extracted]
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Logs used include database logs, application logs, system logs, remote access logs, and many others.
Policy or Practice Gaps: [not extracted]
Suggested Countermeasures: Most insiders documented in the CERT Insider Threat Case database were detected or identified using some kind of system log.

Area of Concern: Production Data in Development Environment
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Development and production systems should be separate in terms of data sharing and access control.
Policy or Practice Gaps: In some cases contractors have access to both systems, including production data in the development environment.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.
Appendix G: Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems or networks.

In some areas computer accounts are managed fairly well at USCIS. USCIS is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account. Furthermore, an FSN account and a US citizen federal employee account cannot be distinguished once it is created. Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.
Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore, USCIS has no visibility into who has access to its systems. Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR. Dormant accounts provide a convenient, unknown access path for current and former employees to use for illicit activity. A lack of consistency exists in the application of account management practices under the control of USCIS. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sA
ccou
ntE
stab
lis
hmen
t
USC
ISL
eade
rshi
p In
form
atio
nTe
chno
logy
Ino
rder
for
FSN
sto
gai
nac
cess
to
USC
ISs
yste
ms
they
mus
tsub
mit
pape
rwor
kth
roug
hpr
oper
cha
nnel
s
whi
che
vent
ually
req
uire
sau
thor
iza
tion
byth
eCS
Oa
ndC
IOo
fDH
S
Prio
rto
200
7w
aive
rpa
perw
ork
for
FSN
sre
ques
ting
acco
unta
cces
sw
as
nots
ubm
itted
con
sist
ently
A
sa
re
sult
ther
em
ayb
eac
tive
acco
unts
for
whi
chth
ere
isli
ttle
ton
oac
coun
ting
for
the
crea
tion
ofth
eac
coun
t
USC
ISs
houl
dco
nsid
erc
ondu
ct
ing
ana
ccou
nta
udit
with
the
assi
stan
ceo
fUS
Dep
artm
ento
fSt
ate
pers
onne
lto
valid
ate
all
exis
ting
FSN
acc
ount
s
Info
rmat
ion
Tech
nolo
gy
Diff
eren
tper
sonn
ela
rer
espo
nsib
le
for
acco
untc
reat
ion
and
dele
tion
acro
ssth
een
tire
ente
rpri
sed
epe
ndin
gon
the
syst
emo
rne
twor
kin
Dat
abas
ead
min
istr
ator
sm
ayb
eab
le
toc
reat
ean
dde
lete
dat
abas
ean
dap
plic
atio
nac
coun
tsw
ithou
tas
ec
ond
pers
onv
erify
ing
that
act
ion
Beca
use
data
base
adm
inis
trat
ors
have
acc
ess
tos
uch
criti
cald
ata
U
SCIS
sho
uld
cons
ider
sep
arat
ing
the
task
ofa
utho
rizi
nga
cces
sto
CERT | SOFTWARE ENGINEERING INSTITUTE | 76
Suggested Countermeasures (continued): USCIS databases from the task of managing the data in the databases. This separation of duties may reduce the risk of a database administrator creating an unauthorized account and using that account to carry out a malicious act.

Area of Concern: Account Establishment (continued)
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: A computer account is established only after a number of criteria have been met, including security awareness training. In addition to the steps required of all personnel for account access, contractors have to go through extra steps, some of which include verification by the COTR.
Policy or Practice Gaps: Computer account access is sometimes granted before security awareness training is completed. This practice may be true especially for contractors, since the onboarding process depends on the contracting agency and the COTR to verify that the training is completed.
Suggested Countermeasures: USCIS should consider requiring computer security awareness training for all personnel – full-time employees, part-time employees, and contractors – and verify that it is complete before creating any system accounts for these personnel.

Area of Concern: Account Management – General
Responsible Personnel: Information Technology
Policy and/or Security Measure: PICS is administered by ICE, which has over 2,000 LPOs across various components of DHS. These LPOs are responsible for granting authorized access to PICS for the personnel at their respective work sites. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to
Policy or Practice Gaps: Although the PICS account process requires the account to be linked to a valid employee, PICS administrators could create unauthorized accounts in the name of valid employees without their knowledge. Invalid accounts are typically flagged only when the account is dormant for a certain period of time. An LPO can also assign rights for any system controlled by […]
Suggested Countermeasures: In 12 of the cases documented in the CERT Insider Threat Case database, insufficient account management enabled the insiders to commit their crimes. USCIS should consider conducting account audits at the local site level, which would allow the validation of current PICS accounts and roles versus current
Policy and/or Security Measure (continued): any USCIS system. Furthermore, ICE administers this system and could affect USCIS records unbeknownst to USCIS.
Suggested Countermeasures (continued): PICS employee lists. USCIS should explore a means of segregating account management in PICS so that LPOs can administer accounts only for their own organization's systems. In other words, USCIS LPOs would only be able to administer authorizations for USCIS systems in PICS, and ICE LPOs would only be able to administer authorizations for ICE systems.

Area of Concern: Account Management – General (continued)
Responsible Personnel: Information Technology
Policy and/or Security Measure: Account management is handled by a number of different groups across USCIS. Although there is an effort to centralize account management, local and regional offices of USCIS have historically done their own account management.
Policy or Practice Gaps: If an account has not been used for a certain period of time, it is automatically disabled. The time periods stated by various interviewees varied from 30, 60, or 90 days.
Area of Concern: Account Management – General (continued)
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: When an employee moves from one position to another or transfers to another department, the management in those departments must initiate the required computer account changes.
Policy or Practice Gaps: The issue of account management for employee transfers is not being addressed in a consistent manner. The OIT relies on notification by either the new or old supervisor when an employee transfers, but there have been cases in USCIS in which employees have retained access when they should not have.
Suggested Countermeasures: Six insiders documented in the CERT Insider Threat Case database were able to carry out their illegal activities because of "privilege creep." USCIS should review account management procedures to ensure that the steps currently taken to remove or alter account access are complete and being consistently followed. In particular, the procedures used when someone changes locations or departments within USCIS should be examined. As employees transfer throughout an agency, they should not be accumulating privileges. They should only retain privileges commensurate with their job responsibilities.

Area of Concern: Changing Password of Shared Account Upon Termination
Responsible Personnel: Information Technology
Policy and/or Security Measure: There are operating system images used throughout USCIS that permit an administrator to install a standard configuration of an operating system and accompanying software.
Policy or Practice Gaps: Though it would require physical access to a USCIS machine, that former
Suggested Countermeasures: Twelve percent (46) of the insiders documented in the CERT Insider Threat Case database used system administrator privileges to sabotage systems or data. Shared accounts were used by insiders following termination in
Suggested Countermeasures (continued): 14 cases. Although an administrator would need physical access to a piece of equipment, the lack of consistency and awareness of the standard procedures may permit the account of an insider to be used following termination.
Policy or Practice Gaps (continued): administrator would have administrator rights to GFE.

Area of Concern: Disabling Accounts or Connections Upon Employee Termination
Responsible Personnel: USCIS Leadership; Information Technology; Human Resources
Policy and/or Security Measure: The OIT typically is notified of an account termination in one of three ways:
1) A standard form called an exit clearance form is distributed and signed by other parties, such as Human Resources and the Office of Security and Integrity (OSI). This form lets the OIT know that an employee's accounts should be disabled or terminated.
2) The supervisor of the departing employee contacts the OIT directly and informs them of the employee's departure.
3) When a contractor is involved, it is the responsibility of the COTR to inform the OIT.
The OIT receives an "attrition list" every 2 weeks. When this list is
Policy or Practice Gaps: It is clear from interviews with USCIS personnel that a single process is neither understood nor followed for disabling accounts following an employee or contractor termination. The procedures used are not consistent between supervisors or field offices, and for federal employees versus contractors. Sometimes the exit clearance form makes it to the OIT and sometimes it does not. The OIT's task is made even more difficult by the fact that it would need to know exactly which accounts an individual has access to. Though this process is fairly effective, it potentially allows unauthorized
Suggested Countermeasures: Terminating accounts even 2 weeks following termination may
Responsible Personnel (continued): Human Resources
Policy and/or Security Measure (continued): received, a manual check is done to ensure that employees who have departed in the last 2 weeks have their account access deleted.
Policy or Practice Gaps (continued): access for 2 weeks following termination. Because this is a manual process, there is currently no automatic way to ensure that it happens. USCIS personnel cited an instance in which these procedures failed for an employee who was terminated as a contractor and later hired as a federal employee.
Suggested Countermeasures (continued): not be enough to prevent unauthorized or criminal activity. As soon as HR is aware of the change, a more automated mechanism of deleting these accounts should be implemented.
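The manual two-week attrition check described above is the kind of reconciliation that can be automated. The Python script below is an added example, not code from the OIG/CERT report or from USCIS; it assumes two constructed inputs, an HR status export (with separation dates and leave status) and a directory export of accounts with last-login dates, and flags the four conditions this section discusses: enabled accounts of separated employees, accounts left enabled during a leave of absence, dormant accounts past a configurable threshold (the 30, 60 or 90 day values interviewees cited), and enabled accounts with no employee record behind them (the unaccounted-for accounts an FSN account audit is meant to surface). The field names and sample people are assumptions.

```python
"""Reconcile enabled system accounts against HR status.

Added example (not from the OIG/CERT report). Inputs are constructed: an HR
status export and an account/directory export. Field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Employee:
    employee_id: str
    status: str                              # "active", "terminated", or "leave"
    separation_date: Optional[date] = None   # set when status == "terminated"


@dataclass
class Account:
    username: str
    employee_id: Optional[str]               # None: account not linked to any HR record
    enabled: bool
    last_login: Optional[date]               # None: never used since creation


AS_OF = date(2010, 12, 15)                   # constructed "today" for the sample run

# Constructed sample data standing in for the HR attrition list and a directory export.
EMPLOYEES: List[Employee] = [
    Employee("E100", "active"),
    Employee("E200", "terminated", date(2010, 12, 1)),
    Employee("E300", "leave"),
    Employee("E400", "active"),
]

ACCOUNTS: List[Account] = [
    Account("alice",      "E100", True,  date(2010, 12, 14)),  # healthy
    Account("bob",        "E200", True,  date(2010, 12, 10)),  # separated two weeks ago, still enabled
    Account("carol",      "E300", True,  date(2010, 11, 30)),  # on leave, still enabled
    Account("dave",       "E400", True,  date(2010, 9, 1)),    # active employee, dormant account
    Account("svc_legacy", None,   True,  None),                # no HR record, never used
    Account("frank",      "E100", False, date(2010, 6, 1)),    # already disabled: ignored
]


def reconcile(accounts: List[Account], employees: List[Employee],
              today: date, dormant_days: int = 30) -> List[Dict[str, str]]:
    """Return one finding per enabled account that should be disabled or reviewed.

    Check order matters: a separated or on-leave employee is reported as such even
    if the account is also dormant, so the most urgent reason surfaces first.
    """
    by_id = {e.employee_id: e for e in employees}
    findings: List[Dict[str, str]] = []

    for acct in accounts:
        if not acct.enabled:
            continue                         # nothing to do for disabled accounts

        emp = by_id.get(acct.employee_id) if acct.employee_id else None
        if emp is None:
            findings.append({"username": acct.username, "category": "orphan",
                             "detail": "enabled account with no employee record"})
            continue

        if emp.status == "terminated" and emp.separation_date and emp.separation_date <= today:
            lag = (today - emp.separation_date).days
            findings.append({"username": acct.username, "category": "terminated",
                             "detail": f"employee separated {lag} days ago"})
            continue

        if emp.status == "leave":
            findings.append({"username": acct.username, "category": "leave",
                             "detail": "account enabled during leave of absence"})
            continue

        idle = None if acct.last_login is None else (today - acct.last_login).days
        if idle is None or idle > dormant_days:
            findings.append({"username": acct.username, "category": "dormant",
                             "detail": "never used" if idle is None else f"idle {idle} days"})

    return findings


def categories(findings: List[Dict[str, str]]) -> Dict[str, str]:
    """Map username -> category, convenient for reporting."""
    return {f["username"]: f["category"] for f in findings}


if __name__ == "__main__":
    for f in reconcile(ACCOUNTS, EMPLOYEES, AS_OF, dormant_days=30):
        print(f"{f['username']:<12} {f['category']:<11} {f['detail']}")
```

Run against the HR feed as soon as HR records the change rather than on the two-week attrition cycle, and the "terminated" lag becomes a measurable indicator of how long the window of unauthorized access stayed open.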
Area of Concern: Disabling Accounts or Connections During Employee Leave of Absences
Responsible Personnel: Information Technology; Human Resources
Policy and/or Security Measure: LPOs work in their respective regions or offices and are decentralized by nature. The policies and procedures followed often depend on how things have been done historically in that particular office.
Policy or Practice Gaps: Because account authorization procedures are not standardized throughout all organizations using the PICS, LPOs across the entire USCIS enterprise have not been consistent in how they have handled account deletion following employee termination. There is no official guidance or practice in the proper way to suspend access for an employee on a leave of absence. In one case provided by USCIS, an employee retained access to critical systems even after being placed on an administrative leave of absence.
Suggested Countermeasures: USCIS should continue its efforts to centralize or reduce the number of LPOs in order for standard procedures to be followed. If this cannot be accomplished, standard procedures should be published, instructed, and consistently enforced. A few insiders documented in the CERT Insider Threat Case database retained access to organization systems while on a leave of absence and used that access to steal information or commit fraud. USCIS should implement a policy to outline exactly what should be done when a government employee or contractor goes on a leave of absence, con-
Suggested Countermeasures (continued): -sidering the risks versus benefits of allowing system access.

Area of Concern: Sharing Account and Password Information
Responsible Personnel: Information Technology
Policy or Practice Gaps: Although concern has been expressed about the existence of these accounts, the business justification has taken precedence over the risk being assumed.
Suggested Countermeasures: Access to these accounts should be carefully documented and tracked so that credentials can be changed if someone in that restricted group no longer warrants access.

Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure that network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors have not been through the rigorous pre-employment screening required of USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems, and implement protection mechanisms to limit the damage that these insiders might cause.
Other access control issues that should be considered include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Area of Concern: Access Control: Foreign Service Nationals
Responsible Personnel: Information Technology; Human Resources; Office of Security and Integrity
Policy and/or Security Measure: Currently, a Foreign Service National (FSN) requiring access to USCIS systems submits paperwork, including a waiver, through the USCIS director and the CIO and CSO of DHS.
Policy or Practice Gaps: Although the assessment team was able to get limited visibility into this practice, it seems to be aligned with the policy. If true, it has given USCIS and DHS better visibility into this activity.
Suggested Countermeasures: The practice should be continued and expanded as needed to inform all relevant USCIS personnel.

Area of Concern: Access Control: Foreign Service Nationals (continued)
Responsible Personnel: Information Technology; Human Resources; Personnel Security; Office of Security and Integrity
Policy and/or Security Measure: When FSNs require access to USCIS systems in embassies and consulates abroad, they are vetted by the US Department of State.
Policy or Practice Gaps: Because the US Department of State is performing the vetting process, USCIS has very little control or visibility into the process for granting FSNs access to USCIS systems and networks. Interviewees stated that in some cases FSNs have administrative control over some systems and that in other cases they are serving as information system security officers (ISSOs).
Suggested Countermeasures: USCIS should gain a better understanding of the US Department of State's vetting process and clarify its own requirements for granting and tracking access for FSNs to USCIS systems. If continued access is required, the procedures to document and control that access should be negotiated with the US Department of State and consistently enforced.

Area of Concern: Access Control: Foreign Service Nationals (continued)
Responsible Personnel: Information Technology
Policy and/or Security Measure: Once a traditional user account is created there is little to no way to distinguish an FSN account from one belonging to a US citizen.
Policy or Practice Gaps: Because an FSN account is not distinguishable from other accounts, it would be extremely difficult to associate specific online activities with accounts belonging to FSNs. Email
Suggested Countermeasures: USCIS should consider whether or not it wants the ability to distinguish what online activities and accesses FSNs are engaging in. If so, it should incorporate
Policy or Practice Gaps (continued): addresses appear the same and violation activities would not easily be attributed to an FSN.
Suggested Countermeasures (continued): those steps into the procedures mentioned above.

Area of Concern: Access Control: Foreign Service Nationals (continued)
Responsible Personnel: Information Technology
Policy and/or Security Measure: DHS is in the process of building a secure intranet called OneNet, which will better enable information sharing among DHS components. This project will be enabled by interconnection agreements between segments.
Policy or Practice Gaps: Once the appropriate interconnection agreements are in place, it will be harder to restrict access for FSNs to specific systems (e.g., SharePoint).
Suggested Countermeasures: USCIS should make a determination about whether or not FSN access should be any different from other similar accounts of US citizens. If the lack of restrictions is unacceptable, that issue should be brought to DHS personnel responsible for implementing the OneNet solution.

Area of Concern: Access controls
Policy and/or Security Measure: There are business processes and resources (e.g., PICS, CLAIMS 3, and CLAIMS 4) that are shared with ICE. This partnership is an artifact of the past and current relationships between departments within DHS.
Policy or Practice Gaps: For these shared resources to function properly, they require careful coordination, which does not take place in all cases. For example, USCIS does not receive a copy of the formal access request submitted to ICE for an ICE employee to access a USCIS system.
Suggested Countermeasures: USCIS should carefully document what access is being granted to any parties external to USCIS. If additional coordination is required, it should be done with the relevant departments of DHS.

Policy and/or Security Measure: For certain information systems, local and remote logins are not permitted between the hours of 11:30 p.m. and 6:00 a.m.
Policy or Practice Gaps: This practice closely adheres to the policy for specific systems.
Suggested Countermeasures: Enforcing a mandatory access period may help ensure that a malicious insider is not using systems when supervision is lessened. Eight percent (29) of the insiders documented in the CERT Insider Threat Case database
Suggested Countermeasures (continued): used access outside of normal working hours to carry out their illicit activities.

Policy and/or Security Measure: When an employee attempts to log in to a restricted system during off-peak hours, an automatic email notice is sent by the OIT to persons in the employee's management chain of command.
Policy or Practice Gaps: This practice is not consistent across all systems and is not part of other incident response procedures.
Suggested Countermeasures: USCIS should consider implementing this practice into the larger system of incident response to include correlation with other events and over a period of time.
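The off-hours notice described in this row can be turned into a detection that also performs the correlation the countermeasure asks for. The Python below is an added example, not code from the report or from USCIS; it parses constructed log lines in an assumed `timestamp host=... user=... event=...` format, flags logins that fall inside the 11:30 p.m. to 6:00 a.m. window cited earlier, and then correlates them per user in two ways: repeated off-hours logins within a rolling period, and an off-hours login followed within a short time by a bulk export by the same user. Host names, user names and event names are constructed.

```python
"""Detect and correlate off-hours logins to restricted systems.

Added example (not from the OIG/CERT report). The log format, host names,
user names and event names below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, time, timedelta
from typing import Dict, List

RESTRICTED_START = time(23, 30)   # logins not permitted from 11:30 p.m. ...
RESTRICTED_END = time(6, 0)       # ... up to (not including) 6:00 a.m.

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)

# Constructed sample log (not real USCIS data).
SAMPLE_LOG = """\
2010-11-01T02:10:00 host=claims3 user=jdoe event=login_success
2010-11-01T02:40:00 host=claims3 user=jdoe event=bulk_export
2010-11-02T09:15:00 host=claims3 user=asmith event=login_success
2010-11-03T23:45:00 host=claims3 user=jdoe event=login_success
2010-11-04T05:59:00 host=nfts user=bwong event=login_success
2010-11-05T06:00:00 host=nfts user=bwong event=login_success
2010-11-20T01:00:00 host=claims3 user=asmith event=login_success
this line is malformed and must be skipped
"""


def parse_log(text: str) -> List[Dict]:
    """Parse well-formed lines into dicts; malformed lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(rec)
    return events


def in_restricted_window(ts: datetime) -> bool:
    """True when the clock time falls in the overnight window that wraps midnight."""
    t = ts.time()
    return t >= RESTRICTED_START or t < RESTRICTED_END


def off_hours_logins(events: List[Dict]) -> List[Dict]:
    return [e for e in events if e["event"] == "login_success" and in_restricted_window(e["ts"])]


def repeat_offenders(logins: List[Dict], window_days: int = 7, threshold: int = 2) -> List[str]:
    """Users with at least `threshold` off-hours logins inside any `window_days` span."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in logins:
        by_user[e["user"]].append(e["ts"])
    flagged = []
    for user, stamps in by_user.items():
        stamps.sort()
        for i in range(len(stamps)):                  # sliding window over sorted stamps
            j = i + threshold - 1
            if j < len(stamps) and stamps[j] - stamps[i] <= timedelta(days=window_days):
                flagged.append(user)
                break
    return sorted(flagged)


def login_then_export(events: List[Dict], within_hours: int = 2) -> List[Dict]:
    """Off-hours logins followed by a bulk_export by the same user within `within_hours`."""
    hits = []
    for login in off_hours_logins(events):
        for e in events:
            if (e["user"] == login["user"] and e["event"] == "bulk_export"
                    and login["ts"] < e["ts"] <= login["ts"] + timedelta(hours=within_hours)):
                hits.append({"user": login["user"], "login": login["ts"], "export": e["ts"]})
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("off-hours logins:", [(e["user"], e["ts"].isoformat()) for e in off_hours_logins(evs)])
    print("repeat offenders:", repeat_offenders(off_hours_logins(evs)))
    print("login then export:", login_then_export(evs))
```

The single-event notice the OIT already sends corresponds to `off_hours_logins`; the two correlation functions are what turns it into an incident response input, since one late login is routine for night-shift staff while a pattern, or a login immediately followed by a large export, is not.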
Area of Concern: Access Privileges – General
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: At the Vermont Service Center, OIT staff are the only ones present late at night. As part of their duties, they also have electronic access to the CLAIMS 3 information system.
Policy or Practice Gaps: As a function of the electronic access and the physical layout of the Service Center, OIT personnel have access to CLAIMS 3 as well as the physical files in the building.
Suggested Countermeasures: USCIS should consider the minimum level of access (least privilege) needed for all personnel to accomplish their job duties. Thirteen percent (49) of the insiders documented in the CERT Insider Threat Case database violated a need to know in order to perpetrate their crimes, including stealing PII and proprietary information. In addition, several insiders committed their crimes while working on the night shift, where they enjoyed a reduced level of scrutiny. Unrestricted electronic and physical access to such high-risk data and systems outside of normal working hours presents a high degree of risk to
Suggested Countermeasures (continued): USCIS.

Area of Concern: Access Privileges – General (continued)
Responsible Personnel: Information Technology; Office of Security and Integrity
Policy and/or Security Measure: The US Department of State Consular Affairs network grants access to FSNs working in embassies and consulates, and it connects to USCIS systems.
Policy or Practice Gaps: According to one interviewee, some FSNs on the Consular Affairs network are suspected to be working for arms of foreign intelligence or security agencies. USCIS has used technical methods (e.g. firewalls) to ensure that USCIS systems are protected from any interconnections with the US Department of State's networks.
Suggested Countermeasures: Since USCIS cannot determine what access the US Department of State grants to FSNs on its systems, USCIS should continue to use technical measures to prevent unauthorized access while working with counterintelligence personnel to deal with suspected foreign agents working around US government facilities.

Area of Concern: Access Privileges – System Administrator
Policy and/or Security Measure: There is a single person who has the knowledge of and responsibility for administering the voicemail systems
Policy or Practice Gaps: This single point of failure makes it difficult to recover from a malicious act on this particular system.
Suggested Countermeasures: A few insiders in the cases analyzed by CERT used their unrevoked access to the organiza-
Policy and/or Security Measure (continued): for USCIS.
Suggested Countermeasures (continued): -tion's phone system to harm the organization. In one case the entire customer service voicemail system was redirected to a pornographic phone site. In another, derogatory comments about the organization were recorded and played for every voicemail box. USCIS should place additional staff in the role of administrators for the USCIS voicemail system. This would allow USCIS to implement some form of separation of duties, or at the very least minimal checks and balances, to prevent tampering with the voicemail system.

USCIS should ensure that it manages accounts and passwords for internal systems, such as voicemail, as well as external accounts. One insider documented in the CERT Insider Threat Case database changed the domain name system registry for his organization's web site so that visitors were sent to a pornographic
Suggested Countermeasures (continued): website. These types of accounts are used very infrequently and are often not included in formal termination procedures.

Area of Concern: Management of Remote Access
Responsible Personnel: Information Technology; Security Network Operations Center
Policy and/or Security Measure: Port security would prevent a user from connecting a personal machine directly to a USCIS network. This security mechanism is handled by the SNOC. Remote access, on the other hand, is handled by DHS. USCIS has access to very limited information, including logs for remote connections, because of contract stipulations with Sprint. The assessment team received conflicting opinions about whether a personal machine could be connected with a remote account.
Policy or Practice Gaps: Although connecting a personal laptop to a USCIS network via a remote connection may or may not be blocked, the SNOC was not confident it would be blocked because it does not control that access. It is possible that a user could connect with a personal machine if DHS allowed it.
Suggested Countermeasures: USCIS should coordinate with DHS personnel to ensure that desired USCIS security policies are enforced for personnel accessing USCIS systems and data. Seven percent (26) of the insiders documented in the CERT Insider Threat Case database were able to attack in part because of insufficient monitoring of external access.
Area of Concern: Management of Remote Access (continued)
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: The contractors responsible for VIS have implemented a strict access control solution with Firepass, and it appears to accomplish its goal of ensuring that only the proper personnel are granted access and that they perform authorized actions once they are connected.
Policy or Practice Gaps: Unfortunately, they are the only contractors and system using Firepass, and it will not be used once the move is made to Stennis Space Center. They are unsure of what controls will be used at Stennis.
Suggested Countermeasures: Implementing a Firepass solution for all USCIS systems might not be cost effective. USCIS management should at least examine the risk posed to the most critical systems and implement a Firepass-like solution for those that require remote access. As stated above, one in ten insiders documented in the CERT Insider Threat Case database used the creation of unknown paths into organization systems; proper measures might have prevented many of those instances.
Area of Concern: Non-System Administrators With Authorized Access to Administrator Accounts
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: According to one interviewee, FSNs are system administrators on some US Department of State systems in embassies or consulates abroad. The US Department of State has authorized access for some FSNs to some USCIS systems needed for the performance of their duties.
Policy or Practice Gaps: An FSN who is a system administrator for US Department of State systems does not necessarily have administrator rights on USCIS systems. One interviewee expressed concern, however, that an administrator who is a citizen of a foreign country could escalate privileges or use social engineering tactics to gain unauthorized access to USCIS systems.
Suggested Countermeasures: Ten percent (39) of insiders documented in the CERT Insider Threat Case database took advantage of insufficient access controls to conduct their crimes. USCIS should examine USCIS system access for US Department of State system administrators as well as how those connections are monitored or logged. They should also work with the US Department of State to understand its processes for granting FSNs access to US Department of State systems.
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: There are currently no limits on which A-files an adjudicator can request in the National File Tracking System (NFTS).
Policy or Practice Gaps: The lack of limits placed on requesting A-files in NFTS may allow adjudicators to request a file by name even if they should not be accessing that file.
Suggested Countermeasures: There should be logical controls to detect "extraordinary" or suspicious file transfer requests. In one USCIS case the insider requested a file transfer to a region for an individual whose files were in another region and whose forms had been previously denied.
Protection of Controlled Information

Protecting controlled information (i.e., information that is classified sensitive but unclassified or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT […] through the download of information to portable media or […] unauthorized […] attacks, or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand what constitutes acceptable use of company resources, including information assets, and […] policies regarding what […] through […] technical means. The unauthorized exfiltration of controlled information (i.e., information that is classified sensitive but unclassified or proprietary) […] can have devastating effects on an organization. […] implemented network monitoring strategies that would detect large or anomalous increases in network traffic by total volume or type of traffic (e.g., by either port or protocol) […]. In some instances malicious insiders […] storage devices […] amounts of data downloaded […].

Area of Concern: Data Download to Media; Protecting Controlled Information
Responsible Personnel: Information Technology
Policy and/or Security Measure: […] email to […] the insider […] USCIS has […] information […]
Area of Concern: Data Download […] or From Home
Policy and/or Security Measure: There is a policy against using personally owned computer equipment to perform official duties. Telework should only be done with government furnished equipment (GFE).
Policy or Practice Gaps: A case from the USCIS CT Task Force showed that […] performed a significant amount of official business, including […], on his personal systems […] laptop […] personal mail […]
Suggested Countermeasures: 1) Exce[ptions] […] that are technically […] should be […]. 2) If USB […] devices […] prohibited from systems […] be logged […] security awareness campaign […] track […] audit […]
Policy or Practice Gaps (continued): […] develop a system that he was rewarded for producing. There are no technical controls to catch this activity unless the device is physically plugged into the network.

Area of Concern: Protecting Critical Files
Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC responds to spills of PII, which occur on a weekly basis. The information about the incident is transferred from the data owner, who becomes aware of the spill, to the OSI, which creates a Serious Incident Report (SIR) that it forwards to the Privacy Officer and finally to the SNOC.
Policy or Practice Gaps: USCIS responds to PII spillages often enough that its staff is well versed in response procedures. Unfortunately, the frequency to which incidents occur and the response procedures in place do not seem to reduce the number of incidents or provide automated detection when spillage occurs.
Suggested Countermeasures: The response effort to a PII spillage involves many parties and appears to be a complicated process for an event that happens on a weekly basis. Though these spillages are accidental events,
Policy and/or Security Measure (continued): Access to network resources is terminated immediately when a spill or misconduct is suspected.
Policy or Practice Gaps (continued): This practice appears to be done consistently.
Suggested Countermeasures (continued): USCIS should continue this practice as part of its incident response procedures. Incorporating an appropriate level of monitoring would also be a prudent measure.

Audit, Monitor, Backup, Recovery

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

Preventing insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organiza-
Ina
dditi
ont
heS
NO
Cla
cks
the
reso
urce
sto
focu
son
mon
itori
ngfo
rsu
spic
ious
insi
der
activ
ityf
ocus
ing
inst
ead
prim
arily
on
prot
ectio
nfr
om
exte
rnal
inci
dent
s
Are
aof
Con
cern
Re
spon
sibl
ePe
rson
nel
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sM
odifi
cati
on
In
form
atio
nTe
chno
logy
Lo
gfil
esa
rea
cces
sibl
eby
the
do
D
isab
ling
Log
File
sm
ain
adm
inis
trat
ors
and
syst
em
adm
inis
trat
ors
ofe
ach
resp
ectiv
e
syst
em
USC
ISs
houl
dse
ndc
ritic
allo
gsto
a
cent
raliz
edlo
gse
rver
and
pro
te
ctth
elo
gfil
esto
per
mit
afo
re
nsic
rec
onst
r uct
ion
ofn
etw
ork
orh
ost
base
dev
ents
In
form
atio
nTe
chno
logy
Th
ela
cko
fcon
sist
ency
for
wha
tis
Alth
ough
six
per
cent
(23)
oft
he
logg
eda
cros
sU
SCIS
ser
vers
sys
tem
s
insi
ders
doc
umen
ted
inth
eCE
RT
appl
icat
ions
and
wor
ksta
tions
isc
on
Insi
der
Thre
atC
ase
data
base
cern
ing
Sev
eral
par
ties
addr
esse
dw
ere
able
tom
odify
ord
isab
le
CERT | SOFTWARE ENGINEERING INSTITUTE | 96
tions
nee
dto
con
side
rth
eim
port
ance
ofb
acku
pan
dre
cove
ryp
roce
sses
and
car
em
ustb
eta
ken
that
bac
kups
are
per
form
edr
egul
arly
pro
te
cted
and
test
edto
ens
ure
busi
ness
con
tinui
tyin
the
even
tofd
amag
eto
or
loss
ofc
entr
aliz
edd
ata
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
slo
gfil
es
Mon
itor
ing
Susp
ici
ous
Act
ivit
y
Info
rmat
ion
Tech
nolo
gy
are
som
etim
esli
mite
dto
24
hour
sor
less
ofc
olle
ctio
n
the
fact
that
ITp
erso
nnel
mus
tbe
able
top
hysi
cally
rea
cha
mac
hine
in
atim
ely
fash
ion
ifth
eyh
ope
toc
ap
ture
logs
rel
ated
toa
nin
cide
nt
This
as
sum
ptio
nm
akes
itli
kely
that
cri
tica
llog
info
rmat
ion
will
be
mis
sed
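The row above records that administrators can modify or disable logs and recommends a central, protected log store. The following added example (not code from the report or from any USCIS system) shows the protection part: a collector that chains every entry to the hash of the one before it, so that an administrator with write access to the log files can no longer edit, reorder or delete an entry without breaking the chain, and a verifier that an investigator runs before trusting the data. The entry format, the sample events and the three tampering attempts are constructed for illustration.

```python
"""Added example: tamper-evident central log store using a SHA-256 hash chain.

Not code from the OIG/CERT report. The entry format, the chain construction
and the sample events are constructed for illustration.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64


def _entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of the previous entry's hash and the canonical JSON of this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class CentralLog:
    """Append-only store: every entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.head()
        h = _entry_hash(prev, record)
        self.entries.append({"seq": len(self.entries), "prev": prev,
                             "record": record, "hash": h})
        return h

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries, expected_head=None):
    """Walk the chain. Returns (ok, reason). Edits, reordering and deletions
    break the chain; truncation is only visible if the expected head hash was
    recorded somewhere the log administrator cannot reach."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"chain broken at seq {i}"
        if _entry_hash(prev, e["record"]) != e["hash"]:
            return False, f"record {i} modified"
        prev = e["hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "log truncated or head mismatch"
    return True, "ok"


# Constructed sample events as a database host would forward them.
SAMPLE_EVENTS = [
    {"ts": "2010-11-03T22:40:01", "host": "db01", "user": "rsmith", "action": "login"},
    {"ts": "2010-11-03T22:41:10", "host": "db01", "user": "rsmith",
     "action": "export", "table": "claims_cases", "rows": 120000},
    {"ts": "2010-11-03T22:55:32", "host": "db01", "user": "rsmith", "action": "logout"},
    {"ts": "2010-11-03T23:00:00", "host": "db01", "user": "svc_backup", "action": "login"},
]


def build_sample_log() -> CentralLog:
    log = CentralLog()
    for rec in SAMPLE_EVENTS:
        log.append(rec)
    return log


def tampered_copies(log: CentralLog) -> dict:
    """Three ways an administrator with write access to the files might cover tracks."""
    edited = copy.deepcopy(log.entries)
    edited[1]["record"]["user"] = "svc_backup"     # pin the export on a service account
    deleted = copy.deepcopy(log.entries)
    del deleted[1]                                  # drop the export entry ...
    for i, e in enumerate(deleted):                 # ... and renumber to hide the gap
        e["seq"] = i
    truncated = copy.deepcopy(log.entries)[:-1]     # cut the newest entry
    return {"edited": edited, "deleted": deleted, "truncated": truncated}


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log.entries, log.head()))
    for name, entries in tampered_copies(log).items():
        print(name, "without head:", verify(entries), "with head:", verify(entries, log.head()))
```

Cutting entries off the end of the file is the one edit the chain alone cannot see, which is why `verify` also accepts an `expected_head`: the collector should periodically record its head hash somewhere the log administrators cannot write (a second system, a SIEM, a printed checkpoint), and the verifier compares against that. Because each entry hashes canonical JSON, two collectors fed the same events produce the same chain and can be cross-checked against each other.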
Area of Concern: Monitoring Suspicious Activity
Responsible Personnel: Information Technology
Policy and/or Security Measure: Database administrators are responsible for monitoring and alerting when data access attempts are made to critical data in USCIS databases.
Policy or Practice Gaps: No evidence provided.
Suggested Countermeasures: USCIS should consider clearly defining the responsibility of database administrators and the SNOC for monitoring, alerting, and responding to unauthorized data access. Once the responsibility is assigned, the appropriate group should diligently prevent, detect, and respond to unauthorized data access, modification, and exfiltration attempts.

Area of Concern: Monitoring Suspicious Activity (continued)
Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS has the ability to create inbound firewall rules to filter potentially malicious network traffic.
Policy or Practice Gaps: Network traffic filtering is happening only on inbound traffic, not outbound traffic. The resources do not exist to examine outbound traffic, only inbound traffic. Furthermore, the intrusion detection systems are not optimized to detect security events.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that monitors and filters inbound and outbound network traffic. This strategy may prevent or detect the unauthorized transfer of USCIS data outside the organization. Many insiders documented in the CERT Insider Threat Case database were able to commit their malicious activities using laptops.
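The two rows above leave database access monitoring to the DBAs and examine only inbound traffic. The following added example (not code from the report) shows why the countermeasures ask for both to be defined together: a database audit record on its own is only a bulk read, a flow record on its own is only a large upload, but the same workstation doing both within a short window is the exfiltration pattern the rows describe. The record formats, the thresholds, the internal address range and all sample records are constructed for this example.

```python
"""Added example: detecting a bulk database read followed by a large outbound
transfer from the same workstation.

Not code from the OIG/CERT report. The record formats, the thresholds, the
internal address range and all sample records are constructed for illustration.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space
BULK_ROWS = 5000                              # assumed: reads at or above this are bulk
EGRESS_BYTES = 50_000_000                     # assumed: outbound transfers at or above this are large
WINDOW = timedelta(hours=2)                   # assumed: transfer must follow the read within this
BUSINESS_HOURS = (7, 19)                      # assumed: 07:00 to 19:00 local


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def load_samples():
    """Constructed database audit records and flow records for one day."""
    audit = [
        {"ts": _ts("2010-11-03 09:15:00"), "user": "jdoe", "src": "10.1.2.3", "table": "claims_cases", "rows": 40},
        {"ts": _ts("2010-11-03 14:00:00"), "user": "svc_report", "src": "10.1.5.5", "table": "claims_cases", "rows": 8000},
        {"ts": _ts("2010-11-03 22:40:00"), "user": "rsmith", "src": "10.1.2.9", "table": "claims_cases", "rows": 120000},
        {"ts": _ts("2010-11-03 23:05:00"), "user": "rsmith", "src": "10.1.2.9", "table": "audit_log", "rows": 10},
    ]
    flows = [
        {"ts": _ts("2010-11-03 09:20:00"), "src": "10.1.2.3", "dst": "198.51.100.4", "bytes": 2_000},
        {"ts": _ts("2010-11-03 14:05:00"), "src": "10.1.5.5", "dst": "10.1.9.20", "bytes": 90_000_000},
        {"ts": _ts("2010-11-03 23:10:00"), "src": "10.1.2.9", "dst": "203.0.113.7", "bytes": 180_000_000},
    ]
    return audit, flows


def bulk_reads(audit):
    return [r for r in audit if r["rows"] >= BULK_ROWS]


def off_hours(audit):
    start, end = BUSINESS_HOURS
    return [r for r in audit if not start <= r["ts"].hour < end]


def correlate(audit, flows):
    """Bulk read, then a large flow to an external address from the same host inside WINDOW."""
    alerts = []
    for r in bulk_reads(audit):
        for f in flows:
            if (f["src"] == r["src"] and is_external(f["dst"])
                    and f["bytes"] >= EGRESS_BYTES
                    and r["ts"] <= f["ts"] <= r["ts"] + WINDOW):
                alerts.append({"user": r["user"], "host": r["src"], "table": r["table"],
                               "rows": r["rows"], "dst": f["dst"], "bytes": f["bytes"],
                               "off_hours": r in off_hours(audit)})
    return alerts


if __name__ == "__main__":
    audit, flows = load_samples()
    for a in correlate(audit, flows):
        print(a)
```

The scheduled report job at 14:00 is a bulk read too, but its output stays inside the internal range, so it is not alerted; the 22:40 export followed by a 180 MB upload to an external address is. `off_hours` is attached to the alert as a separate signal rather than used as a filter, so a daytime exfiltration is still caught. Both inputs already exist at USCIS in some form (DBA audit trails and the firewall's own logs); what the rows lack is one party that owns the join.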
Area of Concern: Monitoring Suspicious Activity (continued)
Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC is responsible for determining the root cause of an incident, including using forensic tools to identify affected workstations, desktops, and laptops.
Policy or Practice Gaps: The SNOC has had problems identifying the root cause of an affected workstation or user because of the lack of network forensic applications. Ideally, the SNOC should be able to trace network traffic from source to destination and watch activity. It has a standalone forensic capability but nothing on the network.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that includes forensic tools to aid investigations.

Area of Concern: Backups
Responsible Personnel: Information Technology
Policy and/or Security Measure: Backup testing for many systems occurs once per year. In some cases the backups are only tested with a tabletop exercise and do not use similar or identical hardware to that used in the production environment.
Policy or Practice Gaps: Tabletop exercises may not give USCIS a true indication of its ability to recover from a systemic failure.
Suggested Countermeasures: In six percent (22) of the cases documented in the CERT Insider Threat Case database, the impact of the crime was magnified because of insufficient backups. When possible, backups should be implemented on similar hardware to ensure that the backup tape is functional and the backup is operational.
Area of Concern: Backups (continued)
Responsible Personnel: Information Technology
Policy and/or Security Measure: Years of backup tapes are kept on site at the Vermont Service Center, and system administrators have access to these backup files.
Policy or Practice Gaps: Administrators who have access to the backup tapes would be able to
Suggested Countermeasures: Backup media should be controlled, carefully documented, and stored off site with limited access. Without those controls, USCIS cannot be sure its backups will give it the ability to recover.
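The Backups rows above note once-a-year tabletop tests and tapes that the administrators themselves can reach, and the section intro recalls an insider who destroyed backup media. The following added example (not code from the report) shows the two controls that address both: a manifest of file hashes authenticated with a key that the tape administrators do not hold, and a restore test that actually reads the media back and compares it with the manifest rather than walking through a tabletop. The file set, the archive layout and the key are constructed for illustration.

```python
"""Added example: authenticated backup manifest and a restore test that finds
corrupted, missing and unexpected files.

Not code from the OIG/CERT report. The file set, the key and the archive
layout are constructed for illustration; in practice the manifest key would
be held by a party other than the tape administrators.
"""
import hashlib
import hmac
import io
import json
import tarfile


def _pack(files: dict) -> bytes:
    """Write {name: bytes} into an in-memory gzip tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _unpack(archive: bytes) -> dict:
    files = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _tag(manifest_body: bytes, key: bytes) -> str:
    return hmac.new(key, manifest_body, hashlib.sha256).hexdigest()


def make_backup(files: dict, manifest_key: bytes):
    """Return (archive, manifest_body, tag). Manifest and tag are stored apart from the media."""
    manifest = {"files": {n: {"sha256": _sha256(d), "size": len(d)} for n, d in files.items()}}
    body = json.dumps(manifest, sort_keys=True).encode()
    return _pack(files), body, _tag(body, manifest_key)


def restore_and_verify(archive: bytes, manifest_body: bytes, tag: str, manifest_key: bytes):
    """Perform a full restore into memory and check it against the manifest.
    Returns (ok, problems)."""
    if not hmac.compare_digest(_tag(manifest_body, manifest_key), tag):
        return False, ["manifest authentication failed"]
    expected = json.loads(manifest_body)["files"]
    restored = _unpack(archive)
    problems = []
    for name, meta in expected.items():
        data = restored.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        elif len(data) != meta["size"] or _sha256(data) != meta["sha256"]:
            problems.append(f"corrupt: {name}")
    for name in restored:
        if name not in expected:
            problems.append(f"unexpected: {name}")
    return not problems, problems


# Constructed sample backup set and key.
SAMPLE_FILES = {
    "claims.db": b"case,status\n0001,approved\n0002,pending\n",
    "config.ini": b"[db]\nhost=db01\n",
    "users.csv": b"user,role\nrsmith,adjudicator\n",
}
MANIFEST_KEY = b"held-by-the-snoc-not-the-tape-admin"


def tampered_archives(archive: bytes) -> dict:
    """What a tape administrator could do to the media without the manifest key."""
    files = _unpack(archive)
    corrupted = dict(files, **{"claims.db": b"\x00" * len(files["claims.db"])})
    destroyed = {n: d for n, d in files.items() if n != "claims.db"}
    planted = dict(files, **{"backdoor.sh": b"#!/bin/sh\n"})
    return {"corrupted": _pack(corrupted), "destroyed": _pack(destroyed), "planted": _pack(planted)}


if __name__ == "__main__":
    archive, body, tag = make_backup(SAMPLE_FILES, MANIFEST_KEY)
    print("intact:", restore_and_verify(archive, body, tag, MANIFEST_KEY))
    for name, bad in tampered_archives(archive).items():
        print(name, restore_and_verify(bad, body, tag, MANIFEST_KEY))
```

The archive can be altered by anyone who holds the media, which is exactly the threat; the manifest cannot be altered without the key, so overwritten, deleted and planted files all surface at restore time, and a forged manifest fails before any file is checked. Running `restore_and_verify` on the production-like hardware the rows call for turns the tabletop into an actual recovery test.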
Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to address known vulnerabilities and ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.
Area of Concern: Addressing Known Security Vulnerabilities
Responsible Personnel: Information Technology
Policy and/or Security Measure: The OIT relies on two mechanisms to detect the download of malicious code: 1) DHS monitors the Internet gateway and alerts the OIT immediately upon discovery of known malware. The OIT shuts down the port to block malicious code where appropriate. 2) Agents installed on workstations also detect malicious code from USBs and other media.
Policy or Practice Gaps: The presence of host and perimeter malware protection puts USCIS in a relatively secure position regarding malicious downloads. A mitigating factor is that the departing employee would need physical access to the system to log in.

Area of Concern: Unmanaged Systems
Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS users have local administrator rights on their own machines. This allows users to install software on their systems. Some authorized software does require administrator rights to install. Some applications actually require administrator rights to run.
Policy or Practice Gaps: A user with administrator privileges must not rely solely on automatic mechanisms to safeguard his or her computer. Administrator rights give inadvertently downloaded malware the ability to completely compromise a system, sometimes without the knowledge of the user.
Suggested Countermeasures: Twelve percent (46) of the cases documented in the CERT Insider Threat Case database involve users abusing administrator privileges to sabotage systems or data. Although USCIS users have a need for administrator rights to install or run authorized software, the OIT should consider giving users separate administrator accounts for these explicit purposes. Users could then use non-administrator accounts for their daily work. This would greatly minimize the risk of malware compromise.
Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, there have been USCIS employees with seniority or influence who are able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management make it difficult for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: The OIT has a configuration management policy for software configuration baselines. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts.
Policy or Practice Gaps: Despite a rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process.
Suggested Countermeasures: Seventeen cases documented in the CERT Insider Threat Case database involve users exploiting the lack or weakness of a configuration management system to carry out their attacks. The OIT could leverage the existing ePO deployment to complement its configuration management efforts. ePO can define a baseline for software applications and alert on any deviations from that baseline.

Area of Concern: Configuration Management (continued)
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: In some cases individuals with seniority or influence are able to use administrator privileges to install software for the sake of convenience.
Suggested Countermeasures: USCIS should ensure that configuration policy is consistently communicated and enforced throughout the organization. Even senior leadership should not be able to casually circumvent these policies without going through the proper channels as defined by the configuration management policy.

Area of Concern: Configuration Management (continued)
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: Service Centers are responsible for locking down desktops to prevent unauthorized software from running.
Policy or Practice Gaps: The lockdown process relies on human intervention. If call volume to the Service Center is heavy, this may increase response time to an unacceptable level.
Suggested Countermeasures: The OIT should explore ways to automate lockdown of potentially compromised systems. This would require a careful balance of service versus security. On the service side, delayed response by the Service Center may result in loss of productivity. On the security side, delayed response could lead to system compromise. Management should evaluate the risks of a compromise and weigh those risks against the potential consequences of service disruption.
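The rows above describe per-contract baselines, rogue software found by manual scans, and senior staff using local administrator rights to install what they like; the countermeasures ask for a baseline and an alert on any deviation. The following added example (not code from the report and not an ePO feature) shows the checking logic such a deviation alert would run over an endpoint inventory: required software with minimum versions, an allow-list for everything else, and the expected membership of the local administrators group. The baselines, the software names and versions, the hosts and the administrator lists are constructed for illustration.

```python
"""Added example: checking host inventories against per-contract configuration
baselines and reporting every deviation.

Not code from the OIG/CERT report and not an ePO feature. The baselines, the
software names and versions, the hosts and the local administrator lists are
constructed for illustration.
"""

# Assumed baseline per contract: required software with its minimum version,
# an allow-list of other software, and the expected local administrator group.
BASELINES = {
    "contract-A": {
        "required": {"Antivirus Agent": "8.7.0", "Office Suite": "12.0.6", "PDF Reader": "9.4.0"},
        "allowed": {"VPN Client"},
        "local_admins": {"Administrator", "DOMAIN\\Desktop Support"},
    },
}

# Constructed inventories as an endpoint agent would report them.
HOSTS = [
    {"name": "WS-0101", "contract": "contract-A",
     "software": {"Antivirus Agent": "8.7.0", "Office Suite": "12.0.6", "PDF Reader": "9.4.0", "VPN Client": "4.1"},
     "local_admins": {"Administrator", "DOMAIN\\Desktop Support"}},
    {"name": "WS-0102", "contract": "contract-A",
     "software": {"Antivirus Agent": "8.7.0", "Office Suite": "12.0.6", "PDF Reader": "9.1.0", "TorrentTool": "2.2"},
     "local_admins": {"Administrator", "DOMAIN\\Desktop Support", "DOMAIN\\jsenior"}},
    {"name": "WS-0103", "contract": "contract-A",
     "software": {"Office Suite": "12.0.6", "PDF Reader": "9.4.0"},
     "local_admins": {"Administrator", "DOMAIN\\Desktop Support"}},
    {"name": "WS-0104", "contract": "contract-Z",
     "software": {}, "local_admins": {"Administrator"}},
]


def parse_version(v: str) -> tuple:
    """'9.4.0' -> (9, 4, 0); non-numeric parts sort as 0 (assumed adequate for this inventory)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def check_host(host: dict, baselines: dict = BASELINES) -> list:
    """Return (kind, detail) findings for one host; an empty list means compliant."""
    base = baselines.get(host["contract"])
    if base is None:
        return [("unknown_contract", host["contract"])]
    findings = []
    for name, minimum in base["required"].items():
        installed = host["software"].get(name)
        if installed is None:
            findings.append(("missing_required", name))
        elif parse_version(installed) < parse_version(minimum):
            findings.append(("outdated", f"{name} {installed} < {minimum}"))
    for name in host["software"]:
        if name not in base["required"] and name not in base["allowed"]:
            findings.append(("unapproved_software", name))
    for member in host["local_admins"] - base["local_admins"]:
        findings.append(("unexpected_local_admin", member))
    return sorted(findings)


def report(hosts: list = HOSTS, baselines: dict = BASELINES) -> dict:
    """Map host name to its findings, only for hosts that deviate from baseline."""
    out = {}
    for h in hosts:
        findings = check_host(h, baselines)
        if findings:
            out[h["name"]] = findings
    return out


if __name__ == "__main__":
    for name, findings in report().items():
        for kind, detail in findings:
            print(f"{name}: {kind}: {detail}")
```

Because the check is data driven, the 90 to 150 images become 90 to 150 baseline entries rather than 90 to 150 manual scans, and the administrator-group comparison catches the convenience installs that the policy says should go through proper channels. A host with no baseline at all (`WS-0104`) is reported as loudly as one with rogue software, since an unmanaged image is the case the rows are most worried about. The same report, run again after a lockdown, confirms that the lockdown took.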
Appendix H Acronyms

C3-LAN: CLAIMS 3 Local Area Network
CBP: Customs and Border Protection
CI: Counterintelligence
CIO: Chief Information Officer
CLAIMS: Computer Linked Application Information Management System
CMMI: Capability Maturity Model Integration
COTR: Contracting Officer's Technical Representative
CSC: Computer Sciences Corporation
CSIRT: Computer Security Incident Response Team
CSO: Chief Security Officer
CMU: Carnegie Mellon University
DBA: Database Administrator
DHS: Department of Homeland Security
DOJ: Department of Justice
FBI: Federal Bureau of Investigation
FDNS-DS: Fraud Detection and National Security Data System
FISMA: Federal Information Security Management Act
FSD: Field Security Division
FSN: Foreign Service National
GFE: Government-furnished Equipment
HR: Human Resources
HSPD-12: Homeland Security Presidential Directive 12
ICE: Immigration and Customs Enforcement
ISSO: Information System Security Officer
IT: Information Technology
LER: Labor and Employee Relations
LPO: Local PICS Officer
NCR: National Capital Region
NFTS: National File Tracking System
ODBC: Open Database Connectivity
OIG: Office of Inspector General
OIT: Office of Information Technology
OSI: Office of Security and Integrity
PERSEC: Personnel Security
PICS: Password Issuance and Control System
PII: Personally Identifiable Information
QA: Quality Assurance
SEI: Software Engineering Institute
SIEM: Security Information and Event Management
SIR: Significant Incident Report
SNOC: Security Network Operations Center
TSA: Transportation Security Administration
USB: Universal Serial Bus
USCIS: US Citizenship and Immigration Services
VIS: Verification Information System
Appendix I Management Comments to the Draft Report

Appendix J Contributors to this Report

Software Engineering Institute, Carnegie Mellon University
Insider Threat Center at CERT

Department of Homeland Security Office of Inspector General
Richard Saunders, Director, Advanced Technology Division
Steve Matthews, IT Audit Manager, Advanced Technology Division
Philip Greene, IT Auditor/Team Lead, Advanced Technology Division

Appendix K Report Distribution

Department of Homeland Security
Secretary
Deputy Secretary
Chief of Staff
Deputy Chiefs of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Chief Information Security Officer
USCIS Chief Information Officer
USCIS Chief Information Security Officer
USCIS Audit Liaison Office

Office of Management and Budget
Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress
Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse, or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603
• Fax the complaint directly to us at (202) 254-4292
• Email us at DHSOIGHOTLINE@dhs.gov, or
• Write to us at DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive SW, Building 410, Washington, DC 20528

The OIG seeks to protect the identity of each writer and caller.
Examining Insider Threat Risk at the
US Citizenship and Immigration Services
PreparedforDepartmentofHomelandSecurity
OfficeofInspectorGeneral
bytheSoftwareEngineeringInstituteatCarnegieMellonUniversity
Insider Threat Center at CERT
December 2010
NOWARRANTY
THISCARNEGIEMELLONUNIVERSITYANDSOFTWAREENGINEERINGINSTITUTEMATERIAL ISFURNISHEDONANASISBASISCARNEGIEMELLONUNIVERSITYMAKESNO WARRANTIESOFANYKINDEITHEREXPRESSEDORIMPLIEDASTOANYMATTER INCLUDINGBUTNOTLIMITEDTOWARRANTYOFFITNESSFORPURPOSEOR MERCHANTABILITYEXCLUSIVITYORRESULTSOBTAINEDFROMUSEOFTHEMATERIAL CARNEGIEMELLONUNIVERSITYDOESNOTMAKEANYWARRANTYOFANYKINDWITH RESPECTTOFREEDOMFROMPATENTTRADEMARKORCOPYRIGHTINFRINGEMENT
Useofanytrademarksinthisreportisnotintendedinanywaytoinfringeontherightsof thetrademarkholder
TableofContents
ExecutiveSummary 1
Recommendation2Incorporateinsiderthreatriskmitigationstrategiesintothe
Recommendation3Centralizerecordsofmisconductandviolationstobetterenablea
Background 2
Objective 3
Scope 3
AssessmentProcessMethodology 5
ResultsofAssessment 7
Organizational 7
HumanResources 9
PhysicalSecurity 11
BusinessProcesses 12
IncidentResponse 14
SoftwareEngineering 15
InformationTechnology 16
Recommendation1Instituteanenterpriseriskmanagementplan 22
Transformationeffort 22
coordinatedresponsetoinsiderthreats 22
Recommendation4 23
Recommendation5Considerseparationofdutiesforcriticalbusinessprocessesand theirrelatedinformationsystems 23
Recommendation7Employconsistentphysicalsecuritypoliciesforfieldofficesand
Recommendation9ExamineHRscreeningproceduresforhighriskpositionsandFSNs
Recommendation10Ensurethatphysicalandcomputeraccessisterminatedinatimely
Recommendation11Enforcearequirementforindividualaccountsoncriticalsystems
Recommendation6ConductauditofPICSandFSNaccountsforUSCISsystems 23
servicecentersincludingthephysicalcasefiles 23
Recommendation8Consistentlyenforceexitprocedures 24
24
fashion 24
25
CERT | SOFTWARE ENGINEERING INSTITUTE | i
Recommendation12 25
Recommendation13Reducethenumberofprivilegedaccountsforcriticaldatasystems
25
Recommendation14 25
Recommendation15Implementproceduralandtechnicalcontrolstopreventsource codeunderdevelopmentfrombeingreleasedwithoutappropriatereview 25
Recommendation16 26
Recommendation17 26
Recommendation18Periodicsecurityrefreshertrainingshouldberegularlyconducted andrequiredforallemployees 26
AppendixHAcronyms 107
AppendixIManagementCommentstotheDraftReport 109
AppendixJContributorstothisReport 110
AppendixKReportDistribution 111
ManagementCommentsandOIGAnalysis 27
Appendixes 28
AppendixAOrganizational 30
AppendixBHumanResources 37
AppendixCPhysicalSecurity 42
AppendixDBusinessProcesses 48
AppendixEIncidentResponse 62
AppendixFSoftwareEngineering 69
AppendixGInformationTechnology 75
CERT | SOFTWARE ENGINEERING INSTITUTE | ii
ExecutiveSummary
TheUSDepartmentofHomelandSecurityOfficeofInspectorGeneralengagedtheInsider ThreatCenteratCERToftheSoftwareEngineeringInstituteatCarnegieMellonUniversity toconductaninsiderthreatassessmentofUSCitizenshipandImmigrationServicesThe objectiveoftheassessmentwastodeterminehowUSCitizenshipandImmigrationSer viceshastakenstepstoprotectitsinformationtechnologysystemsanddatafromthe threatsposedbyemployeesandcontractorsTheassessmentevaluatedUSCitizenship andImmigrationServicesagainstapproximately400realinsiderthreatcompromisesdocu mentedintheCERTInsiderThreatCasedatabaseThesecasesallprosecutedintheUnited Statesincludefraudsabotageandtheftofintellectualproperty
TheassessmentteamperformedfieldworkinthenationalcapitalregionVermontService CenterandUSCitizenshipandImmigrationServicesBurlingtonofficesDuetothelimited scopeoftheassessmentsystemsreviewedandlocationsvisitedCERTwasnotabletover ifytheinstitutionalizationandenforcementofanyUSCitizenshipandImmigrationSer vicesrsquopoliciesorrenderanoverallopinionoftheeffectivenessofUSCitizenshipandImmi grationServicesinsiderthreatpostureTheOfficeofInspectorGeneraldidnotrequest CERTtoconductacomprehensiveinformationsystemrsquostechnicalsecuritycontrolsreviewor vulnerabilityassessmenttodeterminethesusceptibilitytointernalthreatsTheOfficeof InspectorGeneralmayperformanindepthfollowupreviewtorenderanoverallopinionof theeffectivenessofUSCitizenshipandImmigrationServicesinsiderthreatposture
USCitizenshipandImmigrationServiceshasmadeprogressinimplementingelementsof aneffectiveinsiderthreatprogramSpecificallyithasestablishedaConvictionTaskForce toreviewformeremployeesconvictedofcriminalmisconductwithinthescopeoftheirdu tiesperformsriskmanagementforinformationtechnologyandfinancialmanagementde velopedexitproceduresforemployeesimprovedprotectionofitsfacilitiesandassetsand adherestoformalizedprocessesforsomesystemsInadditionitisimplementingHome landSecurityPresidentialDirective12forphysicalandelectronicaccountmanagement
WhiletheseeffortshaveresultedinsomeimprovementsUSCitizenshipandImmigration Serviceshasopportunitiestoimproveitssecuritypostureagainstthreatsposedbyemploy eesandcontractorsForexampleitcaninstituteanenterpriseriskmanagementplanand incorporateinsiderthreatriskmitigationstrategiesintoitsnewbusinessprocessesItcan alsocentralizerecordsofmisconductandviolationsinstitutealoggingstrategytopreserve systemactivitiesimplementseparationofdutiesforadjudicativedecisionsconductaudits ofnonUSCitizenshipandImmigrationServicesaccountsemployconsistentpoliciesfor physicalsecurityandconsistentlyenforceemployeeexitprocedures
Theassessmentteamismaking18recommendationstotheDirectorofUSCitizenshipand ImmigrationServicestostrengthenthedepartmentrsquossecuritypostureagainstmaliciousin siderthreatsUSCISconcurredwithallofourrecommendationsandhasalreadybegunto takeactionstoimplementthemThedepartmentrsquosresponseisincludedinitsentiretyas appendixI
CERT | SOFTWARE ENGINEERING INSTITUTE | 1
Background
TheUSDepartmentofHomelandSecurity(DHS)OfficeofInspectorGeneral(DHSOIG) engagedtheCERTprogramintheSoftwareEngineeringInstituteatCarnegieMellonUniver sitytoconductaninsiderthreatvulnerabilityassessmentofUSCitizenshipandImmigra tionServices(USCIS)Theprojectapproachestheinsiderthreatproblemontwoprimary fronts
Thehumanbehavioralcomponent
Thetechnologicalsolutionforautomatingpreventionanddetectioncapabilitiesto identifymeasuremonitorandcontrolinsiderthreatvectors
Insiderscanbecurrentorformeremployeescontractorsorbusinesspartnerswhohaveor hadauthorizedaccesstotheirorganizationssystemandnetworksTheyarefamiliarwith internalpoliciesproceduresandtechnologyandcanexploitthatknowledgetofacilitate attacksandevencolludewithexternalattackersCERTrsquosresearchconductedsince2001 hasfocusedongatheringdataaboutactualmaliciousinsideractsincludinginformation technology(IT)sabotagefraudtheftofconfidentialorproprietaryinformationespionage andpotentialthreatstoourNationscriticalinfrastructures
CERTdevelopedaninsiderthreatvulnerabilityassessmentinstrumentforevaluatingvulner abilitiestoinsiderthreatbasedonresearchtodateBecauseofthecomplexityofthein siderthreatproblemmdashinvolvingsecurityofficersinformationtechnologyinformationsecu ritymanagementdataownerssoftwareengineeringandhumanresourcesmdashorganizations needassistanceinmergingthewealthofavailableguidanceintoasingleactionableframe workCERTadvisesorganizationstousethisassessmentinstrumenttohelpsafeguardtheir criticalinfrastructure
CERTbuilttheassessmentbasedonresearchofapproximately400insiderthreatcasesin theCERTInsiderThreatCasedatabase1Thesecasesareacollectionofrealinsiderthreat compromisesmdashprimarilyfraudsabotageandtheftofintellectualpropertymdashthathavebeen prosecutedintheUnitedStatesStartingin2002CERTcollaboratedwithUSSecretSer vicebehavioralpsychologiststocollectapproximately150actualinsiderthreatcasesthat occurredinUScriticalinfrastructuresectorsbetween1996and2002andexaminedthem frombothatechnicalandabehavioralperspectiveSincethatoriginalstudyCERThascon tinuedtoaddcaseswithfundingfromCarnegieMellonrsquosCyLab2bringingthecaselibraryto atotalofapproximately400casesTheinstrumentencompassestechnicalbehavioral processandpolicyissuesandisstructuredaroundinformationtechnologyinformation securityhumanresourcesphysicalsecuritybusinessprocesseslegalandcontracting managementandorganizationalissues
1Notethatthedatabasedoesnotcontainnationalsecurityespionagecasesinvolvingclassifiedin formation 2httpwwwcylabcmuedu
CERT | SOFTWARE ENGINEERING INSTITUTE | 2
Objective
TheobjectiveoftheinsiderthreatvulnerabilityassessmentwastodeterminehowUSCIShas takenstepstoprotectitsITsystemsanddatafromthethreatposedbyemployeesandcon tractorsThisassessmentwasbasedonbehavioralaswellastechnicalexperienceanditis intendedtoassistUSCISinsafeguardingitscriticalinfrastructureTheassessmentwill
EnableUSCIStogainabetterunderstandingofitsvulnerabilitytoinsiderthreatand provideanabilitytoidentifyandmanageassociatedrisks
Identifytechnicalorganizationalpersonnelbusinesssecurityandprocessissues intoasingleactionableframework
Identityshorttermcountermeasuresagainstinsiderthreats
HelpguideUSCISinitsongoingriskmanagementprocessforimplementinglong termstrategiccountermeasuresagainstinsiderthreats
Scope
USCISemploysapproximately18000governmentemployeesandcontractorslocatedat250 officesthroughouttheworld3Theinsiderthreatvulnerabilityassessmentisintendedto focusoncriticalsystemsandhighriskareasofconcernthatcanbeassessedina3to5day timeframeThereforeatapreassessmentwalkthroughmeetingUSCISstaffidentified3 systemsofthe96systemsusedbytheagencyascriticaltoitsoverallmission
VerificationInformationSystem(VIS)mdashthispublicfacingsystemiscomposedoffive differentapplicationsThepurposeofthesystemistoprovidemdash
o Immigrationstatusinformationtogovernmentbenefitgrantingorganiza tionstohelpthemdeterminetheeligibilityofalienswhoapplyforbenefits
o Ameansforprivateemployerstoperformemploymenteligibilityverifica tionofnewlyhiredemployees
ComputerLinkedApplicationInformationManagementSystem(CLAIMS)mdashThissys temprovidesthefollowingfunctions
3httpwwwuscisgovportalsiteuscismenuitemeb1d4c2a3e5b9ac89243c6a7543f6d1avgnextoi d=2af29c7755cb9010VgnVCM10000045f3d6a1RCRDampvgnextchannel=2af29c7755cb9010Vgn VCM10000045f3d6a1RCRD
CERT | SOFTWARE ENGINEERING INSTITUTE | 3
o CLAIMS3LocalAreaNetwork(C3LAN)wasoriginallydevelopedtotrack thereceiptingofapplicantorpetitionerremittancesandtoproducenotices documentingtheremittanceC3LANnowincludesadjudicationarchive cardproductioncasehistorycasetransferondemandreportselectronic filetrackingimagecaptureproductionstatisticsstatusupdateandelec tronicingestofapplicationdatacapturedthroughtheEFilingwebapplica tionandtheDepartmentofTreasurysponsoredlockboxoperations
o C3mainframesupportsprocessingofUSCISapplicationsandpetitionsfor variousimmigrantbenefits(egchangeofstatusemploymentauthoriza tionandextensionofstay)
FraudDetectionandNationalSecurityDataSystem(FDNSDS)mdashThissystemwasde velopedtoidentifythreatstonationalsecuritycombatbenefitfraudandlocate andremovevulnerabilitiesthatcompromisetheintegrityofthelegalimmigration system
Itisimportanttonotethattheinsiderthreatvulnerabilityassessmentislimitedtoareasof concernobservedinthehundredsofcasesintheCERTInsiderThreatdatabasePeople technologyandorganizationsareconstantlychangingandmaliciousinsiderscontinueto comeupwithnewavenuesofattackinordertodefeatapreviouslyeffectivecountermea sureHowevermanyofthecountermeasuressuggestedinthisreportareapplicabletoa multitudeofattackvectors
ItisalsoimportanttonotethatCERTrsquosinsiderthreatresearchhasonlyexploredintentional insidercrimesAccidentaldataleakageisanareaofsignificantconcernfororganizations howeverCERThasnotyetexploredthataspectofinsiderthreatInadditionthefocusof theresearchtodateistodescribehowtheinsiderthreatproblemevolvesovertimeCERTrsquos longtermresearchdoesincludemeasuringtheeffectivenessofmitigationstrategies
CERT | SOFTWARE ENGINEERING INSTITUTE | 4
Assessment Process/Methodology

An entrance conference was conducted by the DHS OIG, CERT, and USCIS on February 23, 2010. The entrance conference introduced USCIS to the CERT assessment team. Following the entrance conference, a pre-assessment walkthrough was held at USCIS headquarters on March 10, 2010. At that meeting, the CERT assessment team and the DHS OIG team explained the assessment process to representatives of USCIS. USCIS provided some documentation to the assessment team at that time and more documents throughout the assessment; those documents were reviewed to provide substantiation for findings in this report.

USCIS identified 96 systems it uses. Following the initial meeting, USCIS leadership and the assessment team chose the VIS, CLAIMS, and FDNS-DS systems because they were critical to the overall mission of USCIS. These three systems were the focus of the 5-day onsite assessment.

At the pre-assessment walkthrough, USCIS indicated that it had created a Convictions Task Force to review the activities of 10 former employees convicted of criminal misconduct within the scope of their official duties. The purpose of the task force is to identify issues these employees exploited to commit their crimes. The task force intended to develop findings and recommendations aimed at preventing similar crimes in the future. It graciously extended an invitation to the CERT and DHS OIG teams to participate. As a result, the teams observed or reviewed transcripts of all telephone conferences conducted by the task force. These findings are reflected in this report.

The CERT insider threat team and the DHS OIG liaison were onsite at various USCIS locations in the national capital region (NCR) from March 30 through April 1, 2010.

The DHS OIG liaisons were present at all interviews. The DHS OIG attended these interviews as an observer and assisted CERT as needed.

Face-to-face interviews were conducted with approximately 58 representatives in the NCR, followed by 32 representatives in the Vermont Service Center and USCIS Burlington offices. In addition, telephone conferences were held with staff from the Office of Security and Integrity (OSI) Investigations Division and the Security Network Operations Center (SNOC). Interviewees represented the following areas:

Data Owners (VIS, CLAIMS, and FDNS-DS)

Computer Sciences Corporation (CSC) (software engineering and operational support for VIS, CLAIMS, and FDNS-DS)
OSI (Physical Security, Regional Security, Investigations, Personnel Security, Counterintelligence)

Human Capital and Training (Training, Human Resources Operations Center, Labor Employee Relations)

Office of Information Technology (OIT) (IT Security, Computer Security Incident Response Team, Security and Network Operations Center, Account Management, Enterprise Operations)

Legal (Procurement Law)

Vermont Service Center (adjudicators, data entry clerks, supervisors, directors, OIT, software engineering)

All interviews were considered confidential; no record of participating employees is included in this report or in subsequent briefings. Findings are attributed only to a group or department interviewed, a document, the Convictions Task Force telephone conferences, or direct observation.
A critical issue for USCIS is ensuring that the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for Information Technology (IT) and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: US citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Transformation

Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. USCIS is relying heavily on Transformation to correct many of the problems resulting from legacy systems. This reliance on a single effort makes its effectiveness very important. The team found the Transformation effort to be a massive undertaking that appears to be implementing a very detailed project plan.

Based on the team's review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats. The assessment team reviewed five comprehensive Transformation documents as part of this assessment. The documents describe system requirements in detail. Fraud detection refers to detection of fraud perpetrated by applicants and petitioners; national security issues focus on the handling of investigations within USCIS that involve national security issues.

Again, an enterprise risk management approach should be considered when defining requirements for Transformation. Insiders at USCIS have perpetrated fraud in the past, as evidenced by the Convictions Task Force. In addition, USCIS insiders are capable of granting legal residency or citizenship status to someone who poses a national security risk to the United States.
Training and Awareness

It is essential that security awareness training is consistently provided to all employees to ensure security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure to report concerning behavior by coworkers or others in an organization was a primary reason insiders in the CERT Insider Threat Case database continued to set up or carry out their attacks.

USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Human Resources

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern exhibited by current employees. Some cases from the CERT Insider Threat database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations must establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by human resources (HR) and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring. Clear requirements for ensuring employees' knowledge of these guidelines are also essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information.

Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies,
complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.
Screening and Hiring Practices

Several personnel screening and hiring practices pose a risk to USCIS systems and data.

USCIS does not have a consistent procedure for deciding whether to conduct a face-to-face interview prior to hiring an applicant being screened for government employment. There was an impression at USCIS headquarters that nearly 100% of those employees hired by managers are interviewed, but representatives in Burlington, Vermont, told us otherwise. This gap between perception and reality (there is not a policy stating that this must be done) is a concern. USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire. PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires if they have risk factors that do not cross adjudication guidelines for disqualification.

Foreign Service National (FSN) employees who work at US embassies and consulates abroad have access to USCIS critical systems and data in some cases. In order to be hired and granted access to any of those systems, FSNs are vetted by the US Department of State. Although the access to USCIS systems must be approved by the chief security officer (CSO) and chief information officer (CIO) for DHS, USCIS has very little visibility into the screening process for FSNs.

Exit Procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager or Contracting Officer's Technical Representative (COTR). It also appears different managers follow
different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access.
Physical Security

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the NCR since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls.
Finally, issues concerning the security of applicants' physical case files should be considered by USCIS as part of its risk management strategy.
Controlling and Monitoring Proper Access Authorization

USCIS handles the physical security and access authorization of facilities differently depending on where the facility is located. The physical security of NCR facilities is handled by one group of USCIS personnel, but the physical security of field offices falls under the Field Security Division (FSD). In some cases, a physical security representative is not located in a field office at all. When this is the case, the responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner.

In 10 cases documented in
the CERT Insider Threat Case database, the insider was able to commit a crime following termination because of failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities.
Security of Physical Case Files

At the Vermont Service Center, the assessment team observed physical case files of benefit applicants stacked in crates in the hallways. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their offices or desks. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they may leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Thirteen insiders documented in the CERT database stole physical property belonging to their organization.

Business Processes

A variety of cases from the CERT Insider Threat Case database document insider attacks in which gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and non-technical means. Access control based on separation of duties and least privilege in both the physical and virtual environment is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crimes. Most of these insiders committed their crimes for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE Password Issuance and Control System (PICS) for authorization for critical USCIS systems. Although PICS is outside the control of USCIS,
CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.
Verification Information System

The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.

Modifications by VIS users to critical data are logged

CLAIMS 3 LAN

Currently, all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other "sister" USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it.

FDNS-DS
Incident Response

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Incident Management

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Consequently, any effort to coordinate a proactive
program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.

Software Engineering

Code Reviews

Some USCIS systems adhere to a formalized process of software engineering using contractors with a specified level of process maturity (i.e., capability maturity model integration (CMMI) level 3).
There was even a documented case in which source code contained something inappropriate and was discovered only after the code was turned over from one contractor to another.
Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.

Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial.

Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise, to include contractors, subcontractors, and vendors who have access to the organization's information systems and/or networks.

In some areas, computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.

Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if un-
authorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore,

Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR.

The application of account management practices under the control of USCIS is inconsistent. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
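The roster comparison called for earlier under Controlling and Monitoring Proper Access Authorization, the FSN account audit and the termination and transfer gaps described in this section, and the privileged account audit of Recommendation 13 all reduce to one reconciliation of the HR roster against the account and badge lists. The following is an added example of such a check (not USCIS, CERT, or PICS code); the record layout, the status values, the one-day grace period, and the 25% privileged-account threshold are assumptions, and all records are constructed sample data.

```python
"""Reconcile the HR roster with system accounts and facility badge lists and
flag the gaps this assessment describes. Added example, not USCIS or CERT code;
every record is constructed sample data and every field name, status value and
threshold is an assumption."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Person:
    person_id: str
    status: str         # assumed values: "active", "terminated", "transferred"
    status_date: date   # date the current status took effect
    org: str            # assumed values: "USCIS", "FSN"
    department: str     # current department

@dataclass(frozen=True)
class Account:
    username: str
    person_id: str
    system: str
    granting_department: str      # department that requested the access
    privileged: bool
    authorized_by: Optional[str]  # approval record (e.g. CSO/CIO); None = none on file
    enabled: bool

@dataclass(frozen=True)
class Badge:
    person_id: str
    facility: str
    enabled: bool

def reconcile(people, accounts, badges, today, grace_days=1, max_privileged_ratio=0.25):
    """Return (category, identifier, detail) findings. An enabled account or badge
    whose owner was terminated at least grace_days ago counts as stale."""
    roster = {p.person_id: p for p in people}
    findings = []

    def owner_issue(person_id):
        p = roster.get(person_id)
        if p is None:
            return "orphan"                  # nobody on the roster owns this access
        if p.status == "terminated" and today - p.status_date >= timedelta(days=grace_days):
            return "stale"                   # owner left, access still enabled
        return None

    for a in accounts:
        if not a.enabled:
            continue
        issue = owner_issue(a.person_id)
        if issue:
            findings.append((issue + "_account", a.username, f"{a.system}: owner {a.person_id}"))
        p = roster.get(a.person_id)
        if p is None:
            continue
        if p.status == "transferred" and p.department != a.granting_department:
            findings.append(("retained_after_transfer", a.username,
                             f"{a.system}: granted for {a.granting_department}, now in {p.department}"))
        if p.org == "FSN" and a.authorized_by is None:
            findings.append(("fsn_unauthorized", a.username, f"{a.system}: no authorization record"))

    for b in badges:
        issue = owner_issue(b.person_id) if b.enabled else None
        if issue:
            findings.append((issue + "_badge", b.person_id, f"{b.facility}: holder {issue}"))

    # Privileged accounts as a share of all enabled accounts on each system.
    live = [a for a in accounts if a.enabled]
    for system in sorted({a.system for a in live}):
        total = sum(1 for a in live if a.system == system)
        priv = sum(1 for a in live if a.system == system and a.privileged)
        if priv / total > max_privileged_ratio:
            findings.append(("privileged_ratio", system, f"{priv} of {total} enabled accounts are privileged"))
    return findings

def sample_data():
    """Constructed sample roster, accounts and badges (not real data)."""
    today = date(2010, 4, 1)
    people = [
        Person("P001", "active", date(2009, 5, 1), "USCIS", "VSC-Adjudication"),
        Person("P002", "terminated", date(2010, 3, 15), "USCIS", "OIT"),
        Person("P003", "transferred", date(2010, 3, 20), "USCIS", "NCR-HR"),
        Person("P004", "active", date(2008, 1, 10), "FSN", "Embassy"),
    ]
    accounts = [
        Account("p001", "P001", "CLAIMS3", "VSC-Adjudication", False, "LPO-12", True),
        Account("p001admin", "P001", "FDNS-DS", "VSC-Adjudication", True, "LPO-12", True),
        Account("p002", "P002", "VIS", "OIT", True, "LPO-12", True),
        Account("p003", "P003", "CLAIMS3", "VSC-Adjudication", False, "LPO-12", True),
        Account("p004", "P004", "FDNS-DS", "Embassy", False, None, True),
        Account("p005", "P005", "FDNS-DS", "OIT", True, "LPO-7", True),     # no roster entry
        Account("p006", "P002", "CLAIMS3", "OIT", False, "LPO-12", False),  # already disabled
    ]
    badges = [Badge("P001", "VSC", True), Badge("P002", "NCR-HQ", True),
              Badge("P004", "Embassy", True), Badge("P005", "NCR-HQ", True)]
    return people, accounts, badges, today
```

Run against the sample data, `reconcile(*sample_data())` returns eight findings: one stale and one orphan account, one stale and one orphan badge, one account retained after a transfer, one FSN account with no authorization record, and two systems (VIS and FDNS-DS) where privileged accounts exceed the threshold.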
Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those
granted access through the US Department of State for access from embassies overseas, have not been through the rigorous pre-employment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Protection of Controlled Information
Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.

USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information
Logging, Auditing, Monitoring

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.
There is a primary concern in this area at USCIS. USCIS should consider the frequency with which it scans its systems for technical security vulnerabilities.

There is also another concern in this area at USCIS.

Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy,

Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for lev-
eraging existing deployments and modifying incident response practices to increase effectiveness.
Recommendations

The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.

Recommendation 1: Institute an enterprise risk management plan

USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort

Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.

Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identified
storesphysicalfilesforbenefitapplicantsintheVermontServiceCenterwithnophysical protectionbeyondtheexteriorbuildingandguardcontrolsUSCISshouldevaluatecurrent physicalaccessprocedurestodetermineiftheyadequatelyaddressriskandiftheyareen forcedconsistentlyacrosstheenterprise
Recommendation8Consistentlyenforceexitprocedures Exitprocedurestypicallydetailthestepsthatmustbetakenwhenanemployeeretiresre signsorisfiredtransferredorputonaleaveofabsenceTheseproceduresforUSCIShave beenrecentlydevelopedandinsomecasesarestillunderdevelopmentUSCISexpectsto releasemoreformalizedproceduresinthenext3monthsbutthereisnotacommonun derstandingoftheproperproceduresItappearstheresponsibilityforensuringthatem ployeesandcontractorsareproperlyterminatedrestssolelywiththemanagerandCOTRIt alsoappearsthatdifferentmanagersfollowdifferentprocedurestoensurethataccessis disabledandequipmentisreturnedasemployeesandcontractorsleaveUSCISThisgap maymanifestitselfintheinconsistentcollectionofbadgeslaptopsmobiledevicesand otherUSCISequipmentandimproperdisablingorterminationofaccessUSCISshould adoptanenterprisewideexitproceduretoensureconsistentterminationofallemployees andcontractors
Recommendation9ExamineHRscreeningproceduresforhighrisk positionsandFSNs ChangesshouldbemadetotheUSCIShiringprocessesforselecthighriskpositionsFor exampleUSCISshouldconsideradditionalscreeningforadjudicatorsUSCISshouldbe moreinvolvedindecidingwhoisgrantedauthorizedaccessbecauseofthesensitivenature ofthesystemsanddatathatUSCISmanages
Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion

USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.
Recommendation 11: Enforce a requirement for individual accounts on critical systems

In some cases, USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing of accounts more difficult.
Recommendation 12
Recommendation 13: Reduce the number of privileged accounts for critical data systems

Some data systems, including FDNS-DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.
Recommendation 14
Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review

USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed.
Recommendation 16

Recommendation 17
Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees

USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.
Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments in its entirety in appendix I.

USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS corrective action plans.
Appendixes

The following pages contain appendixes A through G, which contain a complete, detailed list of findings from the assessment.

The appendixes are organized into the following sections:

Appendix A: Organizational
Appendix B: Human Resources
Appendix C: Physical Security
Appendix D: Business Process
Appendix E: Incident Response
Appendix F: Software Engineering
Appendix G: Information Technology
Appendix H: Acronyms
Appendix I: Management Comments to the Draft Report
Appendix J: Contributors to this Report
Appendix K: Report Distribution

Each section in appendixes A–G contains a brief introduction, a summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern specific to USCIS obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.

It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization's mission from both external and internal threats.

Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.

The results of this insider threat vulnerability assessment should be used to develop or refine the organization's overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.

Many of the findings in this report include the relative frequency of the issue raised in the CERT Insider Threat Case database. At the time this report was written, there were 386 cases of malicious insider activity against which the suggested countermeasure percentage is calculated. So if a particular activity was seen in 38 of our cases, we may indicate that it was seen in 10% of the cases in the Insider Threat Case database.
Appendix A: Organizational

Risk Management
Communication
Security Process Improvement

USCIS is in a difficult position. Part of its mission is to provide customer service to those seeking immigration and citizenship benefits from the U.S. Government. However, it is challenging to optimize business processes for customer service while at the same time implementing protective measures to counter the risk posed by granting those very benefits. Many USCIS employees interviewed for this assessment identified the organization's primary risk as allowing the next terrorist to live and work legally in the United States. They desire help in identifying and implementing internal controls to counter that risk. Some of the interviewees, however, even some of the ISSOs and data owners, focused on leakage of PII as their primary concern. After delving into the matter with the assessment team, they came to understand the risk posed by exposure or misuse of critical data as the greatest risk faced by USCIS, primarily because such a security breach could result in allowing a terrorist into the country.

A critical issue for USCIS is ensuring the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: U.S. citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of USCIS' mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Enterprise Risk Management
Responsible Personnel: USCIS Leadership; ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Individual organizations within USCIS do risk management related to their particular domain. For instance, IT does risk management from an IT perspective and Financial Management does financial risk management.
Policy or Practice Gaps: USCIS personnel stated there is no enterprise risk management process for analyzing the organization's overall risk. In interviews, some USCIS staff, including some ISSOs, data owners, and OIT staff, seemed to view loss of PII as the most important insider threat risk. All of the assessment questions were answered in the context of loss of PII. When we asked specifically what they see as the biggest insider threat risk, everyone seemed to agree it is creation of real citizenship documents for people who should not have them. In fact, interviewees at the Vermont Service Center categorized the functions characterized by the highest risk as follows:
1) Unlawful alien in the United States granted nonimmigrant status
2) Someone with nonimmigrant status granted permanent residency, which means he or she can live and work indefinitely in the United States and also can petition for relatives.
The Vermont Service Center is implementing separation of duties for performing functions 1 and 2 above (granting nonimmigrant status and moving someone from nonimmigrant status to permanent residency) so that one USCIS adjudicator alone cannot take an applicant from unlawful to permanent resident. These two functions will be performed at different physical locations 29 miles apart. The Vermont Service Center has not had an adjudicator who performed both functions 1 and 2 for the same applicant.
Suggested Countermeasures: We suggest that USCIS institute an enterprise risk management program. Without a common vision for risk management, the ISSOs and all organizations within USCIS cannot effectively understand the risk environment and work together to effectively mitigate risk. Again, an enterprise risk management program will ensure that everyone across USCIS is working together to mitigate the highest priority risks. There are regulations and laws surrounding protection of PII, but focusing primarily on that issue can lead to a false sense of security if other, more important risk areas are given less attention. This decision demonstrates that leadership at the Vermont Service Center recognizes the significant risk of creating legal citizenship documents for illegal aliens and is taking steps to mitigate that risk. However, our insider threat assessment has uncovered other issues that could be addressed to mitigate that risk. Again, a formal risk analysis would enable USCIS to thoroughly examine the issues and prioritize countermeasures using a formal process. For example, an alternative to the physical move could be to implement an audit mechanism to look for adjudicators who performed both functions 1 and 2 for the same applicant.
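The audit mechanism suggested above (look for adjudicators who performed both function 1 and function 2 for the same applicant), as an added example that is not part of the CERT report; the CSV layout, field names and sample records are assumptions:

```python
"""Separation-of-duties audit over adjudication records.

Added example (not code from the CERT/USCIS report): implements the audit
mechanism the report suggests as an alternative to the physical move, i.e.
flag adjudicators who performed both function 1 (granting nonimmigrant
status) and function 2 (granting permanent residency) for the same applicant.
The CSV layout, field names and sample records below are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Function numbers as used in the report's list of highest-risk functions.
GRANT_NONIMMIGRANT_STATUS = 1
GRANT_PERMANENT_RESIDENCY = 2

# Constructed sample export of adjudication actions (assumed layout).
# adj-103 performs both functions for applicant A-2002; the other
# applicants are handled by different adjudicators or one function only.
SAMPLE_LOG = """\
date,adjudicator,applicant,function
2010-03-02,adj-101,A-2001,1
2010-09-14,adj-102,A-2001,2
2010-04-05,adj-103,A-2002,1
2010-10-01,adj-103,A-2002,2
2010-05-20,adj-103,A-2003,1
2010-11-30,adj-103,A-2002,2
"""


def parse_log(text):
    """Parse the CSV export into a list of records with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "date": date.fromisoformat(row["date"]),
            "adjudicator": row["adjudicator"],
            "applicant": row["applicant"],
            "function": int(row["function"]),
        })
    return records


def find_sod_violations(records):
    """Return one finding per (adjudicator, applicant) pair where the same
    adjudicator performed both functions for that applicant.

    Each finding carries the earliest date of each function so a reviewer
    can see that one person took the applicant from nonimmigrant status
    to permanent residency.
    """
    # (adjudicator, applicant) -> {function: earliest date seen}
    earliest = defaultdict(dict)
    for rec in records:
        key = (rec["adjudicator"], rec["applicant"])
        fn = rec["function"]
        if fn not in earliest[key] or rec["date"] < earliest[key][fn]:
            earliest[key][fn] = rec["date"]

    findings = []
    for (adjudicator, applicant), dates in sorted(earliest.items()):
        if (GRANT_NONIMMIGRANT_STATUS in dates
                and GRANT_PERMANENT_RESIDENCY in dates):
            findings.append({
                "adjudicator": adjudicator,
                "applicant": applicant,
                "nonimmigrant_status_granted": dates[GRANT_NONIMMIGRANT_STATUS],
                "permanent_residency_granted": dates[GRANT_PERMANENT_RESIDENCY],
            })
    return findings


def sample_findings():
    """Run the audit over the constructed sample export."""
    return find_sod_violations(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The same check can be run periodically over a real export so that a separation-of-duties breach is detected even where the two functions are not physically separated.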
Area of Concern: Enterprise-Wide Communication
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no consistency of controls from one service center to the next. We were told they each operate fairly independently.
Suggested Countermeasures: USCIS would benefit from ongoing communications about risk-based issues between the service centers. For instance, communications concerning problems, effective countermeasures, modifications to business processes, or ideas for countering increased risk could lead to an improved risk posture for the entire USCIS enterprise.
Area of Concern: Continual Security Process Improvement
Responsible Personnel: USCIS Leadership; ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: The USCIS Convictions Task Force is an excellent forum for analyzing past criminal cases and determining measures that should be instituted to prevent similar crimes in the future.
Policy or Practice Gaps: There is no process for following up on a case after the Office of Special Investigation (OSI) finishes an investigation. The Convictions Task Force is the only process we found for formal tracking, analysis, and process improvement based on actual incidents. The assessment team asked various groups if there is any follow-up to incidents, for instance implementing automated scripts or controls to detect the same incident in the future. The team could not find a single person who knows of such an activity. Many examples of employee misconduct cited to the assessment team could easily have been detected or even prevented via automated controls. In addition, there is no mechanism for communicating issues outside of a given service center.
Suggested Countermeasures: In nearly 25% (91) of the cases in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 of these cases it was because of inadequate auditing of irregular processes. In 29% of the cases, the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analysis of the OSI's findings and the development of automated checks implemented nationally.
Area of Concern: USCIS Employees are Potential Targets for Recruitment
Responsible Personnel: Human Resources; Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Some USCIS employees interviewed have received a request for assistance from a friend, relative, or stranger seeking to promote a case for some form of applicant. One adjudicator said he does not tell others who he works for. However, the distinctive green parking sticker on his car could, in a small town like Burlington, VT, reveal the identity of his employer. USCIS personnel are therefore unusually vulnerable to solicitation by outsiders.
Suggested Countermeasures: Twenty-nine percent of the insiders in the CERT Insider Threat Case database were recruited by outsiders to commit their crimes. USCIS should consider increasing the security awareness training provided to USCIS employees and contractors. The training should be continuous, including portions intended to raise awareness of the potential target that USCIS employees present. All employees should be aware of the consequences of participating in fraud against USCIS as well as how to report solicitations made to commit fraud.
Area of Concern: Transformation
Responsible Personnel: USCIS Leadership; Data Owners; Information Technology; Human Resources
Policy and/or Security Measure: Transformation is a large business process reengineering effort in USCIS that is primarily focused on improved customer service and fraud detection. For example, the assessment team was told that Transformation will automatically validate data in CLAIMS against other external systems (e.g., ICE and FBI) and that security requirements and controls have been identified by current C3 LAN data owners.
Policy or Practice Gaps: Transformation was mentioned in most interviews for this assessment. It appears that USCIS is relying heavily upon Transformation to correct many of the problems resulting from legacy systems. However, it is unclear whether internal personnel security and information security concerns will be included in this program. This reliance on a single effort makes the effectiveness of this effort very important. Reading the Transformation requirements documentation, it is not clear that insiders are considered in the security requirements for prevention and detection of fraud or national security in USCIS systems.
Suggested Countermeasures: USCIS should consider the Transformation project from an enterprise-wide perspective. It is important for it to use a formal requirements gathering process in order to effectively mitigate both internal and external threats. Personnel security should be included as well as information security to ensure that the appropriate internal controls are in place to reduce the risk posed by malicious insiders.
Training and Awareness

It is essential that security awareness training be consistently provided to all employees to ensure that security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure by coworkers or others in an organization to report concerning behavior was a primary reason insiders in the CERT Insider Threat Case database were able to set up or carry out their attacks. USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Area of Concern: Training or Skills Required of Those in Appointed Security Roles
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: USCIS has a training process through an information systems security manager (ISSM). USCIS relies heavily on contractors to provide adequately trained staff.
Policy or Practice Gaps: Many ISSOs are not well versed in security. ISSOs are currently in an education process, but ISSOs are typically not security watchdogs.
Suggested Countermeasures: ISSOs must have proper training in order to keep up with the ever-changing information security environment and to be able to deal with the myriad technologies and tools available to them. Appropriate budget should be allocated for ISSO training, including vendor-specific training (e.g., McAfee and Cisco) and industry-specific training (e.g., SANS).
Appendix B: Human Resources

Employee Issues

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern by current employees. Some cases from the CERT Insider Threat Case database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations should establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by HR and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring, and clear requirements for ensuring employees' knowledge of these guidelines are essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information. Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

CERT suggests enhancements to the USCIS hiring and termination processes. For example, USCIS should consider additional screening for high-risk positions, such as adjudicators. USCIS should also consider becoming more involved in vetting Foreign Service Nationals (FSN) prior to granting them access to USCIS critical systems and data. Finally, USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.
Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Pre-Employment Screening
Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: The employee screening process lacks any form of psychological screening for a range of positions, including adjudicators.
Suggested Countermeasures: Five percent (18) of the insiders in the CERT database had possible psychological issues. USCIS should consider including psychological testing as part of the new hire process for select positions, including adjudicators. Given the significant social pressures on adjudicators and the relative lack of monitoring for insider risk, it seems important to improve this aspect of screening.

Area of Concern: Pre-Employment Screening (continued)
Responsible Personnel: Human Resources
Policy and/or Security Measure: Applicants are assigned a rating by HR; the rating is used to rank applicants.
Policy or Practice Gaps: There is currently no audit log that would capture instances in which someone in HR changed a rating to enable someone to get hired more easily.
Suggested Countermeasures: USCIS should consider implementing an audit log to track the candidate ratings and alert when candidate ratings are changed by someone in HR.
Area of Concern: Pre-Employment Screening (continued)
Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire.
Policy or Practice Gaps: PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires who have risk factors that do not cross adjudication guidelines for disqualification.
Suggested Countermeasures: USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Area of Concern: Pre-Employment Screening (continued)
Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: Each field office determines whether or not to meet an applicant face to face before hiring.
Policy or Practice Gaps: There was an impression at headquarters that nearly 100% of those hired by managers are interviewed, but representatives in Burlington, Vermont told us otherwise. This gap between perception (there is not a policy stating this must be done) and reality is of concern. There have been known instances in which applicants were only screened on paper or over the phone before being hired. Standard operating procedures are not followed at all field offices.
Suggested Countermeasures: USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.
Area of Concern: Pre-Employment Screening (continued)
Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: PERSEC vets federal employees and contractors (with a minimum background investigation). USCIS relies on the U.S. Department of State to vet foreign national employees who work at embassies or consulates abroad. FSNs in some instances are granted accounts on USCIS information systems. If FSNs need access to DHS systems (including USCIS), currently this access must be approved by the CSO and CIO for DHS.
Policy or Practice Gaps: This practice was not always followed consistently in the past, so there may be FSNs who were granted access without all the current vetting and approvals.
Suggested Countermeasures: USCIS should consider becoming more involved in vetting of FSNs prior to granting them access to USCIS systems. In addition, USCIS should audit current FSNs with access to USCIS systems and ensure that appropriate vetting was performed.

Area of Concern: Candidate Certification Verification
Responsible Personnel: Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: USCIS does not have a standard procedure for verifying the certifications of job applicants.
Suggested Countermeasures: USCIS should consider implementing a step in the new hire process to verify certifications of all candidates. A few insiders documented in the CERT Insider Threat Case database were able to obtain positions in organizations by providing falsified certifications.
Area of Concern: Employee and Contractor Termination
Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: Exit procedures are recently developed and in some cases still under development (i.e., formal exit procedures are expected to be released in 3 months).
Policy or Practice Gaps: It appears the responsibility for ensuring that employees and contractors are terminated rests solely with the manager. It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment.
Suggested Countermeasures: USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Area of Concern: Employee and Contractor Mandatory Drug Testing
Responsible Personnel: Human Resources
Policy and/or Security Measure: All federal positions are subject to drug testing, but only for new hires.
Policy or Practice Gaps: According to a USCIS Convictions Task Force investigation case, all contractor positions do not require drug testing.
Suggested Countermeasures: Fifteen insiders documented in the CERT Insider Threat Case database exhibited substance abuse. USCIS should consider implementing mandatory post-hire drug testing for all employees and contractors.
Appendix C: Physical Security

Field Offices
Access Following Termination
Security of Physical Case Files

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can also provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the national capital region (NCR) since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls. In addition, gaps in termination procedures have resulted in ongoing physical access following termination. Finally, issues concerning the security of physical case files should be considered as part of a USCIS risk management strategy.
Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Physical Security of Field Offices
Responsible Personnel: USCIS Leadership; Physical Security
Policy and/or Security Measure: USCIS is in the process of putting a new access control system in place for the NCR. Before it does, it will disable access for anyone who has not used physical access in more than 12 months, as well as anyone no longer employed by USCIS. It also plans on examining all accounts that have not used physical access in more than 30 days. Security of field offices falls under the Field Security Division (FSD). The Office of Security and Integrity (OSI) recently developed an inspection workbook and is field testing it with FSD. USCIS Field Security Division is planning to put a security representative in every field office. It expects two to three times more reports of violations once it has a representative in every location.
Policy or Practice Gaps: Each USCIS facility has its own policies and access control systems. Some field offices within USCIS have access control systems; others do not. Not all offices in the field have electronic access controls; some only have locks and keys. Not every USCIS site has a physical security representative. Where no representative is present, this responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner. Some managers track who accesses what when, and others do not. According to Physical Security in Vermont, only 20% of violations are being reported to security.
Suggested Countermeasures: Forty of the insiders documented in the CERT database took advantage of inadequate physical security to carry out their crimes. Electronic access controls provide logs that could be useful in investigations of illicit activity outside of normal working hours. USCIS should consider developing enterprise-wide physical security procedures, roll those out to each field office, and require a physical security representative at each site to ensure consistent enforcement of the policies. USCIS should consider prohibiting each field office from developing site-specific policies and removing enforcement control from each site.

Area of Concern: Physical Access Following Termination
Responsible Personnel: Human Resources; Physical Security
Policy and/or Security Measure: No evidence provided
Suggested Countermeasures: In 10 cases documented in the CERT Insider Threat Case database, the insider was able to attack following termination due to failure to notify security employees and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities. USCIS should consider automating the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to physical security s
oph
ysic
ala
cce
ssc
anb
edi
sabl
ed
Cons
ider
con
sist
ente
nfor
cem
ent
and
inve
stig
atio
nof
USC
ISp
hysi
ca
lsec
urity
inci
dent
sA
llal
erts
sh
ould
be
inve
stig
ated
and
Polic
yor
Pra
ctic
eG
aps
Secu
rity
gua
rds
ats
itelo
catio
nsh
ave
on
occ
asio
nig
nore
ddo
orp
ropp
ed
open
ala
rms
beca
use
thef
thas
trad
itio
nally
bee
na
very
sm
allp
robl
ema
t
Polic
yan
dor
Sec
urit
yM
easu
re
No
evid
ence
pro
vide
d
No
evid
ence
pro
vide
d
Resp
onsi
ble
Pers
onne
l
USC
ISL
eade
rshi
p Ph
ysic
alS
ecur
ity
Are
aof
Con
cern
No
Two
Pers
on
Cont
rol
CERT | SOFTWARE ENGINEERING INSTITUTE | 44
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sU
SCIS
docu
men
ted
ifth
eal
erti
sde
emed
unn
eces
sary
then
it
shou
ldb
edi
scon
tinue
dA
llse
cu
rity
vio
latio
nss
houl
dbe
trac
ked
ina
cen
tral
rep
osito
rys
oa
com
pl
ete
hist
ory
for
each
indi
vidu
alis
av
aila
ble
Aft
erH
ours
Acc
ess
Phys
ical
Sec
urit
y
Aut
hori
zed
Acc
ess
Mos
tacc
ess
is2
4ho
urs
ada
y7
days
a
wee
kndash
Tw
enty
nin
eof
the
insi
ders
do
cum
ente
din
the
CERT
dat
aba
seu
sed
phys
ical
acc
ess
outs
ide
ofn
orm
alw
orki
ngh
ours
toa
tta
ck
USC
ISs
houl
dco
nsid
erim
pl
emen
ting
ana
cces
sco
ntro
lsy
stem
that
gra
nts
acce
ssc
om
men
sura
tew
ithth
epo
sitio
nan
em
ploy
eeo
rcon
trac
tor
fills
If
apo
sitio
ndo
esn
otr
equi
rea
cces
sou
tsid
eof
nor
mal
wor
king
hou
rs
the
acce
ssc
ontr
ols
yste
ms
houl
dpr
ohib
itsu
cha
cces
san
dlo
gun
su
cces
sful
acc
ess
atte
mpt
s
Secu
rity
ofP
hysi
ca
lCas
eFi
les
Phys
ical
Sec
urit
y
Prot
ectio
nof
USC
ISC
ase
File
Dat
a
Phys
ical
file
sw
ere
obse
rved
inc
rate
sst
acke
din
the
hallw
ays
inth
eVe
rm
ontS
ervi
ceC
ente
rA
ccor
ding
toa
nin
terv
iew
att
heS
ervi
ceC
ente
ra
ny
one
coul
dw
alk
outw
itha
ldquocr
ate
fullrdquo
of
file
saf
ter
hour
se
spec
ially
ify
ou
are
ate
lew
orke
r
USC
ISa
ssum
esit
sca
sefi
led
ata
is
secu
reb
ecau
seit
sem
ploy
ees
and
cont
ract
ors
have
ac
lear
ance
or
hav
eha
da
back
grou
ndc
heck
It
isim
port
antt
ono
teth
at4
9in
side
rsd
ocum
ente
din
the
CERT
da
taba
sev
iola
ted
need
to
know
CERT | SOFTWARE ENGINEERING INSTITUTE | 45
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
s Ca
sefi
les
are
assu
med
tob
ese
cure
on
ceth
eya
rec
onta
ined
with
ina
Ser
vi
ceC
ente
rb
utth
eyc
ould
be
phys
ica
llya
ltere
dor
sto
len
bya
nyon
ew
ith
phys
ical
acc
ess
toth
efa
cilit
y
One
inte
rvie
wee
sta
ted
that
adj
udic
ato
rsty
pica
llyh
ave
50to
100
file
ssc
at
tere
dar
ound
thei
rof
fice
ord
esk
So
me
are
trac
ked
and
som
em
ayn
ot
be
Adj
udic
ator
sco
nduc
tint
ervi
ews
with
app
lican
tsin
thei
rof
fices
and
th
eym
ight
leav
eap
plic
ants
une
sco
rted
inth
eir
offic
esw
ithth
eca
se
files
whe
nfo
rin
stan
cem
akin
gco
pie
sor
att
endi
ngto
oth
erU
SCIS
bus
ine
ss
Acc
ordi
ngto
the
sam
ein
terv
iew
eei
non
efie
ldo
ffic
en
atur
aliz
atio
nce
rtifi
ca
tes
pas
spor
tsa
ndc
redi
tcar
din
fo
rmat
ion
has
been
foun
din
gar
bage
ca
nsin
the
hallw
ay
Adj
udic
ator
spi
cku
pth
eir
case
sin
an
enve
lope
inth
eir
mai
lbox
D
urin
gth
esi
tev
isit
the
asse
ssm
entt
eam
ob
serv
edth
em
ailr
oom
att
heV
erm
ont
Serv
ice
Cent
eru
natt
ende
dbe
twee
n
polic
ies
inth
eco
mm
issi
ono
fth
eir
crim
es
Ther
efor
er
elyi
ng
onc
lear
ance
sal
one
can
bev
ery
dang
erou
s
Thir
teen
insi
ders
doc
umen
ted
in
the
CERT
dat
abas
est
ole
phys
ical
pr
oper
tyb
elon
ging
toth
eor
gani
za
tion
CER
Tsu
gges
tsU
SCIS
con
si
der
the
cons
eque
nces
oft
heft
or
una
utho
rize
dac
cess
top
hysi
ca
lcas
efil
esa
ndm
ake
ari
sk
base
dde
cisi
onr
egar
ding
pot
en
tialp
olic
yan
dpr
oced
ure
chan
ges
Th
ere
are
stan
dard
pol
icie
san
dpr
oced
ures
forh
andl
ing
sens
itive
in
form
atio
nb
uta
str
ong
educ
atio
nalc
ampa
ign
isn
eede
dto
en
sure
the
prot
ectio
nof
dat
a
CERT | SOFTWARE ENGINEERING INSTITUTE | 46
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
ssh
ifts
(app
roxi
mat
ely
3p
m)
Whe
nad
judi
cato
rsfi
nish
with
afi
let
hey
retu
rnit
toa
dro
pof
fspo
tT
hea
sse
ssm
entt
eam
obs
erve
dth
ose
spot
s
whi
cha
rein
the
open
and
una
tte
nded
A
djud
icat
ors
may
kee
pca
ses
over
nigh
tand
usu
ally
ret
urn
them
w
ithin
1w
eek
Tele
wor
kers
at
Serv
ice
Cent
ers
USC
ISL
eade
rshi
p Ph
ysic
alS
ecur
ity
One
hun
dred
eig
hty
nine
peo
ple
at
the
Verm
ontS
ervi
ceC
ente
rare
au
thor
ized
tow
ork
from
hom
eT
hese
em
ploy
ees
pick
up
files
att
heV
er
mon
tSer
vice
Cen
ter
and
take
them
ho
me
The
yw
ork
2da
ysp
erw
eek
in
the
Serv
ice
Cent
era
nd3
day
spe
rw
eek
ath
ome
USC
ISp
ays
anu
nan
noun
ced
visi
tto
allh
omes
toin
ven
tory
the
empl
oyee
srsquofi
les
atle
ast
quar
terl
yT
hese
em
ploy
ees
mus
tha
vea
lock
edfa
cilit
yin
thei
rho
me
and
mus
talw
ays
have
the
abili
tyto
re
turn
the
files
toth
eSe
rvic
eCe
nter
w
ithin
4h
ours
The
cont
rolo
fUSC
ISd
ata
whe
nit
leav
esth
eVe
rmon
tSer
vice
Cen
ter
is
diff
icul
tto
enfo
rce
Em
ploy
ees
mus
tha
vea
ppro
pria
tes
tora
gefa
cilit
ies
bu
tthe
yco
uld
easi
lyc
opy
USC
ISd
ata
and
shar
eit
with
una
utho
rize
din
di
vidu
als
Twen
tyn
ine
perc
ento
fthe
in
side
rsd
ocum
ente
din
the
CERT
da
taba
sew
ere
recr
uite
dby
out
si
ders
toc
omm
itth
eir
crim
e
Mos
toft
hese
insi
ders
com
mitt
ed
the
crim
efo
rfin
anci
alg
ain
Iti
sim
port
antt
hatU
SCIS
rec
ogni
ze
the
pote
ntia
lfor
recr
uitm
ent
an
dth
ela
cko
fcon
trol
exe
rcis
ed
over
sen
sitiv
eda
taa
tadj
udic
ato
rsrsquor
esid
ence
s
CERT | SOFTWARE ENGINEERING INSTITUTE | 47
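An added example, not code from the report or from USCIS, of the After-Hours Access countermeasure above: access is granted according to an access profile for the position the badge holder fills, attempts outside the permitted hours or days are denied and logged, and the denial log is summarised to show badges with repeated after-hours attempts. Position names, profiles and badge events are constructed.

```python
"""Added example (not from the CERT/USCIS report): an access-control decision
routine that grants facility access commensurate with the position a person
fills and logs unsuccessful attempts, as the After-Hours Access row suggests.
Position names, hours and badge events are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessProfile:
    """Hypothetical per-position access window."""
    start: time                 # earliest badge-in time allowed
    end: time                   # latest badge-in time allowed
    weekdays_only: bool = True  # positions without after-hours need


# Constructed profiles: only facilities staff need round-the-clock access.
PROFILES: Dict[str, AccessProfile] = {
    "adjudicator": AccessProfile(time(6, 0), time(19, 0)),
    "data_entry_clerk": AccessProfile(time(7, 0), time(18, 0)),
    "facilities": AccessProfile(time(0, 0), time(23, 59), weekdays_only=False),
}


@dataclass(frozen=True)
class BadgeEvent:
    badge_id: str
    position: str
    door: str
    when: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AccessControl:
    """Evaluates badge events against the position's profile. Every denial is
    retained so unsuccessful attempts can be reviewed later."""

    def __init__(self, profiles: Dict[str, AccessProfile]):
        self.profiles = profiles
        self.denied_log: List[Tuple[BadgeEvent, str]] = []

    def evaluate(self, ev: BadgeEvent) -> Decision:
        profile = self.profiles.get(ev.position)
        if profile is None:
            return self._deny(ev, "unknown position")
        if profile.weekdays_only and ev.when.weekday() >= 5:   # 5 = Saturday
            return self._deny(ev, "weekend access not permitted for position")
        if not (profile.start <= ev.when.time() <= profile.end):
            return self._deny(ev, "outside permitted hours for position")
        return Decision(True, "within profile")

    def _deny(self, ev: BadgeEvent, reason: str) -> Decision:
        self.denied_log.append((ev, reason))
        return Decision(False, reason)

    def repeat_after_hours_offenders(self, threshold: int = 2) -> Dict[str, int]:
        """Badge IDs with at least `threshold` denied after-hours attempts."""
        counts: Dict[str, int] = {}
        for ev, reason in self.denied_log:
            if reason.startswith(("outside", "weekend")):
                counts[ev.badge_id] = counts.get(ev.badge_id, 0) + 1
        return {b: n for b, n in counts.items() if n >= threshold}


# Constructed badge events (2010-11-15 is a Monday, 2010-11-20 a Saturday).
SAMPLE_EVENTS = [
    BadgeEvent("B100", "adjudicator", "VSC-main", datetime(2010, 11, 15, 9, 5)),
    BadgeEvent("B100", "adjudicator", "VSC-main", datetime(2010, 11, 15, 22, 40)),
    BadgeEvent("B100", "adjudicator", "VSC-main", datetime(2010, 11, 20, 10, 0)),
    BadgeEvent("B200", "facilities", "VSC-main", datetime(2010, 11, 20, 3, 30)),
    BadgeEvent("B300", "data_entry_clerk", "VSC-main", datetime(2010, 11, 16, 6, 45)),
    BadgeEvent("B400", "visitor", "VSC-main", datetime(2010, 11, 16, 10, 0)),
]


def run_sample() -> Tuple[List[bool], Dict[str, int]]:
    """Evaluate the sample events and report repeated after-hours denials."""
    ac = AccessControl(PROFILES)
    outcomes = [ac.evaluate(e).allowed for e in SAMPLE_EVENTS]
    return outcomes, ac.repeat_after_hours_offenders()


if __name__ == "__main__":
    outcomes, repeats = run_sample()
    print(outcomes)   # [True, False, False, True, False, False]
    print(repeats)    # {'B100': 2}
```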
Appendix D: Business Processes
Technical Controls, Authorization via PICS, Account Management

A variety of cases from the CERT Insider Threat Case database document insider attacks where gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environments is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors are targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE PICS system for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Area of Concern: Authorization for USCIS Critical Systems through PICS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Several critical USCIS systems are tied to PICS for authentication, which is administrated by the ICE. PICS logs account creations, when the accounts were created, what roles applied to the accounts, etc. LPOs control access for sheriffs, petitioners, CBP, DOJ, TSA, DHS OIG, Terrorism Task Force, and others. Accounts are based on personnel records, so LPOs cannot create accounts for anyone who is not an employee at their site.
Policy or Practice Gaps: PICS permits users outside of USCIS to authorize users for any USCIS application tied to PICS. Two thousand local PICS officers (LPOs) in the ICE and USCIS can create new accounts in PICS for employees located at their sites. However, PICS administrators can create accounts for anyone working at their site for any system tied to PICS.
Suggested Countermeasures: USCIS should consider implementing an authorization process and system that enables it to control who is granted access to USCIS systems and data. CERT suggests that USCIS validate current PICS accounts and roles against current employee lists. Ten percent (37) of the insiders documented in the CERT database had excessive privileges which enabled them to attack. In addition, because "privilege creep" enabled a few (six) of the insiders documented in the CERT database to carry out their crimes

Verification Information System (VIS)

Area of Concern: Sharing VIS Accounts
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: VIS administrators in external companies or agencies have been caught letting multiple employees use the same VIS account, but USCIS has no ability to take any action. The accounts enable employees to validate PII and citizenship information.
Suggested Countermeasures: Twenty-four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing accounts more difficult.

Area of Concern: Logging, Auditing, and Alerting in VIS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Modifications by VIS users to critical data are logged.

Computer Linked Application Information Management System (CLAIMS) 3 LAN

Area of Concern: Self-Selection of Adjudication Cases
Responsible Personnel: ISSOs; Data Owners
Policy and/or Security Measure: Adjudicators can self-select cases (according to an interview concerning an internal incident that occurred at the USCIS and interviews with data owners at the Vermont Service Center). Within the Service Centers, adjudicators have virtually unlimited access to applicant files; there are no need-to-know limitations or controls to prevent an adjudicator from accessing sensitive information and reporting it to outsiders, or modifying a file (entering an invalid decision). Adjudicators can also approve a case that is not assigned to them. There is no tie between the case management system (i.e., National File Tracking System or NFTS) and the case adjudication system (i.e., CLAIMS).
Policy or Practice Gaps: In the internal case that occurred at USCIS, the perpetrator circumvented the interview process for 14 months; he approved "no show" cases. There were no controls to detect this. In addition, adjudicators can adjudicate any type of case even though they are each assigned certain types of benefits cases for adjudication.
Suggested Countermeasures: USCIS should consider implementing technical controls to prohibit adjudicators from self-selecting cases to adjudicate.

Area of Concern: Emphasis on Customer Service Over Risk
Responsible Personnel: Data Owners
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: One interviewee at the Vermont Data Center said that "stats" can be a strain, especially for new hires, although they do get a 90-day grace period.
Suggested Countermeasures: USCIS should use caution in emphasizing customer service as the only performance metric, because this could encourage lack of attention to risk-related activities (such as accurate adjudication decisions).

Area of Concern: Lack of Separation of Duties in CLAIMS
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Currently all declined requests for benefits are reviewed by a supervisor. However, there was a discrepancy during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. Only a random sample of approved adjudication decisions is reviewed. For some cases (for instance, victims' cases) a senior adjudicator has to review the decision after the adjudicator enters it, then the supervisor reviews it. This is a manually enforced process. There was another discrepancy in interviews: the adjudicators said that when adjudicators are in training they are under 100% review. They are in training on a specific type of case for at least 6 months. Auditing for improperly granted benefits is based on sampling and/or blind quality assurance (QA) according "to Army standards" after the fact. A randomly selected 30 cases per quarter are also reviewed by "sister centers". The QA process varies office by office (no national process). This QA has been done for the past year and a half. In the Vermont field office each supervisor pulls at least 10 cases per adjudicator per month. They review decision-related issues, security-related issues, and procedural issues (did they follow the right steps). They also look for lessons learned. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Some cases are more than 1000 pages, so every detail cannot be practically reviewed for every case. Clerks pull cases a couple of times per month, a certain number of cases per employee. Those cases are passed to QA, who reviews the cases. QA then sends feedback to the supervisor and adjudicator if they find something that does not look right.
Suggested Countermeasures: USCIS should consider implementing automated processes to prevent and detect fraud. Management indicated it would like to see automated technical enforcement of the review and approval process. In nearly ten percent (39) of the cases documented in the CERT database, insiders took advantage of insufficient separation of duties to carry out their crimes. USCIS should carefully consider the biggest risk to the organization. Many of the USCIS employees interviewed for this assessment identified the primary risk for the organization as allowing the next terrorist to live and work legally in the United States. They desire assistance in identifying and implementing internal controls to counter that risk. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it. If USCIS agrees that granting legal documents to illegal applicants is one of the biggest risks to the organization, then it should consider requiring dual authorization for these adjudication decisions.

Area of Concern: Lack of Automated Checks
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Vermont IT has done data sweeps after it found something suspicious. When it has done so, it has found more of the same activity.
Policy or Practice Gaps: There are no automated checks (there will be in Transformation). Checks that do exist are managed at the local level rather than alerting to the headquarters level.
Suggested Countermeasures: In nearly twenty-five percent (91) of cases documented in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 cases it was because of inadequate auditing of irregular processes. In 29 of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analyzing the OSI's findings and developing automated checks that are rolled out nationally.

Area of Concern: Physical Security of Case Files
Responsible Personnel: Data Owners; Adjudicators
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: The NFTS tracks millions of files. It was described, however, as a very large warehouse where files do occa
Suggested Countermeasures: Ten percent (40) of the insiders documented in the CERT database carried out their crimes by
the same applicant.

Area of Concern: Disabling Access to CLAIMS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Currently, every month USCIS compares the Human Resources attrition list against the C3 LAN account list and disables inactive employee accounts.
Policy or Practice Gaps: The new HR form has not been socialized or widely advertised. It is up to the COTRs and supervisors to consistently request that access be disabled when an employee or contractor no longer needs access.
Suggested Countermeasures: C3 LAN will be retired as part of Transformation. C4 will also be retired. A copy of security controls and requirements has been provided by C3 LAN data owners to Transformation. It is important for the Transformation team to make risk-based decisions in Transformation design and development.
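An added example, not the report's or USCIS's code, of the automated checks the Self-Selection of Adjudication Cases and Lack of Separation of Duties in CLAIMS rows above call for: it joins constructed case-assignment records (standing in for the NFTS) against decision records (standing in for CLAIMS) and flags decisions on unassigned cases, decisions outside an adjudicator's assigned form types, approvals on interview-required forms with no interview recorded, and denials that skipped supervisor review. Record layouts, adjudicator names and form types are assumptions.

```python
"""Added example (not from the CERT/USCIS report): separation-of-duties checks
run over constructed assignment and decision records. The record layouts,
adjudicator names and form types are assumptions made for the example."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Assignment:
    """What the case-management system knows about a case."""
    case_id: str
    form_type: str
    assigned_to: str
    interview_required: bool


@dataclass(frozen=True)
class Decision:
    """What the adjudication system records for a decision."""
    case_id: str
    adjudicator: str
    outcome: str                # "approved" or "denied"
    interview_held: bool
    supervisor_reviewed: bool


@dataclass(frozen=True)
class Finding:
    case_id: str
    adjudicator: str
    rule: str


# Constructed: which form types each adjudicator is assigned to work.
ASSIGNED_TYPES: Dict[str, Set[str]] = {
    "adj_a": {"I-130"},
    "adj_b": {"I-130", "I-485"},
}


def check_decisions(assignments: List[Assignment], decisions: List[Decision],
                    assigned_types: Dict[str, Set[str]]) -> List[Finding]:
    """Cross-reference every decision against the assignment record."""
    by_case = {a.case_id: a for a in assignments}
    findings: List[Finding] = []
    for d in decisions:
        a = by_case.get(d.case_id)
        if a is None:
            findings.append(Finding(d.case_id, d.adjudicator,
                                    "decision on case unknown to case management"))
            continue
        if a.assigned_to != d.adjudicator:          # self-selected case
            findings.append(Finding(d.case_id, d.adjudicator,
                                    "decided a case not assigned to them"))
        if a.form_type not in assigned_types.get(d.adjudicator, set()):
            findings.append(Finding(d.case_id, d.adjudicator,
                                    "form type outside assigned types"))
        if a.interview_required and d.outcome == "approved" and not d.interview_held:
            findings.append(Finding(d.case_id, d.adjudicator,
                                    "approved without required interview"))
        if d.outcome == "denied" and not d.supervisor_reviewed:
            findings.append(Finding(d.case_id, d.adjudicator,
                                    "denial not reviewed by supervisor"))
    return findings


def repeat_offenders(findings: List[Finding], threshold: int = 2) -> Dict[str, int]:
    """Adjudicators with at least `threshold` findings; a trigger for review."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.adjudicator] = counts.get(f.adjudicator, 0) + 1
    return {k: v for k, v in counts.items() if v >= threshold}


# Constructed sample records.
SAMPLE_ASSIGNMENTS = [
    Assignment("C1", "I-130", "adj_a", interview_required=True),
    Assignment("C2", "I-130", "adj_a", interview_required=True),
    Assignment("C3", "I-485", "adj_b", interview_required=True),
    Assignment("C4", "I-130", "adj_b", interview_required=False),
]
SAMPLE_DECISIONS = [
    Decision("C1", "adj_a", "approved", interview_held=True, supervisor_reviewed=False),   # clean
    Decision("C2", "adj_a", "approved", interview_held=False, supervisor_reviewed=False),  # "no show" approved
    Decision("C3", "adj_a", "approved", interview_held=False, supervisor_reviewed=False),  # self-selected
    Decision("C4", "adj_b", "denied", interview_held=False, supervisor_reviewed=True),     # clean
    Decision("C9", "adj_b", "denied", interview_held=False, supervisor_reviewed=False),    # no NFTS record
]


def run_sample() -> Tuple[List[Finding], Dict[str, int]]:
    findings = check_decisions(SAMPLE_ASSIGNMENTS, SAMPLE_DECISIONS, ASSIGNED_TYPES)
    return findings, repeat_offenders(findings)


if __name__ == "__main__":
    for f in run_sample()[0]:
        print(f.case_id, f.adjudicator, f.rule)
```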
Area of Concern: Non-Attribution for DBA Accounts
Responsible Personnel: Information Technology

Area of Concern: Pending Reduction in Force for Data Entry Clerks
Responsible Personnel: Data Owners; Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Data entry clerks will be losing their jobs when they move to LockBox, which will take over the functionality of accepting remittances for benefit applicants. It was stated that the data entry clerks might be hired away to work at the organization which performs that function.
Suggested Countermeasures: USCIS should be aware of the increased insider risk in the face of negative organizational events like this. It should consider proactive steps to decrease stress in the workplace and to ease potential financial burdens that could make employees more susceptible to recruitment by outsiders.

Area of Concern: Sharing Accounts in CLAIMS
Responsible Personnel: Data Owners; Information Technology; Data Entry Clerks
Policy or Practice Gaps: The NFTS will not let clerks log in if they have not used the system for a certain number of days. A clerk's cubemate will log in for their cubemate if it is the end of the day and IT has gone home for the day.
Suggested Countermeasures: Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make account sharing more difficult.

Fraud Detection and Naturalization System – Data System (FDNS-DS)

Area of Concern: Elevated Privileges
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: The FDNS-DS is a central repository of fraud and national security investigations. This system holds applicants and petitioners as well as PII. There is also a national security tab.
Policy or Practice Gaps: but there are no national controls to ensure that celebrities' files are not being accessed. There is a large superuser community: more than thirty percent of all FDNS-DS users with access to the FDNS-DS. These accounts have extensive power; a malicious superuser can completely delete a record or modify the summary of findings.
Suggested Countermeasures: Ten percent (39) of the insiders documented in the CERT database took advantage of insufficient access controls. USCIS should consider reducing the number of privileged accounts with access to the FDNS-DS. If the number of superuser accounts were reduced, then enhanced auditing could be employed on transactions conducted using those accounts.

Area of Concern: No Logging of Transactions to FDNS-DS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided

Area of Concern: Unknown Connections to
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided

Area of Concern: Failure to Address Known Security Vulnerabilities
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no automated patching because of the age of the servers and the application. Only critical patches are applied for fear of crashing the servers.
Suggested Countermeasures: Thirteen insiders in the CERT database exploited known security vulnerabilities that were not addressed by the organization. USCIS should consider upgrading the FDNS-DS since these vulnerabilities increase risk of attack from outside and inside.

Area of Concern: Production Data Available to Contractors in Development
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: CSC has production data in the development environment even though it should not have access to production data.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the remote, contractor-owned development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.

Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy or Practice Gaps: Developers cannot release new executables; a separate system administrator has to push them out. Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of lack of adequate configuration management. USCIS has a formal configuration management process. It is important to enforce its use for all employees and contractors. Otherwise, it will be extremely difficult to investigate a crime committed using flaws intentionally injected into source code by a contractor.
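An added example (not code from the report or from USCIS) of the account reconciliation the report describes in three places: the NCR access-control system in Appendix C (disable anyone who has not used physical access in more than 12 months or who is no longer employed, and examine accounts unused for more than 30 days), the suggested validation of PICS accounts against current employee lists, and the monthly comparison of the HR attrition list against the C3 LAN account list. Account fields, identifiers and dates are constructed.

```python
"""Added example (not from the CERT/USCIS report): one reconciliation pass of
an access-control account list against the HR roster and attrition list,
using the thresholds the report quotes for the NCR system. Account fields,
identifiers and dates are constructed for the example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Account:
    account_id: str
    person_id: str              # HR identifier the account is tied to
    last_used: Optional[date]   # None means never used
    enabled: bool = True


@dataclass(frozen=True)
class Action:
    account_id: str
    action: str                 # "disable" or "review"
    reason: str


DISABLE_AFTER = timedelta(days=365)   # "more than 12 months"
REVIEW_AFTER = timedelta(days=30)     # "more than 30 days"


def reconcile(accounts: List[Account], roster: Set[str], attrition: Set[str],
              today: date) -> List[Action]:
    """Return the actions an administrator should take in this cycle.

    roster:    person_ids of everyone currently employed or under contract
    attrition: person_ids HR reports as departed this period
    """
    actions: List[Action] = []
    for acct in accounts:
        if not acct.enabled:
            continue                                   # nothing left to disable
        if acct.person_id in attrition or acct.person_id not in roster:
            actions.append(Action(acct.account_id, "disable",
                                  "person no longer employed"))
            continue
        idle = None if acct.last_used is None else today - acct.last_used
        if idle is None or idle > DISABLE_AFTER:
            actions.append(Action(acct.account_id, "disable",
                                  "no use in more than 12 months"))
        elif idle > REVIEW_AFTER:
            actions.append(Action(acct.account_id, "review",
                                  "no use in more than 30 days"))
    return actions


# Constructed sample data for one monthly cycle.
TODAY = date(2010, 12, 1)
SAMPLE_ROSTER = {"P1", "P2", "P3", "P4"}
SAMPLE_ATTRITION = {"P3"}
SAMPLE_ACCOUNTS = [
    Account("A1", "P1", date(2010, 11, 29)),                 # active, fine
    Account("A2", "P2", date(2010, 10, 1)),                  # idle 61 days
    Account("A3", "P3", date(2010, 11, 30)),                 # on attrition list
    Account("A4", "P4", date(2009, 6, 1)),                   # idle > 12 months
    Account("A5", "P5", date(2010, 11, 30)),                 # not on roster at all
    Account("A6", "P1", None),                               # never used
    Account("A7", "P2", date(2009, 1, 1), enabled=False),    # already disabled
]


def run_sample() -> Dict[str, str]:
    """Map account id to the action decided for it."""
    return {a.account_id: a.action
            for a in reconcile(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, SAMPLE_ATTRITION, TODAY)}


if __name__ == "__main__":
    for act in reconcile(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, SAMPLE_ATTRITION, TODAY):
        print(act.account_id, act.action, act.reason)
```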
Ap
pen
dix
EI
nci
den
tR
esp
onse
Inci
dent
Man
agem
ent
Se
curi
tyA
war
enes
s
Conc
erni
ngB
ehav
iors
Thro
ugh
case
ana
lysi
sC
ERT
has
note
dth
atp
roce
dure
sfo
rre
spon
ding
top
oten
tiali
nsid
erin
cide
nts
pres
entu
niqu
ech
alle
nges
an
inci
dent
re
spon
sep
lan
for
insi
der
inci
dent
sdi
ffer
sfr
oma
res
pons
epl
anfo
rin
cide
nts
caus
edb
yan
ext
erna
latt
acke
rI
nad
ditio
nin
adeq
uate
det
ectio
nan
dre
spon
seto
sec
urity
vio
latio
nsc
ould
em
bold
enth
ein
side
rm
akin
gth
eor
gani
zatio
nev
enm
ore
vuln
erab
leto
an
insi
der
crim
eI
nfa
cti
n18
of
the
case
sdo
cum
ente
din
the
CERT
Insi
der
Thre
atC
ase
data
base
the
org
aniz
atio
nex
peri
ence
dre
peat
insi
der
inci
dent
sof
as
imila
rna
ture
In
si
der
inci
dent
man
agem
ents
houl
dle
vera
gee
xist
ing
secu
rity
pol
icie
san
dfo
rmal
pro
cedu
res
for
hand
ling
polic
yvi
olat
ions
So
me
ofth
eca
ses
from
the
CERT
Insi
d er
Thre
atC
ase
data
base
illu
stra
tein
side
rat
tack
sin
whi
cha
nor
gani
zatio
nrsquos
lack
ofi
ncid
entr
espo
nse
proc
edur
esli
mite
dits
ab
ility
tom
anag
eits
res
pons
eef
fort
som
etim
ese
ven
resu
lting
inm
ultip
lec
rim
inal
act
sby
the
sam
ein
side
r
USC
ISis
ac
ompl
exo
rgan
izat
ion
with
man
ydi
ffer
entc
ompo
nent
sin
volv
edin
det
ectin
gtr
acki
ngi
nves
tigat
ing
and
follo
win
gup
on
empl
oyee
m
isco
nduc
tT
his
com
plex
itya
ndw
idel
ydi
stri
bute
dfu
nctio
ncr
eate
sa
situ
atio
nin
whi
chit
isv
ery
diff
icul
tto
obta
ina
com
plet
epi
ctur
eof
an
in
divi
dual
rsquosin
side
rth
reat
ris
kle
vel
Bec
ause
oft
his
itis
pra
ctic
ally
impo
ssib
lefo
rU
SCIS
toim
plem
enta
pro
activ
epr
ogra
mto
miti
gate
insi
der
thre
at
CERT
str
ongl
yre
com
men
dsth
atU
SCIS
cre
ate
ace
ntra
lrep
osito
ryo
fem
ploy
eem
isco
nduc
tso
itca
nde
tect
indi
cato
rso
finc
reas
ing
in
side
rth
reat
ris
kan
dm
itiga
teth
ema
squ
ickl
yas
pos
sibl
e
Furt
herm
ore
81
ofth
ein
side
rsd
ocum
ente
din
the
CERT
Insi
der
Thre
atC
ase
data
base
dis
play
edc
once
rnin
gbe
havi
ors
inth
ew
orkp
lace
pri
orto
or
whi
lec
arry
ing
out
thei
rcr
imin
ala
ctiv
ities
onl
ine
Sup
ervi
sors
and
em
ploy
ees
shou
ldb
etr
aine
dto
rec
ogni
zea
ndr
espo
ndto
indi
cato
rso
fris
kfo
rvi
olen
ces
abot
age
frau
dth
eft
and
oth
erm
alic
ious
insi
der
acts
Ev
enif
itis
not
pos
sibl
eto
req
uire
non
sup
ervi
sors
to
repo
rtc
o nce
rns
this
tr
aini
ngm
ayin
crea
seth
efr
eque
ncy
ofr
epor
ting
and
the
dete
rren
ceo
fins
ider
act
ions
CERT | SOFTWARE ENGINEERING INSTITUTE | 62
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sLa
cko
fCen
tral
Re
posi
tory
ofE
m
ploy
eeM
isco
nduc
t
USC
ISL
eade
rshi
p Ph
ysic
alS
ecur
ity
Off
ice
ofS
ecur
ity
and
Inte
gri
ty
IfFi
eld
Secu
rity
rec
eive
sa
Sign
ifica
nt
Inci
dent
Rep
ort(
SIR)
the
nit
inve
sti
gate
sE
mpl
oyee
mis
cond
ucti
sth
en
repo
rted
toO
ffic
eof
Sec
urity
and
In
tegr
ity(O
SI)
Ifth
eO
SIin
vest
igat
ion
subs
tant
iate
san
em
ploy
eersquos
mis
con
duct
itp
rovi
des
Coun
teri
ntel
ligen
ce
(CI)
am
onth
lyr
epor
tI
tals
opr
ovid
es
the
empl
oyee
rsquosm
anag
emen
tac
opy
CI
iss
tart
ing
tog
etm
ore
repo
rts
of
acce
ptab
leu
sev
iola
tions
and
sec
urity
vi
olat
ions
It
trac
kse
very
thin
gin
a
file
for
late
rus
ein
rei
nves
tigat
ions
La
bor
Empl
oyee
Rel
atio
ns(L
ER)h
Policy and/or Security Measure (continued): ...as a record of the reports it receives of misconduct, complaints against an employee, rule violations, and so on. HR maintains the Official Personnel File, which contains records of suspensions, etc. LER contacts HR only for those types of actions. The OSI evaluates all complaints it receives and logs them into the case management system. It assigns them to a field office. At that point, any complaints are the responsibility of the special agent in charge at the field office. The field office investigates and sends the case for corrective action to the regional director in the chain of command, and then the regional director returns a management report of action to the special agent in charge. The OSI contacts the DHS OIG for potentially criminal behavior or serious misconduct. If the DHS OIG turns the case down, then it is sent to the field office or to law enforcement. The Personnel Security division (PERSEC) notifies the OSI monthly of arrests (tracked in the case management system), and the OSI notifies PERSEC of investigations.

Policy or Practice Gaps: There is no single place to go for an employee's disciplinary records. The number of organizations involved and management of records is very complex and distributed throughout the organization. According to Physical Security, the field office does not tell the OSI about problems; the OSI finds out when it "hits the press." For example, the OSI is not informed of a disgruntled system administrator who is exhibiting concerning behaviors.

Suggested Countermeasures: USCIS should consider requiring mandatory reporting of all incidents to the OSI. This communication stream will allow the OSI to get involved as early as possible and to document and maintain a central repository of all incidents. This central repository is critical for adequately managing insider threats in USCIS.

CERT | SOFTWARE ENGINEERING INSTITUTE | 63

(Table columns: Area of Concern; Responsible Personnel; Policy and/or Security Measure; Policy or Practice Gaps; Suggested Countermeasures.)

Area of Concern: Tracking of Online Incidents
Responsible Personnel: Information Technology
Policy and/or Security Measure: Computer or network violation incidents are tracked by a Remedy system tied to a unique computer identifier rather than a user, in an attempt to keep PII out of the ticket.
Policy or Practice Gaps: It is difficult to tie an event to a particular person. Even if the identity of an offender is known, repeat offenders are not tracked in any automated or correlated way.
Suggested Countermeasures: USCIS should consider including user information for each incident so that repeat offenders can be easily identified, as repeat offenses could indicate an insider of higher risk.
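As an added illustration (not code from the CERT assessment or from USCIS), the following Python attributes computer-keyed tickets like the ones described above to the user logged in at the time, keeps PII out of the ticket by storing a keyed pseudonym rather than the identity, and counts repeat offences per pseudonym; the sessions, tickets and key are constructed sample data.

```python
"""Added example (not from the CERT/USCIS report): attribute machine-keyed
violation tickets to the user logged in at the time, store only a keyed
pseudonym in the ticket, and flag repeat offenders. All sessions, tickets
and the pseudonym key below are constructed sample data."""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    """One user's login interval on one workstation (constructed)."""
    computer_id: str
    user_id: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Ticket:
    """A Remedy-style violation ticket keyed by computer, not user (constructed)."""
    ticket_id: str
    computer_id: str
    occurred: datetime
    category: str


# Constructed sample data: who was logged in where, and when.
SESSIONS: List[Session] = [
    Session("ws-1042", "u.alpha", datetime(2010, 3, 1, 8), datetime(2010, 3, 1, 17)),
    Session("ws-1042", "u.bravo", datetime(2010, 3, 2, 8), datetime(2010, 3, 2, 17)),
    Session("ws-2077", "u.alpha", datetime(2010, 3, 5, 9), datetime(2010, 3, 5, 18)),
    Session("ws-3001", "u.charlie", datetime(2010, 3, 3, 8), datetime(2010, 3, 3, 12)),
    Session("ws-3001", "u.delta", datetime(2010, 3, 3, 12), datetime(2010, 3, 3, 17)),
]

# Constructed sample tickets as the report describes them: computer id only.
TICKETS: List[Ticket] = [
    Ticket("T1", "ws-1042", datetime(2010, 3, 1, 10, 15), "unauthorized software"),
    Ticket("T2", "ws-1042", datetime(2010, 3, 2, 14, 30), "acceptable-use violation"),
    Ticket("T3", "ws-2077", datetime(2010, 3, 5, 11, 0), "unauthorized software"),
    Ticket("T4", "ws-3001", datetime(2010, 3, 3, 12, 0), "acceptable-use violation"),
    Ticket("T5", "ws-3001", datetime(2010, 3, 4, 9, 0), "unauthorized software"),
]

# Constructed key; in practice held by the security office and rotated.
PSEUDONYM_KEY = b"constructed-demo-key"


def pseudonymize(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of the user id: stable across tickets so offences correlate,
    but the ticket itself no longer carries the person's identity."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def attribute(ticket: Ticket, sessions: List[Session]) -> Optional[str]:
    """User logged into the ticket's computer when the event occurred.
    Returns None when no session or more than one session matches, so an
    ambiguous (shared) login is never silently blamed on one person."""
    hits = [s.user_id for s in sessions
            if s.computer_id == ticket.computer_id and s.start <= ticket.occurred < s.end]
    return hits[0] if len(hits) == 1 else None


def enrich_tickets(tickets: List[Ticket], sessions: List[Session],
                   key: bytes = PSEUDONYM_KEY) -> Dict[str, Optional[str]]:
    """Map ticket id -> user pseudonym (None if the event could not be attributed)."""
    result: Dict[str, Optional[str]] = {}
    for t in tickets:
        user = attribute(t, sessions)
        result[t.ticket_id] = pseudonymize(user, key) if user else None
    return result


def counts_by_computer(tickets: List[Ticket]) -> Counter:
    """The view the report describes: offences per machine, which merges
    different users on one workstation and splits one user across machines."""
    return Counter(t.computer_id for t in tickets)


def repeat_offenders(enriched: Dict[str, Optional[str]], threshold: int = 2) -> Dict[str, int]:
    """Pseudonyms with at least `threshold` attributed tickets."""
    counts = Counter(p for p in enriched.values() if p is not None)
    return {p: n for p, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    enriched = enrich_tickets(TICKETS, SESSIONS)
    print("per computer:", dict(counts_by_computer(TICKETS)))
    print("repeat offenders (pseudonymised):", repeat_offenders(enriched))
    print("unattributed tickets:", [t for t, p in enriched.items() if p is None])
```

On the sample data the per-computer view shows two tickets on ws-1042 (two different people) and none of the repeats, while the attributed view finds one user with two offences across two machines and leaves T5 unattributed for manual review.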
Area of Concern: Consistency in Response to Security Violations and Concerning Behaviors
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no required training for supervisors on how to respond to a range of behaviors associated with many forms of insider risk. Computer use violations are not handled consistently across departments, supervisors, and type of employee. Egregious violations are referred to the OSI for a full investigation, but the criterion for deciding when that is warranted is a gut reaction.
Suggested Countermeasures: Eighty-one of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors prior to or while carrying out their criminal activities. Employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and deterrence of insider actions.

Area of Concern: US Department of State Investigations
Responsible Personnel: Office of Security and Integrity (OSI)
Policy and/or Security Measure: Investigations have been subject to allegations of violations involving Foreign Service Nationals (FSN), but the OSI relies on the US Department of State to investigate.
Policy or Practice Gaps: USCIS has no visibility into US Department of State investigations.
Suggested Countermeasures: FSNs who have access to USCIS systems and data should be included in an insider threat risk mitigation strategy.

Area of Concern: Preparation for Negative Work-Related Events
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There do not appear to be any guidelines, training, or personnel available to evaluate employee insider risk before or after frequently precipitating events such as termination, demotions, transfers, or other disappointments or unmet expectations. There also does not appear to be a group charged with evaluating insider risk from organizational events or developments affecting groups of employees, such as relocations, contract changes, layoffs, and reorganizations.
Suggested Countermeasures: Fifty-five insiders documented in the CERT Insider Threat Case database had negative employment issues. Ninety-four had a change in employment status prior to their attacks, 20 had compensation or benefit issues, and 65 were disgruntled. Supervisors should be trained in these risk indicators. There should also be an available panel of specialists from the OSI or the Labor Employee Relations (LER) trained to assess such risk. Similar specialists should be available to participate in planning and execution of response plans in preparation for negative workplace events that potentially could lead to disgruntlement among the workforce at USCIS.
Area of Concern: Contractor Management
Responsible Personnel: USCIS Leadership, Physical Security, Human Resources
Policy and/or Security Measure: Personnel screening procedures for contractors are similar to those for employees. Contracting companies are required to report any adverse information regarding their employees immediately (in all contracts). LER has no involvement with contractors. They have no record of contractor misbehaviors or complaints against contractors.
Policy or Practice Gaps: Supervisors, the OSI, LER, and others concerned with organizational security may be largely unaware of insider risks related to contractors. Contractors are not subject to government monitoring or risk assessment. A contractor on a critical system may develop or have significant insider risk factors that may remain unknown to government employees due to lack of reporting requirements.
Suggested Countermeasures: Sixty-two of the insiders documented in the CERT Insider Threat Case database were contractors. USCIS contract management staff should consider the need for reporting a range of potential indicators of insider risk among contract staff. Incident response plans should include response to employee and contractor issues.

Area of Concern: Employee or Contractor Concerning Behavior
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security, Office of Security and Integrity, Labor Employee Relations
Policy and/or Security Measure: By policy, it is every employee's responsibility to report suspicious behavior or misconduct. Supervisors who observe concerning or suspicious behavior report it to LER or the OSI. For low-level misconduct, LER advises the field office management on handling the matter. LER reports more serious misconduct with more severe consequences to HR. Misconduct can also be reported via Significant Incident Reports (SIRs). SIRs are sent to Physical Security or to the OSI for investigation. If CI discovers something suspicious during a reinvestigation, it informs the employee's supervisor. The supervisor works with LER and counsel to decide on follow-up actions.
Policy or Practice Gaps: Self-reported drug use, arrest, and associations with foreign nationals during employment are sent to the OSI. The OSI sends results to the supervisor following investigation.
Suggested Countermeasures: Supervisors need to be notified immediately when an employee reports drug use, arrests, or association with foreign nationals so they have an accurate perception of the risk associated with each of their employees. In addition, 18 of the insiders documented in the CERT Insider Threat Case database had possible psychological issues. In collaboration with the OSI and LER, supervisors confronting employees who display concerning behaviors should have the ability to remove them from the workforce pending a medical or psychological evaluation to determine whether they have a disorder or illness that may impair their trustworthiness or judgment or make them a danger to themselves or others. Similarly, empowering supervisors to make an employee assistance program referral and evaluation mandatory in collaboration with LER or the OSI might help remove at-risk individuals from the workforce until they can safely and securely return.
Area of Concern: Electronic Investigations
Responsible Personnel: Information Technology, Office of Security and Integrity
Policy and/or Security Measure: Most allegations reported to the OSI are not very technical; the OIT provides forensics support for investigations (primarily database transactions).
Policy or Practice Gaps: PERSEC has never asked the OIT to review a user's online activity. Only one person in OSI is qualified to do a forensic inspection.
Suggested Countermeasures: USCIS should consider including the OIT in investigations of suspicious activity. CERT's insider threat research has shown that nontechnical concerning behaviors can be associated with online criminal activity. It would be beneficial to check for past technical security violations and have the OIT analyze current online activity as part of the OSI investigations.
Appendix F: Software Engineering

[Introductory text of this appendix only partially recoverable.] Areas of concern covered: Code Reviews, Configuration Management, Logging, Critical Data Controls. Recoverable fragments, in order: "... in the cases documented in the CERT database injected code into source code to facilitate ..."; "... source code were intended to sabotage the organization's systems ... cases the code ... in one case was set to execute following the insider's termination ..."; "... USCIS recognize the po... be carried ... potential illicit activity that could ... the most critical systems and system components ..."; "... insiders, both employees and contractors ... IT sabotage. In most cases the modifications to so... facilitate fraud ..."; "... for a year before finally executing ..."; "... and implement appropriate controls, particularly fo..."; "... malicious ... fraud as the co... planted ... in both case... was ... ware".
Area of Concern: Code Reviews
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Contractors are required to maintain a certain level of process maturity (CMMI Level 3) to be in compliance with USCIS policies. Source code is restricted to those with the need to know. Version Manager is used to control and track changes to source code. Separation of duties is implemented in the software release process: CSC checks new source code into Version Manager; a USCIS employee checks out the source code and releases it into production. The USCIS DBA moves new database objects into the production database.
Policy or Practice Gaps: Another interviewee mentioned that an "Easter egg" was found in source code after the contract was given to a new company.[4]

[4] A virtual Easter egg is an intentional hidden message, joke, or feature in a program, movie, book, etc.
Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: When contractors develop software remotely, they are supposed to register code in Version Manager, but this is not always done consistently. Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of the lack of adequate configuration management.

Area of Concern: Software Engineering Controls in the Service Centers
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Software is being developed in the Service Centers without consistently enforcing the same change management processes enforced at the national (enterprise) level. The centers use a code repository but not Version Manager to track software changes. They do peer reviews of code and believe that enterprise controls for code review are more detailed (although that belief appears to be false according to interviews at headquarters).
Suggested Countermeasures: USCIS should consider consistent policies and procedures for software engineering for the entire enterprise, including the Service Centers.

Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Logs used include database logs, application logs, system logs, remote access logs, and many others.
Suggested Countermeasures: Most insiders documented in the CERT Insider Threat Case database were detected or identified using some kind of system log.

Area of Concern: Production Data in Development Environment
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Development and production systems should be separate in terms of data sharing and access control.
Policy or Practice Gaps: In some cases contractors have access to both systems, including production data in the development environment.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment, and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.
Appendix G: Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems or networks.

In some areas, computer accounts are managed fairly well at USCIS. USCIS is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account. Furthermore, an FSN account and a US citizen federal employee account cannot be distinguished once it is created. Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.
Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore, USCIS has no visibility into who has access to its systems. Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR. Dormant accounts provide a convenient unknown access path for current and former employees to use for illicit activity. A lack of consistency exists in the application of account management practices under the control of USCIS. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
Area of Concern: Account Establishment
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: In order for FSNs to gain access to USCIS systems, they must submit paperwork through proper channels, which eventually requires authorization by the CSO and CIO of DHS.
Policy or Practice Gaps: Prior to 2007, waiver paperwork for FSNs requesting account access was not submitted consistently. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.
Suggested Countermeasures: USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Different personnel are responsible for account creation and deletion across the entire enterprise depending on the system or network in question.
Policy or Practice Gaps: Database administrators may be able to create and delete database and application accounts without a second person verifying that action.
Suggested Countermeasures: Because database administrators have access to such critical data, USCIS should consider separating the task of authorizing access to USCIS databases from the task of managing the data in the databases. This separation of duties may reduce the risk of a database administrator creating an unauthorized account and using that account to carry out a malicious act.

Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: A computer account is established only after a number of criteria have been met, including security awareness training. In addition to the steps required of all personnel for account access, contractors have to go through extra steps, some of which include verification by the COTR.
Policy or Practice Gaps: Computer account access is sometimes granted before security awareness training is completed. This practice may be true especially for contractors, since the onboarding process depends on the contracting agency and the COTR to verify that the training is completed.
Suggested Countermeasures: USCIS should consider requiring computer security awareness training for all personnel (full-time employees, part-time employees, and contractors) and verify that it is complete before creating any system accounts for these personnel.

Area of Concern: Account Management General
Responsible Personnel: Information Technology
Policy and/or Security Measure: PICS is administered by ICE, which has over 2,000 LPOs across various components of DHS. These LPOs are responsible for granting authorized access to PICS for the personnel at their respective work sites. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system.
Policy or Practice Gaps: Although the PICS account process requires the account to be linked to a valid employee, PICS administrators could create unauthorized accounts in the name of valid employees without their knowledge. Invalid accounts are typically flagged only when the account is dormant for a certain period of time. An LPO can also assign rights for any system controlled by PICS. Furthermore, ICE administers this system and could affect USCIS records unbeknownst to USCIS.
Suggested Countermeasures: In 12 of the cases documented in the CERT Insider Threat Case database, insufficient account management enabled the insiders to commit their crimes. USCIS should consider conducting account audits at the local site level, which would allow the validation of current PICS accounts and roles versus current employee lists. USCIS should explore a means of segregating account management in PICS so that LPOs can administer accounts only for their own organization's systems. In other words, USCIS LPOs would only be able to administer authorizations for USCIS systems in PICS, and ICE LPOs would only be able to administer authorizations for ICE systems.
Responsible Personnel: Information Technology, USCIS Leadership
Policy and/or Security Measure: Account management is handled by a number of different groups across USCIS. Although there is an effort to centralize account management, local and regional offices of USCIS have historically done their own account management. If an account has not been used for a certain period of time, it is automatically disabled. The time period stated by various interviewees varied from 30, 60, or 90 days. When an employee moves from one position to another or transfers to another department, the management in those departments must initiate the required computer account changes.
Policy or Practice Gaps: The issue of account management for employee transfers is not being addressed in a consistent manner. The OIT relies on notification by either the new or old supervisor when an employee transfers, but there have been cases in USCIS in which employees have retained access when they should not have.
Suggested Countermeasures: Six insiders documented in the CERT Insider Threat Case database were able to carry out their illegal activities because of "privilege creep." USCIS should review account management procedures to ensure that the steps currently taken to remove or alter account access are complete and being consistently followed. In particular, the procedures used when someone changes locations or departments within USCIS should be examined. As employees transfer throughout an agency, they should not be accumulating privileges. They should only retain privileges commensurate with their job responsibilities.

Area of Concern: Changing Password of Shared Account Upon Termination
Responsible Personnel: Information Technology, USCIS Leadership
Policy and/or Security Measure: There are operating system images used throughout USCIS that permit an administrator to install a standard configuration of an operating system and accompanying software.
Policy or Practice Gaps: Though it would require physical access to a USCIS machine, that former administrator would have administrator rights to GFE.
Suggested Countermeasures: Twelve percent (46) of the insiders documented in the CERT Insider Threat Case database used system administrator privileges to sabotage systems or data. Shared accounts were used by insiders following termination in 14 cases. Although an administrator would need physical access to a piece of equipment, the lack of consistency and awareness of the standard procedures may permit the account of an insider to be used following termination.

Area of Concern: Disabling Accounts or Connections Upon Employee Termination
Responsible Personnel: Human Resources, Information Technology
Policy and/or Security Measure: The OIT typically is notified of an account termination in one of three ways:
1) A standard form called an exit clearance form is distributed and signed by other parties such as Human Resources and the Office of Security and Integrity (OSI). This form lets the OIT know that an employee's accounts should be disabled or terminated.
2) The supervisor of the departing employee contacts the OIT directly and informs them of the employee's departure.
3) When a contractor is involved, it is the responsibility of the COTR to inform the OIT.
The OIT receives an "attrition list" every 2 weeks. When this list is received, a manual check is done to ensure that employees who have departed in the last 2 weeks have their account access deleted.
Policy or Practice Gaps: It is clear from interviews with USCIS personnel that a single process is neither understood nor followed for disabling accounts following an employee or contractor termination. The procedures used are not consistent between supervisors or field offices and for federal employees versus contractors. Sometimes the exit clearance form makes it to the OIT and sometimes it does not. The OIT's task is made even more difficult by the fact that it would need to know exactly which accounts an individual has access to. Though this process is fairly effective, it potentially allows unauthorized access for 2 weeks following termination. Because this is a manual process, there is currently no automatic way to ensure that it happens. USCIS personnel cited an instance in which these procedures failed for an employee who was terminated as a contractor and later hired as a federal employee.
Suggested Countermeasures: Terminating accounts even 2 weeks following termination may not be enough to prevent unauthorized or criminal activity. As soon as HR is aware of the change, a more automated mechanism of deleting these accounts should be implemented.
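The account audit recommended in this and the preceding account management rows, as an added Python example that is not USCIS or CERT code: it reconciles a constructed account export against a constructed HR roster and reports accounts with no record of authorized creation, accounts still enabled after termination or during leave, accounts dormant beyond an assumed 90-day threshold, and roles retained after a transfer; the role entitlement table and the grace period are assumptions.

```python
"""Added example (not USCIS or CERT code): reconcile a constructed account
export against a constructed HR roster and flag the gaps the report lists:
accounts with no record of authorized creation, accounts still enabled after
termination or during leave, dormant accounts, and privileges retained
after a transfer. Thresholds and role entitlements are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Person:
    """HR view of a person (constructed)."""
    user_id: str
    status: str          # "active", "terminated" or "leave"
    position: str
    status_date: date    # date of the latest status or position change


@dataclass(frozen=True)
class Account:
    """One account on one system, as exported from that system (constructed)."""
    user_id: str
    system: str
    enabled: bool
    last_login: Optional[date]
    roles: FrozenSet[str]
    authorization_ref: Optional[str]  # request/waiver id approving creation, if any


# Assumed entitlement model: the roles a position may hold.
POSITION_ROLES: Dict[str, Set[str]] = {
    "adjudicator": {"case_read", "case_update"},
    "supervisor": {"case_read", "case_update", "case_approve"},
    "dba": {"db_admin"},
}

Finding = Tuple[str, str, str]  # (user_id, system, description)


def audit_accounts(accounts: List[Account], roster: List[Person], today: date,
                   dormant_days: int = 90, termination_grace_days: int = 0) -> List[Finding]:
    """Compare each account with HR data and return one finding per problem.
    termination_grace_days=0 reflects the report's point that even a two-week
    lag after termination leaves a window for misuse."""
    people = {p.user_id: p for p in roster}
    findings: List[Finding] = []
    for a in accounts:
        person = people.get(a.user_id)
        if person is None:
            findings.append((a.user_id, a.system, "no HR record for account holder"))
            continue  # nothing else can be checked without a person record
        if a.authorization_ref is None:
            findings.append((a.user_id, a.system, "no record of authorized creation"))
        if (a.enabled and person.status == "terminated"
                and (today - person.status_date).days >= termination_grace_days):
            findings.append((a.user_id, a.system, "enabled after termination"))
        if a.enabled and person.status == "leave":
            findings.append((a.user_id, a.system, "enabled during leave of absence"))
        if a.enabled:
            if a.last_login is None:
                findings.append((a.user_id, a.system, "dormant: never logged in"))
            elif (today - a.last_login).days > dormant_days:
                idle = (today - a.last_login).days
                findings.append((a.user_id, a.system, f"dormant: {idle} days since last login"))
        extra = set(a.roles) - POSITION_ROLES.get(person.position, set())
        if extra:  # privilege creep: roles the current position does not entitle
            findings.append((a.user_id, a.system,
                             "roles beyond position: " + ", ".join(sorted(extra))))
    return findings


# Constructed HR roster as of the audit date.
ROSTER: List[Person] = [
    Person("u.adams", "active", "adjudicator", date(2010, 6, 1)),
    Person("u.baker", "terminated", "adjudicator", date(2010, 11, 1)),
    Person("u.clark", "leave", "supervisor", date(2010, 11, 20)),
    Person("u.davis", "active", "dba", date(2009, 1, 15)),
    Person("u.evans", "active", "adjudicator", date(2010, 10, 15)),  # transferred from supervisor
    Person("u.ghent", "active", "adjudicator", date(2010, 9, 1)),
]

# Constructed account export from two systems.
ACCOUNTS: List[Account] = [
    Account("u.adams", "sys-A", True, date(2010, 11, 28), frozenset({"case_read", "case_update"}), "REQ-0001"),
    Account("u.baker", "sys-A", True, date(2010, 10, 29), frozenset({"case_read", "case_update"}), "REQ-0002"),
    Account("u.clark", "sys-A", True, date(2010, 11, 19), frozenset({"case_read", "case_update", "case_approve"}), "REQ-0003"),
    Account("u.davis", "sys-B", True, date(2010, 7, 1), frozenset({"db_admin"}), "REQ-0004"),
    Account("u.evans", "sys-A", True, date(2010, 11, 30), frozenset({"case_read", "case_update", "case_approve"}), "REQ-0005"),
    Account("u.frank", "sys-A", True, date(2010, 11, 15), frozenset({"case_read"}), "REQ-0006"),
    Account("u.ghent", "sys-B", True, date(2010, 11, 25), frozenset({"case_read"}), None),
]

AUDIT_DATE = date(2010, 12, 1)


if __name__ == "__main__":
    for user, system, what in audit_accounts(ACCOUNTS, ROSTER, AUDIT_DATE):
        print(f"{user:9} {system:6} {what}")
```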
Area of Concern: Disabling Accounts or Connections During Employee Leave of Absences
Responsible Personnel: Information Technology, Human Resources
Policy and/or Security Measure: LPOs work in their respective regions or offices and are decentralized by nature. The policies and procedures followed often depend on how things have been done historically in that particular office.
Policy or Practice Gaps: Because account authorization procedures are not standardized throughout all organizations using the PICS, LPOs across the entire USCIS enterprise have not been consistent in how they have handled account deletion following employee termination. There is no official guidance or practice in the proper way to suspend access for an employee on a leave of absence. In one case provided by USCIS, an employee retained access to critical systems even after being placed on an administrative leave of absence.
Suggested Countermeasures: USCIS should continue its efforts to centralize or reduce the number of LPOs in order for standard procedures to be followed. If this cannot be accomplished, standard procedures should be published, instructed, and consistently enforced. A few insiders documented in the CERT Insider Threat Case database retained access to organization systems while on a leave of absence and used that access to steal information or commit fraud. USCIS should implement a policy to outline exactly what should be done when a government employee or contractor goes on a leave of absence, considering the risks versus benefits of allowing system access.

Area of Concern: Sharing Account and Password Information
Responsible Personnel: Information Technology
Policy or Practice Gaps: Although concern has been expressed about the existence of these accounts, the business justification has taken precedence over the risk being assumed.
Suggested Countermeasures: Access to these accounts should be carefully documented and tracked so that credentials can be changed if someone in that restricted group no longer warrants access.
Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure that network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors have not been through the rigorous pre-employment screening required of USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems, and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Area of Concern: Access Control: Foreign Service Nationals
Responsible Personnel: Information Technology, Human Resources, Office of Security and Integrity
Policy and/or Security Measure: Currently, a Foreign Service National (FSN) requiring access to USCIS systems submits paperwork including a waiver through the USCIS director and the CIO and CSO of DHS.
Policy or Practice Gaps: Although the assessment team was able to get limited visibility into this practice, it seems to be aligned with the policy. If true, it has given USCIS and DHS better visibility into this activity.
Suggested Countermeasures: The practice should be continued and expanded as needed to inform all relevant USCIS personnel.

Responsible Personnel: Information Technology, Human Resources, Personnel Security, Office of Security and Integrity
Policy and/or Security Measure: When FSNs require access to USCIS systems in embassies and consulates abroad, they are vetted by the US Department of State.
Policy or Practice Gaps: Because the US Department of State is performing the vetting process, USCIS has very little control or visibility into the process for granting FSNs access to USCIS systems and networks. Interviewees stated that in some cases FSNs have administrative control over some systems and that in other cases they are serving as information systems security officers (ISSOs).
Suggested Countermeasures: USCIS should gain a better understanding of the US Department of State's vetting process and clar
ifyit
sow
nre
quir
emen
ts
for
gran
ting
and
trac
king
acc
ess
for
FSN
sto
USC
ISs
yste
ms
If
cont
inue
dac
cess
isr
equi
red
the
proc
edur
esto
doc
umen
tand
co
ntro
ltha
tacc
ess
shou
ldb
ene
gotia
ted
with
the
US
De
part
men
tofS
tate
and
con
sis
tent
lye
nfor
ced
Info
rmat
ion
Tech
nolo
gy
Onc
ea
trad
ition
alu
ser
acco
unti
scr
eate
dth
ere
isli
ttle
ton
ow
ayto
di
stin
guis
han
FSN
acc
ount
from
one
be
long
ing
toa
US
citi
zen
Beca
use
anF
SNa
ccou
ntis
not
dis
tin
guis
habl
efr
omo
ther
acc
ount
sit
w
ould
be
extr
emel
ydi
ffic
ultt
oas
so
ciat
esp
ecifi
con
line
activ
ities
with
ac
coun
tsb
elon
ging
toF
SNs
Em
ail
USC
ISs
houl
dco
nsid
erw
heth
er
orn
otit
wan
tsth
eab
ility
tod
is
tingu
ish
wha
tonl
ine
activ
ities
an
dac
cess
esF
SNs
are
enga
ging
in
If
soi
tsho
uld
inco
rpor
ate
CERT | SOFTWARE ENGINEERING INSTITUTE | 83
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sad
dres
ses
appe
arth
esa
me
and
viol
atio
nac
tiviti
esw
ould
not
eas
ilyb
eat
trib
uted
toa
nFS
N
thos
est
eps
into
the
proc
edur
es
men
tione
dab
ove
Info
rmat
ion
Tech
nolo
gy
DH
Sis
inth
epr
oces
sof
bui
ldin
ga
secu
rein
tran
etc
alle
dO
neN
et
whi
chw
illb
ette
ren
able
info
rmat
ion
shar
ing
amon
gD
HS
com
pone
nts
Th
isp
roje
ctw
illb
een
able
dby
inte
rco
nnec
tion
agre
emen
tsb
etw
een
segm
ents
Onc
eth
eap
prop
riat
ein
terc
onne
ctio
nag
reem
ents
are
inp
lace
itw
illb
eha
rder
tor
estr
icta
cces
sfo
rFSN
sto
sp
ecifi
csy
stem
s(e
g
Shar
ePoi
nt)
USC
ISs
houl
dm
ake
ade
term
ina
tion
abou
twhe
ther
or
notF
SN
acce
sss
houl
dbe
any
diff
eren
tfr
omo
ther
sim
ilar
acco
unts
of
US
citi
zens
If
the
lack
ofr
est
rict
ions
isu
nacc
epta
ble
that
is
sue
shou
ldb
ebr
ough
tto
DH
Spe
rson
nelr
espo
nsib
lefo
rim
pl
emen
ting
the
One
Net
sol
utio
n
Acc
ess
cont
rols
Ther
ear
ebu
sine
ssp
roce
ssa
ndr
eso
urce
s(e
g
PICS
CLA
IMS
3a
nd
CLA
IMS
4)th
ata
res
hare
dw
ithIC
E
This
par
tner
ship
isa
nar
tifac
toft
he
past
and
cur
rent
rel
atio
nshi
psb
etw
een
depa
rtm
ents
with
inD
HS
For
thes
esh
ared
res
ourc
esto
func
tio
npr
oper
lyt
hey
requ
ire
care
ful
coor
dina
tion
whi
chd
oes
nott
ake
plac
ein
all
case
sF
ore
xam
ple
USC
IS
does
not
rec
eive
ac
opy
ofth
efo
rmal
ac
cess
req
uest
sub
mitt
edto
ICE
for
anIC
Eem
ploy
eeto
acc
ess
aU
SCIS
sy
stem
USC
ISs
houl
dca
refu
llyd
ocum
ent
wha
tacc
ess
isb
eing
gra
nted
to
any
part
ies
exte
rnal
toU
SCIS
If
addi
tiona
lcoo
rdin
atio
nis
re
quir
edi
tsho
uld
bed
one
with
th
ere
leva
ntd
epar
tmen
tso
fD
HS
For
cert
ain
info
rmat
ion
syst
ems
lo
cala
ndr
emot
elo
gins
are
not
per
m
itted
bet
wee
nth
eho
urs
of1
130
p
ma
nd6
00
am
Th
isp
ract
ice
clos
ely
adhe
res
toth
epo
licy
for
spec
ific
syst
ems
Enfo
rcin
ga
man
dato
rya
cces
spe
riod
may
hel
pen
sure
that
a
mal
icio
usin
side
ris
not
usi
ngs
ys
tem
sw
hen
supe
rvis
ion
isle
ss
ened
Ei
ghtp
erce
nt(2
9)o
fthe
in
side
rsd
ocum
ente
din
the
CERT
In
side
rTh
reat
Cas
eda
taba
se
CERT | SOFTWARE ENGINEERING INSTITUTE | 84
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sus
eda
cces
sou
tsid
eof
nor
mal
w
orki
ngh
ours
toc
arry
out
thei
rill
icit
activ
ities
Whe
nan
em
ploy
eea
ttem
pts
tolo
gin
toa
res
tric
ted
syst
emd
urin
gof
fpe
akh
ours
an
auto
mat
ice
mai
lno
tice
iss
entb
yth
eO
ITto
per
sons
in
the
empl
oyee
rsquosm
anag
emen
tch
ain
ofc
omm
and
This
pra
ctic
eis
not
con
sist
enta
cros
sal
lsys
tem
san
dis
not
par
tofo
ther
in
cide
ntr
espo
nse
proc
edur
es
USC
ISs
houl
dco
nsid
erim
ple
men
ting
this
pra
ctic
ein
toth
ela
rger
sys
tem
ofi
ncid
entr
esp
onse
to
incl
ude
corr
elat
ion
with
oth
ere
vent
san
dov
era
pe
riod
oft
ime
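The two rows above describe a restricted 11:30 p.m. to 6:00 a.m. login window and a per-login email notice that is not correlated with other events. The following is an added example (not code from the CERT report or from USCIS) showing what that correlation could look like: it applies the report's window to constructed authentication log lines and raises an alert only when one user accumulates repeated off-hours logins over a period. The log format, host names, user names and thresholds are assumptions made for the example.

```python
"""Off-hours login detection and correlation (added example, not part of the
CERT/USCIS report). It applies the report's 11:30 p.m. to 6:00 a.m. restricted
window to constructed authentication log lines and correlates repeated
off-hours activity per user over a period, as the countermeasure suggests.
Log format, host names and user names are constructed for the example."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Restricted window from the report: no local or remote logins 11:30 p.m. - 6:00 a.m.
WINDOW_START = time(23, 30)
WINDOW_END = time(6, 0)

# Constructed sample log lines: "<ISO timestamp> <host> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2010-11-01T09:15:02 claims3-app01 LOGIN_OK user=jdoe src=10.1.4.22
2010-11-01T23:41:10 claims3-app01 LOGIN_OK user=jdoe src=10.1.4.22
2010-11-02T02:05:33 claims3-app01 LOGIN_OK user=jdoe src=10.1.4.22
2010-11-02T04:50:00 claims3-db01 LOGIN_FAIL user=jdoe src=10.1.4.22
2010-11-03T00:12:45 claims3-app01 LOGIN_OK user=jdoe src=10.1.4.22
2010-11-03T05:59:59 nfts-web01 LOGIN_OK user=asmith src=10.1.7.9
2010-11-03T06:00:00 nfts-web01 LOGIN_OK user=asmith src=10.1.7.9
2010-11-03T12:30:00 nfts-web01 LOGIN_OK user=bchen src=10.1.9.3
"""

def is_off_hours(ts):
    """True when a timestamp falls inside the 23:30-06:00 window (spans midnight)."""
    t = ts.time()
    return t >= WINDOW_START or t < WINDOW_END

def parse_log(text):
    """Parse constructed log lines into (timestamp, host, event, user, src) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, host, event, user_kv, src_kv = line.split()
        events.append((datetime.fromisoformat(ts_s), host, event,
                       user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return events

def off_hours_events(events):
    """Single-event check: what the existing per-login email notice reacts to."""
    return [e for e in events if is_off_hours(e[0])]

def correlate(events, period=timedelta(days=7), threshold=3):
    """Correlate off-hours activity per user over a sliding period.

    Returns {user: (count, first_ts, last_ts, hosts)} for users whose off-hours
    logins (successful or failed) within any `period` reach `threshold`. This is
    the 'correlation with other events and over a period of time' the report
    recommends, rather than one notice per login.
    """
    per_user = defaultdict(list)
    for ts, host, event, user, _src in off_hours_events(events):
        per_user[user].append((ts, host, event))
    alerts = {}
    for user, items in per_user.items():
        items.sort()
        for i, (start, _h, _e) in enumerate(items):
            window = [x for x in items[i:] if x[0] - start <= period]
            if len(window) >= threshold:
                alerts[user] = (len(window), window[0][0], window[-1][0],
                                sorted({h for _t, h, _e in window}))
                break
    return alerts

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, host, event, user, src in off_hours_events(evs):
        print(f"notice: {user} {event} on {host} at {ts} from {src}")
    for user, (n, first, last, hosts) in correlate(evs).items():
        print(f"ALERT: {user}: {n} off-hours logins {first}..{last} on {hosts}")
```

The single-event notices reproduce the existing practice; the correlated alert is the part the report asks for, and a failed login inside the window counts toward it as well.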
Area of Concern: Access Privileges – General
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: At the Vermont Service Center, OIT staff are the only ones present late at night. As part of their duties, they also have electronic access to the CLAIMS 3 information system.
Policy or Practice Gaps: As a function of the electronic access and the physical layout of the Service Center, OIT personnel have access to CLAIMS 3 as well as the physical files in the building. Unrestricted electronic and physical access to such high-risk data and systems outside of normal working hours presents a high degree of risk to USCIS.
Suggested Countermeasures: USCIS should consider the minimum level of access (least privilege) needed for all personnel to accomplish their job duties. Thirteen percent (49) of the insiders documented in the CERT Insider Threat Case database violated a need to know in order to perpetrate their crimes, including stealing PII and proprietary information. In addition, several insiders committed their crimes while working on the night shift, where they enjoyed a reduced level of scrutiny.

Policy and/or Security Measure: The US Department of State Consular Affairs network grants access to FSNs working in embassies and consulates, and it connects to USCIS systems.
Policy or Practice Gaps: According to one interviewee, some FSNs on the Consular Affairs network are suspected to be working for arms of foreign intelligence or security agencies. USCIS has used technical methods (e.g., firewalls) to ensure that USCIS systems are protected from any interconnections with the US Department of State's networks.
Suggested Countermeasures: Since USCIS cannot determine what access the US Department of State grants to FSNs on its systems, USCIS should continue to use technical measures to prevent unauthorized access while working with counterintelligence personnel to deal with suspected foreign agents working around US government facilities.

Area of Concern: Access Privileges – System Administrator
Responsible Personnel: Information Technology; Office of Security and Integrity
Policy and/or Security Measure: There is a single person who has the knowledge of and responsibility for administering the voice mail systems.
Policy or Practice Gaps: This single point of failure makes it difficult to recover from a malicious act on this particular system.
Suggested Countermeasures: A few insiders in the cases analyzed by CERT used their unrevoked access to the organization's phone system to harm the organization. In one case, the entire customer service voice mail system was redirected to a pornographic phone site. In another, derogatory comments about the organization were recorded and played for every voice mailbox. USCIS should place additional staff in the role of administrators for the USCIS voice mail system. This would allow USCIS to implement some form of separation of duties or, at the very least, minimal checks and balances to prevent tampering with the voice mail system.

Policy or Practice Gaps: These types of accounts are used very infrequently and are often not included in formal termination procedures.
Suggested Countermeasures: USCIS should ensure that it manages accounts and passwords for internal systems, such as voice mail, as well as external accounts. One insider documented in the CERT Insider Threat Case database changed the domain name system registry for his organization's website so that visitors were sent to a pornographic website.

Area of Concern: Management of Remote Access
Responsible Personnel: Information Technology; Security Network Operations Center
Policy and/or Security Measure: Port security would prevent a user from connecting a personal machine directly to a USCIS network. This security mechanism is handled by the SNOC. Remote access, on the other hand, is handled by DHS. USCIS has access to very limited information, including logs for remote connections, because of contract stipulations with Sprint. The assessment team received conflicting opinions about whether a personal machine could be connected with a remote account.
Policy or Practice Gaps: Although connecting a personal laptop to a USCIS network via a remote connection may or may not be blocked, the SNOC was not confident it would be blocked because it does not control that access. It is possible that a user could connect with a personal machine if DHS allowed it.
Suggested Countermeasures: USCIS should coordinate with DHS personnel to ensure that desired USCIS security policies are enforced for personnel accessing USCIS systems and data. Seven percent (26) of the insiders documented in the CERT Insider Threat Case database were able to attack in part because of insufficient monitoring of external access.

Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: The contractors responsible for VIS have implemented a strict access control solution with Firepass, and it appears to accomplish its goal of ensuring that only the proper personnel are granted access and that they perform authorized actions once they are connected.
Policy or Practice Gaps: Unfortunately, they are the only contractors and system using Firepass, and it will not be used once the move is made to Stennis Space Center. They are unsure of what controls will be used at Stennis.
Suggested Countermeasures: Implementing a Firepass solution for all USCIS systems might not be cost effective. USCIS management should at least examine the risk posed to the most critical systems and implement a Firepass-like solution for those that require remote access. As stated above, one in ten insiders documented in the CERT Insider Threat Case database used the creation of unknown paths into organization systems; proper measures might have prevented many of those instances.

Area of Concern: Non-System Administrators With Authorized Access to Administrator Accounts
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: An FSN who is a system administrator for US Department of State systems in embassies or consulates abroad does not necessarily have administrator rights on USCIS systems. The US Department of State has authorized access for some FSNs to some USCIS systems needed for the performance of their duties.
Policy or Practice Gaps: According to one interviewee, FSNs are system administrators on some systems. One interviewee expressed concern, however, that an administrator who is a citizen of a foreign country could escalate privileges or use social engineering tactics to gain unauthorized access to USCIS systems.
Suggested Countermeasures: Ten percent (39) of insiders documented in the CERT Insider Threat Case database took advantage of insufficient access controls to conduct their crimes. USCIS should examine USCIS system access for US Department of State system administrators, as well as how those connections to USCIS systems are monitored or logged. They should also work with the US Department of State to understand its processes for granting FSNs access to US Department of State systems.

Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: There are currently no limits on which A-files an adjudicator can request in the National File Tracking System (NFTS).
Policy or Practice Gaps: The lack of limits placed on requests in NFTS may allow adjudicators to request a file by name even if they should not be accessing that file. In one USCIS case, the insider requested a file transfer to a region for an individual whose files were in another region and whose forms had been previously denied.
Suggested Countermeasures: There should be logical controls to detect "extraordinary" or suspicious file transfer requests.

Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which internal [...] malicious insiders carried out an attack through the download of information to portable media or [...] email [...] to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand what constitutes acceptable use of company resources, including information assets, and enforce compliance with policies regarding what [...] information [...] through technical means. The unauthorized exfiltration of controlled information can have devastating effects on an organization. In some instances, malicious insiders used [...] storage devices [...]. [...] implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic by total volume or type of traffic (e.g., by either port or protocol); [...] monitoring network traffic [...] may help protect controlled information.

Area of Concern: Data Download to Media
Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS has [...] informatio[n] [...]. [...] unauthorized [...] inappro[priate] [...] devices [...] prohibited from [...] systems [...] their uses of [...] exhibiting malicious [...].
Suggested Countermeasures: [...] security awareness campaign [...] 1) Exce[ptions] [...] devices that are technically [...] should be [...] 2) If USB [...] employee[s] [...] signs of [...] USCIS [...] track [...] audit [...] insider [...] devices [...] be logged [...] suspi[cious] [...] in order to [...].

Area of Concern: Data Download From Home
Policy and/or Security Measure: There is a policy against using personally owned computer equipment to perform official duties for USCIS. Telework should only be done with government furnished equipment (GFE).
Policy or Practice Gaps: A case from the USCIS CT Task Force showed that [...] performed a significant amount of official business, including [...] laptop [...] personal email [...] on his personal systems [...] to develop a system that he was rewarded for producing. There are no technical controls to catch this activity unless the device is physically plugged into the network.

Area of Concern: Protecting Critical Information
Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC responds to spills of PII files, which occur on a weekly basis. The information about the incident is transferred from the data owner, who becomes aware of the spill, to the OSI, which creates a Serious Incident Report (SIR) that it forwards to the Privacy Officer and finally to the SNOC.
Policy or Practice Gaps: USCIS responds to PII spillages often enough that its staff is well versed in response procedures. Unfortunately, the frequency with which incidents occur and the response procedures in place do not seem to reduce the number of incidents or provide automated detection when spillage occurs.
Suggested Countermeasures: The response effort to a PII spillage involves many parties and appears to be a complicated process for an event that happens on a weekly basis. Though these spillages are accidental events, [...]

Responsible Personnel: Information Technology
Policy and/or Security Measure: Access to network resources is terminated immediately when a spill or misconduct is suspected.
Policy or Practice Gaps: This practice appears to be done consistently.
Suggested Countermeasures: USCIS should continue this practice as part of its incident response procedures. Incorporating an appropriate level of monitoring would also be a prudent measure.

Audit, Monitor, Backup, Recovery

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

Preventing insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Area of Concern: Modification/Disabling Log Files
Responsible Personnel: Information Technology
Policy and/or Security Measure: Log files are accessible by the domain administrators and system administrators of each respective system.
Policy or Practice Gaps: The lack of consistency for what is logged across USCIS servers, systems, applications, and workstations is concerning. Several parties addressed [...]
Suggested Countermeasures: USCIS should send critical logs to a centralized log server and protect the log files to permit a forensic reconstruction of network or host-based events. Although six percent (23) of the insiders documented in the CERT Insider Threat Case database were able to modify or disable log files, [...]

Area of Concern: Monitoring Suspicious Activity
Responsible Personnel: Information Technology
Policy and/or Security Measure: Database administrators are responsible for monitoring and alerting when data access attempts are made to critical data in USCIS databases.
Policy or Practice Gaps: [Logs] are sometimes limited to 24 hours or less of collection [...] the fact that IT personnel must be able to physically reach a machine in a timely fashion if they hope to capture logs related to an incident. This assumption makes it likely that critical log information will be missed. In addition, the SNOC lacks the resources to focus on monitoring for suspicious insider activity, focusing instead primarily on protection from external incidents.
Suggested Countermeasures: USCIS should consider clearly defining the responsibility of database administrators and the SNOC for monitoring, alerting, and responding to unauthorized data access. Once the responsibility is assigned, the appropriate group should diligently prevent, detect, and respond to unauthorized data access, modification, and exfiltration attempts.

Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS has the ability to create inbound firewall rules to filter potentially malicious network traffic.
Policy or Practice Gaps: Network traffic filtering is happening only on inbound traffic, not outbound traffic. The resources do not exist to examine outbound traffic, only inbound traffic. Furthermore, the intrusion detection systems are not optimized to detect security events.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that monitors and filters inbound and outbound network traffic. This strategy may prevent or detect the unauthorized transfer of USCIS data outside the organization. Many insiders documented in the CERT Insider Threat Case database were able to commit their malicious activities using laptops.

Policy and/or Security Measure: No evidence provided.
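The Protection of Controlled Information section above names the signals an outbound monitoring strategy should look for (large downloads, an anomalous increase in traffic by total volume, traffic of an unusual type by port or protocol), and the row just above notes that USCIS filters only inbound traffic today. The following is an added example, not code from the CERT report or from USCIS, that runs those three checks over constructed per-host flow records against a per-host baseline; the record layout, host names, addresses and thresholds are assumptions made for the example.

```python
"""Outbound-volume anomaly detection over flow records (added example, not
from the CERT/USCIS report). It implements the report's suggestion of a
network monitoring strategy that looks at outbound traffic and flags large
data transfers or an anomalous increase in traffic by total volume or by type
(destination port/protocol). Flow records, hosts and thresholds are constructed."""
from collections import defaultdict
from datetime import date

# Constructed flow records: (day, src_host, dst_ip, proto, dst_port, bytes_out).
FLOWS = [
    (date(2010, 11, 1), "ws-vsc-117", "203.0.113.10", "tcp", 443, 12_000_000),
    (date(2010, 11, 1), "ws-vsc-117", "203.0.113.10", "tcp", 80, 3_000_000),
    (date(2010, 11, 2), "ws-vsc-117", "203.0.113.10", "tcp", 443, 11_000_000),
    (date(2010, 11, 2), "ws-vsc-117", "203.0.113.10", "tcp", 80, 2_500_000),
    (date(2010, 11, 3), "ws-vsc-117", "203.0.113.10", "tcp", 443, 13_000_000),
    (date(2010, 11, 3), "ws-vsc-117", "203.0.113.10", "tcp", 80, 3_200_000),
    # Day 4: the same host suddenly pushes a large volume over a port it never used.
    (date(2010, 11, 4), "ws-vsc-117", "198.51.100.7", "tcp", 22, 900_000_000),
    (date(2010, 11, 4), "ws-vsc-117", "203.0.113.10", "tcp", 443, 12_500_000),
    (date(2010, 11, 1), "ws-vsc-042", "203.0.113.10", "tcp", 443, 5_000_000),
    (date(2010, 11, 2), "ws-vsc-042", "203.0.113.10", "tcp", 443, 5_500_000),
    (date(2010, 11, 3), "ws-vsc-042", "203.0.113.10", "tcp", 443, 4_800_000),
    (date(2010, 11, 4), "ws-vsc-042", "203.0.113.10", "tcp", 443, 5_200_000),
]

SINGLE_FLOW_LIMIT = 500_000_000   # constructed: any one flow over 500 MB is reported
VOLUME_FACTOR = 5.0               # constructed: daily total > 5x the host's baseline

def daily_totals(flows):
    """Aggregate outbound bytes per (host, day) and per (host, day, proto, port)."""
    by_day = defaultdict(int)
    by_type = defaultdict(int)
    for day, host, _dst, proto, port, nbytes in flows:
        by_day[(host, day)] += nbytes
        by_type[(host, day, proto, port)] += nbytes
    return by_day, by_type

def baseline(by_day, host, days):
    """Average daily outbound volume for `host` over the baseline `days`."""
    vals = [by_day[(host, d)] for d in days if (host, d) in by_day]
    return sum(vals) / len(vals) if vals else 0.0

def detect(flows, baseline_days, target_day):
    """Return a list of (host, reason, detail) findings for `target_day`.

    Three checks, matching the report's wording: a single large transfer,
    an anomalous increase in total outbound volume versus the host's baseline,
    and traffic of a type (proto/port) the host never used during the baseline.
    """
    by_day, by_type = daily_totals(flows)
    findings = []
    hosts = {h for _d, h, *_r in flows}
    for host in sorted(hosts):
        for day, h, dst, proto, port, nbytes in flows:
            if h == host and day == target_day and nbytes > SINGLE_FLOW_LIMIT:
                findings.append((host, "large_transfer",
                                 f"{nbytes} bytes to {dst}:{port}/{proto}"))
        base = baseline(by_day, host, baseline_days)
        total = by_day.get((host, target_day), 0)
        if base and total > VOLUME_FACTOR * base:
            findings.append((host, "volume_increase", f"{total} vs baseline {base:.0f}"))
        seen_types = {(p, pt) for (h, d, p, pt) in by_type
                      if h == host and d in baseline_days}
        for (h, d, p, pt), nbytes in by_type.items():
            if h == host and d == target_day and (p, pt) not in seen_types:
                findings.append((host, "new_traffic_type", f"{p}/{pt}: {nbytes} bytes"))
    return findings

if __name__ == "__main__":
    base_days = [date(2010, 11, d) for d in (1, 2, 3)]
    for host, reason, detail in detect(FLOWS, base_days, date(2010, 11, 4)):
        print(f"{host}: {reason}: {detail}")
```

On the constructed data only the first host trips all three checks on the fourth day; the second host, whose volume and traffic type stay within its own baseline, produces nothing.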
Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC is responsible for determining the root cause of an incident, including using forensic tools to identify affected workstations, desktops, and laptops.
Policy or Practice Gaps: The SNOC has had problems identifying the root cause of an affected workstation or user because of the lack of network forensic applications. Ideally, the SNOC should be able to trace network traffic from source to destination and watch activity. It has a standalone forensic capability but nothing on the network.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that includes forensic tools to aid investigations.

Area of Concern: Backups
Responsible Personnel: Information Technology
Policy and/or Security Measure: Backup testing for many systems occurs once per year. In some cases, the backups are only tested with a tabletop exercise and do not use similar or identical hardware to that used in the production environment.
Policy or Practice Gaps: Tabletop exercises may not give USCIS a true indication of its ability to recover from a systemic failure.
Suggested Countermeasures: In six percent (22) of the cases documented in the CERT Insider Threat Case database, the impact of the crime was magnified because of insufficient backups. When possible, backups should be implemented on similar hardware to ensure that the backup tape is functional and the backup is operational.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Years of backup tapes are kept on site at the Vermont Service Center, and system administrators have access to these backup files.
Policy or Practice Gaps: Administrators who have access to the backup tapes would be able to [...]
Suggested Countermeasures: Backup media should be controlled carefully, documented, and stored offsite with limited access. Without those controls, USCIS cannot be sure its backups will give it the ability to recover.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders following termination will sometimes exploit known technical vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.

Area of Concern: Addressing Known Security Vulnerabilities
Responsible Personnel: Information Technology
Policy and/or Security Measure: The OIT relies on two mechanisms to detect the download of malicious code: 1) DHS monitors the Internet gateway and alerts the OIT immediately upon discovery of known malware. The OIT shuts down the port to block malicious code where appropriate. 2) [A] workstation agent [...] also detects installation of malicious code from USBs and other media.
Policy or Practice Gaps: The presence of host, perimeter, and malware protection for USCIS puts USCIS in a relatively secure position regarding malicious downloads.

Area of Concern: Unmanaged Systems
Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS users have local administrator rights on their own machines. This allows users to install software on their systems. Some authorized software does require administrator rights to install. Some applications actually require administrator rights to run.
Policy or Practice Gaps: A mitigating factor is that the departing employee would need physical access to the system to log in. A user with administrator privileges must not rely solely on automatic mechanisms to safeguard his or her computer. Administrator rights give inadvertently downloaded malware the ability to completely compromise a system, sometimes without the knowledge of the user.
Suggested Countermeasures: Twelve percent (46) of the cases documented in the CERT Insider Threat Case database involve users abusing administrator privileges to sabotage systems or data. Although USCIS users need administrator rights to install or run authorized software, the OIT should consider giving users separate administrator accounts for these explicit purposes. Users could then use non-administrator accounts for their daily work. This would greatly minimize the risk of malware compromise.

Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, there have been USCIS employees with seniority or influence who are able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management make it difficult for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: The OIT has a configuration management policy for software configuration baselines. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts.
Policy or Practice Gaps: Despite rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process.
Suggested Countermeasures: Seventeen cases documented in the CERT Insider Threat Case database involve users exploiting the lack or weakness of a configuration management system to carry out their attacks. The OIT could leverage the existing ePO deployment to complement its configuration management efforts. ePO can define a baseline for software applications and alert on any deviations from that baseline.
USC
ISL
eade
rshi
p
No
evid
ence
pro
vide
d
Ins
ome
case
sin
divi
dual
sw
iths
en
iori
tyo
rin
fluen
cea
rea
ble
tou
se
adm
inis
trat
orp
rivi
lege
sto
inst
all
soft
war
efo
rth
esa
keo
fcon
veni
ence
USC
ISs
houl
den
sure
that
con
fig
urat
ion
polic
yis
con
sist
ently
co
mm
unic
ated
and
enf
orce
dth
roug
hout
the
orga
niza
tion
Ev
ens
enio
rle
ader
ship
sho
uld
notb
eab
leto
cas
ually
cir
cum
ve
ntth
ese
polic
ies
with
outg
oing
th
roug
hth
epr
oper
cha
nnel
sas
de
fined
by
the
conf
igur
atio
nm
anag
emen
tpol
icy
Conf
igur
atio
nM
anag
emen
t
USC
ISL
eade
rshi
p In
form
atio
nTe
chno
logy
Serv
ice
Cent
ers
are
resp
onsi
ble
for
lock
ing
dow
nde
skto
psto
pre
vent
un
auth
oriz
eds
oftw
are
from
runn
ing
The
lock
dow
npr
oces
sre
lies
onh
um
anin
terv
entio
nI
fcal
lvol
ume
to
the
Serv
ice
Cent
eris
hea
vyt
his
may
in
crea
ser
espo
nse
time
toa
nun
ac
cept
able
leve
l
The
OIT
sho
uld
expl
ore
way
sto
au
tom
ate
lock
dow
nof
pot
en
tially
com
prom
ised
sys
tem
sT
his
wou
ldr
equi
rea
car
eful
bal
ance
of
ser
vice
ver
sus
secu
rity
O
nth
ese
rvic
esi
ded
elay
edr
espo
nse
by
the
Serv
ice
Cent
erm
ayr
esul
tin
loss
ofp
rodu
ctiv
ity
On
the
secu
ri
tys
ide
del
ayed
res
pons
eco
uld
CERT | SOFTWARE ENGINEERING INSTITUTE | 105
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sle
adto
sys
tem
com
prom
ise
M
anag
emen
tsho
uld
eval
uate
the
risk
sof
ac
ompr
omis
ean
dw
eigh
th
ose
risk
sag
ains
tthe
pot
entia
lco
nseq
uenc
eso
fser
vice
dis
rup
tion
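As an added example, not code from the report or from USCIS/OIT, the baseline-deviation check the table describes (an approved-software list per system image, detection of outdated versions, and installs made outside the deployment channel) in Python. The image names, package names, versions, account names and host inventory are all constructed sample data, and the logic is a generic illustration, not ePO's own.

```python
"""Baseline deviation check for an approved-software list.

Added example (not from the report or from USCIS/OIT): given a per-image
approved-software baseline and one host's installed-software inventory, report
the deviations the text describes: software not on the approved list, outdated
or unpatched versions, and installs done with local admin rights instead of
through the deployment service. All baselines, hosts, package and account
names are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '9.4.0' into (9, 4, 0) so versions compare numerically, not as text.

    Non-numeric suffixes (e.g. '2.1b') are dropped so a malformed field does
    not abort the whole scan.
    """
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    kind: str       # "unapproved", "outdated", or "local_admin_install"
    detail: str


# Constructed baselines, one per system image (the report notes 90 to 150
# images). Each maps package name -> minimum approved (patched) version.
BASELINES: Dict[str, Dict[str, str]] = {
    "image-contract-A": {"office": "14.0.6", "pdfreader": "9.4.0", "epo-agent": "4.6.0"},
    "image-contract-B": {"office": "14.0.6", "browser": "8.0.7", "epo-agent": "4.6.0"},
}

# Accounts allowed to install software: the deployment channel, not a local admin.
DEPLOYMENT_ACCOUNTS = {"SYSTEM", "deploy-svc"}


def check_host(host: str, image: str, inventory: List[dict]) -> List[Finding]:
    """Compare one host's inventory against the baseline for its image.

    inventory entries: {"name": str, "version": str, "installed_by": str}
    where installed_by is the account that performed the install.
    """
    if image not in BASELINES:
        raise ValueError(f"{host}: no baseline for image {image!r}")
    baseline = BASELINES[image]
    findings: List[Finding] = []
    for pkg in inventory:
        name, ver, who = pkg["name"], pkg["version"], pkg["installed_by"]
        if name not in baseline:
            findings.append(Finding(host, name, "unapproved",
                                    f"not on approved list for {image}"))
        elif parse_version(ver) < parse_version(baseline[name]):
            findings.append(Finding(host, name, "outdated",
                                    f"{ver} < approved {baseline[name]}"))
        # An install done with local admin rights is a policy deviation even
        # when the package itself is approved.
        if who not in DEPLOYMENT_ACCOUNTS:
            findings.append(Finding(host, name, "local_admin_install",
                                    f"installed by {who}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, the figure a daily scan report would carry."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed inventory for one host built from image-contract-A.
SAMPLE_INVENTORY = [
    {"name": "office", "version": "14.0.6", "installed_by": "SYSTEM"},
    {"name": "pdfreader", "version": "9.3.1", "installed_by": "deploy-svc"},
    {"name": "epo-agent", "version": "4.6.0", "installed_by": "SYSTEM"},
    {"name": "chatclient", "version": "2.1", "installed_by": "ws-0042\\jdoe"},
]

if __name__ == "__main__":
    for f in check_host("ws-0042", "image-contract-A", SAMPLE_INVENTORY):
        print(f"{f.host} {f.package}: {f.kind} ({f.detail})")
```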
CERT | SOFTWARE ENGINEERING INSTITUTE | 106
Appendix H Acronyms
C3-LAN    CLAIMS 3 – Local Area Network
CBP    Customs and Border Protection
CI    Counterintelligence
CIO    Chief Information Officer
CLAIMS    Computer Linked Application Information Management System
CMMI    Capability Maturity Model Integration
COTR    Contracting Officer's Technical Representative
CSC    Computer Sciences Corporation
CSIRT    Computer Security Incident Response Team
CSO    Chief Security Officer
CMU    Carnegie Mellon University
DBA    Database Administrator
DHS    Department of Homeland Security
DOJ    Department of Justice
FBI    Federal Bureau of Investigation
FDNS-DS    Fraud Detection and National Security Data System
FISMA    Federal Information Security Management Act
FSD    Field Security Division
FSN    Foreign Service National
GFE    Government-furnished Equipment
HR    Human Resources
HSPD-12    Homeland Security Presidential Directive 12
ICE    Immigration and Customs Enforcement
ISSO    Information System Security Officer
IT    Information Technology
LER    Labor and Employee Relations
LPO    Local PICS Officer
NCR    National Capital Region
NFTS    National File Tracking System
ODBC    Open Database Connectivity
OIG    Office of Inspector General
OIT    Office of Information Technology
OSI    Office of Security and Integrity
PERSEC    Personnel Security
PICS    Password Issuance and Control System
PII    Personally Identifiable Information
QA    Quality Assurance
SEI    Software Engineering Institute
SIEM    Security Information and Event Management
SIR    Significant Incident Report
SNOC    Security Network Operations Center
TSA    Transportation Security Administration
USB    Universal Serial Bus
USCIS    US Citizenship and Immigration Services
VIS    Verification Information System
108
Appendix I Management Comments to the Draft Report
109
Appendix J Contributors to this Report
Software Engineering Institute Carnegie Mellon University
Insider Threat Center at CERT
Department of Homeland Security Office of Inspector General
Richard Saunders, Director, Advanced Technology Division
Steve Matthews, IT Audit Manager, Advanced Technology Division
Philip Greene, IT Auditor/Team Lead, Advanced Technology Division
110
Appendix K Report Distribution
Department of Homeland Security
Secretary
Deputy Secretary
Chief of Staff
Deputy Chiefs of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Chief Information Security Officer
USCIS Chief Information Officer
USCIS Chief Information Security Officer
USCIS Audit Liaison Office
Office of Management and Budget
Chief, Homeland Security Branch
DHS OIG Budget Examiner
Congress
Congressional Oversight and Appropriations Committees as appropriate
111
ADDITIONAL INFORMATION AND COPIES
To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.
OIG HOTLINE
To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:
• Call our Hotline at 1-800-323-8603
• Fax the complaint directly to us at (202) 254-4292
• Email us at DHSOIGHOTLINE@dhs.gov, or
• Write to us at DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528
The OIG seeks to protect the identity of each writer and caller
servicecentersincludingthephysicalcasefiles 23
Recommendation8Consistentlyenforceexitprocedures 24
24
fashion 24
25
CERT | SOFTWARE ENGINEERING INSTITUTE | i
Recommendation12 25
Recommendation13Reducethenumberofprivilegedaccountsforcriticaldatasystems
25
Recommendation14 25
Recommendation15Implementproceduralandtechnicalcontrolstopreventsource codeunderdevelopmentfrombeingreleasedwithoutappropriatereview 25
Recommendation16 26
Recommendation17 26
Recommendation18Periodicsecurityrefreshertrainingshouldberegularlyconducted andrequiredforallemployees 26
AppendixHAcronyms 107
AppendixIManagementCommentstotheDraftReport 109
AppendixJContributorstothisReport 110
AppendixKReportDistribution 111
ManagementCommentsandOIGAnalysis 27
Appendixes 28
AppendixAOrganizational 30
AppendixBHumanResources 37
AppendixCPhysicalSecurity 42
AppendixDBusinessProcesses 48
AppendixEIncidentResponse 62
AppendixFSoftwareEngineering 69
AppendixGInformationTechnology 75
CERT | SOFTWARE ENGINEERING INSTITUTE | ii
ExecutiveSummary
TheUSDepartmentofHomelandSecurityOfficeofInspectorGeneralengagedtheInsider ThreatCenteratCERToftheSoftwareEngineeringInstituteatCarnegieMellonUniversity toconductaninsiderthreatassessmentofUSCitizenshipandImmigrationServicesThe objectiveoftheassessmentwastodeterminehowUSCitizenshipandImmigrationSer viceshastakenstepstoprotectitsinformationtechnologysystemsanddatafromthe threatsposedbyemployeesandcontractorsTheassessmentevaluatedUSCitizenship andImmigrationServicesagainstapproximately400realinsiderthreatcompromisesdocu mentedintheCERTInsiderThreatCasedatabaseThesecasesallprosecutedintheUnited Statesincludefraudsabotageandtheftofintellectualproperty
TheassessmentteamperformedfieldworkinthenationalcapitalregionVermontService CenterandUSCitizenshipandImmigrationServicesBurlingtonofficesDuetothelimited scopeoftheassessmentsystemsreviewedandlocationsvisitedCERTwasnotabletover ifytheinstitutionalizationandenforcementofanyUSCitizenshipandImmigrationSer vicesrsquopoliciesorrenderanoverallopinionoftheeffectivenessofUSCitizenshipandImmi grationServicesinsiderthreatpostureTheOfficeofInspectorGeneraldidnotrequest CERTtoconductacomprehensiveinformationsystemrsquostechnicalsecuritycontrolsreviewor vulnerabilityassessmenttodeterminethesusceptibilitytointernalthreatsTheOfficeof InspectorGeneralmayperformanindepthfollowupreviewtorenderanoverallopinionof theeffectivenessofUSCitizenshipandImmigrationServicesinsiderthreatposture
USCitizenshipandImmigrationServiceshasmadeprogressinimplementingelementsof aneffectiveinsiderthreatprogramSpecificallyithasestablishedaConvictionTaskForce toreviewformeremployeesconvictedofcriminalmisconductwithinthescopeoftheirdu tiesperformsriskmanagementforinformationtechnologyandfinancialmanagementde velopedexitproceduresforemployeesimprovedprotectionofitsfacilitiesandassetsand adherestoformalizedprocessesforsomesystemsInadditionitisimplementingHome landSecurityPresidentialDirective12forphysicalandelectronicaccountmanagement
WhiletheseeffortshaveresultedinsomeimprovementsUSCitizenshipandImmigration Serviceshasopportunitiestoimproveitssecuritypostureagainstthreatsposedbyemploy eesandcontractorsForexampleitcaninstituteanenterpriseriskmanagementplanand incorporateinsiderthreatriskmitigationstrategiesintoitsnewbusinessprocessesItcan alsocentralizerecordsofmisconductandviolationsinstitutealoggingstrategytopreserve systemactivitiesimplementseparationofdutiesforadjudicativedecisionsconductaudits ofnonUSCitizenshipandImmigrationServicesaccountsemployconsistentpoliciesfor physicalsecurityandconsistentlyenforceemployeeexitprocedures
Theassessmentteamismaking18recommendationstotheDirectorofUSCitizenshipand ImmigrationServicestostrengthenthedepartmentrsquossecuritypostureagainstmaliciousin siderthreatsUSCISconcurredwithallofourrecommendationsandhasalreadybegunto takeactionstoimplementthemThedepartmentrsquosresponseisincludedinitsentiretyas appendixI
CERT | SOFTWARE ENGINEERING INSTITUTE | 1
Background
TheUSDepartmentofHomelandSecurity(DHS)OfficeofInspectorGeneral(DHSOIG) engagedtheCERTprogramintheSoftwareEngineeringInstituteatCarnegieMellonUniver sitytoconductaninsiderthreatvulnerabilityassessmentofUSCitizenshipandImmigra tionServices(USCIS)Theprojectapproachestheinsiderthreatproblemontwoprimary fronts
Thehumanbehavioralcomponent
Thetechnologicalsolutionforautomatingpreventionanddetectioncapabilitiesto identifymeasuremonitorandcontrolinsiderthreatvectors
Insiderscanbecurrentorformeremployeescontractorsorbusinesspartnerswhohaveor hadauthorizedaccesstotheirorganizationssystemandnetworksTheyarefamiliarwith internalpoliciesproceduresandtechnologyandcanexploitthatknowledgetofacilitate attacksandevencolludewithexternalattackersCERTrsquosresearchconductedsince2001 hasfocusedongatheringdataaboutactualmaliciousinsideractsincludinginformation technology(IT)sabotagefraudtheftofconfidentialorproprietaryinformationespionage andpotentialthreatstoourNationscriticalinfrastructures
CERTdevelopedaninsiderthreatvulnerabilityassessmentinstrumentforevaluatingvulner abilitiestoinsiderthreatbasedonresearchtodateBecauseofthecomplexityofthein siderthreatproblemmdashinvolvingsecurityofficersinformationtechnologyinformationsecu ritymanagementdataownerssoftwareengineeringandhumanresourcesmdashorganizations needassistanceinmergingthewealthofavailableguidanceintoasingleactionableframe workCERTadvisesorganizationstousethisassessmentinstrumenttohelpsafeguardtheir criticalinfrastructure
CERTbuilttheassessmentbasedonresearchofapproximately400insiderthreatcasesin theCERTInsiderThreatCasedatabase1Thesecasesareacollectionofrealinsiderthreat compromisesmdashprimarilyfraudsabotageandtheftofintellectualpropertymdashthathavebeen prosecutedintheUnitedStatesStartingin2002CERTcollaboratedwithUSSecretSer vicebehavioralpsychologiststocollectapproximately150actualinsiderthreatcasesthat occurredinUScriticalinfrastructuresectorsbetween1996and2002andexaminedthem frombothatechnicalandabehavioralperspectiveSincethatoriginalstudyCERThascon tinuedtoaddcaseswithfundingfromCarnegieMellonrsquosCyLab2bringingthecaselibraryto atotalofapproximately400casesTheinstrumentencompassestechnicalbehavioral processandpolicyissuesandisstructuredaroundinformationtechnologyinformation securityhumanresourcesphysicalsecuritybusinessprocesseslegalandcontracting managementandorganizationalissues
1Notethatthedatabasedoesnotcontainnationalsecurityespionagecasesinvolvingclassifiedin formation 2httpwwwcylabcmuedu
CERT | SOFTWARE ENGINEERING INSTITUTE | 2
Objective
TheobjectiveoftheinsiderthreatvulnerabilityassessmentwastodeterminehowUSCIShas takenstepstoprotectitsITsystemsanddatafromthethreatposedbyemployeesandcon tractorsThisassessmentwasbasedonbehavioralaswellastechnicalexperienceanditis intendedtoassistUSCISinsafeguardingitscriticalinfrastructureTheassessmentwill
EnableUSCIStogainabetterunderstandingofitsvulnerabilitytoinsiderthreatand provideanabilitytoidentifyandmanageassociatedrisks
Identifytechnicalorganizationalpersonnelbusinesssecurityandprocessissues intoasingleactionableframework
Identityshorttermcountermeasuresagainstinsiderthreats
HelpguideUSCISinitsongoingriskmanagementprocessforimplementinglong termstrategiccountermeasuresagainstinsiderthreats
Scope
USCISemploysapproximately18000governmentemployeesandcontractorslocatedat250 officesthroughouttheworld3Theinsiderthreatvulnerabilityassessmentisintendedto focusoncriticalsystemsandhighriskareasofconcernthatcanbeassessedina3to5day timeframeThereforeatapreassessmentwalkthroughmeetingUSCISstaffidentified3 systemsofthe96systemsusedbytheagencyascriticaltoitsoverallmission
VerificationInformationSystem(VIS)mdashthispublicfacingsystemiscomposedoffive differentapplicationsThepurposeofthesystemistoprovidemdash
o Immigrationstatusinformationtogovernmentbenefitgrantingorganiza tionstohelpthemdeterminetheeligibilityofalienswhoapplyforbenefits
o Ameansforprivateemployerstoperformemploymenteligibilityverifica tionofnewlyhiredemployees
ComputerLinkedApplicationInformationManagementSystem(CLAIMS)mdashThissys temprovidesthefollowingfunctions
3httpwwwuscisgovportalsiteuscismenuitemeb1d4c2a3e5b9ac89243c6a7543f6d1avgnextoi d=2af29c7755cb9010VgnVCM10000045f3d6a1RCRDampvgnextchannel=2af29c7755cb9010Vgn VCM10000045f3d6a1RCRD
CERT | SOFTWARE ENGINEERING INSTITUTE | 3
o CLAIMS3LocalAreaNetwork(C3LAN)wasoriginallydevelopedtotrack thereceiptingofapplicantorpetitionerremittancesandtoproducenotices documentingtheremittanceC3LANnowincludesadjudicationarchive cardproductioncasehistorycasetransferondemandreportselectronic filetrackingimagecaptureproductionstatisticsstatusupdateandelec tronicingestofapplicationdatacapturedthroughtheEFilingwebapplica tionandtheDepartmentofTreasurysponsoredlockboxoperations
o C3mainframesupportsprocessingofUSCISapplicationsandpetitionsfor variousimmigrantbenefits(egchangeofstatusemploymentauthoriza tionandextensionofstay)
FraudDetectionandNationalSecurityDataSystem(FDNSDS)mdashThissystemwasde velopedtoidentifythreatstonationalsecuritycombatbenefitfraudandlocate andremovevulnerabilitiesthatcompromisetheintegrityofthelegalimmigration system
Itisimportanttonotethattheinsiderthreatvulnerabilityassessmentislimitedtoareasof concernobservedinthehundredsofcasesintheCERTInsiderThreatdatabasePeople technologyandorganizationsareconstantlychangingandmaliciousinsiderscontinueto comeupwithnewavenuesofattackinordertodefeatapreviouslyeffectivecountermea sureHowevermanyofthecountermeasuressuggestedinthisreportareapplicabletoa multitudeofattackvectors
ItisalsoimportanttonotethatCERTrsquosinsiderthreatresearchhasonlyexploredintentional insidercrimesAccidentaldataleakageisanareaofsignificantconcernfororganizations howeverCERThasnotyetexploredthataspectofinsiderthreatInadditionthefocusof theresearchtodateistodescribehowtheinsiderthreatproblemevolvesovertimeCERTrsquos longtermresearchdoesincludemeasuringtheeffectivenessofmitigationstrategies
CERT | SOFTWARE ENGINEERING INSTITUTE | 4
AssessmentProcessMethodology
AnentranceconferencewasconductedbytheDHSOIGCERTandUSCISonFebruary23 2010TheentranceconferenceintroducedUSCIStotheCERTassessmentteamFollowing theentranceconferenceapreassessmentwalkthroughwasheldatUSCISheadquarterson March102010AtthatmeetingtheCERTassessmentteamandtheDHSOIGteamex plainedtheassessmentprocesstorepresentativesofUSCISUSCISprovidedsomedocu mentationtotheassessmentteamatthattimeandmoredocumentsthroughouttheas sessmentthosedocumentswerereviewedtoprovidesubstantiationforfindingsinthis report
USCISidentified96systemsitusesFollowingtheinitialmeetingUSCISleadershipandthe assessmentteamchosetheVISCLAIMSandFDNSDSsystemsbecausetheywerecriticalto theoverallmissionofUSCISThesethreesystemswerethefocusofthe5dayonsiteas sessment
AtthepreassessmentwalkthroughUSCISindicatedthatithadcreatedaConvictionsTask Forcetoreviewtheactivitiesof10formeremployeesconvictedofcriminalmisconduct withinthescopeoftheirofficialdutiesThepurposeofthetaskforceistoidentifyissues theseemployeesexploitedtocommittheircrimesThetaskforceintendedtodevelopfind ingsandrecommendationsaimedatpreventingsimilarcrimesinthefutureItgraciously extendedaninvitationtotheCERTandDHSOIGteamstoparticipateAsaresulttheteams observedorreviewedtranscriptsofalltelephoneconferencesconductedbythetaskforce Thesefindingsarereflectedinthisreport
TheCERTinsiderthreatteamandtheDHSOIGliaisonwereonsiteatvariousUSCISloca tionsinthenationalcapitalregion(NCR)fromMarch30throughApril12010
TheDHSOIGliaisonswerepresentatallinterviewsTheDHSOIGattendedtheseinterviews asanobserverandassistedCERTasneeded
Facetofaceinterviewswereconductedwithapproximately58representativesintheNCR followedby32representativesintheVermontServiceCenterandUSCISBurlingtonoffices InadditiontelephoneconferenceswereheldwithstafffromtheOfficeofSecurityandIn tegrity(OSI)InvestigationsDivisionandtheSecurityNetworkOperationsCenter(SNOC) Intervieweesrepresentedthefollowingareas
DataOwners(VISCLAIMSandFDNSDS)
ComputerSciencesCorporation(CSC)(softwareengineeringandoperationalsup portforVISCLAIMSandFDNSDS)
CERT | SOFTWARE ENGINEERING INSTITUTE | 5
OSI(PhysicalSecurityRegionalSecurityInvestigationsPersonnelSecurityCounter intelligence)
HumanCapitalandTraining(TrainingHumanResourcesOperationsCenterLabor EmployeeRelations)
OfficeofInformationTechnology(OIT)(ITSecurityComputerSecurityIncidentRe sponseTeamSecurityandNetworkOperationsCenterAccountManagementEn terpriseOperations)
Legal(ProcurementLaw)
VermontServiceCenter(adjudicatorsdataentryclerkssupervisordirectorsOIT softwareengineering)
Allinterviewswereconsideredconfidentialnorecordofparticipatingemployeesisincluded inthisreportorinsubsequentbriefingsFindingsareattributedonlytoagroupordepart mentinterviewedadocumenttheConvictionsTaskForcetelephoneconferencesordirect observation
CERT | SOFTWARE ENGINEERING INSTITUTE | 6
CERT | SOFTWARE ENGINEERING INSTITUTE | 7
AcriticalissueforUSCISisensuringthattheentireorganizationisriskawareandimple mentingaformalriskmanagementprocesstoaddressriskconsistentlyandcontinually acrosstheenterpriseTheredoesnotappeartobeaconsistentunderstandingofthebroad spectrumofrisksfacingUSCISTheassessmentteamwastoldthereisnoenterprisewide riskmanagementprogramatUSCISOITperformsriskmanagementforInformationTech nology(IT)andFinancialManagementperformsriskmanagementforfinancialmattersbut noonewasawareofanyenterprisewideeffortsInadditioneachfieldofficeandservice centerappearstooperatefairlyindependentlyItisimportantforthoseorganizationsto worktogethertoidentifyprioritizeandaddressriskOngoingcommunicationbetweenall componentsofUSCISwillhelpensurethatnewthreatsattackvectorsandcountermea suresarecommunicatedandhandledeffectivelybyall
InadditionUSCISemployeesandcontractorsholdthekeystooneoftheworldrsquosmostcov etedkingdomsmdashUScitizenshipThismakesemployeesandcontractorsattractivetargets forrecruitmentBecauseofthesensitivenatureofUSCISmissionsomeofitsemployees andcontractorshavebeentargetsforrecruitmentfortheftorunauthorizedmodificationof USCISdataAllemployeesshouldbeawareoftheconsequencesofparticipatinginfraud againstUSCISTheyshouldalsobeinstructedonhowtoreportsolicitationsmadetocom mitfraud
Transformation
TransformationisalargebusinessprocessreengineeringeffortinUSCISprimarilyfocused onimprovedcustomerserviceworkflowautomationfrauddetectionandnationalsecurity issuesUSCISisrelyingheavilyonTransformationtocorrectmanyoftheproblemsresulting fromlegacysystemsThisrelianceonasingleeffortmakesitseffectivenessveryimportant TheteamfoundtheTransformationefforttobeamassiveundertakingthatappearstobe implementingaverydetailedprojectplan
Basedontheteamrsquosreviewoftherequirementsforfrauddetectionandnationalsecurity issuesitappearstherearenorequirementstoaddressinsiderthreatsTheassessment teamreviewedfivecomprehensiveTransformationdocumentsaspartofthisassessment ThedocumentsdescribesystemrequirementsindetailFrauddetectionreferstodetection offraudperpetratedbyapplicantsandpetitionersnationalsecurityissuesfocusonthe handlingofinvestigationswithinUSCISthatinvolvenationalsecurityissues
Againanenterpriseriskmanagementapproachshouldbeconsideredwhendefiningre quirementsforTransformationInsidersatUSCIShaveperpetratedfraudinthepastasevi dencedbytheConvictionsTaskForceInadditionUSCISinsidersarecapableofgranting legalresidencyorcitizenshipstatustosomeonewhoposesanationalsecurityrisktothe UnitedStates
CERT | SOFTWARE ENGINEERING INSTITUTE | 8
TrainingandAwareness
Itisessentialthatsecurityawarenesstrainingisconsistentlyprovidedtoallemployeesto ensuresecuritypoliciesandpracticesareinstitutionalizedthroughoutanorganization Manytimescoworkersandsupervisorsarethefirstpeopletoobserveconcerningbehavior exhibitedbymaliciousinsidersFailuretoreportconcerningbehaviorbycoworkersoroth ersinanorganizationwasaprimaryreasoninsidersintheCERTInsiderThreatCasedata basecontinuedtosetuporcarryouttheirattacks
USCISshouldcontinuetoprovidesecurityawarenesstrainingtoallemployeesandcontrac torsacrosstheglobeThistrainingshouldbeconsistentlyappliedtoeachsitewithaconsis tentmessageofsecurityofUSCISpeoplesystemsanddataItisimperativethatallUSCIS employeesberesponsibleforachievingthemissionofUSCISandprotectingthecriticalas setstothehighestextentpossible
HumanResources
Anorganizationrsquosapproachtoreducinginsiderthreatshouldfocusonproactivelymanaging employeeissuesandbehaviorsThisconceptbeginswitheffectivehiringprocessesand backgroundinvestigationstoscreenpotentialcandidatesOrganizationsshouldalsotrain supervisorstomonitorandrespondtobehaviorsofconcernexhibitedbycurrentemploy eesSomecasesfromtheCERTInsiderThreatdatabaserevealedthatsuspiciousactivity wasnoticedintheworkplacebutnotacteduponOrganizationsmustestablishawell organizedandprofessionalmethodforhandlingnegativeemploymentissuesandensuring thathumanresourcepolicyviolationsareaddressed
Organizationalissuesrelatedtofunctionssharedbyhumanresources(HR)andsecurityper sonnelareattheheartofinsiderriskmanagementEmployeescreeningandselectionis vitaltopreventingcandidateswithknownbehavioralriskfactorsfromenteringtheorgani zationoriftheydoensuringthattheserisksareunderstoodandmonitoredClearpolicy guidelinesaddressingbothpermittedandprohibitedemployeebehaviorarevitaltorisk detectionandmonitoringClearrequirementsforensuringemployeesrsquoknowledgeofthese guidelinesarealsoessentialtotheirsuccessInadditionreportsofpolicyquestionsand violationsneedtobesystematicallyrecordedsothatmanagementHRandsecurityper sonnelcanapproachcasedecisionswithcompletebackgroundinformation
Analysisofthesereportsacrossindividualsanddepartmentscansupplyvitalknowledgeof problemareasbeyondindividualcasesRelationshipsinwhichHRsecurityandmanage mentpersonnelcollaborateaseducatorsandconsultantsarevitaltoearlydetectionand effectivemanagementofemployeesposinganinsiderriskTheneedforclearpolicies
CERT | SOFTWARE ENGINEERING INSTITUTE | 9
completepersonnelriskdataandclosemanagementHRsecuritycollaborationisrarely greaterthanwhenhandlingemployeeterminationissueswhethervoluntaryorinvoluntary
ScreeningandHiringPractices
SeveralpersonnelscreeningandhiringpracticesposearisktoUSCISsystemsanddata
USCISdoesnothaveaconsistentprocedurefordecidingwhethertoconductafacetoface interviewpriortohiringanapplicantbeingscreenedforgovernmentemploymentThere wasanimpressionatUSCISheadquartersthatnearly100ofthoseemployeeshiredby managersareinterviewedbutrepresentativesinBurlingtonVermonttoldusotherwise Thisgapbetweenperceptionandreality(thereisnotapolicystatingthatthismustbedone) isaconcernUSCISshouldrequireinterviewsforallpositionsTheinterviewsneedtobe conductedbysomeoneinvolvedinthedaytodaysupervisionofthepositiontobefilled
Ifapersonalissue(egsubstanceabuserelativelylargefinancialindebtedness)arisesdur ingPersonnelSecurityrsquos(PERSECrsquos)screeningPERSECmayissuealetterofadvisementto thecandidateandclearthatpersonforhirePERSECishesitanttosharenegativeinforma tionaboutapplicantswithUSCISbecauseofprivacyconcernsBecauseoftheseconcernsa managermaynotknowthatsomeoneiscomingintoapositionwithahistoryofalcohol andordrugabusefinancialindebtednessetcTheprivacywallbetweenPERSECandfield personnelconcernedwithhiringistroublingItisdifficultforPERSECrepresentativestoin dicatetheirconcernsaboutpotentialhiresiftheyhaveriskfactorsthatdonotcrossadjudi cationguidelinesfordisqualification
ForeignServiceNational(FSN)employeeswhoworkatUSembassiesandconsulates abroadhaveaccesstoUSCIScriticalsystemsanddatainsomecasesInordertobehired andgrantedaccesstoanyofthosesystemsFSNsarevettedbytheUSDepartmentof StateAlthoughtheaccesstoUSCISsystemsmustbeapprovedbythechiefsecurityofficer (CSO)andchiefinformationofficer(CIO)forDHSUSCIShasverylittlevisibilityintothe screeningprocessforFSNs
ExitProcedures
Exitprocedurestypicallydetailthestepsthatmustbetakenwhenanemployeeretiresre signsorisfiredtransferredorputonaleaveofabsenceTheseproceduresforUSCIShave beenrecentlydevelopedandinsomecasesarestillunderdevelopmentUSCISexpectsto releasemoreformalizedproceduresinthenext3monthsbutthereisnotacommonun derstandingoftheproperproceduresItappearstheresponsibilityforensuringthatem ployeesandcontractorsareproperlyterminatedrestssolelywiththemanagerorContract ingOfficerrsquosTechnicalRepresentative(COTR)Italsoappearsdifferentmanagersfollow
CERT | SOFTWARE ENGINEERING INSTITUTE | 10
differentprocedurestoensurethataccessisdisabledandequipmentisreturnedasem ployeesandcontractorsleaveUSCISThisgapmaymanifestitselfintheinconsistentcollec tionofbadgeslaptopsmobiledevicesandotherUSCISequipmentandimproperdisabling orterminationofaccess
PhysicalSecurity
SomeinsidersdocumentedintheCERTInsiderThreatCasedatabaseexploitedphysicalse curityvulnerabilitiesSomewereabletogainaccesstoorganizationfacilitiesoutsideof normalworkinghourstostealcontrolledinformationortoexactrevengeontheorganiza tionbysabotagingcriticaloperationsPhysicalsecuritycanprovideanotherlayerofdefense againstterminatedinsiderswhowishtoregainphysicalaccesstoattackJustaswithelec tronicsecurityhoweverformeremployeeshavebeensuccessfulinworkingaroundtheir organizationrsquosphysicalsecuritymeasuresItisimportantfororganizationstomanage physicalsecurityforfulltimeparttimeandtemporaryemployeescontractorsandcon tractlaborers
USCISPhysicalSecurityhasmadesignificantprogressprotectingUSCISfacilitiesandassetsin theNCRsinceJanuary2008whenitstoodupanewphysicalsecurityprogramAlthough physicalsecurityintheNCRisconsistentlydirectedandenforcedbyPhysicalSecurityeach fieldofficesetsitsownpoliciesandaccesscontrols
Finallyissuescon cerningthesecurityofapplicantsrsquophysicalcasefilesshouldbeconsideredaspartofaUSCIS riskmanagementstrategybyUSCIS
ControllingandMonitoringProperAccessAuthorization
USCIShandlesthephysicalsecurityandaccessauthorizationoffacilitiesdifferentlydepend ingonwherethefacilityislocatedThephysicalsecurityofNCRfacilitiesishandledbyone groupofUSCISpersonnelbutthephysicalsecurityoffieldofficesfallsundertheFieldSecu rityDivision(FSD)Insomecasesaphysicalsecurityrepresentativeisnotlocatedinafield officeatallWhenthisisthecasetheresponsibilityfallsonothermanagementpersonnel whomaynotbeequippedtohandletheseissuesproperlyandreporttheminatimelyman ner
In10casesdocumentedin
CERT | SOFTWARE ENGINEERING INSTITUTE | 11
theCERTInsiderThreatCasedatabasetheinsiderwasabletocommitacrimefollowing terminationbecauseoffailuretonotifysecurityemployeesandbusinesspartnersofthe terminationTocontrolaccesstoUSCISfacilitiesitisimportantforUSCIStocomparecur rentemployeesandcontractorstotheauthorizedaccesslistineachfacilityrsquosaccesscontrol systemDisablingphysicalaccesstofacilitieswhenemployeesandcontractorsterminateis essentialtoprotectingUSCISemployeesandfacilities
SecurityofPhysicalCaseFiles
AttheVermontServiceCentertheassessmentteamobservedphysicalcasefilesofbenefit applicantsstackedincratesinthehallwaysCasefilesareassumedtobesecureoncethey arecontainedwithinaServiceCenterbuttheycouldbephysicallyalteredorstolenbyany onewithphysicalaccesstothefacilityOneintervieweestatedthatadjudicatorstypically have50to100filesscatteredaroundtheirofficesordesksSomearetrackedandsome maynotbeAdjudicatorsconductinterviewswithapplicantsintheirofficesandtheymay leaveapplicantsunescortedintheirofficeswiththecasefileswhenforinstancemaking copiesorattendingtootherUSCISbusinessAccordingtothesameintervieweeinonefield officenaturalizationcertificatespassportsandcreditcardinformationhavebeenfoundin garbagecansinthehallwayThirteeninsidersdocumentedintheCERTdatabasestole physicalpropertybelongingtotheirorganization
BusinessProcesses
AvarietyofcasesfromtheCERTInsiderThreatCasedatabasedocumentinsiderattacksin whichgapsinbusinessprocessesprovidedapathwayforattackEnforcingseparationof dutiesandtheprincipleofleastprivilegeareprovenmethodsforlimitingauthorizedaccess byinsidersIdeallyorganizationsshouldincludeseparationofdutiesinthedesignofkey businessprocessesandfunctionsandenforcethemviatechnicalandnontechnicalmeans Accesscontrolbasedonseparationofdutiesandleastprivilegeinboththephysicaland virtualenvironmentiscrucialtomitigatingtheriskofinsiderattackTheseconceptsalone willnoteliminatethethreatposedbyinsiderstheyarehoweveranotherlayerinthede fensivepostureofanorganization
BecauseofthesensitivenatureoftheUSCISmissionsomeofitsemployeesandcontractors havebeentargetsforrecruitmentfortheftorunauthorizedmodificationofUSCISdata TwentyninepercentoftheinsidersdocumentedintheCERTdatabasewererecruitedby outsiderstocommittheircrimesMostoftheseinsiderscommittedtheircrimesforfinan cialgainCriticalUSCISbusinessprocessesshouldincludetechnicalcontrolstoenforce separationofdutiesanddualcontroltoreducetheriskofinsiderfraudInadditionpoten tialvulnerabilitiessurroundtheuseoftheICEPasswordIssuanceandControlSystem(PICS) forauthorizationforcriticalUSCISsystemsAlthoughPICSisoutsidethecontrolofUSCIS
CERT | SOFTWARE ENGINEERING INSTITUTE | 12
CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.
Verification Information System
The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.
Modifications by VIS users to critical data are logged.
CLAIMS 3 LAN
Currently, all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other "sister" USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it.
FDNS-DS
Incident Response
Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.
Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require nonsupervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.
Incident Management
USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, the Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Consequently, any effort to coordinate a proactive program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.
Software Engineering
Code Reviews
Some USCIS systems adhere to a formalized process of software engineering, using contractors with a specified level of process maturity (i.e., Capability Maturity Model Integration (CMMI) level 3).
There was even a documented case in which source code contained something inappropriate and was only discovered after the code was turned over from one contractor to another.
Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.
Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial.
Information Technology
Account Management
Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems and/or networks.
In some areas, computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.
Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.
Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore,
Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR.
The application of account management practices under the control of USCIS is inconsistent. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
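As an added example (not code from the report, USCIS, or OIT), the following Python script shows the kind of account audit this section calls for: it reconciles an account inventory against an HR roster and flags accounts with no record of creation authorization, accounts whose owner is unknown to HR (possible legacy accounts), FSN accounts that do not carry a distinguishing naming convention, enabled accounts that outlive a separation, and accounts that retain access to a previous unit after a transfer. The roster, the inventory, the field names, the `fsn-` prefix (an assumed convention, not one USCIS uses) and `AUDIT_DATE` are all constructed for the example.

```python
"""Added example: reconciling an account inventory with an HR roster.
All records and the naming convention below are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Person:
    person_id: str
    category: str      # "federal" or "fsn" (constructed categories)
    status: str        # "active", "transferred", or "separated"
    status_date: date  # date the current status took effect
    unit: str          # unit the person currently belongs to


@dataclass
class Account:
    username: str
    enabled: bool
    owner_id: str           # person the account was issued to
    unit: str               # unit whose systems the account grants access to
    authorization_ref: str  # approval record for creation; "" if none on file


FSN_PREFIX = "fsn-"              # assumed naming convention for FSN accounts
AUDIT_DATE = date(2010, 12, 1)   # constructed "today" for the audit

# Constructed HR roster.
PEOPLE = {
    "P100": Person("P100", "federal", "active",      date(2009, 3, 1),  "VSC"),
    "P101": Person("P101", "federal", "separated",   date(2010, 5, 14), "VSC"),
    "P102": Person("P102", "federal", "transferred", date(2010, 9, 1),  "NSC"),
    "P103": Person("P103", "fsn",     "active",      date(2006, 1, 9),  "Embassy-X"),
}

# Constructed account inventory.
ACCOUNTS = [
    Account("jdoe",    True,  "P100", "VSC",       "AUTH-2009-0412"),
    Account("asmith",  True,  "P101", "VSC",       "AUTH-2007-0033"),  # separated, still enabled
    Account("bjones",  True,  "P102", "VSC",       "AUTH-2008-0199"),  # transferred, old unit retained
    Account("cnguyen", True,  "P103", "Embassy-X", ""),                # pre-2007 FSN, no approval on file
    Account("oldsvc",  True,  "P999", "VSC",       ""),                # owner unknown to HR
    Account("rlee",    False, "P101", "VSC",       "AUTH-2007-0034"),  # already disabled: no finding
]


def audit_accounts(accounts, people, today, grace_days=1):
    """Return (username, finding) pairs for accounts that need action."""
    findings = []
    for acct in accounts:
        if not acct.authorization_ref:
            findings.append((acct.username, "no authorization record for account creation"))
        person = people.get(acct.owner_id)
        if person is None:
            findings.append((acct.username, "owner not in HR roster; possible legacy account"))
            continue
        if person.category == "fsn" and not acct.username.startswith(FSN_PREFIX):
            findings.append((acct.username, "FSN account does not follow FSN naming convention"))
        if not acct.enabled:
            continue  # a disabled account cannot be used; nothing further to flag
        days = (today - person.status_date).days
        if person.status == "separated" and days > grace_days:
            findings.append((acct.username, f"enabled {days} days after separation"))
        elif person.status == "transferred" and acct.unit != person.unit:
            findings.append((acct.username,
                             f"retains {acct.unit} access after transfer to {person.unit}"))
    return findings


def summarize(findings):
    """Number of findings per username, for the audit report."""
    counts = {}
    for username, _ in findings:
        counts[username] = counts.get(username, 0) + 1
    return counts


if __name__ == "__main__":
    for username, why in audit_accounts(ACCOUNTS, PEOPLE, AUDIT_DATE):
        print(f"{username}: {why}")
```

Each check corresponds to one gap named in the text; in practice the roster and inventory would be exported from the HR system and from each PICS-controlled system, and the audit would be re-run on a schedule rather than once.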
Access Control
An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.
Given the distributed nature of access authorization via PICS, ICE, and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas, have not been through the rigorous preemployment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.
Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, the ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.
Protection of Controlled Information
Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.
USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information,
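As an added example (not the report's or USCIS's monitoring logic), the following Python code shows the two detections the paragraph describes in their simplest form: a per-host daily transfer volume that jumps well above that host's own prior baseline, and traffic on a destination port the host has never used before. The daily summaries, host names, threshold ratio and minimum byte count are constructed assumptions; the baseline is the median of prior days, a choice made here to resist a single earlier spike.

```python
"""Added example: volume and port anomaly checks over per-host daily traffic
summaries. All records and thresholds are constructed."""
from statistics import median

# Constructed daily summaries: (day, host, destination port, bytes out).
RECORDS = [
    ("2010-11-01", "ws-101", 443, 120_000_000),
    ("2010-11-02", "ws-101", 443, 130_000_000),
    ("2010-11-03", "ws-101", 443, 110_000_000),
    ("2010-11-04", "ws-101", 443, 125_000_000),
    ("2010-11-05", "ws-101", 443, 1_900_000_000),  # roughly 15x this host's usual volume
    ("2010-11-05", "ws-101", 22,  800_000_000),    # port never seen from this host before
    ("2010-11-01", "ws-202", 443, 50_000_000),
    ("2010-11-02", "ws-202", 443, 55_000_000),
    ("2010-11-03", "ws-202", 443, 48_000_000),
    ("2010-11-04", "ws-202", 443, 52_000_000),
    ("2010-11-05", "ws-202", 443, 60_000_000),     # ordinary day
]


def daily_totals(records):
    """Sum bytes per (day, host) across all ports."""
    totals = {}
    for day, host, _, nbytes in records:
        totals[(day, host)] = totals.get((day, host), 0) + nbytes
    return totals


def detect_anomalies(records, day, ratio=5.0, min_bytes=500_000_000):
    """Flag hosts whose volume on `day` exceeds `ratio` times their median
    prior daily volume (and at least `min_bytes`, so quiet hosts do not trip
    on noise), and hosts that used a destination port for the first time.
    Days are ISO strings, so string comparison orders them correctly."""
    findings = []
    totals = daily_totals(records)
    hosts = sorted({host for _, host in totals})
    for host in hosts:
        history = [b for (d, h), b in totals.items() if h == host and d < day]
        today = totals.get((day, host), 0)
        if history:
            baseline = median(history)
            if today >= min_bytes and today > ratio * baseline:
                findings.append((host, f"volume {today} vs baseline {int(baseline)}"))
        seen_ports = {p for d, h, p, _ in records if h == host and d < day}
        today_ports = {p for d, h, p, _ in records if h == host and d == day}
        for port in sorted(today_ports - seen_ports):
            findings.append((host, f"new destination port {port}"))
    return findings


if __name__ == "__main__":
    for host, why in detect_anomalies(RECORDS, "2010-11-05"):
        print(f"{host}: {why}")
```

The first day of history produces no volume finding because there is no baseline yet; a real deployment would also carry the baseline across weeks rather than recomputing it from a short window.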
Logging, Auditing, Monitoring
Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.
The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.
Technical Security Vulnerabilities
Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.
There is a primary concern in this area at USCIS. USCIS should consider the frequency with which it scans its systems for technical security vulnerabilities.
There is also another concern in this area at USCIS.
Configuration Management
Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.
The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy,
Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.
Recommendations
The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.
Recommendation 1: Institute an enterprise risk management plan
USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.
Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort
Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.
Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats
USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identi-
stores physical files for benefit applicants in the Vermont Service Center with no physical protection beyond the exterior building and guard controls. USCIS should evaluate current physical access procedures to determine if they adequately address risk and if they are enforced consistently across the enterprise.
Recommendation 8: Consistently enforce exit procedures
Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager and COTR. It also appears that different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access. USCIS should adopt an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.
Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs
Changes should be made to the USCIS hiring processes for select high-risk positions. For example, USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.
Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion
USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.
Recommendation 11: Enforce a requirement for individual accounts on critical systems
In some cases, USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing of accounts more difficult.
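The account sharing described here and in the Verification Information System section above can often be seen in the access logs of the system itself. As an added example (not code from the report or from VIS), the following Python code parses constructed access-log lines and flags any account that was active from two different source addresses within a short window, which is the usual signature of a credential in use by more than one person. The log format, the account names, the addresses (from documentation ranges) and the 30-minute window are all constructed assumptions.

```python
"""Added example: detecting shared credentials from access logs.
The log format and every line below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines: "<iso timestamp> <account> <source address> <action>".
LOG_LINES = """\
2010-11-03T08:02:11 emp1234 203.0.113.10 status-query
2010-11-03T08:05:40 emp1234 203.0.113.10 status-query
2010-11-03T08:06:02 emp1234 198.51.100.7 status-query
2010-11-03T09:15:00 emp1234 203.0.113.10 status-query
2010-11-03T09:40:21 emp5678 192.0.2.44 status-query
2010-11-03T13:01:09 emp5678 192.0.2.44 status-query
2010-11-04T07:59:58 emp9012 203.0.113.22 status-query
2010-11-04T16:30:00 emp9012 203.0.113.23 status-query
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse log text into (timestamp, account, source, action) tuples,
    skipping lines that do not match the expected format."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, account, source, action = match.groups()
        events.append((datetime.fromisoformat(ts), account, source, action))
    return events


def find_shared_accounts(events, window=timedelta(minutes=30)):
    """Return {account: [sources]} for accounts used from two different
    source addresses within `window` of each other. One person can move
    between addresses over a day (emp9012 below), but two addresses active
    on the same account minutes apart points to a shared credential.
    Sources are compared as opaque strings, so hostnames work as well."""
    uses = defaultdict(list)
    for ts, account, source, _ in events:
        uses[account].append((ts, source))
    flagged = defaultdict(set)
    for account, entries in uses.items():
        entries.sort()  # chronological order, so adjacent entries are nearest in time
        for (t_prev, s_prev), (t_cur, s_cur) in zip(entries, entries[1:]):
            if s_prev != s_cur and t_cur - t_prev <= window:
                flagged[account].update((s_prev, s_cur))
    return {account: sorted(sources) for account, sources in flagged.items()}


if __name__ == "__main__":
    for account, sources in find_shared_accounts(parse_log(LOG_LINES)).items():
        print(f"{account}: used from {', '.join(sources)} within the window")
```

A flagged account is a lead for the account owner's supervisor or the third-party employer, not proof of misuse on its own: address translation and mobile users produce legitimate address changes, which is why the window is short and why the check is paired with the stronger authentication the recommendation suggests.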
Recommendation 12
Recommendation 13: Reduce the number of privileged accounts for critical data systems
Some data systems, including FDNS-DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.
Recommendation 14
Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review
USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk, critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed.
Recommendation 16
Recommendation 17
Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees
USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.
Management Comments and OIG Analysis
We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments in its entirety in appendix I.
USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS corrective action plans.
Appendixes
The following pages contain appendixes A through G, which contain a complete, detailed list of findings from the assessment.
The appendixes are organized into the following sections:
Appendix A: Organizational
Appendix B: Human Resources
Appendix C: Physical Security
Appendix D: Business Process
Appendix E: Incident Response
Appendix F: Software Engineering
Appendix G: Information Technology
Appendix H: Acronyms
Appendix I: Management Comments to the Draft Report
Appendix J: Contributors to this Report
Appendix K: Report Distribution
Each section in appendixes A–G contains a brief introduction, a summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:
Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures
Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern specific to USCIS obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.
It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization's mission from both external and internal threats.
Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.
The results of this insider threat vulnerability assessment should be used to develop or refine the organization's overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.
Many of the findings in this report include the relative frequency of the issue raised in the CERT Insider Threat Case database. At the time this report was written, there were 386 cases of malicious insider activity against which the suggested countermeasure percentage is calculated. So if a particular activity was seen in 38 of our cases, we may indicate that it was seen in 10% of the cases in the Insider Threat Case database.
Appendix A: Organizational
Risk Management, Communication, Security Process Improvement
USCIS is in a difficult position. Part of its mission is to provide customer service to those seeking immigration and citizenship benefits from the US Government. However, it is challenging to optimize business processes for customer service while at the same time implementing protective measures to counter the risk posed by granting those very benefits. Many USCIS employees interviewed for this assessment identified the organization's primary risk as allowing the next terrorist to live and work legally in the United States. They desire help in identifying and implementing internal controls to counter that risk. Some of the interviewees, however (even some of the ISSOs and data owners), focused on leakage of PII as their primary concern. After delving into the matter with the assessment team, they came to understand the risk posed by exposure or misuse of critical data as the greatest risk faced by USCIS, primarily because such a security breach could result in allowing a terrorist into the country.
A critical issue for USCIS is ensuring the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.
In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: US citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.
Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures
Area of Concern: Enterprise Risk Management
Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Individual organizations within USCIS do risk management related to their particular domain. For instance, IT does risk management from an IT perspective and Financial Management does financial risk management.
Policy or Practice Gaps: USCIS personnel stated there is no enterprise risk management process for analyzing the organization's overall risk. In interviews, some USCIS staff, including some ISSOs, data owners, and OIT staff, seemed to view loss of PII as the most important insider threat risk. All of the assessment questions were answered in the context of loss of PII. When we asked specifically what they see as the biggest insider threat risk, everyone seemed to agree it is creation of real citizenship documents for people who should not have them. In fact, interviewees at the Vermont Service Center categorized the functions characterized by the highest risk as follows:
1) Unlawful alien in the United States granted nonimmigrant status
2) Someone with nonimmigrant status granted permanent residency, which means he or she can live and work indefinitely in the United States and also can petition for relatives
The Vermont Service Center is implementing separation of duties for performing functions 1 and 2 above (granting nonimmigrant status and moving someone from nonimmigrant status to permanent residency) so that one USCIS adjudicator alone cannot take an applicant from unlawful to permanent resident. These two functions will be performed at different physical locations 29 miles apart. The Vermont Service Center has not had an adjudicator who performed both functions 1 and 2 for the same applicant.
Suggested Countermeasures: We suggest that USCIS institute an enterprise risk management program. Without a common vision for risk management, the ISSOs and all organizations within USCIS cannot effectively understand the risk environment and work together to effectively mitigate risk. Again, an enterprise risk management program will ensure that everyone across USCIS is working together to mitigate the highest priority risks. There are regulations and laws surrounding protection of PII, but focusing primarily on that issue can lead to a false sense of security if other, more important risk areas are given less attention. This decision demonstrates that leadership at the Vermont Service Center recognizes the significant risk of creating legal citizenship documents for illegal aliens and is taking steps to mitigate that risk. However, our insider threat assessment has uncovered other issues that could be addressed to mitigate that risk. Again, a formal risk analysis would enable USCIS to thoroughly examine the issues and prioritize countermeasures using a formal process. For example, an alternative to the physical move could be to implement an audit mechanism to look for adjudicators who performed both functions 1 and 2 for the same applicant.
Area of Concern: Enterprise-Wide Communication
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no consistency of controls from one service center to the next. We were told they each operate fairly independently.
Suggested Countermeasures: USCIS would benefit from ongoing communications about risk-based issues between the service centers. For instance, communications concerning problems, effective countermeasures, modifications to business processes, or ideas for countering increased risk could lead to an improved risk posture for the entire USCIS enterprise.
Area of Concern: Continual Security Process Improvement
Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: The USCIS Convictions Task Force is an excellent forum for analyzing past criminal cases and determining measures that should be instituted to prevent similar crimes in the future.
Policy or Practice Gaps: There is no process for following up on a case after the Office of Special Investigation (OSI) finishes an investigation. The Convictions Task Force is the only process we found for formal tracking, analysis, and process improvement based on actual incidents. The assessment team asked various groups if there is any follow-up to incidents, for instance implementing automated scripts or controls to detect the same incident in the future. The team could not find a single person who knows of such an activity. Many examples of employee misconduct cited to the assessment team could easily have been detected or even prevented via automated controls. In addition, there is no mechanism for communicating issues outside of a given service center.
Suggested Countermeasures: In nearly 25% (91) of the cases in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 of these cases it was because of inadequate auditing of irregular processes. In 29 of the cases, the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analysis of the OSI's findings and the development of automated checks implemented nationally.
U
SCIS
Em
ploy
ees
are
Pote
ntia
lTar
ge
tsfo
rRe
crui
tm
ent
Hum
anR
esou
rces
Ph
ysic
alS
ecur
ity
No
evid
ence
pro
vide
d
Som
eU
SCIS
em
ploy
ees
inte
rvie
wed
ha
ver
ecei
ved
are
ques
tfor
ass
ista
nce
from
afr
iend
rel
ativ
eo
rst
rang
er
seek
ing
top
rom
ote
aca
sefo
rso
me
form
ofa
pplic
ant
One
adj
udic
ator
sa
idh
edo
esn
otte
llot
hers
who
he
wor
ksfo
rH
owev
ert
hed
istin
ctiv
egr
een
park
ing
stic
ker
onh
isc
arc
ould
in
as
mal
ltow
nlik
eBu
rlin
gton
VT
re
veal
the
iden
tity
ofh
ise
mpl
oyer
U
SCIS
per
sonn
ela
reth
eref
ore
unus
ual
lyv
ulne
rabl
eto
sol
icita
tion
byo
ut
side
rs
Twen
tyn
ine
perc
ento
fthe
in
side
rsin
the
CERT
Insi
der
Thre
at
Case
dat
abas
ew
ere
recr
uite
dby
ou
tsid
ers
toc
omm
itth
eir
crim
es
USC
ISs
houl
dco
nsid
er
incr
easi
ngth
ese
curi
tya
war
ene
sstr
aini
ngp
rovi
ded
toU
SCIS
em
ploy
ees
and
cont
ract
ors
The
tr
aini
ngs
houl
dbe
con
tinuo
us
incl
udin
gpo
rtio
nsin
tend
edto
ra
ise
awar
enes
sof
the
pote
ntia
lta
rget
that
USC
ISe
mpl
oyee
spr
esen
tA
llem
ploy
ees
shou
ld
bea
war
eof
the
cons
eque
nces
of
par
ticip
atin
gin
frau
dag
ains
tU
SCIS
as
wel
las
how
tor
epor
tso
licita
tions
mad
eto
com
mit
frau
d
Tran
sfor
mat
ion
USC
ISL
eade
rshi
p D
ata
Ow
ners
In
form
atio
nTe
chno
logy
H
uman
Res
ourc
es
Tran
sfor
mat
ion
isa
larg
ebu
sine
ss
proc
ess
reen
gine
erin
gef
fort
inU
SCIS
th
atis
pri
mar
ilyfo
cuse
don
impr
oved
cu
stom
ers
ervi
cea
ndfr
aud
dete
ctio
nF
ore
xam
ple
the
asse
ssm
ent
team
was
told
that
Tra
nsfo
rmat
ion
will
aut
omat
ical
lyv
alid
ate
data
in
CLA
IMS
agai
nsto
ther
ext
erna
lsys
te
ms
(eg
IC
Ean
dFB
I)a
ndth
at
secu
rity
req
uire
men
tsa
ndc
ontr
ols
Tran
sfor
mat
ion
was
men
tione
din
m
osti
nter
view
sfo
rth
isa
sses
smen
t
Ita
ppea
rsth
atU
SCIS
isr
elyi
ngh
eavi
ly
upon
Tra
nsfo
rmat
ion
toc
orre
ctm
any
ofth
epr
oble
ms
resu
lting
from
lega
cy
syst
ems
How
ever
iti
sun
clea
rw
heth
erin
tern
alp
erso
nnel
sec
urity
an
din
form
atio
nse
curi
tyc
once
rns
will
bein
clud
edin
this
pro
gram
This
rel
ianc
eon
as
ingl
eef
fort
m
akes
the
effe
ctiv
enes
sof
this
ef
fort
ver
yim
port
ant
USC
IS
shou
ldc
onsi
der
the
Tran
sfor
ma
tion
proj
ectf
rom
an
ente
rpris
ew
ide
pers
pect
ive
Iti
sim
port
ant
for
itto
use
afo
rmal
req
uire
m
ents
gat
herin
gpr
oces
sin
or
der
toe
ffec
tivel
ym
itiga
teb
oth
inte
rnal
and
ext
erna
lthr
eats
CERT | SOFTWARE ENGINEERING INSTITUTE | 34
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sha
veb
een
iden
tifie
dby
cur
rent
C3
LAN
dat
aow
ners
Read
ing
the
Tran
sfor
mat
ion
requ
ire
men
tsd
ocum
enta
tion
itis
not
cle
ar
that
insi
ders
are
con
side
red
inth
ese
curi
tyr
equi
rem
ents
for
prev
entio
nan
dde
tect
ion
offr
aud
orn
atio
nal
secu
rity
inU
SCIS
sys
tem
s
Pers
onne
lsec
urity
sho
uld
be
incl
uded
as
wel
las
info
rmat
ion
secu
rity
to
ensu
reth
atth
eap
pr
opri
ate
inte
rnal
con
trol
sar
ein
pl
ace
tor
educ
eth
eri
skp
osed
by
mal
icio
usin
side
rs
CERT | SOFTWARE ENGINEERING INSTITUTE | 35
Trai
ning
and
Aw
aren
ess
Itis
ess
entia
ltha
tsec
urity
aw
aren
ess
trai
ning
be
cons
iste
ntly
pro
vide
dto
all
empl
oyee
sto
ens
ure
that
sec
urity
pol
icie
san
dpr
actic
esa
rein
stitu
tio
naliz
edth
roug
hout
an
orga
niza
tion
Man
ytim
esc
owor
kers
and
sup
ervi
sors
are
the
first
peo
ple
too
bser
vec
once
rnin
gbe
havi
ore
xhib
ited
by
mal
icio
usin
side
rs
Failu
reb
yco
wor
kers
or
othe
rsin
an
orga
niza
tion
tor
epor
tcon
cern
ing
beha
vior
was
ap
rim
ary
reas
onin
side
rsin
the
CERT
In
side
rTh
reat
Cas
eda
taba
sew
ere
able
tos
etu
por
car
ryo
utth
eir
atta
cks
USC
ISs
houl
dco
ntin
ueto
pro
vide
sec
urity
aw
aren
ess
trai
ning
toa
llem
ploy
ees
and
cont
ract
ors
acro
ssth
egl
obe
Thi
str
aini
ngs
houl
dbe
con
sis
tent
lya
pplie
dto
eac
hsi
tew
itha
con
sist
entm
essa
geo
fsec
urity
ofU
SCIS
peo
ple
sys
tem
sa
ndd
ata
Iti
sim
pera
tive
that
all
USC
ISe
mpl
oyee
sbe
re
spon
sibl
efo
rac
hiev
ing
the
mis
sion
ofU
SCIS
and
pro
tect
ing
the
criti
cala
sset
sto
the
high
este
xten
tpos
sibl
e
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sTr
aini
ngo
rSk
ills
Requ
ired
ofT
hose
in
App
oint
edS
ecu
rity
Rol
es
USC
ISL
eade
rshi
p
USC
ISh
asa
trai
ning
pro
cess
thro
ugh
anin
form
atio
nsy
stem
sse
curi
ty
man
ager
(ISS
M)
USC
ISr
elie
she
av
ilyo
nco
ntra
ctor
sto
pro
vide
ade
qu
atel
ytr
aine
dst
aff
Man
yIS
SOs
are
notw
ellv
erse
din
se
curi
ty
ISSO
sar
ecu
rren
tlyin
an
educ
atio
npr
oces
sb
utIS
SOs
are
typi
ca
llyn
ots
ecur
ityw
atch
dogs
ISSO
sm
usth
ave
prop
ertr
aini
ng
ino
rder
tok
eep
upw
ithth
eev
erc
hang
ing
info
rmat
ion
secu
ri
tye
nvir
onm
enta
ndto
be
able
to
dea
lwith
the
myr
iad
tech
no
logi
esa
ndto
ols
avai
labl
eto
th
em
App
ropr
iate
bud
get
shou
ldb
eal
loca
ted
forI
SSO
tr
aini
ngi
nclu
ding
ven
dor
spec
ific
trai
ning
(eg
M
cAfe
ean
dCi
sco)
and
indu
stry
spe
cific
tr
aini
ng(e
g
SAN
S)
CERT | SOFTWARE ENGINEERING INSTITUTE | 36
Ap
pen
dix
BH
um
anR
esou
rces
Empl
oyee
Issu
es
An
orga
niza
tionrsquo
sap
proa
chto
red
ucin
gin
side
rth
reat
sho
uld
focu
son
pro
activ
ely
man
agin
gem
ploy
eeis
sues
and
beh
avio
rs
This
con
cept
beg
ins
with
eff
ectiv
ehi
ring
pro
cess
esa
ndb
ackg
roun
din
vest
igat
ions
tos
cree
npo
tent
ialc
andi
date
sO
rgan
izat
ions
sho
uld
also
trai
nsu
perv
isor
sto
m
onito
ran
dre
spon
dto
beh
avio
rso
fcon
cern
by
curr
ente
mpl
oyee
sS
ome
case
sfr
omth
eCE
RTIn
sid e
rTh
reat
Cas
eda
taba
ser
evea
led
that
sus
pi
ciou
sac
tivity
was
not
iced
inth
ew
orkp
lace
but
not
act
edu
pon
Org
aniz
atio
nss
houl
des
tabl
ish
aw
ello
rgan
ized
and
pro
fess
iona
lmet
hod
for
hand
ling
nega
tive
empl
oym
enti
ssue
san
den
suri
ngth
ath
uman
res
ourc
epo
licy
viol
atio
nsa
rea
ddre
ssed
Org
aniz
atio
nali
ssue
sre
late
dto
func
tions
sha
red
byH
Ran
dse
curi
typ
erso
nnel
are
att
heh
eart
ofi
nsid
err
isk
man
agem
ent
Em
ploy
ees
cree
ning
an
dse
lect
ion
isv
italt
opr
even
ting
cand
idat
esw
ithk
now
nbe
havi
oral
ris
kfa
ctor
sfr
ome
nter
ing
the
orga
niza
tion
or
ifth
eyd
oe
nsur
ing
that
th
ese
risk
sar
eun
ders
tood
and
mon
itore
dC
lear
pol
icy
guid
elin
esa
ddre
ssin
gbo
thp
erm
itted
and
pro
hibi
ted
empl
oyee
beh
avio
rar
evi
talt
ori
sk
dete
ctio
nan
dm
onito
ring
and
cle
arr
equi
rem
ents
for
ensu
ring
em
ploy
eesrsquo
kno
wle
dge
ofth
ese
guid
elin
esa
ree
ssen
tialt
oth
eir
succ
ess
In
addi
tio
nr
epor
tso
fpol
icy
ques
tions
and
vio
latio
nsn
eed
tob
esy
stem
atic
ally
rec
orde
dso
that
man
agem
ent
HR
and
sec
urity
per
sonn
elc
ana
ppr
oach
cas
ede
cisi
ons
with
com
plet
eba
ckgr
ound
info
rmat
ion
Ana
lysi
sof
thes
ere
port
sac
ross
indi
vidu
als
and
depa
rtm
ents
can
sup
ply
vita
lkno
wle
dge
ofp
robl
ema
reas
bey
ond
indi
vidu
alc
ases
Re
latio
nshi
ps
inw
hich
HR
sec
urity
and
man
agem
entp
erso
nnel
col
labo
rate
as
educ
ator
san
dco
nsul
tant
sar
evi
talt
oea
rly
dete
ctio
nan
def
fect
ive
man
age
men
tofe
mpl
oyee
spo
sing
an
insi
der
risk
Th
ene
edfo
rcl
ear
polic
ies
com
plet
epe
rson
nelr
isk
data
and
clo
sem
anag
emen
tH
Rse
curi
tyc
olla
bo
ratio
nis
rar
ely
grea
ter
than
whe
nha
ndlin
gem
ploy
eete
rmin
atio
nis
sues
whe
ther
vol
unta
ryo
rin
volu
ntar
y
CERT
sug
gest
sen
hanc
emen
tsto
the
USC
ISh
irin
gan
dte
rmin
atio
npr
oces
ses
For
exa
mpl
eU
SCIS
sho
uld
cons
ider
add
ition
als
cree
ning
for
high
ri
skp
ositi
ons
suc
has
adj
udic
ator
sU
SCIS
sho
uld
als o
con
side
rbe
com
ing
mor
ein
volv
edin
vet
ting
Fore
ign
Serv
ice
Nat
iona
ls(F
SN)p
rior
tog
rant
CERT | SOFTWARE ENGINEERING INSTITUTE | 37
ing
them
acc
ess
toU
SCIS
cri
tical
sys
tem
san
dda
ta
Fina
llyU
SCIS
sho
uld
cons
ider
ado
ptin
gan
ent
erpr
ise
wid
eex
itpr
oced
ure
toe
nsur
eco
nsis
te
ntte
rmin
atio
nof
all
empl
oyee
san
dco
ntra
ctor
s
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sPr
eEm
ploy
men
tSc
reen
ing
USC
ISL
eade
rshi
p H
uman
Res
ourc
es
No
evid
ence
pro
vide
d
The
empl
oyee
scr
eeni
ngp
roce
ssla
cks
any
form
ofp
sych
olog
ical
scr
eeni
ng
for
ara
nge
ofp
ositi
ons
incl
udin
gad
ju
dica
tors
Five
per
cent
(18)
oft
hein
side
rs
inth
eCE
RTd
atab
ase
had
poss
ibl
eps
ycho
logi
cali
ssue
sU
SCIS
sh
ould
con
side
rin
clud
ing
psy
chol
ogic
alte
stin
gas
par
toft
h e
new
hir
epr
oces
sfo
rse
lect
pos
itio
nsi
nclu
ding
adj
udic
ator
s
Giv
enth
esi
gnifi
cant
soc
ialp
res
sure
son
adj
udic
ator
san
dth
ere
lativ
ela
cko
fmon
itori
ngfo
rin
side
rri
ski
tsee
ms
impo
rtan
tto
impr
ove
this
asp
ecto
fscr
een
ing
Hum
anR
esou
rces
App
lican
tsa
rea
ssig
ned
ara
ting
by
HR
the
ratin
gis
use
dto
ran
kap
pli
cant
s
Ther
eis
cur
rent
lyn
oau
ditl
ogth
at
wou
ldc
aptu
rein
stan
ces
inw
hich
so
meo
nein
HR
chan
ged
ara
ting
to
enab
les
omeo
neto
get
hir
edm
ore
easi
ly
USC
ISs
houl
dco
nsid
erim
ple
men
ting
ana
udit
log
totr
a ck
the
cand
idat
era
tings
and
ale
rtw
hen
cand
idat
era
tings
are
cha
nged
by
som
eone
inH
R
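One way to implement the audit log and alert suggested for candidate ratings, as an added example rather than a USCIS system: an append-only rating log is replayed to reconstruct each candidate's current rating and to raise an alert for every rating that was changed after it was first assigned, noting who changed it and whether the change raised the candidate. The record layout, account names and ratings are constructed.

```python
"""Append-only audit log for HR candidate ratings, with change alerting.

Constructed example, not a USCIS system. Entries are only ever appended;
the current rating and the alert list are both derived by replaying the log.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RatingEvent:
    seq: int            # monotonically increasing sequence number
    candidate_id: str
    actor: str          # HR account that wrote the rating
    rating: int         # higher rating ranks the candidate higher


class RatingAuditLog:
    """Append-only log; entries are never updated or deleted."""

    def __init__(self):
        self._events = []

    def append(self, candidate_id, actor, rating):
        event = RatingEvent(len(self._events) + 1, candidate_id, actor, rating)
        self._events.append(event)
        return event

    def events(self):
        return tuple(self._events)

    def current_ratings(self):
        """Latest rating per candidate, replayed from the log."""
        current = {}
        for event in self._events:
            current[event.candidate_id] = event.rating
        return current

    def change_alerts(self):
        """One alert per rating that differs from the candidate's previous
        rating: who changed it, from what, to what, and whether it was raised
        (the pattern the gap above describes). Re-saving the same value is
        not a change and raises no alert."""
        last_seen = {}
        alerts = []
        for event in self._events:
            prior = last_seen.get(event.candidate_id)
            if prior is not None and prior.rating != event.rating:
                alerts.append({
                    "seq": event.seq,
                    "candidate_id": event.candidate_id,
                    "changed_by": event.actor,
                    "previously_rated_by": prior.actor,
                    "old": prior.rating,
                    "new": event.rating,
                    "raised": event.rating > prior.rating,
                })
            last_seen[event.candidate_id] = event
        return alerts


def build_sample_log():
    """Constructed sample: one unchanged re-save, one rating raised by a
    different HR user, one rating lowered."""
    log = RatingAuditLog()
    log.append("C-201", "hr.alice", 72)
    log.append("C-202", "hr.alice", 85)
    log.append("C-203", "hr.bob", 64)
    log.append("C-201", "hr.alice", 72)   # re-saved unchanged: no alert
    log.append("C-203", "hr.carol", 91)   # raised by a different HR user: alert
    log.append("C-202", "hr.bob", 80)     # lowered: alert, raised=False
    return log


if __name__ == "__main__":
    for alert in build_sample_log().change_alerts():
        print("ALERT:", alert)
```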
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire.
Policy or Practice Gaps: PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires who have risk factors that do not cross adjudication guidelines for disqualification.
Suggested Countermeasures: USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: Each field office determines whether or not to meet an applicant face to face before hiring.
Policy or Practice Gaps: There was an impression at headquarters that nearly 100% of those hired by managers are interviewed, but representatives in Burlington, Vermont told us otherwise. This gap between perception (there is not a policy stating this must be done) and reality is of concern. There have been known instances in which applicants were only screened on paper or over the phone before being hired. Standard operating procedures are not followed at all field offices.
Suggested Countermeasures: USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: PERSEC vets federal employees and contractors (with a minimum background investigation). USCIS relies on the US Department of State to vet foreign national employees who work at embassies or consulates abroad.
Policy or Practice Gaps: FSNs in some instances are granted accounts on USCIS information systems. If FSNs need access to DHS systems (including USCIS), currently this access must be approved by the CSO and CIO for DHS. This practice was not always followed consistently in the past, so there may be FSNs who were granted access without all the current vetting and approvals.
Suggested Countermeasures: USCIS should consider becoming more involved in vetting of FSNs prior to granting them access to USCIS systems. In addition, USCIS should audit current FSNs with access to USCIS systems and ensure that appropriate vetting was performed.

Area of Concern: Candidate Certification Verification
Responsible Personnel: Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: USCIS does not have a standard procedure for verifying the certifications of job applicants.
Suggested Countermeasures: USCIS should consider implementing a step in the new hire process to verify certifications of all candidates. A few insiders documented in the CERT Insider Threat Case database were able to obtain positions in organizations by providing falsified certifications.

Area of Concern: Employee and Contractor Termination
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: Exit procedures are recently developed and in some cases still under development (i.e., formal exit procedures are expected to be released in 3 months).
Policy or Practice Gaps: This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment. It appears the responsibility for ensuring that employees and contractors are terminated rests solely with the manager. It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS.
Suggested Countermeasures: USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Area of Concern: Employee and Contractor Mandatory Drug Testing
Responsible Personnel: Human Resources
Policy and/or Security Measure: All federal positions are subject to drug testing, but only for new hires.
Policy or Practice Gaps: According to a USCIS Convictions Task Force investigation case, all contractor positions do not require drug testing.
Suggested Countermeasures: Fifteen insiders documented in the CERT Insider Threat Case database exhibited substance abuse. USCIS should consider implementing mandatory post-hire drug testing for all employees and contractors.

Appendix C: Physical Security

Field Offices
Access Following Termination
Security of Physical Case Files

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can also provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers. USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the national capital region (NCR) since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls. In addition, gaps in termination procedures have resulted in ongoing physical access following termination. Finally, issues concerning the security of physical case files should be considered as part of a USCIS risk management strategy.

Area of Concern: Physical Security of Field Offices
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: USCIS is in the process of putting a new access control system in place for the NCR. Before it does, it will disable access for anyone who has not used physical access in more than 12 months, as well as anyone no longer employed by USCIS. It also plans on examining all accounts that have not used physical access in more than 30 days. Security of field offices falls under the Field Security Division (FSD). The Office of Security and Integrity (OSI) recently developed an inspection workbook and is field testing it with FSD. USCIS Field Security Division is planning to put a security representative in every field office. It expects two to three times more reports of violations once it has a representative in every location.
Policy or Practice Gaps: Each USCIS facility has its own policies and access controls systems. Some field offices within USCIS have access control systems; others do not. Not all offices in the field have electronic access controls – some only have locks and keys. Not every USCIS site has a physical security representative. Where no representative is present, this responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner. Some managers track who accesses what when, and others do not. According to Physical Security in Vermont, only 20% of violations are being reported to security.
Suggested Countermeasures: Forty of the insiders documented in the CERT database took advantage of inadequate physical security to carry out their crimes. Electronic access controls provide logs that could be useful in investigations of illicit activity outside of normal working hours. USCIS should consider developing enterprise-wide physical security procedures, roll those out to each field office, and require a physical security representative at each site to ensure consistent enforcement of the policies. USCIS should consider prohibiting each field office from developing site-specific policies and removing enforcement control from each site.

Area of Concern: Physical Access Following Termination
Responsible Personnel: Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Suggested Countermeasures: In 10 cases documented in the CERT Insider Threat Case database the insider was able to attack following termination due to failure to notify security employees and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities. USCIS should consider automating the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to physical security so physical access can be disabled.

Area of Concern: No Two-Person Control
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Security guards at site locations have on occasion ignored door-propped-open alarms because theft has traditionally been a very small problem at USCIS.
Suggested Countermeasures: Consider consistent enforcement and investigation of USCIS physical security incidents. All alerts should be investigated and documented; if the alert is deemed unnecessary then it should be discontinued. All security violations should be tracked in a central repository so a complete history for each individual is available.

Area of Concern: After-Hours Access
Responsible Personnel: Physical Security
Policy and/or Security Measure: Authorized Access
Policy or Practice Gaps: Most access is 24 hours a day, 7 days a week –
Suggested Countermeasures: Twenty-nine of the insiders documented in the CERT database used physical access outside of normal working hours to attack. USCIS should consider implementing an access control system that grants access commensurate with the position an employee or contractor fills. If a position does not require access outside of normal working hours, the access control system should prohibit such access and log unsuccessful access attempts.

Area of Concern: Security of Physical Case Files
Responsible Personnel: Physical Security
Policy and/or Security Measure: Protection of USCIS Case File Data
Policy or Practice Gaps: Physical files were observed in crates stacked in the hallways in the Vermont Service Center. According to an interview at the Service Center, anyone could walk out with a "crate full" of files after hours, especially if you are a teleworker. USCIS assumes its case file data is secure because its employees and contractors have a clearance or have had a background check. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their office or desk. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they might leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information has been found in garbage cans in the hallway. Adjudicators pick up their cases in an envelope in their mailbox. During the site visit, the assessment team observed the mail room at the Vermont Service Center unattended between shifts (approximately 3 pm). When adjudicators finish with a file they return it to a drop-off spot. The assessment team observed those spots, which are in the open and unattended. Adjudicators may keep cases overnight and usually return them within 1 week.
Suggested Countermeasures: It is important to note that 49 insiders documented in the CERT database violated need-to-know policies in the commission of their crimes. Therefore relying on clearances alone can be very dangerous. Thirteen insiders documented in the CERT database stole physical property belonging to the organization. CERT suggests USCIS consider the consequences of theft or unauthorized access to physical case files and make a risk-based decision regarding potential policy and procedure changes. There are standard policies and procedures for handling sensitive information, but a strong educational campaign is needed to ensure the protection of data.

Area of Concern: Teleworkers at Service Centers
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: One hundred eighty-nine people at the Vermont Service Center are authorized to work from home. These employees pick up files at the Vermont Service Center and take them home. They work 2 days per week in the Service Center and 3 days per week at home. USCIS pays an unannounced visit to all homes to inventory the employees' files at least quarterly. These employees must have a locked facility in their home and must always have the ability to return the files to the Service Center within 4 hours.
Policy or Practice Gaps: The control of USCIS data when it leaves the Vermont Service Center is difficult to enforce. Employees must have appropriate storage facilities, but they could easily copy USCIS data and share it with unauthorized individuals.
Suggested Countermeasures: Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. It is important that USCIS recognize the potential for recruitment and the lack of control exercised over sensitive data at adjudicators' residences.

Appendix D: Business Processes

Technical Controls
Authorization via PICS
Account Management

A variety of cases from the CERT Insider Threat Case database document insider attacks where gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environments is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization. Because of the sensitive nature of the USCIS mission, some of its employees and contractors are targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE PICS system for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Area of Concern: Authorization for USCIS Critical Systems through PICS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Several critical USCIS systems are tied to PICS for authentication, which is administrated by the ICE. PICS logs account creations, when the accounts were created, what roles applied to the accounts, etc.
Policy or Practice Gaps: PICS permits users outside of USCIS to authorize users for any USCIS application tied to PICS. Two thousand local PICS officers (LPOs) in the ICE and USCIS can create new accounts in PICS for employees located at their sites. LPOs control access for sheriffs, petitioners, CBP, DOJ, TSA, DHS OIG, Terrorism Task Force, and others. Accounts are based on personnel records, so LPOs cannot create accounts for anyone who is not an employee at their site. However, PICS administrators can create accounts for anyone working at their site for any system tied to PICS.
Suggested Countermeasures: USCIS should consider implementing an authorization process and system that enables it to control who is granted access to USCIS systems and data. CERT suggests that USCIS validate current PICS accounts and roles against current employee lists. Ten percent (37) of the insiders documented in the CERT database had excessive privileges which enabled them to attack. In addition, "privilege creep" enabled a few (six) of the insiders documented in the CERT database to carry out their crimes.
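The two audits suggested on this page, validating accounts and roles against current employee lists (this row) and auditing current FSNs with system access for vetting and approvals (the Human Resources row above), as one added example that is not USCIS or PICS code. The roster, account export, position-to-role mapping and approval names are constructed assumptions.

```python
"""Reconcile authorization-system accounts against the current employee roster.

Constructed example, not USCIS or PICS code. It performs the audits suggested
on this page: accounts and roles are checked against the current employee
list (orphans, separated staff, site mismatches, roles beyond the position),
and foreign-national (FSN) accounts are checked for completed vetting and the
CSO/CIO approvals the Human Resources row describes.
"""

# Constructed roster export from the personnel system: user_id -> attributes.
ROSTER = {
    "u1001": {"status": "active", "site": "VSC", "position": "adjudicator", "fsn": False, "vetted": True},
    "u1002": {"status": "active", "site": "NCR", "position": "adjudicator", "fsn": False, "vetted": True},
    "u1003": {"status": "separated", "site": "VSC", "position": "adjudicator", "fsn": False, "vetted": True},
    "u2001": {"status": "active", "site": "Embassy-X", "position": "fsn_reader", "fsn": True, "vetted": True},
    "u2002": {"status": "active", "site": "Embassy-Y", "position": "fsn_reader", "fsn": True, "vetted": False},
}

# Constructed account export from the authorization system:
# user_id -> site the account was created at, granted roles, approvals on file.
ACCOUNTS = {
    "u1001": {"site": "VSC", "roles": {"adjudicator"}, "approvals": set()},
    "u1002": {"site": "NCR", "roles": {"adjudicator", "admin"}, "approvals": set()},  # extra role
    "u1003": {"site": "VSC", "roles": {"adjudicator"}, "approvals": set()},           # separated
    "u2001": {"site": "Embassy-X", "roles": {"reader"}, "approvals": {"CSO", "CIO"}},
    "u2002": {"site": "Embassy-Y", "roles": {"reader"}, "approvals": {"CSO"}},        # CIO missing
    "u9999": {"site": "VSC", "roles": {"adjudicator"}, "approvals": set()},           # not on roster
}

# Constructed mapping of position -> roles that position is expected to hold.
EXPECTED_ROLES = {
    "adjudicator": {"adjudicator"},
    "fsn_reader": {"reader"},
}
# Approvals an FSN account must carry, per the DHS practice described above.
REQUIRED_FSN_APPROVALS = {"CSO", "CIO"}


def reconcile_accounts(roster, accounts, expected_roles=EXPECTED_ROLES):
    """Return (user_id, finding) pairs for every account that needs review."""
    findings = []
    for user_id, account in sorted(accounts.items()):
        person = roster.get(user_id)
        if person is None:
            findings.append((user_id, "no matching personnel record"))
            continue
        if person["status"] != "active":
            findings.append((user_id, "account holder is no longer active"))
        if person["site"] != account["site"]:
            findings.append((user_id, "account created at a different site than the employee's"))
        extra = account["roles"] - expected_roles.get(person["position"], set())
        if extra:
            # Roles beyond what the position needs: the "privilege creep" pattern.
            findings.append((user_id, "roles beyond position: " + ", ".join(sorted(extra))))
        if person["fsn"]:
            if not person["vetted"]:
                findings.append((user_id, "FSN without completed vetting"))
            missing = REQUIRED_FSN_APPROVALS - account["approvals"]
            if missing:
                findings.append((user_id, "FSN missing approvals: " + ", ".join(sorted(missing))))
    return findings


if __name__ == "__main__":
    for user_id, finding in reconcile_accounts(ROSTER, ACCOUNTS):
        print(f"{user_id}: {finding}")
```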
Verification Information System (VIS)

Area of Concern: Sharing VIS Accounts
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: VIS administrators in external companies or agencies have been caught letting multiple employees use the same VIS account, but USCIS has no ability to take any action. The accounts enable employees to validate PII and citizenship information.
Suggested Countermeasures: Twenty-four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing accounts more difficult.

Area of Concern: Logging, Auditing, and Alerting in VIS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Modifications by VIS users to critical data are logged.

Computer Linked Application Information Management System (CLAIMS) 3 LAN

Area of Concern: Self-Selection of Adjudication Cases
Responsible Personnel: ISSOs, Data Owners
Policy and/or Security Measure: Adjudicators can self-select cases (according to an interview concerning an internal incident that occurred at the USCIS and interviews with data owners at the Vermont Service Center). Within the Service Centers, adjudicators have virtually unlimited access to applicant files—there are no need-to-know limitations or controls to prevent an adjudicator from accessing sensitive information and reporting it to outsiders or modifying a file (entering an invalid decision). Adjudicators can also approve a case that is not assigned to them. There is no tie between the case management system (i.e., National File Tracking System or NFTS) and the case adjudication system (i.e., CLAIMS).
Policy or Practice Gaps: In the internal case that occurred at USCIS, the perpetrator circumvented the interview process for 14 months – he approved "no show" cases. There were no controls to detect this. In addition, adjudicators can adjudicate any type of case even though they are each assigned certain types of benefits cases for adjudication.
Suggested Countermeasures: USCIS should consider implementing technical controls to prohibit adjudicators from self-selecting cases to adjudicate.
Emph
asis
on
Cus
tom
erS
ervi
ceO
ver
Risk
Dat
aO
wne
rs
No
evid
ence
pro
vide
d
One
inte
rvie
wee
att
heV
erm
ontD
ata
Cent
ers
aid
that
ldquost
atsrdquo
can
be
ast
rain
esp
ecia
llyfo
rne
wh
ires
al
thou
ghth
eyd
oge
ta9
0da
ygr
ace
peri
od
USC
ISs
houl
dus
eca
utio
nin
em
ph
asiz
ing
cust
omer
ser
vice
as
the
only
per
form
ance
met
ric
beca
use
this
cou
lde
ncou
rage
la
cko
fatt
entio
nto
ris
kre
late
dac
tiviti
es(s
uch
asa
ccur
ate
adju
di
catio
nde
cisi
ons)
Lack
ofS
epar
atio
nof
Dut
ies
in
CLA
IMS
ISSO
s D
ata
Ow
ners
In
form
atio
nTe
chno
logy
Curr
ently
all
decl
ined
req
uest
sfo
rbe
nefit
sar
ere
view
edb
ya
supe
rvi
sor
H
owev
ert
here
was
ad
iscr
ep
ancy
dur
ing
inte
rvie
ws
adj
udic
ator
ssa
idth
ats
uper
viso
rss
topp
edlo
okin
gat
all
deni
als
beca
use
they
are
too
busy
Su
perv
isor
sal
sor
ecei
vea
rep
orto
fal
ladj
udic
atio
nde
cisi
ons
ente
red
by
ana
djud
icat
orfo
ra
form
type
that
th
ead
judi
cato
rdo
esn
otn
orm
ally
ap
prov
e
Onl
ya
rand
oms
ampl
eof
app
rove
dad
judi
catio
nde
cisi
ons
isr
evie
wed
For
som
eca
ses
(for
inst
ance
vic
tims
case
s)a
sen
ior
adju
dica
tor
has
to
revi
ewth
ede
cisi
ona
fter
the
adju
dica
to
ren
ters
itt
hen
the
supe
rvis
orr
evi
ews
itT
his
isa
man
ually
enf
orce
dpr
oces
s
Ther
ew
asa
noth
erd
iscr
epan
cy
in
inte
rvie
ws
the
adju
dica
tors
sai
dth
at
USC
ISs
houl
dco
nsid
erim
ple
men
ting
auto
mat
edp
roce
sses
to
prev
enta
ndd
etec
tfra
ud
Man
ag
emen
tind
icat
edit
wou
ldli
ke
tos
eea
utom
ated
tech
nica
len
forc
emen
toft
her
evie
wa
nd
appr
oval
pro
cess
Inn
earl y
ten
perc
ent(
39)o
fthe
ca
ses
docu
men
ted
inth
eCE
RT
data
base
ins
ider
sto
oka
dvan
CERT | SOFTWARE ENGINEERING INSTITUTE | 52
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
s W
hen
adju
dica
tors
are
intr
aini
ng
they
are
und
er1
00
rev
iew
Th
ey
are
intr
aini
ngo
na
spec
ific
type
of
case
for
atle
ast6
mon
ths
A
uditi
ngfo
rim
prop
erly
gra
nted
be
nefit
sis
bas
edo
nsa
mpl
ing
and
or
blin
dqu
ality
ass
uran
ce(Q
A)a
ccor
din
gldquot
oA
rmy
stan
dard
srdquoa
fter
the
fact
A
rand
omly
sel
ecte
d30
cas
es
per
quar
ter
are
also
rev
iew
edb
yldquos
iste
rce
nter
srdquo
QA
pro
cess
var
ies
offic
eby
off
ice
(no
natio
nalp
roce
ss)
Th
isQ
Ah
asb
een
done
fort
hep
ast
year
and
ah
alf
Inth
eVe
rmon
tfie
ld
offic
ee
ach
supe
rvis
orp
ulls
atl
east
10
cas
esp
era
djud
icat
orp
erm
onth
Th
eyr
evie
wd
ecis
ion
rela
ted
issu
es
secu
rity
rel
ated
issu
esa
ndp
roce
du
rali
ssue
s(d
idth
eyfo
llow
the
righ
tst
eps
)T
hey
also
look
for
less
ons
lear
ned
The
pri
mar
ypu
rpos
eof
QA
is
toid
entif
yth
ene
edfo
rre
med
ial
trai
ning
rath
erth
and
elib
erat
efr
aud
So
me
case
sar
em
ore
than
10
00
page
ss
oev
ery
deta
ilca
nnot
be
prac
tical
lyr
evie
wed
for
ever
yca
se
cler
ksp
ullc
ases
ac
oupl
eof
tim
esp
er
mon
thndash
ac
erta
inn
umbe
rof
cas
es
per
empl
oyee
Th
ose
case
sar
epa
ssed
toQ
Aw
hor
evie
ws
the
case
s
QA
then
sen
dsfe
edba
ckto
the
supe
rvi
sor
and
adju
dica
tor
ifth
eyfi
nd
som
ethi
ngth
atd
oes
notl
ook
righ
t
tage
ofi
nsuf
ficie
nts
epar
atio
nof
du
ties
toc
arr y
out
thei
rcr
imes
U
SCIS
sho
uld
care
fully
con
side
rth
ebi
gges
tris
kto
the
orga
niza
tio
nM
any
ofth
eU
SCIS
em
pl
oyee
sin
terv
iew
edfo
rth
isa
sse
ssm
enti
dent
ified
the
prim
ary
risk
for
the
orga
niza
tion
asa
llo
win
gth
ene
xtte
rror
istt
oliv
ean
dw
ork
lega
llyin
the
Uni
ted
Stat
es
They
des
ire
assi
stan
cein
id
entif
ying
and
impl
emen
ting
inte
rnal
con
trol
sto
cou
nter
that
ri
sk
Aud
iting
eve
ryd
enie
dre
ques
tin
dica
tes
that
the
bigg
estr
isk
to
USC
ISis
toin
corr
ectly
den
ya
bene
fitto
an
appl
ican
trat
her
than
tog
rant
ab
enef
itto
som
eon
ew
hod
oes
notd
eser
veit
IfU
SCIS
agr
ees
that
gra
ntin
gle
gald
ocum
ents
toil
lega
lapp
lica
nts
iso
neo
fthe
big
gest
ris
ks
toth
eor
gani
zatio
nth
enit
sh
ould
con
side
rre
quir
ing
dual
CERT | SOFTWARE ENGINEERING INSTITUTE | 53
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sau
thor
izat
ion
for
thes
ead
judi
ca
tion
deci
sion
s
Lack
ofA
utom
ated
Ch
ecks
Dat
aO
wne
rs
Info
rmat
ion
Tech
nolo
gy
Verm
ontI
Tha
sdo
ned
ata
swee
ps
afte
rit
foun
dso
met
hing
sus
pici
ous
W
hen
itha
sdo
nes
oit
has
foun
dm
ore
ofth
esa
me
activ
ity
Ther
ear
eno
aut
omat
edc
heck
s(t
here
w
illb
ein
Tra
nsfo
rmat
ion)
Chec
ksth
atd
oex
ista
rem
anag
eda
tth
elo
call
evel
rat
her
than
ale
rtin
gto
th
ehe
adqu
arte
rsle
vel
Inn
early
twen
tyf
ive
perc
ent
(91)
ofc
ases
doc
umen
ted
inth
eCE
RTIn
side
rTh
reat
Cas
eda
ta
base
the
insi
der
was
abl
eto
ca
rry
outt
hec
rim
ebe
caus
eof
in
adeq
uate
aud
iting
ofc
ritic
al
proc
esse
sin
28
case
sit
was
be
caus
eof
inad
equa
tea
uditi
ng
ofir
regu
lar
proc
esse
sI
n29
of
the
case
sth
eor
gani
zatio
nha
dre
peat
edin
cide
nts
ofa
sim
ilar
natu
re
Aut
omat
eds
crip
tsa
re
ane
xcel
lent
mec
hani
smfo
rde
te
ctin
gsu
spic
ious
tran
sact
ions
as
wel
las
hone
stm
ista
kes
U
SCIS
sho
uld
cons
ider
afo
rmal
pr
oces
sfo
ran
alyz
ing
the
OSI
rsquos
findi
ngs
and
deve
lopi
nga
uto
mat
edc
heck
sth
ata
rer
olle
dou
tna
tiona
lly
Phys
ical
Sec
urit
yof
Ca
seF
iles
Dat
aO
wne
rs
Adj
udic
ator
s
No
evid
ence
pro
vide
d
The
NFT
Str
acks
mill
ions
off
iles
It
was
des
crib
edh
owev
era
sa
very
la
rge
war
ehou
sew
here
file
sdo
occ
a
Ten
perc
ent(
40)o
fthe
insi
ders
do
cum
ente
din
the
CERT
dat
aba
sec
arri
edo
utth
eir
crim
esb
y
CERT | SOFTWARE ENGINEERING INSTITUTE | 54
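The Self-Selection, Separation of Duties and Automated Checks rows above all point at the same missing control: nothing joins the case-management record (who a case is assigned to, whether an interview is required) to the adjudication record (who decided it, how). The script below is an added example, not USCIS or CERT code, of the kind of automated check the report recommends; it runs over constructed assignment and decision records, and the field names, adjudicator IDs and form types are hypothetical.

```python
"""Automated separation-of-duties check for adjudication records.

Added example, not USCIS or CERT code. It joins two constructed record sets:
case assignments as a case-management system (the report's NFTS) would hold
them, and decisions as an adjudication system (CLAIMS) would record them.
Field names, adjudicator IDs and form types are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Assignment:
    case_id: str
    form_type: str
    assigned_to: str            # adjudicator the case was assigned to
    interview_required: bool


@dataclass(frozen=True)
class Decision:
    case_id: str
    form_type: str
    decided_by: str             # adjudicator who entered the decision
    outcome: str                # "APPROVED" or "DENIED"
    interview_held: bool
    reviewed_by: Optional[str]  # supervisor or senior adjudicator, if any


# Constructed reference data: form types each adjudicator is assigned to work,
# and adjudicators still in training (the report says trainees are under
# 100 percent review).
ASSIGNED_FORM_TYPES: Dict[str, Set[str]] = {
    "adj01": {"FORM-A"},
    "adj02": {"FORM-B"},
    "adj03": {"FORM-A", "FORM-B"},
}
IN_TRAINING: Set[str] = {"adj02"}


def check_decisions(assignments: List[Assignment],
                    decisions: List[Decision]) -> List[Tuple[str, str]]:
    """Return (case_id, finding) pairs for decisions that break a control."""
    by_case = {a.case_id: a for a in assignments}
    findings = []
    for d in decisions:
        a = by_case.get(d.case_id)
        if a is None:
            # No tie between case management and adjudication: the decision
            # has no assignment record at all.
            findings.append((d.case_id, "NO_ASSIGNMENT_RECORD"))
            continue
        if d.decided_by != a.assigned_to:
            # Self-selection / approving a case assigned to someone else.
            findings.append((d.case_id, "DECIDED_BY_UNASSIGNED_ADJUDICATOR"))
        if d.form_type not in ASSIGNED_FORM_TYPES.get(d.decided_by, set()):
            # Adjudicating a type of case outside the adjudicator's assignment.
            findings.append((d.case_id, "FORM_TYPE_OUTSIDE_ASSIGNMENT"))
        if a.interview_required and d.outcome == "APPROVED" and not d.interview_held:
            # The "no show" pattern: approval although the required interview
            # never took place.
            findings.append((d.case_id, "APPROVED_WITHOUT_REQUIRED_INTERVIEW"))
        if d.decided_by in IN_TRAINING and d.reviewed_by is None:
            findings.append((d.case_id, "TRAINEE_DECISION_NOT_REVIEWED"))
        if d.outcome == "DENIED" and d.reviewed_by is None:
            # Policy says every denial is reviewed by a supervisor.
            findings.append((d.case_id, "DENIAL_NOT_REVIEWED"))
    return findings


def findings_by_adjudicator(decisions: List[Decision],
                            findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per adjudicator, the view a supervisor report would need."""
    who = {d.case_id: d.decided_by for d in decisions}
    counts: Dict[str, int] = {}
    for case_id, _ in findings:
        counts[who[case_id]] = counts.get(who[case_id], 0) + 1
    return counts


# Constructed sample records.
SAMPLE_ASSIGNMENTS = [
    Assignment("C-1001", "FORM-A", "adj01", True),
    Assignment("C-1002", "FORM-B", "adj02", False),
    Assignment("C-1003", "FORM-B", "adj03", True),
    Assignment("C-1004", "FORM-A", "adj03", False),
]
SAMPLE_DECISIONS = [
    Decision("C-1001", "FORM-A", "adj01", "APPROVED", True, None),    # clean
    Decision("C-1002", "FORM-B", "adj02", "APPROVED", False, None),   # trainee, unreviewed
    Decision("C-1003", "FORM-B", "adj01", "APPROVED", False, None),   # self-selected "no show"
    Decision("C-1004", "FORM-A", "adj03", "DENIED", False, "sup01"),  # denial reviewed: clean
    Decision("C-1005", "FORM-B", "adj03", "APPROVED", False, None),   # no assignment record
]

if __name__ == "__main__":
    found = check_decisions(SAMPLE_ASSIGNMENTS, SAMPLE_DECISIONS)
    for case_id, finding in found:
        print(case_id, finding)
    print(findings_by_adjudicator(SAMPLE_DECISIONS, found))
```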
Area of Concern: Disabling Access to CLAIMS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Currently, every month USCIS compares the Human Resources attrition list against the C3LAN account list and disables inactive employee accounts.
Policy or Practice Gaps: The new HR form has not been socialized or widely advertised. It is up to the COTRs and supervisors to consistently request that access be disabled when an employee or contractor no longer needs access.
Suggested Countermeasures: ...the same applicant. C3LAN will be retired as part of Transformation. C4 will also be retired. A copy of security controls and requirements has been provided by C3LAN data owners to Transformation. It is important for the Transformation team to make risk-based decisions in Transformation design and development.

Area of Concern: Non-Attribution for DBA Accounts
Responsible Personnel: Information Technology
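The monthly comparison of the HR attrition list against the account list, described in the Disabling Access to CLAIMS row above, is easy to automate and to extend to the two cases the row flags as gaps: accounts with no HR record at all (contractors, whose removal depends on a COTR remembering to ask) and accounts that simply went quiet. The following is an added example, not USCIS code; the record layouts, dates and user IDs are constructed.

```python
"""Monthly reconciliation of an application account list against HR records.

Added example, not USCIS code. It models the report's monthly comparison of
the HR attrition list against the C3LAN account list with constructed data;
the record layouts, dates and user IDs are hypothetical.
"""
from datetime import date
from typing import Dict, List, Tuple


def reconcile(accounts: List[dict], hr: Dict[str, dict], attrition: set,
              today: date, inactive_days: int = 60) -> List[Tuple[str, str]]:
    """Return (account, action) pairs for the accounts that need attention.

    accounts:  [{"account": str, "owner": str, "enabled": bool,
                 "last_login": date or None}]
    hr:        owner -> {"status": "ACTIVE" or "SEPARATED",
                         "separated_on": date or None}
    attrition: owners on this month's HR attrition list
    """
    actions = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                       # already disabled, nothing to do
        owner = acct["owner"]
        rec = hr.get(owner)
        if rec is None:
            # Contractor or orphaned account with no HR record: the COTR or
            # supervisor has to confirm it is still needed.
            actions.append((acct["account"], "NO_HR_RECORD_REVIEW"))
            continue
        if owner in attrition or rec["status"] == "SEPARATED":
            # Record how long the account outlived the separation; this is
            # the timeliness figure a monthly cycle cannot get below ~30 days.
            sep = rec.get("separated_on")
            lag = (today - sep).days if sep else None
            actions.append((acct["account"], f"DISABLE_SEPARATED lag_days={lag}"))
            continue
        last = acct["last_login"]
        if last is None or (today - last).days > inactive_days:
            # The attrition list misses people who simply stopped using the
            # system, so inactivity is checked separately.
            actions.append((acct["account"], "DISABLE_INACTIVE"))
    return actions


def max_separation_lag(actions: List[Tuple[str, str]]) -> int:
    """Largest number of days a separated owner's account stayed enabled."""
    lags = [int(a.split("lag_days=")[1]) for _, a in actions
            if a.startswith("DISABLE_SEPARATED") and not a.endswith("None")]
    return max(lags, default=0)


# Constructed sample data for a review run on 2010-10-01.
TODAY = date(2010, 10, 1)
SAMPLE_ACCOUNTS = [
    {"account": "c3lan-alice", "owner": "E100", "enabled": True, "last_login": date(2010, 9, 30)},
    {"account": "c3lan-bob", "owner": "E200", "enabled": True, "last_login": date(2010, 8, 20)},
    {"account": "c3lan-carol", "owner": "E300", "enabled": True, "last_login": date(2010, 6, 1)},
    {"account": "c3lan-ctr-dan", "owner": "K900", "enabled": True, "last_login": date(2010, 9, 29)},
    {"account": "c3lan-erin", "owner": "E400", "enabled": False, "last_login": None},
    {"account": "c3lan-frank", "owner": "E500", "enabled": True, "last_login": date(2010, 9, 28)},
]
SAMPLE_HR = {
    "E100": {"status": "ACTIVE", "separated_on": None},
    "E200": {"status": "SEPARATED", "separated_on": date(2010, 8, 15)},
    "E300": {"status": "ACTIVE", "separated_on": None},
    "E400": {"status": "SEPARATED", "separated_on": date(2010, 7, 1)},
    "E500": {"status": "SEPARATED", "separated_on": date(2010, 9, 24)},
}
SAMPLE_ATTRITION = {"E500"}   # this month's attrition list; E200 was missed earlier

if __name__ == "__main__":
    acts = reconcile(SAMPLE_ACCOUNTS, SAMPLE_HR, SAMPLE_ATTRITION, TODAY)
    for account, action in acts:
        print(account, action)
    print("worst separation lag (days):", max_separation_lag(acts))
```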
Area of Concern: Pending Reduction in Force for Data Entry Clerks
Responsible Personnel: Data Owners; Human Resources
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Data entry clerks will be losing their jobs when they move to LockBox, which will take over the functionality of accepting remittances for benefit applicants. It was stated that the data entry clerks might be hired away to work at the organization which performs that function.
Suggested Countermeasures: USCIS should be aware of the increased insider risk in the face of negative organizational events like this. It should consider proactive steps to decrease stress in the workplace and to ease potential financial burdens that could make employees more susceptible to recruitment by outsiders.

Area of Concern: Sharing Accounts in CLAIMS
Responsible Personnel: Data Owners; Information Technology; Data Entry Clerks
Policy and/or Security Measure: The NFTS will not let clerks log in if they have not used the system for a certain number of days.
Policy or Practice Gaps: A clerk's cubemate will log in for their cubemate if it is the end of the day and IT has gone home for the day.
Suggested Countermeasures: Twenty-four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make account sharing more difficult.
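The cubemate login described in the Sharing Accounts in CLAIMS row leaves a trace even without stronger authentication: the shared account appears on a workstation that is normally someone else's, and often while the real owner is still logged in elsewhere. The script below is an added example, not USCIS code, of surfacing those two indicators from application login records; the log format, user names and host names are constructed.

```python
"""Indicators of account sharing in application login records.

Added example, not USCIS code. It runs two checks over constructed login
records for a system such as the report's CLAIMS/NFTS: a session for an
account on a workstation that is usually another account's, and two
concurrent sessions for one account on different workstations. Log format,
user names and host names are hypothetical.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^(\S+) (LOGIN|LOGOUT) user=(\S+) host=(\S+)$")

Session = Tuple[str, datetime, Optional[datetime]]  # host, start, end (None = still open)


def parse_sessions(lines: List[str]) -> Dict[str, List[Session]]:
    """Pair LOGIN/LOGOUT events per (user, host) into sessions."""
    open_sessions: Dict[Tuple[str, str], datetime] = {}
    sessions: Dict[str, List[Session]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in another format
        ts, event, user, host = m.groups()
        t = datetime.fromisoformat(ts)
        if event == "LOGIN":
            open_sessions[(user, host)] = t
        else:
            start = open_sessions.pop((user, host), None)
            if start is not None:
                sessions[user].append((host, start, t))
    for (user, host), start in open_sessions.items():   # still open at end of log
        sessions[user].append((host, start, None))
    return dict(sessions)


def _overlap(s1, e1, s2, e2) -> bool:
    end1 = e1 or datetime.max
    end2 = e2 or datetime.max
    return s1 < end2 and s2 < end1


def find_sharing_indicators(sessions: Dict[str, List[Session]]):
    """Return (user, indicator, detail, when) tuples for a reviewer."""
    # Each account's usual workstation is the host it logs in from most often;
    # invert that to learn whose workstation each host normally is.
    usual = {u: Counter(h for h, _, _ in s).most_common(1)[0][0] for u, s in sessions.items()}
    host_owner = {h: u for u, h in usual.items()}
    findings = []
    for user, sess in sessions.items():
        for host, start, _ in sess:
            owner = host_owner.get(host)
            if owner is not None and owner != user:
                findings.append((user, "SESSION_ON_ANOTHER_ACCOUNTS_WORKSTATION", host, start))
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                h1, s1, e1 = sess[i]
                h2, s2, e2 = sess[j]
                if h1 != h2 and _overlap(s1, e1, s2, e2):
                    findings.append((user, "CONCURRENT_SESSIONS_DIFFERENT_HOSTS",
                                     f"{h1}+{h2}", max(s1, s2)))
    return findings


# Constructed sample: at the end of the day clerk08 logs in as clerk07 at
# WS-08 (the cubemate pattern) while clerk07 is still logged in at WS-07.
SAMPLE_LOG = """
2010-10-04T08:01:00 LOGIN user=clerk07 host=WS-07
2010-10-04T08:03:00 LOGIN user=clerk08 host=WS-08
2010-10-04T12:00:00 LOGOUT user=clerk07 host=WS-07
2010-10-04T12:05:00 LOGOUT user=clerk08 host=WS-08
2010-10-04T13:00:00 LOGIN user=clerk07 host=WS-07
2010-10-04T13:02:00 LOGIN user=clerk08 host=WS-08
2010-10-04T16:50:00 LOGIN user=clerk07 host=WS-08
2010-10-04T17:00:00 LOGOUT user=clerk07 host=WS-07
2010-10-04T17:05:00 LOGOUT user=clerk08 host=WS-08
2010-10-04T17:30:00 LOGOUT user=clerk07 host=WS-08
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_sharing_indicators(parse_sessions(SAMPLE_LOG)):
        print(*finding)
```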
Fraud Detection and Naturalization System - Data System (FDNS-DS)

Area of Concern: Elevated Privileges to FDNS-DS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: The FDNS-DS is a central repository of fraud and national security investigations. This system holds applicants and petitioners as well as PII. There is also a national security tab...
Policy or Practice Gaps: ...but there are no national controls to ensure that celebrities' files are not being accessed. There is a large superuser community, more than thirty percent of all FDNS-DS users, with access to the FDNS-DS. These accounts have extensive power; a malicious superuser can completely delete a record or modify the summary of findings.
Suggested Countermeasures: Ten percent (39) of the insiders documented in the CERT database took advantage of insufficient access controls. USCIS should consider reducing the number of privileged accounts with access to the FDNS-DS. If the number of superuser accounts were reduced, then enhanced auditing could be employed on transactions conducted using those accounts.

Area of Concern: No Logging of Transactions
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.

Area of Concern: Unknown Connections to ...
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.

Area of Concern: Failure to Address Known Security Vulnerabilities
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no automated patching because of the age of the servers and the application. Only critical patches are applied, for fear of crashing the servers.
Suggested Countermeasures: Thirteen insiders in the CERT database exploited known security vulnerabilities that were not addressed by the organization. USCIS should consider upgrading the FDNS-DS, since these vulnerabilities increase the risk of attack from outside and inside.

Area of Concern: Production Data Available to Contractors in Development
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: CSC has production data in the development environment even though it should not have access to production data.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the remote contractor-owned development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.

Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Developers cannot release new executables; a separate system administrator has to push them out.
Policy or Practice Gaps: Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of lack of adequate configuration management. USCIS has a formal configuration management process. It is important to enforce its use for all employees and contractors. Otherwise, it will be extremely difficult to investigate a crime committed using flaws intentionally injected into source code by a contractor.
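The Elevated Privileges row above recommends two linked steps for the FDNS-DS: shrink the superuser community and then audit the transactions those accounts perform. The script below is an added example, not USCIS code, that does the bookkeeping for both from a user roster and a transaction log: it measures the superuser share, isolates the two high-impact actions the row names (deleting a record, modifying a summary of findings), flags such actions by accounts that should not have the privilege, and lists superusers who never used it and so are demotion candidates. The roster, log format, role and action names are constructed.

```python
"""Privileged-account review for a case repository with a large superuser community.

Added example, not USCIS code. From a constructed user roster and a constructed
transaction log it reports the superuser share, the high-impact actions only
superusers should be able to perform (deleting a record, modifying a summary
of findings), any such action by a non-superuser, and superusers who never
used that power in the window. Roles, action names and user IDs are hypothetical.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

HIGH_IMPACT = {"DELETE_RECORD", "MODIFY_SUMMARY_OF_FINDINGS"}

# Constructed roster: user -> role (4 of 10 users are superusers).
ROSTER: Dict[str, str] = {
    "u01": "superuser", "u02": "superuser", "u03": "superuser", "u04": "superuser",
    "u05": "analyst", "u06": "analyst", "u07": "analyst", "u08": "analyst",
    "u09": "analyst", "u10": "analyst",
}

# Constructed transaction log: (timestamp, user, action, record).
Event = Tuple[str, str, str, str]
LOG: List[Event] = [
    ("2010-09-01T09:00:00", "u05", "VIEW_RECORD", "R-100"),
    ("2010-09-01T09:10:00", "u01", "VIEW_RECORD", "R-100"),
    ("2010-09-02T14:30:00", "u01", "MODIFY_SUMMARY_OF_FINDINGS", "R-100"),
    ("2010-09-03T11:00:00", "u02", "DELETE_RECORD", "R-207"),
    ("2010-09-03T11:05:00", "u03", "VIEW_RECORD", "R-207"),
    ("2010-09-04T16:45:00", "u06", "VIEW_RECORD", "R-311"),
    ("2010-09-05T08:20:00", "u02", "DELETE_RECORD", "R-312"),
    ("2010-09-06T10:00:00", "u07", "DELETE_RECORD", "R-400"),   # analyst, should be impossible
]


def superuser_share(roster: Dict[str, str]) -> float:
    """Fraction of all accounts holding the superuser role."""
    supers = sum(1 for role in roster.values() if role == "superuser")
    return supers / len(roster)


def high_impact_actions(log: List[Event]) -> Dict[str, List[Tuple[str, str, str]]]:
    """High-impact transactions grouped by user: the set to audit closely."""
    out: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for ts, user, action, record in log:
        if action in HIGH_IMPACT:
            out[user].append((ts, action, record))
    return dict(out)


def unexpected_privilege(log: List[Event], roster: Dict[str, str]) -> List[Event]:
    """High-impact actions by accounts that are not superusers in the roster."""
    return [e for e in log if e[2] in HIGH_IMPACT and roster.get(e[1]) != "superuser"]


def demotion_candidates(log: List[Event], roster: Dict[str, str]) -> Set[str]:
    """Superusers who performed no high-impact action in the log window."""
    used = {user for _, user, action, _ in log if action in HIGH_IMPACT}
    return {u for u, role in roster.items() if role == "superuser" and u not in used}


def privilege_report(log: List[Event], roster: Dict[str, str]) -> dict:
    return {
        "superuser_share": superuser_share(roster),
        "high_impact_by_user": {u: len(v) for u, v in high_impact_actions(log).items()},
        "unexpected_privilege": unexpected_privilege(log, roster),
        "demotion_candidates": sorted(demotion_candidates(log, roster)),
    }

if __name__ == "__main__":
    for key, value in privilege_report(LOG, ROSTER).items():
        print(f"{key}: {value}")
```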
Appendix E: Incident Response

Incident Management
Security Awareness
Concerning Behaviors

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complexity and widely distributed function creates a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Because of this, it is practically impossible for USCIS to implement a proactive program to mitigate insider threat. CERT strongly recommends that USCIS create a central repository of employee misconduct so it can detect indicators of increasing insider threat risk and mitigate them as quickly as possible.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.
Area of Concern: Lack of Central Repository of Employee Misconduct
Responsible Personnel: USCIS Leadership; Physical Security; Office of Security and Integrity
Policy and/or Security Measure: If Field Security receives a Significant Incident Report (SIR), then it investigates. Employee misconduct is then reported to the Office of Security and Integrity (OSI). If the OSI investigation substantiates an employee's misconduct, it provides Counterintelligence (CI) a monthly report. It also provides the employee's management a copy. CI is starting to get more reports of acceptable use violations and security violations. It tracks everything in a file for later use in reinvestigations. Labor Employee Relations (LER) has a record of the reports it receives of misconduct, complaints against an employee, rule violations, and so on. HR maintains the Official Personnel File, which contains records of suspensions, etc. LER contacts HR only for those types of actions. The OSI evaluates all complaints it receives and logs them into the case management system. It assigns them to a field office. At that point, any complaints are the responsibility of the special agent in charge at the field office. The field office investigates and sends the case for corrective action to the regional director in the chain of command, and then the regional director returns a management report of action to the special agent in charge. The OSI contacts the DHS OIG for potentially criminal behavior or serious misconduct. If the DHS OIG turns the case down, then it is sent to the field office or to law enforcement. The Personnel Security division (PERSEC) notifies the OSI monthly of arrests (tracked in the case management system) and the OSI notifies PERSEC of investigations.
Policy or Practice Gaps: There is no single place to go for an employee's disciplinary records. The number of organizations involved and management of records is very complex and distributed throughout the organization. According to Physical Security, the field office does not tell the OSI about problems; the OSI finds out when it "hits the press". For example, the OSI is not informed of a disgruntled system administrator who is exhibiting concerning behaviors.
Suggested Countermeasures: USCIS should consider requiring mandatory reporting of all incidents to the OSI. This communication stream will allow the OSI to get involved as early as possible and to document and maintain a central repository of all incidents. This central repository is critical for adequately managing insider threats in USCIS.

Area of Concern: Tracking of Online Incidents
Responsible Personnel: Information Technology
Policy and/or Security Measure: Computer or network violation incidents are tracked by a Remedy system tied to a unique computer identifier rather than a user, in an attempt to keep PII out of the ticket.
Policy or Practice Gaps: It is difficult to tie an event to a particular person. Even if the identity of an offender is known, repeat offenders are not tracked in any automated or correlated way.
Suggested Countermeasures: USCIS should consider including user information for each incident so that repeat offenders can be easily identified, as repeat offenses could indicate an insider of higher risk.

Area of Concern: Consistency in Response to Security Violations and Concerning Behaviors
Responsible Personnel: USCIS Leadership; Human Resources; Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no required training for supervisors on how to respond to a range of behaviors associated with many forms of insider risk. Computer use violations are not handled consistently across departments, supervisors, and type of employee. Egregious violations are referred to the OSI for a full investigation, but the criterion for deciding when that is warranted is a gut reaction.
Suggested Countermeasures: Eighty-one of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors prior to or while carrying out their criminal activities. Employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and deterrence of insider actions.

Area of Concern: U.S. Department of State Investigations
Responsible Personnel: Office of Security and Integrity
Policy or Practice Gaps: OSI investigations have been subject to allegations of violations involving Foreign Service Nationals (FSN), but the OSI relies on the U.S. Department of State to investigate. USCIS has no visibility into U.S. Department of State investigations.
Suggested Countermeasures: FSNs who have access to USCIS systems and data should be included in an insider threat risk mitigation strategy.

Area of Concern: Preparation for Negative Work-Related Events
Responsible Personnel: USCIS Leadership; Human Resources; Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There do not appear to be any guidelines, training, or personnel available to evaluate employee insider risk before or after frequently precipitating events such as termination, demotions, transfers, or other disappointments or unmet expectations. There also does not appear to be a group charged with evaluating insider risk from organizational events or developments affecting groups of employees, such as relocations, contract changes, layoffs, and reorganizations.
Suggested Countermeasures: Fifty-five insiders documented in the CERT Insider Threat Case database had negative employment issues. Ninety-four had a change in employment status prior to their attacks, 20 had compensation or benefit issues, and 65 were disgruntled. Supervisors should be trained in these risk indicators. There should also be an available panel of specialists from the OSI or Labor Employee Relations (LER) trained to assess such risk. Similar specialists should be available to participate in planning and execution of response plans in preparation for negative workplace events that potentially could lead to disgruntlement among the workforce at USCIS.

Area of Concern: Contractor Management
Responsible Personnel: USCIS Leadership; Physical Security; Human Resources
Policy and/or Security Measure: Personnel screening procedures for contractors are similar to those for employees. Contracting companies are required to report any adverse information regarding their employees immediately (in all contracts).
Policy or Practice Gaps: LER has no involvement with contractors. They have no record of contractor misbehaviors or complaints against contractors. Supervisors, the OSI, LER, and others concerned with organizational security may be largely unaware of insider risks related to contractors. Contractors are not subject to government monitoring or risk assessment. A contractor on a critical system may develop or have significant insider risk factors that may remain unknown to government employees due to lack of reporting requirements.
Suggested Countermeasures: Sixty-two of the insiders documented in the CERT Insider Threat Case database were contractors. USCIS contract management staff should consider the need for reporting a range of potential indicators of insider risk among contract staff. Incident response plans should include response to employee and contractor issues.

Area of Concern: Employee or Contractor Concerning Behavior
Responsible Personnel: USCIS Leadership; Human Resources; Physical Security; Office of Security and Integrity; Labor Employee Relations
Policy and/or Security Measure: By policy it is every employee's responsibility to report suspicious behavior or misconduct. Supervisors who observe concerning or suspicious behavior report it to LER or the OSI. For low-level misconduct, LER advises the field office management on handling the matter. LER reports more serious misconduct with more severe consequences to HR. Misconduct can also be reported via Significant Incident Reports (SIRs). SIRs are sent to Physical Security or to the OSI for investigation. If CI discovers something suspicious during a reinvestigation, it informs the employee's supervisor. The supervisor works with LER and counsel to decide on follow-up actions.
Policy or Practice Gaps: Self-reported drug use, arrest, and associations with foreign nationals during employment are sent to the OSI. The OSI sends results to the supervisor following investigation.
Suggested Countermeasures: Supervisors need to be notified immediately when an employee reports drug use, arrests, or association with foreign nationals, so they have an accurate perception of the risk associated with each of their employees. In addition, 18 of the insiders documented in the CERT Insider Threat Case database had possible psychological issues. In collaboration with the OSI and LER, supervisors confronting employees who display concerning behaviors should have the ability to remove them from the workforce pending a medical or psychological evaluation to determine whether they have a disorder or illness that may impair their trustworthiness or judgment or make them a danger to themselves or others. Similarly, empowering supervisors to make an employee assistance program referral and evaluation mandatory, in collaboration with LER or the OSI, might help remove at-risk individuals from the workforce until they can safely and securely return.
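The Tracking of Online Incidents row above describes tickets keyed to a computer identifier rather than a user, which keeps PII out of the ticket but makes repeat offenders invisible. The join needed to recover the user can be done at review time from interactive logon records, without storing the identity in the ticket itself. The script below is an added example, not USCIS code; the tickets, logon records, computer IDs and user names are constructed.

```python
"""Attributing computer-keyed incident tickets to users and finding repeat offenders.

Added example, not USCIS code. The report says online violation tickets are
keyed to a computer identifier rather than a user; this joins such tickets to
constructed interactive logon records so the same person showing up on
several machines is counted once. Ticket fields, computer IDs and user
names are hypothetical.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed tickets as an incident system keyed by computer would hold them.
TICKETS = [
    {"ticket": "INC-0001", "computer_id": "WS-0042", "opened": "2010-09-14T10:12:00", "category": "acceptable-use"},
    {"ticket": "INC-0002", "computer_id": "WS-0017", "opened": "2010-09-21T15:40:00", "category": "acceptable-use"},
    {"ticket": "INC-0003", "computer_id": "WS-0042", "opened": "2010-09-28T09:05:00", "category": "unauthorized-software"},
    {"ticket": "INC-0004", "computer_id": "WS-0099", "opened": "2010-09-29T23:10:00", "category": "acceptable-use"},
]

# Constructed interactive logon records: (computer_id, user, logon, logoff).
LOGONS = [
    ("WS-0042", "jdoe",   "2010-09-14T07:58:00", "2010-09-14T17:02:00"),
    ("WS-0017", "jdoe",   "2010-09-21T13:00:00", "2010-09-21T16:30:00"),  # jdoe at a colleague's desk
    ("WS-0017", "asmith", "2010-09-21T08:00:00", "2010-09-21T12:45:00"),
    ("WS-0042", "rlee",   "2010-09-28T08:30:00", "2010-09-28T17:00:00"),
    ("WS-0099", "asmith", "2010-09-29T08:10:00", "2010-09-29T17:20:00"),  # nobody logged on at 23:10
]


def _dt(s: str) -> datetime:
    return datetime.fromisoformat(s)


def attribute_ticket(ticket: dict, logons) -> Optional[str]:
    """Return the user whose logon session on that computer covers the ticket time."""
    opened = _dt(ticket["opened"])
    for computer_id, user, logon, logoff in logons:
        if computer_id == ticket["computer_id"] and _dt(logon) <= opened <= _dt(logoff):
            return user
    return None   # no session covers it: stays unattributed and needs manual follow-up


def attribute_all(tickets, logons) -> List[Tuple[str, Optional[str]]]:
    return [(t["ticket"], attribute_ticket(t, logons)) for t in tickets]


def repeat_offenders(tickets, logons, min_count: int = 2) -> Dict[str, int]:
    """Users attributed to at least min_count tickets, regardless of computer."""
    counts = Counter(u for _, u in attribute_all(tickets, logons) if u is not None)
    return {u: n for u, n in counts.items() if n >= min_count}


def per_computer_counts(tickets) -> Dict[str, int]:
    """What the computer-keyed view alone shows: two tickets on WS-0042 were
    two different people, and jdoe's two tickets are on different machines."""
    return dict(Counter(t["computer_id"] for t in tickets))

if __name__ == "__main__":
    print(attribute_all(TICKETS, LOGONS))
    print("repeat offenders:", repeat_offenders(TICKETS, LOGONS))
    print("per computer:", per_computer_counts(TICKETS))
```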
Area of Concern: Electronic Investigations
Responsible Personnel: Information Technology; Office of Security and Integrity
Policy and/or Security Measure: Most allegations reported to the OSI are not very technical; the OIT provides forensics support for investigations (primarily database transactions).
Policy or Practice Gaps: PERSEC has never asked the OIT to review a user's online activity. Only one person in OSI is qualified to do a forensic inspection.
Suggested Countermeasures: USCIS should consider including the OIT in investigations of suspicious activity. CERT's insider threat research has shown that nontechnical concerning behaviors can be associated with online criminal activity. It would be beneficial to check for past technical security violations and have the OIT analyze current online activity as part of the OSI investigations.
Appendix F: Software Engineering

[Only fragments of this introductory page survived extraction. The recoverable text, in page order:]
... few ... in the cases documented in the CERT database, injected code into source code to facilita... but in a ... the ... out by so...
Logging Critical Data Controls
... source code were intended to sabotage the organization's systems ... cases the code ... in one case was set to execute following the insider's termination ...
... SCIS recognize the po... be carried ... tential illicit activity that cou... the most critical systems and system components ...
Code Reviews
Configuration Management
... siders (both employees and contractors) ... IT sabotage. In most cases the modifications to so... facilitate fraud. In many ... was used to ... important that U... for a year before finally executing. It is ... ers and implement appropriate controls, particularly fo... cious in... fraud as the co... planted ... engine... Mal... both case... was ... ware ...
Area of Concern: Code Reviews
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Contractors are required to maintain a certain level of process maturity (CMMI Level 3) to be in compliance with USCIS policies. Source code is restricted to those with the need to know. Version Manager is used to control and track changes to source code. Separation of duties is implemented in the software release process: CSC checks new source code into Version Manager, a USCIS employee checks out the source code and releases it into production. The USCIS DBA moves new database objects into the production database.
Policy or Practice Gaps: Another interviewee mentioned that an "Easter egg" was found in source code after the contract was given to a new company. [4]

[4] A virtual Easter egg is an intentional hidden message, joke, or feature in a program, movie, book, etc.
Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: When contractors develop software remotely, they are supposed to register code in Version Manager, but this is not always done consistently. Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of the lack of adequate configuration management.

Area of Concern: Software Engineering Controls in the Service Centers
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Software is being developed in the Service Centers without consistently enforcing the same change management processes enforced at the national (enterprise) level. The centers use a code repository but not Version Manager to track software changes. They do peer reviews of code and believe that enterprise controls for code review are more detailed (although that belief appears to be false according to interviews at headquarters).
Suggested Countermeasures: USCIS should consider consistent policies and procedures for software engineering for the entire enterprise, including the Service Centers.

Area of Concern: ...
Responsible Personnel: Data Owners; Information Technology
Suggested Countermeasures: Most insiders documented in the CERT Insider Threat Case database were detected or identified using some kind of system log. Logs used include database logs, application logs, system logs, remote access logs, and many others.

Area of Concern: Production Data in Development Environment
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Development and production systems should be separate in terms of data sharing and access control.
Policy or Practice Gaps: In some cases contractors have access to both systems, including production data in the development environment.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
s
CERT | SOFTWARE ENGINEERING INSTITUTE | 74
Appendix G: Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems or networks.

In some areas, computer accounts are managed fairly well at USCIS. USCIS is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account. Furthermore, an FSN account and a U.S. citizen federal employee account cannot be distinguished once it is created. Although account naming conventions are dictated by DHS and the U.S. Department of State, USCIS could request a naming convention to differentiate between FSN and U.S. citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.
Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore, USCIS has no visibility into who has access to its systems. Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR. Dormant accounts provide a convenient, unknown access path for current and former employees to use for illicit activity.

A lack of consistency exists in the application of account management practices under the control of USCIS. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
Area of Concern: Account Establishment
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: In order for FSNs to gain access to USCIS systems, they must submit paperwork through proper channels, which eventually requires authorization by the CSO and CIO of DHS.
Policy or Practice Gaps: Prior to 2007, waiver paperwork for FSNs requesting account access was not submitted consistently. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.
Suggested Countermeasures: USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Different personnel are responsible for account creation and deletion across the entire enterprise, depending on the system or network in question.
Policy or Practice Gaps: Database administrators may be able to create and delete database and application accounts without a second person verifying that action.
Suggested Countermeasures: Because database administrators have access to such critical data, USCIS should consider separating the task of authorizing access to USCIS databases from the task of managing the data in the databases. This separation of duties may reduce the risk of a database administrator creating an unauthorized account and using that account to carry out a malicious act.

Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: A computer account is established only after a number of criteria have been met, including security awareness training. In addition to the steps required of all personnel for account access, contractors have to go through extra steps, some of which include verification by the COTR.
Policy or Practice Gaps: Computer account access is sometimes granted before security awareness training is completed. This practice may be true especially for contractors, since the onboarding process depends on the contracting agency and the COTR to verify that the training is completed.
Suggested Countermeasures: USCIS should consider requiring computer security awareness training for all personnel – full-time employees, part-time employees, and contractors – and verify that it is complete before creating any system accounts for these personnel.

Area of Concern: Account Management – General
Responsible Personnel: Information Technology
Policy and/or Security Measure: PICS is administered by ICE, which has over 2,000 LPOs across various components of DHS. These LPOs are responsible for granting authorized access to PICS for the personnel at their respective work sites. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system.
Policy or Practice Gaps: Although the PICS account process requires the account to be linked to a valid employee, PICS administrators could create unauthorized accounts in the name of valid employees without their knowledge. Invalid accounts are typically flagged only when the account is dormant for a certain period of time. An LPO can also assign rights for any system controlled by PICS. Furthermore, ICE administers this system and could affect USCIS records unbeknownst to USCIS.
Suggested Countermeasures: In 12 of the cases documented in the CERT Insider Threat Case database, insufficient account management enabled the insiders to commit their crimes. USCIS should consider conducting account audits at the local site level, which would allow the validation of current PICS accounts and roles versus current employee lists. USCIS should explore a means of segregating account management in PICS so that LPOs can administer accounts only for their own organization's systems. In other words, USCIS LPOs would only be able to administer authorizations for USCIS systems in PICS, and ICE LPOs would only be able to administer authorizations for ICE systems.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Account management is handled by a number of different groups across USCIS. Although there is an effort to centralize account management, local and regional offices of USCIS have historically done their own account management. If an account has not been used for a certain period of time, it is automatically disabled. The time periods stated by various interviewees varied from 30, 60, or 90 days.

Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: When an employee moves from one position to another or transfers to another department, the management in those departments must initiate the required computer account changes.
Policy or Practice Gaps: The issue of account management for employee transfers is not being addressed in a consistent manner. The OIT relies on notification by either the new or old supervisor when an employee transfers, but there have been cases in USCIS in which employees have retained access when they should not have.
Suggested Countermeasures: Six insiders documented in the CERT Insider Threat Case database were able to carry out their illegal activities because of "privilege creep". USCIS should review account management procedures to ensure that the steps currently taken to remove or alter account access are complete and being consistently followed. In particular, the procedures used when someone changes locations or departments within USCIS should be examined. As employees transfer throughout an agency, they should not be accumulating privileges. They should only retain privileges commensurate with their job responsibilities.

Area of Concern: Changing Password of Shared Account Upon Termination
Responsible Personnel: Information Technology
Policy and/or Security Measure: There are operating system images used throughout USCIS that permit an administrator to install a standard configuration of an operating system and accompanying software.
Policy or Practice Gaps: Though it would require physical access to a USCIS machine, that former administrator would have administrator rights to GFE.
Suggested Countermeasures: Twelve percent (46) of the insiders documented in the CERT Insider Threat Case database used system administrator privileges to sabotage systems or data. Shared accounts were used by insiders following termination in 14 cases. Although an administrator would need physical access to a piece of equipment, the lack of consistency and awareness of the standard procedures may permit the account of an insider to be used following termination.

Area of Concern: Disabling Accounts or Connections Upon Employee Termination
Responsible Personnel: USCIS Leadership, Information Technology, Human Resources
Policy and/or Security Measure: The OIT typically is notified of an account termination in one of three ways: 1) A standard form called an exit clearance form is distributed and signed by other parties such as Human Resources and the Office of Security and Integrity (OSI). This form lets the OIT know that an employee's accounts should be disabled or terminated. 2) The supervisor of the departing employee contacts the OIT directly and informs them of the employee's departure. 3) When a contractor is involved, it is the responsibility of the COTR to inform the OIT.
Policy or Practice Gaps: It is clear from interviews with USCIS personnel that a single process is neither understood nor followed for disabling accounts following an employee or contractor termination. The procedures used are not consistent between supervisors or field offices and for federal employees versus contractors. Sometimes the exit clearance form makes it to the OIT and sometimes it does not. The OIT's task is made even more difficult by the fact that it would need to know exactly which accounts an individual has access to. Though this process is fairly effective, it potentially allows unauthorized access for 2 weeks following termination.

Responsible Personnel: Information Technology, Human Resources
Policy and/or Security Measure: The OIT receives an "attrition list" every 2 weeks. When this list is received, a manual check is done to ensure that employees who have departed in the last 2 weeks have their account access deleted.
Policy or Practice Gaps: Because this is a manual process, there is currently no automatic way to ensure that it happens. USCIS personnel cited an instance in which these procedures failed for an employee who was terminated as a contractor and later hired as a federal employee.
Suggested Countermeasures: Terminating accounts even 2 weeks following termination may not be enough to prevent unauthorized or criminal activity. As soon as HR is aware of the change, a more automated mechanism of deleting these accounts should be implemented.

Responsible Personnel: Information Technology
Policy and/or Security Measure: LPOs work in their respective regions or offices and are decentralized by nature. The policies and procedures followed often depend on how things have been done historically in that particular office.
Policy or Practice Gaps: Because account authorization procedures are not standardized throughout all organizations using the PICS, LPOs across the entire USCIS enterprise have not been consistent in how they have handled account deletion following employee termination.
Suggested Countermeasures: USCIS should continue its efforts to centralize or reduce the number of LPOs in order for standard procedures to be followed. If this cannot be accomplished, standard procedures should be published, instructed, and consistently enforced.

Area of Concern: Disabling Accounts or Connections During Employee Leave of Absences
Responsible Personnel: Information Technology, Human Resources
Policy or Practice Gaps: There is no official guidance or practice in the proper way to suspend access for an employee on a leave of absence. In one case provided by USCIS, an employee retained access to critical systems even after being placed on an administrative leave of absence.
Suggested Countermeasures: A few insiders documented in the CERT Insider Threat Case database retained access to organization systems while on a leave of absence and used that access to steal information or commit fraud. USCIS should implement a policy to outline exactly what should be done when a government employee or contractor goes on a leave of absence, considering the risks versus benefits of allowing system access.

Area of Concern: Sharing Account and Password Information
Responsible Personnel: Information Technology
Policy or Practice Gaps: Although concern has been expressed about the existence of these accounts, the business justification has taken precedence over the risk being assumed.
Suggested Countermeasures: Access to these accounts should be carefully documented and tracked so that credentials can be changed if someone in that restricted group no longer warrants access.
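The attrition-list check, the dormant-account threshold, the accounts with no authorization record, and the privilege creep described in the rows above can be run as one automated reconciliation rather than a manual check every 2 weeks. The Python below is an added example, not tooling from the assessment or from USCIS; the usernames, dates, role names, authorization references and the 30-day threshold are constructed for illustration.

```python
"""Account reconciliation checks drawn from the assessment tables above.

Constructed sample data: the usernames, dates, role names, authorization
references and thresholds below are invented for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    created: date
    last_login: Optional[date]        # None if the account has never been used
    authorization_ref: Optional[str]  # access request / waiver id; None = no record
    roles: FrozenSet[str]
    position: str                     # current position, used as the role baseline


@dataclass(frozen=True)
class Finding:
    user: str
    code: str
    detail: str


def reconcile(accounts: List[Account], departed: Set[str],
              expected_roles: Dict[str, FrozenSet[str]], as_of: date,
              dormant_days: int = 30) -> List[Finding]:
    """Flag departed-but-enabled, unauthorized, dormant and over-privileged accounts.

    `departed` is the set of users on the HR attrition list; `expected_roles`
    maps a position to the roles that position needs.
    """
    findings: List[Finding] = []
    for a in accounts:
        # 1. The attrition-list check the report says is done by hand every 2 weeks.
        if a.enabled and a.user in departed:
            findings.append(Finding(a.user, "DEPARTED_STILL_ENABLED",
                                    "on attrition list but account is still enabled"))
        # 2. Accounts with no accounting for their creation (legacy / unauthorized).
        if a.authorization_ref is None:
            findings.append(Finding(a.user, "NO_AUTHORIZATION_RECORD",
                                    f"created {a.created.isoformat()} with no access request on file"))
        # 3. Dormant accounts: unused for dormant_days (interviewees cited 30, 60 or 90).
        idle_days = (as_of - (a.last_login or a.created)).days
        if a.enabled and idle_days >= dormant_days:
            findings.append(Finding(a.user, "DORMANT", f"no login for {idle_days} days"))
        # 4. Privilege creep: roles beyond what the current position needs.
        extra = a.roles - expected_roles.get(a.position, frozenset())
        if extra:
            findings.append(Finding(a.user, "PRIVILEGE_CREEP",
                                    "roles not needed by position: " + ", ".join(sorted(extra))))
    return findings


def codes_by_user(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group finding codes per user, e.g. for a summary report."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.user, set()).add(f.code)
    return out


# Constructed sample data (not real USCIS accounts).
AS_OF = date(2010, 12, 15)
ATTRITION_LIST = {"asmith", "bchen"}            # departed in the last 2 weeks
EXPECTED_ROLES = {"adjudicator": frozenset({"claims3_reader"}),
                  "dba": frozenset({"db_admin"})}
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, date(2009, 5, 4), date(2010, 12, 10), "AR-0412",
            frozenset({"claims3_reader"}), "adjudicator"),
    # transferred adjudicator who kept an admin role and has now departed
    Account("asmith", True, date(2008, 2, 11), date(2010, 12, 14), "AR-0390",
            frozenset({"claims3_reader", "claims3_admin"}), "adjudicator"),
    # pre-2007 account with no waiver on file, unused since August
    Account("legacy01", True, date(2006, 3, 1), date(2010, 8, 1), None,
            frozenset({"claims3_reader"}), "adjudicator"),
    # departed DBA whose account was correctly disabled
    Account("bchen", False, date(2007, 9, 20), date(2010, 11, 1), "AR-0211",
            frozenset({"db_admin"}), "dba"),
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_ACCOUNTS, ATTRITION_LIST, EXPECTED_ROLES, AS_OF):
        print(f"{f.user:<10} {f.code:<24} {f.detail}")
```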
Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure that network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the U.S. Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors have not been through the rigorous pre-employment screening required of USCIS employees and contractors, particularly those granted access through the U.S. Department of State for access from embassies overseas. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems, and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sA
cces
sCo
ntro
l
Fore
ign
Serv
ice
Nat
iona
ls
Info
rmat
ion
Tech
nolo
gy
Hum
anR
esou
rces
O
ffic
eof
Sec
urit
yan
dIn
te
grit
y
Curr
ently
aF
orei
gnS
ervi
ceN
atio
nal
(FSN
)req
uiri
nga
cces
sto
USC
ISs
ys
tem
ssu
bmits
pap
erw
ork
incl
udin
ga
wai
ver
thro
ugh
the
USC
ISd
irec
tor
and
the
CIO
and
CSO
ofD
HS
Alth
ough
the
asse
ssm
entt
eam
was
ab
leto
get
lim
ited
visi
bilit
yin
toth
is
prac
tice
its
eem
sto
be
alig
ned
with
th
epo
licy
Ift
rue
ith
asg
iven
USC
IS
and
DH
Sbe
tter
vis
ibili
tyin
toth
isa
ctiv
ity
The
prac
tice
shou
ldb
eco
ntin
ued
and
expa
nded
as
need
edto
in
form
all
rele
vant
USC
ISp
erso
nne
l
Info
rmat
ion
Tech
nolo
gy
Hum
anR
esou
rces
Pe
rson
nelS
ecur
ity
Off
ice
ofS
ecur
ity
and
In
tegr
ity
Whe
nFS
Ns
requ
ire
acce
ssto
USC
IS
syst
ems
ine
mba
ssie
san
dco
nsul
ates
ab
road
the
yar
eve
tted
by
the
US
D
epar
tmen
tofS
tate
Beca
use
the
US
Dep
artm
ento
fSta
te
isp
erfo
rmin
gth
eve
ttin
gpr
oces
s
USC
ISh
asv
ery
little
con
trol
or
visi
bil
ityin
toth
epr
oces
sfo
rgr
antin
gFS
Ns
acce
ssto
USC
ISs
yste
ms
and
net
wor
ks
Inte
rvie
wee
sst
ated
that
in
som
eca
ses
FSN
sha
vea
dmin
istr
ativ
eco
ntro
love
rso
me
syst
ems
and
that
in
oth
erc
ases
the
yar
ese
rvin
gas
in
form
atio
nsy
stem
sec
urity
off
icer
s(IS
SOs)
USC
ISs
houl
dga
ina
bet
ter
un
ders
tand
ing
ofth
eU
SD
epar
tm
ento
fSta
tersquos
vet
ting
proc
ess
and
clar
ifyit
sow
nre
quir
emen
ts
for
gran
ting
and
trac
king
acc
ess
for
FSN
sto
USC
ISs
yste
ms
If
cont
inue
dac
cess
isr
equi
red
the
proc
edur
esto
doc
umen
tand
co
ntro
ltha
tacc
ess
shou
ldb
ene
gotia
ted
with
the
US
De
part
men
tofS
tate
and
con
sis
tent
lye
nfor
ced
Info
rmat
ion
Tech
nolo
gy
Onc
ea
trad
ition
alu
ser
acco
unti
scr
eate
dth
ere
isli
ttle
ton
ow
ayto
di
stin
guis
han
FSN
acc
ount
from
one
be
long
ing
toa
US
citi
zen
Beca
use
anF
SNa
ccou
ntis
not
dis
tin
guis
habl
efr
omo
ther
acc
ount
sit
w
ould
be
extr
emel
ydi
ffic
ultt
oas
so
ciat
esp
ecifi
con
line
activ
ities
with
ac
coun
tsb
elon
ging
toF
SNs
Em
ail
USC
ISs
houl
dco
nsid
erw
heth
er
orn
otit
wan
tsth
eab
ility
tod
is
tingu
ish
wha
tonl
ine
activ
ities
an
dac
cess
esF
SNs
are
enga
ging
in
If
soi
tsho
uld
inco
rpor
ate
CERT | SOFTWARE ENGINEERING INSTITUTE | 83
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sad
dres
ses
appe
arth
esa
me
and
viol
atio
nac
tiviti
esw
ould
not
eas
ilyb
eat
trib
uted
toa
nFS
N
thos
est
eps
into
the
proc
edur
es
men
tione
dab
ove
Info
rmat
ion
Tech
nolo
gy
DH
Sis
inth
epr
oces
sof
bui
ldin
ga
secu
rein
tran
etc
alle
dO
neN
et
whi
chw
illb
ette
ren
able
info
rmat
ion
shar
ing
amon
gD
HS
com
pone
nts
Th
isp
roje
ctw
illb
een
able
dby
inte
rco
nnec
tion
agre
emen
tsb
etw
een
segm
ents
Onc
eth
eap
prop
riat
ein
terc
onne
ctio
nag
reem
ents
are
inp
lace
itw
illb
eha
rder
tor
estr
icta
cces
sfo
rFSN
sto
sp
ecifi
csy
stem
s(e
g
Shar
ePoi
nt)
USC
ISs
houl
dm
ake
ade
term
ina
tion
abou
twhe
ther
or
notF
SN
acce
sss
houl
dbe
any
diff
eren
tfr
omo
ther
sim
ilar
acco
unts
of
US
citi
zens
If
the
lack
ofr
est
rict
ions
isu
nacc
epta
ble
that
is
sue
shou
ldb
ebr
ough
tto
DH
Spe
rson
nelr
espo
nsib
lefo
rim
pl
emen
ting
the
One
Net
sol
utio
n
Acc
ess
cont
rols
Ther
ear
ebu
sine
ssp
roce
ssa
ndr
eso
urce
s(e
g
PICS
CLA
IMS
3a
nd
CLA
IMS
4)th
ata
res
hare
dw
ithIC
E
This
par
tner
ship
isa
nar
tifac
toft
he
past
and
cur
rent
rel
atio
nshi
psb
etw
een
depa
rtm
ents
with
inD
HS
For
thes
esh
ared
res
ourc
esto
func
tio
npr
oper
lyt
hey
requ
ire
care
ful
coor
dina
tion
whi
chd
oes
nott
ake
plac
ein
all
case
sF
ore
xam
ple
USC
IS
does
not
rec
eive
ac
opy
ofth
efo
rmal
ac
cess
req
uest
sub
mitt
edto
ICE
for
anIC
Eem
ploy
eeto
acc
ess
aU
SCIS
sy
stem
USC
ISs
houl
dca
refu
llyd
ocum
ent
wha
tacc
ess
isb
eing
gra
nted
to
any
part
ies
exte
rnal
toU
SCIS
If
addi
tiona
lcoo
rdin
atio
nis
re
quir
edi
tsho
uld
bed
one
with
th
ere
leva
ntd
epar
tmen
tso
fD
HS
For
cert
ain
info
rmat
ion
syst
ems
lo
cala
ndr
emot
elo
gins
are
not
per
m
itted
bet
wee
nth
eho
urs
of1
130
p
ma
nd6
00
am
Th
isp
ract
ice
clos
ely
adhe
res
toth
epo
licy
for
spec
ific
syst
ems
Enfo
rcin
ga
man
dato
rya
cces
spe
riod
may
hel
pen
sure
that
a
mal
icio
usin
side
ris
not
usi
ngs
ys
tem
sw
hen
supe
rvis
ion
isle
ss
ened
Ei
ghtp
erce
nt(2
9)o
fthe
in
side
rsd
ocum
ente
din
the
CERT
In
side
rTh
reat
Cas
eda
taba
se
CERT | SOFTWARE ENGINEERING INSTITUTE | 84
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sus
eda
cces
sou
tsid
eof
nor
mal
w
orki
ngh
ours
toc
arry
out
thei
rill
icit
activ
ities
Whe
nan
em
ploy
eea
ttem
pts
tolo
gin
toa
res
tric
ted
syst
emd
urin
gof
fpe
akh
ours
an
auto
mat
ice
mai
lno
tice
iss
entb
yth
eO
ITto
per
sons
in
the
empl
oyee
rsquosm
anag
emen
tch
ain
ofc
omm
and
This
pra
ctic
eis
not
con
sist
enta
cros
sal
lsys
tem
san
dis
not
par
tofo
ther
in
cide
ntr
espo
nse
proc
edur
es
USC
ISs
houl
dco
nsid
erim
ple
men
ting
this
pra
ctic
ein
toth
ela
rger
sys
tem
ofi
ncid
entr
esp
onse
to
incl
ude
corr
elat
ion
with
oth
ere
vent
san
dov
era
pe
riod
oft
ime
Acc
ess
Priv
ilege
sndash
Gen
eral
USC
ISL
eade
rshi
p In
form
atio
nTe
chno
logy
Att
heV
erm
ontS
ervi
ceC
ente
rO
IT
staf
fare
the
only
one
spr
esen
tlat
eat
nig
ht
As
part
oft
heir
dut
ies
they
al
soh
ave
elec
tron
ica
cces
sto
the
CLA
IMS3
info
rmat
ion
syst
em
As
afu
nctio
nof
the
elec
tron
ica
cces
san
dth
eph
ysic
alla
yout
oft
heS
ervi
ce
Cent
erO
ITp
erso
nnel
hav
eac
cess
to
CLA
IMS3
as
wel
las
the
phys
ical
file
sin
the
build
ing
U
SCIS
sho
uld
cons
ider
the
min
im
umle
velo
facc
ess
(leas
tpriv
ile
ge)n
eede
dfo
ral
lper
sonn
elto
ac
com
plis
hth
eir
job
dutie
sT
hir
teen
per
cent
(49)
oft
hein
side
rs
docu
men
ted
inth
eCE
RTIn
side
rTh
reat
Cas
eda
taba
sev
iola
ted
ane
edto
kno
win
ord
erto
per
pe
trat
eth
eir
crim
esi
nclu
ding
st
ealin
gPI
Iand
pro
prie
tary
in
form
atio
nI
nad
ditio
ns
ever
al
insi
ders
com
mitt
edth
eir
crim
es
whi
lew
orki
ngo
nth
eni
ghts
hift
w
here
they
enj
oyed
ar
educ
ed
leve
lofs
crut
iny
Unr
estr
icte
del
ectr
onic
and
phy
sica
lacc
ess
to
such
hig
hri
skd
ata
and
syst
ems
outs
ide
ofn
orm
alw
orki
ngh
ours
pr
esen
tsa
hig
hde
gree
ofr
isk
to
CERT | SOFTWARE ENGINEERING INSTITUTE | 85
Sugg
este
dCo
unte
rmea
sure
s
USC
IS
Sinc
eU
SCIS
can
notd
eter
min
ew
hata
cces
sth
eU
SD
epar
tmen
tof
Sta
teg
rant
sto
FSN
son
its
sys
tem
sU
SCIS
sho
uld
cont
inue
to
use
tech
nica
lmea
sure
sto
pre
ve
ntu
naut
hori
zed
acce
ssw
hile
w
orki
ngw
ithc
ount
erin
telli
genc
epe
rson
nelt
ode
alw
iths
uspe
cted
fo
reig
nag
ents
wor
king
aro
und
US
gov
ernm
entf
acili
ties
A
few
insi
ders
inth
eca
ses
ana
lyze
dby
CER
Tus
edth
eir
un
revo
ked
acce
ssto
the
orga
niza
Polic
yor
Pra
ctic
eG
aps
Acc
ordi
ngto
one
inte
rvie
wee
som
eFS
Ns
onth
eCo
nsul
arA
ffai
rsn
etw
ork
are
susp
ecte
dto
be
wor
king
for
arm
sof
fore
ign
inte
llige
nce
ors
ecur
ity
agen
cies
U
SCIS
has
use
dte
chni
cal
met
hods
(eg
fir
ewal
ls)t
oen
sure
th
atU
SCIS
sys
tem
sar
epr
otec
ted
from
any
inte
rcon
nect
ions
with
the
US
Dep
artm
ento
fSta
tersquos
net
wor
ks
This
sin
gle
poin
toff
ailu
rem
akes
it
diff
icul
tto
reco
ver
from
am
alic
ious
ac
ton
this
par
ticul
ars
yste
m
Polic
yan
dor
Sec
urit
yM
easu
re
The
US
Dep
artm
ento
fSta
teC
onsu
la
rA
ffai
rsn
etw
ork
gran
tsa
cces
sto
FSN
sw
orki
ngin
em
bass
ies
and
con
su
late
san
dit
conn
ects
toU
SCIS
sys
te
ms
Ther
eis
as
ingl
epe
rson
who
has
the
know
ledg
eof
and
res
pons
ibili
tyfo
rad
min
iste
ring
the
voic
emai
lsys
tem
s
Resp
onsi
ble
Pers
onne
l
Info
rmat
ion
Tech
nolo
gy
Off
ice
ofS
ecur
ity
and
In
tegr
ity
Are
aof
Con
cern
Acc
ess
Priv
ilege
sndash
Syst
emA
dmin
is
trat
or
CERT | SOFTWARE ENGINEERING INSTITUTE | 86
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sfo
rU
SCIS
tionrsquo
sph
one
syst
emto
har
mth
eor
gani
zatio
nI
non
eca
set
he
entir
ecu
stom
ers
ervi
cev
oice
m
ails
yste
mw
asr
edir
ecte
dto
a
porn
ogra
phic
pho
nes
ite
Ina
not
her
der
ogat
ory
com
men
ts
abou
tthe
org
aniz
atio
nw
ere
re
cord
eda
ndp
laye
dfo
rev
ery
voic
em
ailb
ox
USC
ISs
houl
dpl
ace
addi
tiona
lst
affi
nth
ero
leo
fadm
inis
trat
ors
for
the
USC
ISv
oice
mai
lsys
tem
Th
isw
ould
allo
wU
SCIS
toim
pl
emen
tsom
efo
rmo
fsep
ara
tion
ofd
utie
so
rat
the
very
le
ast
min
imal
che
cks
and
bal
ance
sto
pre
vent
tam
peri
ngw
ith
the
voic
emai
lsys
tem
U
SCIS
sho
uld
ensu
reth
atit
man
ag
esa
ccou
nts
and
pass
wor
dsfo
rin
tern
als
yste
ms
such
as
voic
em
ail
asw
ella
sex
tern
ala
cco
unts
O
nein
side
rdo
cum
ente
din
the
CERT
Insi
der
Thre
atC
ase
data
base
cha
nged
the
dom
ain
nam
esy
stem
reg
istr
yfo
rhis
or
gani
zatio
nrsquos
web
site
so
that
vis
ito
rsw
ere
sent
toa
por
nogr
aphi
c
CERT | SOFTWARE ENGINEERING INSTITUTE | 87
Sugg
este
dCo
unte
rmea
sure
sw
ebsi
te
Thes
ety
pes
ofa
ccou
nts
are
used
ver
yin
freq
uent
lya
nd
are
ofte
nno
tinc
lude
din
form
al
term
inat
ion
proc
edur
es
USC
ISs
houl
dco
ordi
nate
with
D
HS
pers
onne
lto
ensu
reth
at
desi
red
USC
ISs
ecur
ityp
olic
ies
are
enfo
rced
for
pers
onne
lac
cess
ing
USC
ISs
yste
ms
and
data
Se
ven
perc
ent(
26)o
fthe
insi
der
sdo
cum
ente
din
the
CERT
In
side
rTh
reat
Cas
eda
taba
sew
ere
able
toa
ttac
kin
par
tbec
ause
of
insu
ffic
ient
mon
itori
ngo
fext
er
nala
cces
s
Polic
yor
Pra
ctic
eG
aps
A
lthou
ghc
onne
ctin
ga
pers
onal
lap
top
toa
USC
ISn
etw
ork
via
are
mot
eco
nnec
tion
may
or
may
not
be
bloc
ked
the
SNO
Cw
asn
otc
onfid
ent
itw
ould
be
bloc
ked
beca
use
itdo
es
notc
ontr
olth
ata
cces
sI
tis
poss
ible
th
ata
use
rco
uld
conn
ectw
itha
per
so
nalm
achi
neif
DH
Sal
low
edit
Polic
yan
dor
Sec
urit
yM
easu
re
Port
sec
urity
wou
ldp
reve
nta
use
rfr
omc
onne
ctin
ga
pers
onal
mac
hine
di
rect
lyto
aU
SCIS
net
wor
kT
his
secu
rity
mec
hani
smis
han
dled
by
the
SNO
C
Rem
ote
acce
sso
nth
eot
herh
and
is
hand
led
byD
HS
USC
ISh
asa
cces
sto
ve
ryli
mite
din
form
atio
nin
clud
ing
logs
for
rem
ote
conn
ectio
nsb
eca
use
ofc
ontr
acts
tipul
atio
nsw
ith
Spri
nt
The
asse
ssm
entt
eam
re
ceiv
edc
onfli
ctin
gop
inio
nsa
bout
w
heth
era
per
sona
lmac
hine
cou
ld
bec
onne
cted
with
ar
emot
eac
coun
t
Resp
onsi
ble
Pers
onne
l
Info
rmat
ion
Tech
nolo
gy
Secu
rity
Net
wor
kO
pera
ti
ons
Cent
er
Info
rmat
ion
Tech
nolo
gy
Are
aof
Con
cern
Man
agem
ento
fRe
mot
eA
cces
s
CERT | SOFTWARE ENGINEERING INSTITUTE | 88
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
USC
ISL
eade
rshi
p In
form
atio
nTe
chno
logy
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
The
cont
ract
ors
resp
onsi
ble
for
VIS
have
impl
emen
ted
ast
rict
acc
ess
cont
rols
olut
ion
with
Fir
epas
san
dit
appe
ars
toa
ccom
plis
hits
goa
lofe
nsu
ring
that
onl
yth
epr
oper
per
sonn
el
are
gran
ted
acce
ssa
ndth
atth
eyp
er
form
aut
hori
zed
actio
nso
nce
they
ar
eco
nnec
ted
Unf
ortu
nate
lyt
hey
are
the
only
con
trac
tors
and
sys
tem
us
ing
Fire
pass
and
itw
illn
otb
eus
ed
once
the
mov
eis
mad
eto
Ste
nnis
Sp
ace
Cent
er
They
are
uns
ure
of
wha
tcon
trol
sw
illb
eus
eda
tSte
nnis
Sugg
este
dCo
unte
rmea
sure
s
Impl
emen
ting
aFi
repa
sss
olut
ion
for
allU
SCIS
sys
tem
sm
ight
not
be
cos
tef
fect
ive
USC
ISm
an
agem
ents
houl
dat
leas
texa
min
eth
eri
skp
osed
toth
em
ostc
ritic
al
syst
ems
and
impl
emen
taF
ire
pass
like
sol
utio
nfo
rth
ose
that
re
quir
ere
mot
eac
cess
A
sst
ated
ab
ove
one
inte
nin
side
rsd
ocu
men
ted
inth
eCE
RTIn
side
rTh
reat
Cas
eda
taba
seu
sed
the
crea
tion
ofu
nkno
wn
path
sin
to
orga
niza
tion
syst
ems
pro
per
mea
sure
sm
ight
hav
epr
even
ted
man
yof
thos
ein
stan
ces
CERT | SOFTWARE ENGINEERING INSTITUTE | 89
Area of Concern: Non-System Administrators With Authorized Access to Administrator Accounts
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: According to one interviewee, FSNs are system administrators on some US Department of State systems in embassies or consulates abroad. The US Department of State has authorized access for some FSNs to some USCIS systems needed for the performance of their duties.
Policy or Practice Gaps: An FSN who is a system administrator for US Department of State systems does not necessarily have administrator rights on USCIS systems. One interviewee expressed concern, however, that an administrator who is a citizen of a foreign country could escalate privileges or use social engineering tactics to gain unauthorized access to USCIS systems.
Suggested Countermeasures: Ten percent (39) of insiders documented in the CERT Insider Threat Case database took advantage of insufficient access controls to conduct their crimes. USCIS should examine USCIS system access for US Department of State system administrators, as well as how those connections are monitored or logged. They should also work with the US Department of State to understand its processes for granting FSNs access to US Department of State systems.
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: There are currently no limits on which A-files an adjudicator can request in the National File Tracking System (NFTS).
Policy or Practice Gaps: The lack of limits placed on requesting A-files in NFTS may allow adjudicators to request a file by name even if they should not be accessing that file.
Suggested Countermeasures: There should be logical controls to detect "extraordinary" or suspicious file transfer requests. In one USCIS case, the insider requested a file transfer to a region for an individual whose files were in another region and whose forms had been previously denied.
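The logical control suggested above, as an added example that is not part of the report: a screen over A-file transfer requests that flags the pattern from the USCIS case (cross-region pull of a file with prior denials) and bursts of cross-region requests. The record layout, field names and sample data are constructed; NFTS's real schema is not known here.

```python
"""Added example (not from the CERT/DHS OIG report): a logical control that
screens A-file transfer requests, in a system like NFTS, for the
"extraordinary" pattern the report describes. The record layout, field
names and both sample tables are constructed for illustration."""
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class AFile:
    file_id: str
    home_region: str        # region whose office holds the physical A-file
    prior_denials: int      # number of previously denied forms on this file


@dataclass(frozen=True)
class TransferRequest:
    request_id: str
    adjudicator: str
    adjudicator_region: str
    file_id: str
    requested_by_name: bool  # looked up by applicant name, not case number


# Constructed sample data: adj01 in REGION-A pulls a file that lives in
# REGION-B and carries prior denials (the report's scenario); adj04 pulls
# several files from outside its own region in one batch.
FILES = {
    "A001": AFile("A001", "REGION-A", 0),
    "A002": AFile("A002", "REGION-B", 2),
    "A003": AFile("A003", "REGION-A", 1),
    "A004": AFile("A004", "REGION-C", 0),
}
REQUESTS = [
    TransferRequest("R1", "adj01", "REGION-A", "A001", False),
    TransferRequest("R2", "adj01", "REGION-A", "A002", True),
    TransferRequest("R3", "adj02", "REGION-C", "A004", False),
    TransferRequest("R4", "adj01", "REGION-A", "A003", False),
    TransferRequest("R5", "adj03", "REGION-B", "A999", False),  # unknown file
    TransferRequest("R6", "adj04", "REGION-C", "A001", False),
    TransferRequest("R7", "adj04", "REGION-C", "A003", False),
    TransferRequest("R8", "adj04", "REGION-C", "A002", False),
]


def request_flags(req, files):
    """Return the reasons one request looks suspicious (empty if none)."""
    afile = files.get(req.file_id)
    if afile is None:
        return ["unknown file id"]
    reasons = []
    if afile.home_region != req.adjudicator_region:
        reasons.append("cross-region transfer")
    if afile.prior_denials > 0:
        reasons.append("file has previously denied forms")
    if req.requested_by_name:
        reasons.append("requested by name rather than case number")
    return reasons


def find_suspicious(requests, files, cross_region_limit=2):
    """Score every request; also flag adjudicators whose cross-region pulls
    in this batch exceed cross_region_limit. Returns (review, bursty)."""
    per_request = {}
    cross_region = Counter()
    for req in requests:
        reasons = request_flags(req, files)
        if "cross-region transfer" in reasons:
            cross_region[req.adjudicator] += 1
        if reasons:
            per_request[req.request_id] = reasons
    # Two or more hits on one request is the pattern worth a reviewer's look...
    review = {rid: r for rid, r in per_request.items() if len(r) >= 2}
    # ...as is any adjudicator with a burst of cross-region requests.
    bursty = {a for a, n in cross_region.items() if n > cross_region_limit}
    return review, bursty
```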
Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating insider threat risk to organizations. A variety of insider threat cases studied by CERT [...] through the download of information to portable media or [...] unauthorized [...] attacks, or to communicate sensitive information [...] to competitors or conspirators. Organizations must ensure that employees understand what constitutes acceptable use of company resources, including information assets, and enforce policies regarding what [...] through [...] technical means. The unauthorized exfiltration of controlled information can have devastating effects on an organization. In some instances, malicious insiders used [...] storage devices [...]. [...] implemented network monitoring strategies that would detect large amounts of data downloaded [...] or an anomalous increase in network traffic by total volume or type of traffic (e.g., by either port or protocol). Monitoring network traffic may help protect controlled information [...].

Area of Concern: Data Download to Media; Protection of Controlled Information
Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS has [...] email to [...]
Policy or Practice Gaps: [...] the insider [...]
Suggested Countermeasures: [...]
Area of Concern: Data Download [...] From Home
Responsible Personnel: [...]
Policy and/or Security Measure: There is a policy [...] against using personally owned computer equipment to perform official duties. Telework should only be done with government-furnished equipment (GFE).
Policy or Practice Gaps: A case from the USCIS Conviction Task Force showed that an employee performed a significant amount of official business, including [...], on his personal system [...] laptop [...] personal mail [...]
Suggested Countermeasures: [...] security awareness campaign [...] 1) Exceptions that are technically [...] should be [...] 2) If USB [...] devices [...] prohibited from systems [...] employees sign [...] USCIS [...] should audit [...] devices [...] be logged [...] suspicious [...] convictions [...]
(continued from the previous row) [...] develop a system that he was rewarded for producing. There are no technical controls to catch this activity unless the device is physically plugged into the network.

Area of Concern: Protecting Critical Files
Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC responds to spills of PII, which occur on a weekly basis. The information about the incident is transferred from the data owner who becomes aware of the spill to the OSI, which creates a Serious Incident Report (SIR) that it forwards to the Privacy Officer and finally to the SNOC.
Policy or Practice Gaps: USCIS responds to PII spillages often enough that its staff is well versed in response procedures. Unfortunately, the frequency with which incidents occur and the response procedures in place do not seem to reduce the number of incidents or provide automated detection when spillage occurs. The response effort to a PII spillage involves many parties and appears to be a complicated process for an event that happens on a weekly basis. Though these spillages are accidental events, [...]
Suggested Countermeasures: [...]

Area of Concern: [...]
Responsible Personnel: Information Technology
Policy and/or Security Measure: Access to network resources is terminated immediately when a spill or misconduct is suspected.
Policy or Practice Gaps: This practice appears to be done consistently. In addition, the SNOC lacks the resources to focus on monitoring for suspicious insider activity, focusing instead primarily on protection from external incidents.
Suggested Countermeasures: USCIS should continue this practice as part of its incident response procedures. Incorporating an appropriate level of monitoring would also be a prudent measure.

Audit, Monitor, Backup, Recovery

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats. Preventing insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Area of Concern: Modification/Disabling Log Files
Responsible Personnel: Information Technology
Policy and/or Security Measure: Log files are accessible by the domain administrators and system administrators of each respective system.
Policy or Practice Gaps: [...]
Suggested Countermeasures: USCIS should send critical logs to a centralized log server and protect the log files to permit a forensic reconstruction of network- or host-based events.

Area of Concern: Monitoring Suspicious Activity
Responsible Personnel: Information Technology
Policy and/or Security Measure: [...] are sometimes limited to 24 hours or less of collection.
Policy or Practice Gaps: The lack of consistency for what is logged across USCIS servers, systems, applications, and workstations is concerning. Several parties addressed the fact that IT personnel must be able to physically reach a machine in a timely fashion if they hope to capture logs related to an incident. This assumption makes it likely that critical log information will be missed.
Suggested Countermeasures: Although six percent (23) of the insiders documented in the CERT Insider Threat Case database were able to modify or disable log files, [...]
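One way a centralized log server can "protect the log files" against the modification or disabling the two rows above describe, as an added example that is not part of the report: a keyed hash chain over forwarded records, so that an edit, a deletion, or a truncation of the stored log is detectable afterwards. The key, record format, and sample events are constructed.

```python
"""Added example (not from the CERT/DHS OIG report): a keyed hash chain a
central log collector could keep over records forwarded from hosts, so a
later modification, deletion or truncation of the stored log is detectable.
The key, record format and sample events below are constructed."""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32          # tag "before" the first record


def _tag(prev_tag, record, key):
    """Tag = HMAC(key, previous tag || canonical JSON of this record)."""
    msg = prev_tag + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def chain_records(records, key):
    """Store each forwarded record together with its chained tag."""
    prev, chain = GENESIS, []
    for rec in records:
        tag = _tag(prev, rec, key)
        chain.append((rec, tag))
        prev = tag
    return chain


def verify_chain(chain, key, expected_len=None):
    """Recompute every tag; return (ok, index of the first bad entry or None).
    A chain cut short still verifies tag by tag, so the collector compares
    the entry count it recorded out of band (expected_len) as well."""
    prev = GENESIS
    for i, (rec, tag) in enumerate(chain):
        if not hmac.compare_digest(_tag(prev, rec, key), tag):
            return False, i
        prev = tag
    if expected_len is not None and len(chain) != expected_len:
        return False, len(chain)
    return True, None


# Constructed sample: audit events forwarded from two hosts. The key is
# held only by the collector, not by the administrators of the source hosts.
KEY = b"collector-secret-key-for-demo"
EVENTS = [
    {"ts": "2010-11-02T09:14:01Z", "host": "db01", "user": "dba7", "event": "login"},
    {"ts": "2010-11-02T09:15:40Z", "host": "db01", "user": "dba7", "event": "select PII_TABLE"},
    {"ts": "2010-11-02T09:16:02Z", "host": "db01", "user": "dba7", "event": "audit_log cleared"},
    {"ts": "2010-11-02T09:20:11Z", "host": "fs02", "user": "sa3", "event": "backup tape mount"},
]


def demo_tamper():
    """The 'audit_log cleared' entry is edited in place; the chain breaks there."""
    chain = chain_records(EVENTS, KEY)
    rec, tag = chain[2]
    tampered = chain[:2] + [(dict(rec, event="idle"), tag)] + chain[3:]
    return verify_chain(tampered, KEY, expected_len=len(EVENTS))


def demo_delete():
    """The entry is deleted instead; the following entry's tag no longer verifies."""
    chain = chain_records(EVENTS, KEY)
    return verify_chain(chain[:2] + chain[3:], KEY, expected_len=len(EVENTS))


def demo_truncate():
    """The log is cut after the 'select' entry; only the count check catches it."""
    chain = chain_records(EVENTS, KEY)
    return verify_chain(chain[:2], KEY, expected_len=len(EVENTS))
```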
Area of Concern: [...]
Responsible Personnel: Information Technology
Policy and/or Security Measure: Database administrators are responsible for monitoring and alerting when data access attempts are made to critical data in USCIS databases.
Policy or Practice Gaps: No evidence provided.
Suggested Countermeasures: USCIS should consider clearly defining the responsibility of database administrators and the SNOC for monitoring, alerting, and responding to unauthorized data access. Once the responsibility is assigned, the appropriate group should diligently prevent, detect, and respond to unauthorized data access, modification, and exfiltration attempts.

Area of Concern: [...]
Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS has the ability to create inbound firewall rules to filter potentially malicious network traffic.
Policy or Practice Gaps: Network traffic filtering is happening only on inbound traffic, not outbound traffic. The resources do not exist to examine outbound traffic, only inbound traffic. Furthermore, the intrusion detection systems are not optimized to detect security events.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that monitors and filters inbound and outbound network traffic. This strategy may prevent or detect the unauthorized transfer of USCIS data outside the organization. Many insiders documented in the CERT Insider Threat Case database were able to commit their malicious activities using laptops.
Area of Concern: [...]
Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC is responsible for determining the root cause of an incident, including using forensic tools to identify affected workstations, desktops, and laptops.
Policy or Practice Gaps: The SNOC has had problems identifying the root cause of an affected workstation or user because of the lack of network forensic applications. Ideally, the SNOC should be able to trace network traffic from source to destination and watch activity. It has a standalone forensic capability but nothing on the network.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that includes forensic tools to aid investigations.

Area of Concern: Backups
Responsible Personnel: Information Technology
Policy and/or Security Measure: Backup testing for many systems occurs once per year. In some cases the backups are only tested with a tabletop exercise and do not use similar or identical hardware to that used in the production environment.
Policy or Practice Gaps: Tabletop exercises may not give USCIS a true indication of its ability to recover from a systemic failure.
Suggested Countermeasures: In six percent (22) of the cases documented in the CERT Insider Threat Case database, the impact of the crime was magnified because of insufficient backups. When possible, backups should be implemented on similar hardware to ensure that the backup tape is functional and the backup is operational.
Area of Concern: [...]
Responsible Personnel: Information Technology
Policy and/or Security Measure: Years of backup tapes are kept onsite at the Vermont Service Center, and system administrators have access to these backup files.
Policy or Practice Gaps: Administrators who have access to the backup tapes would be able to [...]
Suggested Countermeasures: Backup media should be controlled, carefully documented, and stored offsite with limited access. Without those controls, USCIS cannot be sure its backups will give it the ability to recover [...]

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders following termination will sometimes exploit known technical vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to address known [...] ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.

Area of Concern: Addressing Known Security Vulnerabilities
Responsible Personnel: Information Technology
Policy and/or Security Measure: The OIT relies on two mechanisms to detect the download of malicious code: 1) DHS [...] monitors the Internet gateway and [...]; 2) an agent on workstations alerts the OIT immediately upon discovery of known malware. The OIT shuts the port down to block malicious code where appropriate [...] installs [...] also detect [...]
Policy or Practice Gaps: The presence of host, perimeter, and [...] malware protection for USCIS puts USCIS in a relatively secure position regarding malicious downloads.
Suggested Countermeasures: [...]

Area of Concern: Unmanaged Systems
Responsible Personnel: Information Technology
Policy and/or Security Measure: [...]tion of malicious code from USBs and other media. USCIS users have local administrator rights on their own machines. This allows users to install software on their systems. Some authorized software does require administrator rights to install. Some applications actually require administrator rights to run.
Policy or Practice Gaps: A mitigating factor is that the departing employee would need physical access to the system to log in. A user with administrator privileges must not rely solely on automatic mechanisms to safeguard his or her computer. Administrator rights give inadvertently downloaded malware the ability to completely compromise a system, sometimes without the knowledge of the user.
Suggested Countermeasures: Twelve percent (46) of the cases documented in the CERT Insider Threat Case database involve users abusing administrator privileges to sabotage systems or data. Although USCIS users need administrator rights to install or run authorized software, the OIT should consider giving users separate administrator accounts for these explicit purposes. Users could then use non-administrator accounts for their daily work. This would greatly minimize the risk of malware compromise.
Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, there have been USCIS employees with seniority or influence who are able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management make it difficult for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: The OIT has a configuration management policy for software configuration baselines. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts.
Policy or Practice Gaps: Despite rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process.
Suggested Countermeasures: Seventeen cases documented in the CERT Insider Threat Case database involve users exploiting the lack or weakness of a configuration management system to carry out their attacks. The OIT could leverage the existing ePO deployment to complement its configuration management efforts. ePO can define a baseline for software applications and alert on any deviations from that baseline.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: In some cases, individuals with seniority or influence are able to use administrator privileges to install software for the sake of convenience.
Suggested Countermeasures: USCIS should ensure that configuration policy is consistently communicated and enforced throughout the organization. Even senior leadership should not be able to casually circumvent these policies without going through the proper channels as defined by the configuration management policy.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: Service Centers are responsible for locking down desktops to prevent unauthorized software from running.
Policy or Practice Gaps: The lockdown process relies on human intervention. If call volume to the Service Center is heavy, this may increase response time to an unacceptable level.
Suggested Countermeasures: The OIT should explore ways to automate lockdown of potentially compromised systems. This would require a careful balance of service versus security. On the service side, delayed response by the Service Center may result in loss of productivity. On the security side, delayed response could lead to system compromise. Management should evaluate the risks of a compromise and weigh those risks against the potential consequences of service disruption.
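A baseline deviation check of the kind the Configuration Management rows recommend, as an added example that is not part of the report and is not ePO or the OIT's scanner: one approved baseline per contract, host inventories compared against the baseline for their contract, and rogue, outdated, and missing software reported as alerts. Baselines, host-to-contract mapping, and inventories are constructed.

```python
"""Added example (not from the CERT/DHS OIG report, and not ePO): a
configuration-baseline check over constructed software inventories. Each
contract has its own approved baseline, as the report says the OIT keeps,
and every host is compared with the baseline for its contract."""


def parse_version(v):
    """'3.10.2' -> (3, 10, 2) so versions compare numerically, not as text
    (as text, '9.3.0' would sort after '12.0.6')."""
    return tuple(int(p) for p in v.split("."))


# Constructed baselines: package -> minimum approved version.
BASELINES = {
    "contract-A": {"av-agent": "4.2.0", "office": "12.0.6", "pdf-reader": "9.3.0"},
    "contract-B": {"av-agent": "4.2.0", "office": "12.0.6", "vpn-client": "7.1.4"},
}
HOST_CONTRACT = {"ws-1001": "contract-A", "ws-1002": "contract-A", "ws-2001": "contract-B"}

# Constructed inventories as an endpoint agent might report them.
INVENTORY = {
    "ws-1001": {"av-agent": "4.2.0", "office": "12.0.6", "pdf-reader": "9.3.0"},
    "ws-1002": {"av-agent": "4.1.9", "office": "12.0.6", "pdf-reader": "9.3.0",
                "torrent-tool": "1.0.0"},
    "ws-2001": {"av-agent": "4.2.0", "office": "12.0.6"},
}


def check_host(installed, baseline):
    """Deviations for one host: rogue (unapproved) software, outdated
    versions of approved software, and required software that is absent."""
    findings = []
    for pkg, ver in sorted(installed.items()):
        if pkg not in baseline:
            findings.append(("rogue", pkg, ver))
        elif parse_version(ver) < parse_version(baseline[pkg]):
            findings.append(("outdated", pkg, f"{ver} < {baseline[pkg]}"))
    for pkg in sorted(set(baseline) - set(installed)):
        findings.append(("missing", pkg, baseline[pkg]))
    return findings


def scan(inventory, host_contract, baselines):
    """Compare every host with the baseline for its contract. Hosts with no
    deviations are omitted, so the result is an alert list, not a report;
    a host with no contract assigned is itself an alert."""
    alerts = {}
    for host, installed in inventory.items():
        contract = host_contract.get(host)
        if contract is None:
            alerts[host] = [("unknown-contract", host, "no baseline assigned")]
            continue
        findings = check_host(installed, baselines[contract])
        if findings:
            alerts[host] = findings
    return alerts
```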
Appendix H Acronyms

C3-LAN: CLAIMS 3 – Local Area Network
CBP: Customs and Border Protection
CI: Counterintelligence
CIO: Chief Information Officer
CLAIMS: Computer Linked Application Information Management System
CMMI: Capability Maturity Model Integration
COTR: Contracting Officer's Technical Representative
CSC: Computer Sciences Corporation
CSIRT: Computer Security Incident Response Team
CSO: Chief Security Officer
CMU: Carnegie Mellon University
DBA: Database Administrator
DHS: Department of Homeland Security
DOJ: Department of Justice
FBI: Federal Bureau of Investigation
FDNS-DS: Fraud Detection and National Security Data System
FISMA: Federal Information Security Management Act
FSD: Field Security Division
FSN: Foreign Service National
GFE: Government-furnished Equipment
HR: Human Resources
HSPD-12: Homeland Security Presidential Directive 12
ICE: Immigration and Customs Enforcement
ISSO: Information System Security Officer
IT: Information Technology
LER: Labor and Employee Relations
LPO: Local PICS Officer
NCR: National Capital Region
NFTS: National File Tracking System
ODBC: Open Database Connectivity
OIG: Office of Inspector General
OIT: Office of Information Technology
OSI: Office of Security and Integrity
PERSEC: Personnel Security
PICS: Password Issuance and Control System
PII: Personally Identifiable Information
QA: Quality Assurance
SEI: Software Engineering Institute
SIEM: Security Information and Event Management
SIR: Significant Incident Report
SNOC: Security Network Operations Center
TSA: Transportation Security Administration
USB: Universal Serial Bus
USCIS: US Citizenship and Immigration Services
VIS: Verification Information System

Appendix I Management Comments to the Draft Report

Appendix J Contributors to this Report

Software Engineering Institute, Carnegie Mellon University
Insider Threat Center at CERT

Department of Homeland Security Office of Inspector General
Richard Saunders, Director, Advanced Technology Division
Steve Matthews, IT Audit Manager, Advanced Technology Division
Philip Greene, IT Auditor/Team Lead, Advanced Technology Division

Appendix K Report Distribution

Department of Homeland Security
Secretary
Deputy Secretary
Chief of Staff
Deputy Chiefs of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Chief Information Security Officer
USCIS Chief Information Officer
USCIS Chief Information Security Officer
USCIS Audit Liaison Office

Office of Management and Budget
Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress
Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse, or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603
• Fax the complaint directly to us at (202) 254-4292
• Email us at DHSOIGHOTLINE@dhs.gov, or
• Write to us at DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive SW, Building 410, Washington DC 20528

The OIG seeks to protect the identity of each writer and caller.
Table of Contents

Executive Summary 1
Background 2
Objective 3
Scope 3
Assessment Process Methodology 5
Results of Assessment 7
Organizational 7
Human Resources 9
Physical Security 11
Business Processes 12
Incident Response 14
Software Engineering 15
Information Technology 16
Recommendation 1: Institute an enterprise risk management plan 22
Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort 22
Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats 22
Recommendation 4 23
Recommendation 5: Consider separation of duties for critical business processes and their related information systems 23
Recommendation 6: Conduct audit of PICS and FSN accounts for USCIS systems 23
Recommendation 7: Employ consistent physical security policies for field offices and service centers including the physical case files 23
Recommendation 8: Consistently enforce exit procedures 24
Recommendation 9: Examine HR screening procedures for high risk positions and FSNs 24
Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion 24
Recommendation 11: Enforce a requirement for individual accounts on critical systems 25
Recommendation 12 25
Recommendation 13: Reduce the number of privileged accounts for critical data systems 25
Recommendation 14 25
Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review 25
Recommendation 16 26
Recommendation 17 26
Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees 26
Management Comments and OIG Analysis 27
Appendixes 28
Appendix A: Organizational 30
Appendix B: Human Resources 37
Appendix C: Physical Security 42
Appendix D: Business Processes 48
Appendix E: Incident Response 62
Appendix F: Software Engineering 69
Appendix G: Information Technology 75
Appendix H: Acronyms 107
Appendix I: Management Comments to the Draft Report 109
Appendix J: Contributors to this Report 110
Appendix K: Report Distribution 111
ExecutiveSummary
TheUSDepartmentofHomelandSecurityOfficeofInspectorGeneralengagedtheInsider ThreatCenteratCERToftheSoftwareEngineeringInstituteatCarnegieMellonUniversity toconductaninsiderthreatassessmentofUSCitizenshipandImmigrationServicesThe objectiveoftheassessmentwastodeterminehowUSCitizenshipandImmigrationSer viceshastakenstepstoprotectitsinformationtechnologysystemsanddatafromthe threatsposedbyemployeesandcontractorsTheassessmentevaluatedUSCitizenship andImmigrationServicesagainstapproximately400realinsiderthreatcompromisesdocu mentedintheCERTInsiderThreatCasedatabaseThesecasesallprosecutedintheUnited Statesincludefraudsabotageandtheftofintellectualproperty
TheassessmentteamperformedfieldworkinthenationalcapitalregionVermontService CenterandUSCitizenshipandImmigrationServicesBurlingtonofficesDuetothelimited scopeoftheassessmentsystemsreviewedandlocationsvisitedCERTwasnotabletover ifytheinstitutionalizationandenforcementofanyUSCitizenshipandImmigrationSer vicesrsquopoliciesorrenderanoverallopinionoftheeffectivenessofUSCitizenshipandImmi grationServicesinsiderthreatpostureTheOfficeofInspectorGeneraldidnotrequest CERTtoconductacomprehensiveinformationsystemrsquostechnicalsecuritycontrolsreviewor vulnerabilityassessmenttodeterminethesusceptibilitytointernalthreatsTheOfficeof InspectorGeneralmayperformanindepthfollowupreviewtorenderanoverallopinionof theeffectivenessofUSCitizenshipandImmigrationServicesinsiderthreatposture
USCitizenshipandImmigrationServiceshasmadeprogressinimplementingelementsof aneffectiveinsiderthreatprogramSpecificallyithasestablishedaConvictionTaskForce toreviewformeremployeesconvictedofcriminalmisconductwithinthescopeoftheirdu tiesperformsriskmanagementforinformationtechnologyandfinancialmanagementde velopedexitproceduresforemployeesimprovedprotectionofitsfacilitiesandassetsand adherestoformalizedprocessesforsomesystemsInadditionitisimplementingHome landSecurityPresidentialDirective12forphysicalandelectronicaccountmanagement
WhiletheseeffortshaveresultedinsomeimprovementsUSCitizenshipandImmigration Serviceshasopportunitiestoimproveitssecuritypostureagainstthreatsposedbyemploy eesandcontractorsForexampleitcaninstituteanenterpriseriskmanagementplanand incorporateinsiderthreatriskmitigationstrategiesintoitsnewbusinessprocessesItcan alsocentralizerecordsofmisconductandviolationsinstitutealoggingstrategytopreserve systemactivitiesimplementseparationofdutiesforadjudicativedecisionsconductaudits ofnonUSCitizenshipandImmigrationServicesaccountsemployconsistentpoliciesfor physicalsecurityandconsistentlyenforceemployeeexitprocedures
Theassessmentteamismaking18recommendationstotheDirectorofUSCitizenshipand ImmigrationServicestostrengthenthedepartmentrsquossecuritypostureagainstmaliciousin siderthreatsUSCISconcurredwithallofourrecommendationsandhasalreadybegunto takeactionstoimplementthemThedepartmentrsquosresponseisincludedinitsentiretyas appendixI
CERT | SOFTWARE ENGINEERING INSTITUTE | 1
Background
TheUSDepartmentofHomelandSecurity(DHS)OfficeofInspectorGeneral(DHSOIG) engagedtheCERTprogramintheSoftwareEngineeringInstituteatCarnegieMellonUniver sitytoconductaninsiderthreatvulnerabilityassessmentofUSCitizenshipandImmigra tionServices(USCIS)Theprojectapproachestheinsiderthreatproblemontwoprimary fronts
Thehumanbehavioralcomponent
The technological solution for automating prevention and detection capabilities to identify, measure, monitor, and control insider threat vectors.

Insiders can be current or former employees, contractors, or business partners who have or had authorized access to their organization's systems and networks. They are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate attacks and even collude with external attackers. CERT's research, conducted since 2001, has focused on gathering data about actual malicious insider acts, including information technology (IT) sabotage, fraud, theft of confidential or proprietary information, espionage, and potential threats to our Nation's critical infrastructures.

CERT developed an insider threat vulnerability assessment instrument for evaluating vulnerabilities to insider threat based on research to date. Because of the complexity of the insider threat problem (involving security officers, information technology, information security, management, data owners, software engineering, and human resources), organizations need assistance in merging the wealth of available guidance into a single actionable framework. CERT advises organizations to use this assessment instrument to help safeguard their critical infrastructure.

CERT built the assessment based on research of approximately 400 insider threat cases in the CERT Insider Threat Case database.1 These cases are a collection of real insider threat compromises (primarily fraud, sabotage, and theft of intellectual property) that have been prosecuted in the United States. Starting in 2002, CERT collaborated with US Secret Service behavioral psychologists to collect approximately 150 actual insider threat cases that occurred in US critical infrastructure sectors between 1996 and 2002 and examined them from both a technical and a behavioral perspective. Since that original study, CERT has continued to add cases with funding from Carnegie Mellon's CyLab,2 bringing the case library to a total of approximately 400 cases. The instrument encompasses technical, behavioral, process, and policy issues and is structured around information technology, information security, human resources, physical security, business processes, legal and contracting management, and organizational issues.

1 Note that the database does not contain national security espionage cases involving classified information.
2 http://www.cylab.cmu.edu
CERT | SOFTWARE ENGINEERING INSTITUTE | 2
Objective
The objective of the insider threat vulnerability assessment was to determine how USCIS has taken steps to protect its IT systems and data from the threat posed by employees and contractors. This assessment was based on behavioral as well as technical experience, and it is intended to assist USCIS in safeguarding its critical infrastructure. The assessment will

• Enable USCIS to gain a better understanding of its vulnerability to insider threat and provide an ability to identify and manage associated risks

• Identify technical, organizational, personnel, business, security, and process issues into a single actionable framework
• Identify short-term countermeasures against insider threats
• Help guide USCIS in its ongoing risk management process for implementing long-term strategic countermeasures against insider threats
Scope
USCIS employs approximately 18,000 government employees and contractors located at 250 offices throughout the world.3 The insider threat vulnerability assessment is intended to focus on critical systems and high-risk areas of concern that can be assessed in a 3- to 5-day time frame. Therefore, at a pre-assessment walkthrough meeting, USCIS staff identified 3 systems of the 96 systems used by the agency as critical to its overall mission:

• Verification Information System (VIS): this public-facing system is composed of five different applications. The purpose of the system is to provide:

o Immigration status information to government benefit-granting organizations to help them determine the eligibility of aliens who apply for benefits

o A means for private employers to perform employment eligibility verification of newly hired employees

• Computer Linked Application Information Management System (CLAIMS): This system provides the following functions:

3 http://www.uscis.gov/portal/site/uscis/menuitem.eb1d4c2a3e5b9ac89243c6a7543f6d1a/?vgnextoid=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD&vgnextchannel=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD
o CLAIMS 3 Local Area Network (C3LAN) was originally developed to track the receipting of applicant or petitioner remittances and to produce notices documenting the remittance. C3LAN now includes adjudication, archive, card production, case history, case transfer, on-demand reports, electronic file tracking, image capture, production statistics, status update, and electronic ingest of application data captured through the E-Filing web application and the Department of Treasury-sponsored lockbox operations.

o C3 mainframe supports processing of USCIS applications and petitions for various immigrant benefits (e.g., change of status, employment authorization, and extension of stay).

• Fraud Detection and National Security Data System (FDNS-DS): This system was developed to identify threats to national security, combat benefit fraud, and locate and remove vulnerabilities that compromise the integrity of the legal immigration system.

It is important to note that the insider threat vulnerability assessment is limited to areas of concern observed in the hundreds of cases in the CERT Insider Threat database. People, technology, and organizations are constantly changing, and malicious insiders continue to come up with new avenues of attack in order to defeat a previously effective countermeasure. However, many of the countermeasures suggested in this report are applicable to a multitude of attack vectors.

It is also important to note that CERT's insider threat research has only explored intentional insider crimes. Accidental data leakage is an area of significant concern for organizations; however, CERT has not yet explored that aspect of insider threat. In addition, the focus of the research to date is to describe how the insider threat problem evolves over time. CERT's long-term research does include measuring the effectiveness of mitigation strategies.
Assessment Process Methodology

An entrance conference was conducted by the DHS OIG, CERT, and USCIS on February 23, 2010. The entrance conference introduced USCIS to the CERT assessment team. Following the entrance conference, a pre-assessment walkthrough was held at USCIS headquarters on March 10, 2010. At that meeting, the CERT assessment team and the DHS OIG team explained the assessment process to representatives of USCIS. USCIS provided some documentation to the assessment team at that time and more documents throughout the assessment; those documents were reviewed to provide substantiation for findings in this report.

USCIS identified 96 systems it uses. Following the initial meeting, USCIS leadership and the assessment team chose the VIS, CLAIMS, and FDNS-DS systems because they were critical to the overall mission of USCIS. These three systems were the focus of the 5-day onsite assessment.

At the pre-assessment walkthrough, USCIS indicated that it had created a Convictions Task Force to review the activities of 10 former employees convicted of criminal misconduct within the scope of their official duties. The purpose of the task force is to identify issues these employees exploited to commit their crimes. The task force intended to develop findings and recommendations aimed at preventing similar crimes in the future. It graciously extended an invitation to the CERT and DHS OIG teams to participate. As a result, the teams observed or reviewed transcripts of all telephone conferences conducted by the task force. These findings are reflected in this report.

The CERT insider threat team and the DHS OIG liaison were onsite at various USCIS locations in the national capital region (NCR) from March 30 through April 1, 2010.

The DHS OIG liaisons were present at all interviews. The DHS OIG attended these interviews as an observer and assisted CERT as needed.

Face-to-face interviews were conducted with approximately 58 representatives in the NCR, followed by 32 representatives in the Vermont Service Center and USCIS Burlington offices. In addition, telephone conferences were held with staff from the Office of Security and Integrity (OSI) Investigations Division and the Security Network Operations Center (SNOC). Interviewees represented the following areas:

• Data Owners (VIS, CLAIMS, and FDNS-DS)

• Computer Sciences Corporation (CSC) (software engineering and operational support for VIS, CLAIMS, and FDNS-DS)
• OSI (Physical Security, Regional Security, Investigations, Personnel Security, Counterintelligence)

• Human Capital and Training (Training, Human Resources Operations Center, Labor Employee Relations)

• Office of Information Technology (OIT) (IT Security, Computer Security Incident Response Team, Security and Network Operations Center, Account Management, Enterprise Operations)

• Legal (Procurement Law)

• Vermont Service Center (adjudicators, data entry clerks, supervisor, directors, OIT, software engineering)

All interviews were considered confidential; no record of participating employees is included in this report or in subsequent briefings. Findings are attributed only to a group or department interviewed, a document, the Convictions Task Force telephone conferences, or direct observation.
Results of Assessment

Organizational
A critical issue for USCIS is ensuring that the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for Information Technology (IT), and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: US citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of USCIS' mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Transformation

Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. USCIS is relying heavily on Transformation to correct many of the problems resulting from legacy systems. This reliance on a single effort makes its effectiveness very important. The team found the Transformation effort to be a massive undertaking that appears to be implementing a very detailed project plan.

Based on the team's review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats. The assessment team reviewed five comprehensive Transformation documents as part of this assessment. The documents describe system requirements in detail. Fraud detection refers to detection of fraud perpetrated by applicants and petitioners; national security issues focus on the handling of investigations within USCIS that involve national security issues.

Again, an enterprise risk management approach should be considered when defining requirements for Transformation. Insiders at USCIS have perpetrated fraud in the past, as evidenced by the Convictions Task Force. In addition, USCIS insiders are capable of granting legal residency or citizenship status to someone who poses a national security risk to the United States.
Training and Awareness

It is essential that security awareness training is consistently provided to all employees to ensure security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure to report concerning behavior by coworkers or others in an organization was a primary reason insiders in the CERT Insider Threat Case database continued to set up or carry out their attacks.

USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Human Resources

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern exhibited by current employees. Some cases from the CERT Insider Threat database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations must establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by human resources (HR) and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring. Clear requirements for ensuring employees' knowledge of these guidelines are also essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information.
Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.
Screening and Hiring Practices

Several personnel screening and hiring practices pose a risk to USCIS systems and data:

USCIS does not have a consistent procedure for deciding whether to conduct a face-to-face interview prior to hiring an applicant being screened for government employment. There was an impression at USCIS headquarters that nearly 100% of those employees hired by managers are interviewed, but representatives in Burlington, Vermont, told us otherwise. This gap between perception and reality (there is not a policy stating that this must be done) is a concern. USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire. PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires if they have risk factors that do not cross adjudication guidelines for disqualification.

Foreign Service National (FSN) employees who work at US embassies and consulates abroad have access to USCIS critical systems and data in some cases. In order to be hired and granted access to any of those systems, FSNs are vetted by the US Department of State. Although the access to USCIS systems must be approved by the chief security officer (CSO) and chief information officer (CIO) for DHS, USCIS has very little visibility into the screening process for FSNs.

Exit Procedures
Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager or Contracting Officer's Technical Representative (COTR). It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access.
Physical Security

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the NCR since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls.
Finally, issues concerning the security of applicants' physical case files should be considered by USCIS as part of its risk management strategy.
Controlling and Monitoring Proper Access Authorization

USCIS handles the physical security and access authorization of facilities differently depending on where the facility is located. The physical security of NCR facilities is handled by one group of USCIS personnel, but the physical security of field offices falls under the Field Security Division (FSD). In some cases a physical security representative is not located in a field office at all. When this is the case, the responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner.
In 10 cases documented in the CERT Insider Threat Case database, the insider was able to commit a crime following termination because of failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities.
Security of Physical Case Files

At the Vermont Service Center, the assessment team observed physical case files of benefit applicants stacked in crates in the hallways. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their offices or desks. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they may leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Thirteen insiders documented in the CERT database stole physical property belonging to their organization.

Business Processes

A variety of cases from the CERT Insider Threat Case database document insider attacks in which gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege, in both the physical and virtual environment, is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.
Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crimes. Most of these insiders committed their crimes for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE Password Issuance and Control System (PICS) for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.
Verification Information System

The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.

Modifications by VIS users to critical data are logged.

CLAIMS 3 LAN

Currently, all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other "sister" USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it.
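The review controls described for CLAIMS 3 LAN (every denial reviewed, trainees under 100% review, a report of decisions on form types an adjudicator does not normally handle) and the separation of duties and dual control the Business Processes section calls for can be checked mechanically against decision records. The following is an added example, not code from the report or from USCIS; the record layout, the adjudicator and case identifiers, and the form types are constructed for illustration. It also treats a decision reviewed by its own author as no review at all, which is the dual-control rule the text asks for.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Decision:
    case_id: str
    adjudicator: str
    form_type: str
    outcome: str               # "approved" or "denied"
    reviewer: Optional[str]    # supervisor who reviewed the decision; None if unreviewed


def independently_reviewed(d: Decision) -> bool:
    """Dual control: a review only counts if a different person performed it."""
    return d.reviewer is not None and d.reviewer != d.adjudicator


def check_decisions(decisions: Iterable[Decision], in_training: Set[str],
                    usual_forms: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (case_id, finding) pairs for decisions that fall outside the controls:
    every denial reviewed, trainees under 100% review, decisions on a form type the
    adjudicator does not normally handle reported, and no self-review."""
    findings: List[Tuple[str, str]] = []
    for d in decisions:
        if d.reviewer is not None and d.reviewer == d.adjudicator:
            findings.append((d.case_id, "self_review"))
        if d.outcome == "denied" and not independently_reviewed(d):
            findings.append((d.case_id, "denial_unreviewed"))
        if d.adjudicator in in_training and not independently_reviewed(d):
            findings.append((d.case_id, "trainee_unreviewed"))
        if d.form_type not in usual_forms.get(d.adjudicator, set()):
            findings.append((d.case_id, "unusual_form_type"))
    return findings


def approval_review_rate(decisions: Iterable[Decision]) -> Dict[str, float]:
    """Share of each adjudicator's approvals that received an independent review;
    the text says only a subset of approvals is reviewed, so this is the number to watch."""
    total: Dict[str, int] = {}
    reviewed: Dict[str, int] = {}
    for d in decisions:
        if d.outcome != "approved":
            continue
        total[d.adjudicator] = total.get(d.adjudicator, 0) + 1
        if independently_reviewed(d):
            reviewed[d.adjudicator] = reviewed.get(d.adjudicator, 0) + 1
    return {adj: reviewed.get(adj, 0) / n for adj, n in total.items()}


# Constructed sample records (not USCIS data). "B" is in training.
SAMPLE_DECISIONS = [
    Decision("C1", "A", "I-130", "denied", "S1"),
    Decision("C2", "A", "I-130", "denied", None),      # denial never reviewed
    Decision("C3", "A", "I-130", "approved", None),    # unreviewed approval: allowed by policy
    Decision("C4", "A", "I-130", "approved", "S1"),
    Decision("C5", "A", "I-485", "approved", "S1"),    # form type A does not normally handle
    Decision("C6", "B", "N-400", "approved", None),    # trainee must be under 100% review
    Decision("C7", "C", "I-765", "approved", "C"),     # reviewed by the same person
]
IN_TRAINING = {"B"}
USUAL_FORMS = {"A": {"I-130"}, "B": {"N-400"}, "C": {"I-765"}}


def run_sample() -> List[Tuple[str, str]]:
    return check_decisions(SAMPLE_DECISIONS, IN_TRAINING, USUAL_FORMS)


if __name__ == "__main__":
    for case_id, finding in run_sample():
        print(case_id, finding)
    print(approval_review_rate(SAMPLE_DECISIONS))
```

In a real deployment the `usual_forms` map would be derived from each adjudicator's decision history rather than declared by hand, and the findings would feed the supervisor report the text mentions rather than a console.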
FDNS-DS
Incident Response

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require nonsupervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Incident Management
USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Consequently, any effort to coordinate a proactive program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.
Software Engineering

Code Reviews

Some USCIS systems adhere to a formalized process of software engineering using contractors with a specified level of process maturity (i.e., capability maturity model integration (CMMI) level 3).
There was even a documented case in which source code contained something inappropriate and was only discovered after the code was turned over from one contractor to another.
Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.

Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial.

Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise, to include contractors, subcontractors, and vendors who have access to the organization's information systems and/or networks.

In some areas, computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.
Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.
Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore,

Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR.

The application of account management practices under the control of USCIS is inconsistent. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
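The account audit recommended above for unauthorized or legacy accounts, the timely disabling of accounts on a change in status, the stale access after a transfer, and the earlier recommendation under Physical Security to compare current staff against each facility's authorized access list are all the same reconciliation: an authoritative roster on one side, a list of accounts or badges on the other. The following is an added example of that reconciliation, not code from the report, USCIS, or the Department of State; the roster and account fields, the employee and request identifiers, and the three-day grace period are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

# Policy threshold assumed for this example (the report gives no figure):
# an account may stay enabled at most this many days after its owner separates.
GRACE_DAYS = 3


@dataclass(frozen=True)
class Person:
    emp_id: str
    department: str
    status: str                       # "active" or "separated"
    separated_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: str                       # owner as recorded by the account system
    department: str                   # department the access was authorized for
    enabled: bool
    authorization_ref: Optional[str]  # approved request id; None means no record exists


def audit_accounts(roster: Iterable[Person], accounts: Iterable[Account],
                   as_of: date) -> List[Tuple[str, str, str]]:
    """Reconcile an account list against the HR roster.

    Returns (username, finding, detail) tuples for accounts whose owner is not on
    the roster, that have no authorization record, that are still enabled past
    GRACE_DAYS after separation, or whose owner has since transferred elsewhere.
    A physical access control list can be audited the same way by substituting
    badge records for accounts."""
    people = {p.emp_id: p for p in roster}
    findings: List[Tuple[str, str, str]] = []
    for acct in accounts:
        owner = people.get(acct.emp_id)
        if owner is None:
            # Legacy or unexplained account: nobody on the roster owns it.
            findings.append((acct.username, "orphan", "owner not on HR roster"))
            continue
        if acct.authorization_ref is None:
            findings.append((acct.username, "unauthorized",
                             "no record of who approved creation"))
        if owner.status == "separated" and acct.enabled and owner.separated_on:
            overdue = (as_of - owner.separated_on).days
            if overdue > GRACE_DAYS:
                findings.append((acct.username, "not_disabled",
                                 f"still enabled {overdue} days after separation"))
        if owner.status == "active" and owner.department != acct.department:
            # Losing and gaining supervisors did not get the access re-authorized.
            findings.append((acct.username, "stale_transfer",
                             f"authorized for {acct.department}, owner now in {owner.department}"))
    return findings


# Constructed sample data (not USCIS data).
SAMPLE_ROSTER = [
    Person("E100", "OIT", "active"),
    Person("E200", "OIT", "separated", date(2010, 3, 15)),
    Person("E300", "VSC", "active"),                           # transferred from NCR
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "E100", "OIT", True, "REQ-0001"),
    Account("svc_batch", "E100", "OIT", True, None),           # nobody approved this one
    Account("asmith", "E200", "OIT", True, "REQ-0002"),        # owner left two weeks ago
    Account("asmith_old", "E200", "OIT", False, "REQ-0003"),   # already disabled: no finding
    Account("bwong", "E300", "NCR", True, "REQ-0004"),         # access follows the old job
    Account("fsn01", "E999", "EMB", True, None),               # no roster entry at all
]


def run_sample() -> List[Tuple[str, str, str]]:
    return audit_accounts(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, date(2010, 4, 1))


if __name__ == "__main__":
    for username, finding, detail in run_sample():
        print(f"{username:12s} {finding:15s} {detail}")
```

Where the roster and the account system sit in different organizations, as with FSN accounts and PICS, the roster side of this comparison is exactly the list that has to be obtained from the other party before an audit can say anything about orphaned accounts.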
Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.
Given the distributed nature of access authorization via PICS, ICE, and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas, have not been through the rigorous pre-employment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.
Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Protection of Controlled Information
Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.
USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information,
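The kind of volume and traffic-type detection just described reduces to comparing each user's activity on a day against that user's own history. The following is an added illustration, not the monitoring USCIS has deployed and not code from the report; the flow-summary line format, the user names, the five-times-median ratio and the 100 MB floor are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed flow-summary lines (one per user, destination port and day). This is
# not USCIS log data; the field names are an assumption of this example.
SAMPLE_LOG = """\
2010-03-29 user=jdoe dst_port=443 bytes=1200000
2010-03-30 user=jdoe dst_port=443 bytes=1500000
2010-03-31 user=jdoe dst_port=443 bytes=1100000
2010-04-01 user=jdoe dst_port=443 bytes=900000000
2010-04-01 user=jdoe dst_port=22 bytes=50000000
2010-03-29 user=asmith dst_port=443 bytes=5000000
2010-03-30 user=asmith dst_port=443 bytes=5200000
2010-03-31 user=asmith dst_port=443 bytes=4800000
2010-04-01 user=asmith dst_port=443 bytes=6000000
"""

LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) "
                     r"dst_port=(?P<port>\d+) bytes=(?P<bytes>\d+)$")


def parse_log(text: str) -> List[Tuple[str, str, int, int]]:
    """Return (day, user, port, bytes) tuples; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["day"], m["user"], int(m["port"]), int(m["bytes"])))
    return records


def find_anomalies(records: List[Tuple[str, str, int, int]], target_day: str,
                   ratio: float = 5.0, min_bytes: int = 100_000_000) -> List[Tuple[str, str, str]]:
    """Flag users whose total bytes on target_day exceed ratio times the median of
    their earlier days (and an absolute floor, so tiny baselines do not alert), and
    users who talked to a destination port never seen in their history."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    ports: Dict[str, Dict[str, Set[int]]] = defaultdict(lambda: defaultdict(set))
    for day, user, port, nbytes in records:
        totals[user][day] += nbytes
        ports[user][day].add(port)

    findings: List[Tuple[str, str, str]] = []
    for user in sorted(totals):
        history = [b for d, b in totals[user].items() if d < target_day]   # ISO dates sort
        if not history or target_day not in totals[user]:
            continue
        baseline = median(history)
        today = totals[user][target_day]
        if today >= min_bytes and today > ratio * baseline:
            findings.append((user, "volume", f"{today} bytes vs median {baseline:.0f}"))
        seen: Set[int] = set()
        for d, p in ports[user].items():
            if d < target_day:
                seen |= p
        new_ports = ports[user][target_day] - seen
        if new_ports:
            findings.append((user, "new_port", ",".join(str(p) for p in sorted(new_ports))))
    return findings


if __name__ == "__main__":
    for user, kind, detail in find_anomalies(parse_log(SAMPLE_LOG), "2010-04-01"):
        print(f"{user:8s} {kind:9s} {detail}")
```

The per-user median is deliberately robust to a single earlier spike; a mean would let one large legitimate transfer raise the baseline enough to hide the next one.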
Logging, Auditing, Monitoring

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.
ThereisaprimaryconcerninthisareaatUSCISUSCISshouldconsiderthefrequencywith whichitscansitssystemsfortechnicalsecurityvulnerabilities
ThereisalsoanotherconcerninthisareaatUSCIS
ConfigurationManagement
Effectiveconfigurationmanagementhelpsensuretheaccuracyintegrityanddocumenta tionofallcomputerandnetworksystemconfigurationsAwidevarietyofcasesintheCERT InsiderThreatCasedatabasedocumentinsiderswhoreliedheavilyonthemisconfiguration ofsystemsTheyhighlighttheneedforstrongermoreeffectiveimplementationofauto matedconfigurationmanagementcontrolsOrganizationsshouldalsoconsiderconsistent definitionandenforcementofapprovedconfigurationsChangesordeviationsfromthe approvedconfigurationbaselineshouldbeloggedsotheycanbeinvestigatedforpotential maliciousintentConfigurationmanagementalsoappliestosoftwaresourcecodeandap plicationfilesOrganizationsthatdonotenforceconfigurationmanagementacrosstheen terpriseareopeningvulnerabilitiesforexploitbytechnicalinsiderswithsufficientmotiva tionandalackofethics
The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy,
Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.
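The baseline comparison described in this section (approved configurations, with every deviation logged so it can be investigated) can be demonstrated as a drift check over a host's installed-software inventory. The following is an added example written for this edit, not code from the report or from the OIT; it assumes a constructed baseline and inventory with made-up package names, versions and host name, and it classifies outdated, newer-than-approved, unapproved and missing packages separately because each calls for a different follow-up.

```python
"""Configuration baseline drift check for installed software.

Added example; this is not code from the OIG/CERT report or from the OIT.
It assumes two constructed inputs: an approved baseline mapping package
name to the approved version, and a per-host inventory mapping package
name to the installed version. Package names, versions and host name are
made up. Every deviation is returned as a structured finding so it can be
logged and later investigated, as the report recommends.
"""
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '9.3.2' into (9, 3, 2) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


# Constructed approved baseline for one desktop image.
BASELINE: Dict[str, str] = {
    "antivirus-agent": "8.7.0",
    "pdf-reader": "9.4.0",
    "office-suite": "12.0.6",
    "disk-encryption": "3.1.0",
}

# Constructed inventory collected from one host.
INVENTORY_HOST_A: Dict[str, str] = {
    "antivirus-agent": "8.7.0",
    "pdf-reader": "9.3.2",          # older than approved: unpatched
    "office-suite": "12.1.0",       # newer than approved: not the tested build
    "remote-admin-tool": "1.2.0",   # not on the approved list at all
}                                   # disk-encryption absent: missing control


def check_drift(baseline: Dict[str, str], inventory: Dict[str, str]) -> List[dict]:
    """Compare a host inventory against the baseline and return one
    finding per deviation. An empty list means the host matches."""
    findings: List[dict] = []
    for name, installed in sorted(inventory.items()):
        approved = baseline.get(name)
        if approved is None:
            kind = "unapproved"
        elif parse_version(installed) < parse_version(approved):
            kind = "outdated"
        elif parse_version(installed) > parse_version(approved):
            kind = "newer-than-approved"
        else:
            continue  # matches the baseline exactly
        findings.append({"package": name, "kind": kind,
                         "installed": installed, "approved": approved})
    # Baseline packages that are not installed at all (e.g. a removed agent).
    for name in sorted(set(baseline) - set(inventory)):
        findings.append({"package": name, "kind": "missing",
                         "installed": None, "approved": baseline[name]})
    return findings


def to_log_lines(host: str, findings: List[dict]) -> List[str]:
    """Render findings as key=value log lines for a central log collector."""
    return [f"host={host} package={f['package']} finding={f['kind']} "
            f"installed={f['installed']} approved={f['approved']}"
            for f in findings]


if __name__ == "__main__":
    for line in to_log_lines("host-a", check_drift(BASELINE, INVENTORY_HOST_A)):
        print(line)
```

Run against each host's inventory on a schedule, the structured findings give the OIT a log of every deviation from the approved baseline, which is the record the section says should exist before a deviation can be investigated for malicious intent.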
Recommendations
The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.
Recommendation 1: Institute an enterprise risk management plan

USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.
Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort

Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.
Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identi
stores physical files for benefit applicants in the Vermont Service Center with no physical protection beyond the exterior building and guard controls. USCIS should evaluate current physical access procedures to determine if they adequately address risk and if they are enforced consistently across the enterprise.
Recommendation 8: Consistently enforce exit procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager and COTR. It also appears that different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access. USCIS should adopt an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.
Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs

Changes should be made to the USCIS hiring processes for select high-risk positions. For example, USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.
Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion

USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.
Recommendation 11: Enforce a requirement for individual accounts on critical systems

In some cases, USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing of accounts more difficult.
Recommendation 12
Recommendation 13: Reduce the number of privileged accounts for critical data systems

Some data systems, including FDNS-DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.
Recommendation 14
Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review

USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk, critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed.
Recommendation 16

Recommendation 17
Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees

USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.
Management Comments and OIG Analysis
We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments in its entirety in appendix I.
USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS corrective action plans.
Appendixes

The following pages contain appendixes A through G that contain a complete, detailed list of findings from the assessment.

The appendixes are organized into the following sections:
Appendix A: Organizational
Appendix B: Human Resources
Appendix C: Physical Security
Appendix D: Business Process
Appendix E: Incident Response
Appendix F: Software Engineering
Appendix G: Information Technology
Appendix H: Acronyms
Appendix I: Management Comments to the Draft Report
Appendix J: Contributors to this Report
Appendix K: Report Distribution
Each section in appendixes A through G contains a brief introduction, summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:
Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures
Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern specific to USCIS obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.
It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization's mission from both external and internal threats.
Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.
The results of this insider threat vulnerability assessment should be used to develop or refine the organization's overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.
Many of the findings in this report include the relative frequency of the issue raised in the CERT Insider Threat Case database. At the time this report was written, there were 386 cases of malicious insider activity against which the suggested countermeasure percentage is calculated. So if a particular activity was seen in 38 of our cases, we may indicate that it was seen in 10% of the cases in the Insider Threat Case database.
Appendix A: Organizational

Risk Management, Communication, Security Process Improvement

USCIS is in a difficult position. Part of its mission is to provide customer service to those seeking immigration and citizenship benefits from the US Government. However, it is challenging to optimize business processes for customer service while at the same time implementing protective measures to counter the risk posed by granting those very benefits.

Many USCIS employees interviewed for this assessment identified the organization's primary risk as allowing the next terrorist to live and work legally in the United States. They desire help in identifying and implementing internal controls to counter that risk. Some of the interviewees, however, even some of the ISSOs and data owners, focused on leakage of PII as their primary concern. After delving into the matter with the assessment team, they came to understand the risk posed by exposure or misuse of critical data as the greatest risk faced by USCIS, primarily because such a security breach could result in allowing a terrorist into the country.

A critical issue for USCIS is ensuring the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: US citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.
Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Enterprise Risk Management
Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Individual organizations within USCIS do risk management related to their particular domain. For instance, IT does risk management from an IT perspective and the Financial Management does financial risk management.
Policy or Practice Gaps: USCIS personnel stated there is no enterprise risk management process for analyzing the organization's overall risk.
Suggested Countermeasures: We suggest that USCIS institute an enterprise risk management program. Without a common vision for risk management, the ISSOs and all organizations within USCIS cannot effectively understand the risk environment and work together to effectively mitigate risk.

In interviews, some USCIS staff, including some ISSOs, data owners, and OIT staff, seemed to view loss of PII as the most important insider threat risk. All of the assessment questions were answered in the context of loss of PII. When we asked specifically what they see as the biggest insider threat risk, everyone seemed to agree it is creation of real citizenship documents for people who should not have them. In fact, interviewees at the Vermont Service Center categorized the functions characterized by the highest risk as follows:

1) Unlawful alien in the United States granted nonimmigrant status
2) Someone with nonimmigrant status granted permanent residency, which means he or she can live and work indefinitely in the United States and also can petition for relatives

The Vermont Service Center is implementing separation of duties for performing functions 1 and 2 above (granting nonimmigrant status and moving someone from nonimmigrant status to permanent residency) so that one USCIS adjudicator alone cannot take an applicant from unlawful to permanent resident. These two functions will be performed at different physical locations 29 miles apart. The Vermont Service Center has not had an adjudicator who performed both functions 1 and 2 for the same applicant. This decision demonstrates that leadership at the Vermont Service Center recognizes the significant risk of creating legal citizenship documents for illegal aliens and is taking steps to mitigate that risk. However, our insider threat assessment has uncovered other issues that could be addressed to mitigate that risk. Again, a formal risk analysis would enable USCIS to thoroughly examine the issues and prioritize countermeasures using a formal process. For example, an alternative to the physical move could be to implement an audit mechanism to look for adjudicators who performed both functions 1 and 2 for the same applicant.

Again, an enterprise risk management program will ensure that everyone across USCIS is working together to mitigate the highest priority risks. There are regulations and laws surrounding protection of PII, but focusing primarily on that issue can lead to a false sense of security if other, more important risk areas are given less attention.
Area of Concern: Enterprise-Wide Communication
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no consistency of controls from one service center to the next. We were told they each operate fairly independently.
Suggested Countermeasures: USCIS would benefit from ongoing communications about risk-based issues between the service centers. For instance, communications concerning problems, effective countermeasures, modifications to business processes, or ideas for countering increased risk could lead to an improved risk posture for the entire USCIS enterprise.
Area of Concern: Continual Security Process Improvement
Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: The USCIS Convictions Task Force is an excellent forum for analyzing past criminal cases and determining measures that should be instituted to prevent similar crimes in the future.
Policy or Practice Gaps: There is no process for following up on a case after the Office of Special Investigation (OSI) finishes an investigation. The Convictions Task Force is the only process we found for formal tracking, analysis, and process improvement based on actual incidents. The assessment team asked various groups if there is any follow up to incidents, for instance implementing automated scripts or controls to detect the same incident in the future. The team could not find a single person who knows of such an activity. Many examples of employee misconduct cited to the assessment team could easily have been detected or even prevented via automated controls. In addition, there is no mechanism for communicating issues outside of a given service center.
Suggested Countermeasures: In nearly 25% (91) of the cases in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 of these cases, it was because of inadequate auditing of irregular processes. In 29% of the cases, the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analysis of the OSI's findings and the development of automated checks implemented nationally.
Area of Concern: USCIS Employees are Potential Targets for Recruitment
Responsible Personnel: Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Some USCIS employees interviewed have received a request for assistance from a friend, relative, or stranger seeking to promote a case for some form of applicant. One adjudicator said he does not tell others who he works for. However, the distinctive green parking sticker on his car could, in a small town like Burlington, VT, reveal the identity of his employer. USCIS personnel are therefore unusually vulnerable to solicitation by outsiders.
Suggested Countermeasures: Twenty-nine percent of the insiders in the CERT Insider Threat Case database were recruited by outsiders to commit their crimes. USCIS should consider increasing the security awareness training provided to USCIS employees and contractors. The training should be continuous, including portions intended to raise awareness of the potential target that USCIS employees present. All employees should be aware of the consequences of participating in fraud against USCIS as well as how to report solicitations made to commit fraud.
Area of Concern: Transformation
Responsible Personnel: USCIS Leadership, Data Owners, Information Technology, Human Resources
Policy and/or Security Measure: Transformation is a large business process reengineering effort in USCIS that is primarily focused on improved customer service and fraud detection. For example, the assessment team was told that Transformation will automatically validate data in CLAIMS against other external systems (e.g., ICE and FBI) and that security requirements and controls have been identified by current C3 LAN data owners. Transformation was mentioned in most interviews for this assessment.
Policy or Practice Gaps: It appears that USCIS is relying heavily upon Transformation to correct many of the problems resulting from legacy systems. However, it is unclear whether internal personnel security and information security concerns will be included in this program. This reliance on a single effort makes the effectiveness of this effort very important. Reading the Transformation requirements documentation, it is not clear that insiders are considered in the security requirements for prevention and detection of fraud or national security in USCIS systems.
Suggested Countermeasures: USCIS should consider the Transformation project from an enterprise-wide perspective. It is important for it to use a formal requirements gathering process in order to effectively mitigate both internal and external threats. Personnel security should be included as well as information security to ensure that the appropriate internal controls are in place to reduce the risk posed by malicious insiders.
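The audit mechanism suggested in the Enterprise Risk Management row of this table (find adjudicators who performed both functions 1 and 2 for the same applicant) and the automated checks suggested in the Continual Security Process Improvement row can both be implemented as one batch job over an export of adjudication actions. The following is an added example written for this edit, not code from the report or from USCIS; it assumes a constructed CSV export format, made-up adjudicator and applicant ids, and a configurable set of conflicting function pairs that generalizes the report's single (1, 2) pair to any pair of duties that one person must not perform alone.

```python
"""Separation-of-duties audit over adjudication records.

Added example; this is not code from the OIG/CERT report or from USCIS.
It assumes a constructed export format: one CSV line per adjudication
action with the date, adjudicator id, applicant id and the function
performed, numbered as in the report (1 = nonimmigrant status granted,
2 = permanent residency granted). All ids and dates below are made up.
"""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Tuple

# Function numbers as used in the report's Vermont Service Center example.
FUNCTION_1 = 1  # unlawful alien granted nonimmigrant status
FUNCTION_2 = 2  # nonimmigrant status holder granted permanent residency

# Pairs of functions that one person must not perform for the same applicant.
# Only the (1, 2) pair comes from the report; the set is a parameter so the
# same check applies to other conflicting duties an organization defines.
DEFAULT_CONFLICTS: FrozenSet[Tuple[int, int]] = frozenset({(FUNCTION_1, FUNCTION_2)})


class Action(NamedTuple):
    date: str
    adjudicator: str
    applicant: str
    function: int


# Constructed sample export (not real USCIS data).
SAMPLE_CSV = """\
date,adjudicator,applicant,function
2010-03-02,adj-101,app-9001,1
2010-09-14,adj-102,app-9001,2
2010-04-20,adj-103,app-9002,1
2010-10-05,adj-103,app-9002,2
2010-05-11,adj-104,app-9003,1
2010-05-12,adj-104,app-9003,1
2010-06-01,adj-105,app-9004,2
"""


def parse_actions(text: str) -> List[Action]:
    """Parse the CSV export into Action records, rejecting malformed rows."""
    actions: List[Action] = []
    for row in csv.DictReader(StringIO(text)):
        try:
            actions.append(Action(row["date"], row["adjudicator"],
                                  row["applicant"], int(row["function"])))
        except (KeyError, TypeError, ValueError) as exc:
            raise ValueError(f"malformed row {row!r}") from exc
    return actions


def find_sod_conflicts(actions: Iterable[Action],
                       conflicts: FrozenSet[Tuple[int, int]] = DEFAULT_CONFLICTS
                       ) -> List[dict]:
    """Return one finding per (adjudicator, applicant) pair where the same
    person performed both halves of a conflicting function pair."""
    # Group actions by who acted and on which applicant.
    by_pair: Dict[Tuple[str, str], List[Action]] = defaultdict(list)
    for a in actions:
        by_pair[(a.adjudicator, a.applicant)].append(a)

    findings: List[dict] = []
    for (adjudicator, applicant), acts in sorted(by_pair.items()):
        performed = {a.function for a in acts}
        for first, second in sorted(conflicts):
            if first in performed and second in performed:
                findings.append({
                    "adjudicator": adjudicator,
                    "applicant": applicant,
                    "functions": (first, second),
                    # Dates let a reviewer pull the matching case files.
                    "dates": sorted(a.date for a in acts
                                    if a.function in (first, second)),
                })
    return findings


if __name__ == "__main__":
    for f in find_sod_conflicts(parse_actions(SAMPLE_CSV)):
        print(f"SoD conflict: {f['adjudicator']} performed functions "
              f"{f['functions']} for {f['applicant']} on {f['dates']}")
```

Run over a periodic export, an empty result means no one adjudicator performed both halves of a conflicting pair for the same applicant; each finding carries the dates involved so it can be reviewed against the case file rather than acted on blindly. Repeated performance of the same function by one adjudicator (adj-104 in the sample) is deliberately not flagged, since it is not a separation-of-duties violation.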
Training and Awareness

It is essential that security awareness training be consistently provided to all employees to ensure that security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure by coworkers or others in an organization to report concerning behavior was a primary reason insiders in the CERT Insider Threat Case database were able to set up or carry out their attacks. USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.
Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Training or Skills Required of Those in Appointed Security Roles
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: USCIS has a training process through an information systems security manager (ISSM).
Policy or Practice Gaps: USCIS relies heavily on contractors to provide adequately trained staff. Many ISSOs are not well versed in security. ISSOs are currently in an education process, but ISSOs are typically not security watchdogs.
Suggested Countermeasures: ISSOs must have proper training in order to keep up with the ever-changing information security environment and to be able to deal with the myriad technologies and tools available to them. Appropriate budget should be allocated for ISSO training, including vendor-specific training (e.g., McAfee and Cisco) and industry-specific training (e.g., SANS).
Appendix B: Human Resources

Employee Issues

An organization's approach to reducing insider threats should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern by current employees. Some cases from the CERT Insider Threat Case database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations should establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by HR and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring, and clear requirements for ensuring employees' knowledge of these guidelines are essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information. Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

CERT suggests enhancements to the USCIS hiring and termination processes. For example, USCIS should consider additional screening for high-risk positions such as adjudicators. USCIS should also consider becoming more involved in vetting Foreign Service Nationals (FSN) prior to granting them access to USCIS critical systems and data. Finally, USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.
Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Pre-Employment Screening
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: The employee screening process lacks any form of psychological screening for a range of positions, including adjudicators.
Suggested Countermeasures: Five percent (18) of the insiders in the CERT database had possible psychological issues. USCIS should consider including psychological testing as part of the new hire process for select positions, including adjudicators. Given the significant social pressures on adjudicators and the relative lack of monitoring for insider risk, it seems important to improve this aspect of screening.
Responsible Personnel: Human Resources
Policy and/or Security Measure: Applicants are assigned a rating by HR; the rating is used to rank applicants.
Policy or Practice Gaps: There is currently no audit log that would capture instances in which someone in HR changed a rating to enable someone to get hired more easily.
Suggested Countermeasures: USCIS should consider implementing an audit log to track the candidate ratings and alert when candidate ratings are changed by someone in HR.
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire.
Policy or Practice Gaps: PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires who have risk factors that do not cross adjudication guidelines for disqualification.
Suggested Countermeasures: USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: Each field office determines whether or not to meet an applicant face to face before hiring.
Policy or Practice Gaps: There was an impression at headquarters that nearly 100% of those hired by managers are interviewed, but representatives in Burlington, Vermont told us otherwise. This gap between perception (there is not a policy stating this must be done) and reality is of concern. There have been known instances in which applicants were only screened on paper or over the phone before being hired. Standard operating procedures are not followed at all field offices.
Suggested Countermeasures: USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: PERSEC vets federal employees and contractors (with a minimum background investigation). USCIS relies on the US Department of State to vet foreign national employees who work at embassies or consulates abroad. FSNs in some instances are granted accounts on USCIS information systems. If FSNs need access to DHS systems (including USCIS), currently this access must be approved by the CSO and CIO for DHS.
Policy or Practice Gaps: This practice was not always followed consistently in the past, so there may be FSNs who were granted access without all the current vetting and approvals.
Suggested Countermeasures: USCIS should consider becoming more involved in vetting of FSNs prior to granting them access to USCIS systems. In addition, USCIS should audit current FSNs with access to USCIS systems and ensure that appropriate vetting was performed.
Area of Concern: Candidate Certification Verification
Responsible Personnel: Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: USCIS does not have a standard procedure for verifying the certifications of job applicants.
Suggested Countermeasures: USCIS should consider implementing a step in the new hire process to verify certifications of all candidates. A few insiders documented in the CERT Insider Threat Case database were able to obtain positions in organizations by providing falsified certifications.
Empl
oyee
and
Co
ntra
ctor
Ter
mi
nati
on
USC
ISL
eade
rshi
p H
uman
Res
ourc
es
Exit
proc
edur
esa
rer
ecen
tlyd
evel
op
eda
ndi
nso
me
case
ss
tillu
nder
de
velo
pmen
t(ie
fo
rmal
exi
tpro
ce
dure
sar
eex
pect
edto
be
rele
ased
in
3m
onth
s)
This
gap
may
man
ifest
itse
lfin
the
inco
nsis
tent
col
lect
ion
ofb
adge
sla
pto
psm
obile
dev
ices
and
oth
erU
SCIS
eq
uipm
ent
USC
ISs
houl
dco
nsid
era
dopt
ing
ane
nter
pris
ew
ide
exit
proc
edu
reto
ens
ure
cons
iste
ntte
rmi
natio
nof
all
empl
oyee
san
dco
ntr
acto
rs
Ita
ppea
rsth
ere
spon
sibi
lity
for
ensu
ring
that
em
ploy
ees
and
cont
ract
ors
are
term
inat
edr
ests
sol
ely
with
the
man
ager
It
als
oap
pear
sdi
ffer
en
tman
ager
sfo
llow
diff
eren
tpr
oced
ures
toe
nsur
eth
ata
cce
ssis
dis
able
dan
deq
uipm
ent
isr
etur
ned
ase
mpl
oyee
san
dco
ntra
ctor
sle
ave
USC
IS
Empl
oyee
and
Co
ntra
ctor
Man
da
tory
Dru
gTe
stin
g
Hum
anR
esou
rces
All
fede
ralp
ositi
ons
are
subj
ectt
odr
ugte
stin
gb
uto
nly
forn
ewh
ires
Acc
ordi
ngto
aU
SCIS
Con
vict
ions
Tas
kFo
rce
inve
stig
atio
nca
sec
all
cont
rac
tor
posi
tions
do
notr
equi
red
rug
test
in
g
Fift
een
insi
ders
doc
umen
ted
in
the
CERT
Insi
der
Thre
atC
ase
data
base
exh
ibite
dsu
bsta
nce
abus
eU
SCIS
sho
uld
cons
ider
im
plem
entin
gm
anda
tory
pos
thi
red
rug
test
ing
for
alle
mpl
oy
ees
and
cont
ract
ors
CERT | SOFTWARE ENGINEERING INSTITUTE | 41
Appendix C: Physical Security
Field Offices
Access Following Termination
Security of Physical Case Files

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can also provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the national capital region (NCR) since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls. In addition, gaps in termination procedures have resulted in ongoing physical access following termination. Finally, issues concerning the security of physical case files should be considered as part of a USCIS risk management strategy.
Area of Concern: Physical Security of Field Offices
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: USCIS is in the process of putting a new access control system in place for the NCR. Before it does, it will disable access for anyone who has not used physical access in more than 12 months, as well as anyone no longer employed by USCIS. It also plans on examining all accounts that have not used physical access in more than 30 days. Security of field offices falls under the Field Security Division (FSD). The Office of Security and Integrity (OSI) recently developed an inspection workbook and is field testing it with FSD. The USCIS Field Security Division is planning to put a security representative in every field office. It expects two to three times more reports of violations once it has a representative in every location.
Policy or Practice Gaps: Each USCIS facility has its own policies and access control systems. Some field offices within USCIS have access control systems; others do not. Not all offices in the field have electronic access controls; some only have locks and keys. Not every USCIS site has a physical security representative. Where no representative is present, this responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner.
Suggested Countermeasures: Forty of the insiders documented in the CERT database took advantage of inadequate physical security to carry out their crimes. Electronic access controls provide logs that could be useful in investigations of illicit activity outside of normal working hours. USCIS should consider developing enterprise-wide physical security procedures, roll those out to each field office, and require a physical security representative at each site to ensure consistent enforcement of the policies. USCIS should consider prohibiting each field office from developing site-specific policies and removing enforcement control from each site.

Area of Concern: Physical Access Following Termination
Responsible Personnel: Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Some managers track who accesses what when, and others do not. According to Physical Security in Vermont, only 20% of violations are being reported to security.
Suggested Countermeasures: In 10 cases documented in the CERT Insider Threat Case database, the insider was able to attack following termination due to failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities. USCIS should consider automating the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to physical security so physical access can be disabled.

Area of Concern: No Two-Person Control
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Security guards at site locations have on occasion ignored door-propped-open alarms because theft has traditionally been a very small problem at USCIS.
Suggested Countermeasures: Consider consistent enforcement and investigation of USCIS physical security incidents. All alerts should be investigated and documented; if the alert is deemed unnecessary, then it should be discontinued. All security violations should be tracked in a central repository so a complete history for each individual is available.

Area of Concern: After-Hours Access
Responsible Personnel: Physical Security
Policy and/or Security Measure: Authorized access: most access is 24 hours a day, 7 days a week –
Suggested Countermeasures: Twenty-nine of the insiders documented in the CERT database used physical access outside of normal working hours to attack. USCIS should consider implementing an access control system that grants access commensurate with the position an employee or contractor fills. If a position does not require access outside of normal working hours, the access control system should prohibit such access and log unsuccessful access attempts.
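As an added example (not USCIS or CERT code) of an access control system that grants access commensurate with the position and logs unsuccessful attempts, the script below evaluates constructed badge events against a per-position schedule. A revoked badge, an unknown badge, and an attempt outside the position's hours are all denied and written to the same log that an investigator would pull for after-hours activity. The positions, hours, badge identifiers and events are assumptions made for the demonstration.

```python
"""Position-based physical access policy with after-hours enforcement and
denial logging. Added example for this report; not USCIS code. Positions,
hours, badge holders and badge events are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time

BUSINESS_HOURS = (time(6, 0), time(19, 0))
ALL_HOURS = (time(0, 0), time(23, 59, 59))

# Access commensurate with the position: only a position that actually needs
# after-hours access gets an all-hours window (values are assumptions).
ACCESS_PROFILES = {
    "adjudicator":       {"days": range(0, 5), "window": BUSINESS_HOURS},  # Mon-Fri
    "data_entry_clerk":  {"days": range(0, 5), "window": BUSINESS_HOURS},
    "facility_security": {"days": range(0, 7), "window": ALL_HOURS},
}


@dataclass
class BadgeHolder:
    badge_id: str
    position: str
    active: bool = True   # set to False by the termination checklist


@dataclass
class Decision:
    badge_id: str
    when: datetime
    door: str
    granted: bool
    reason: str


@dataclass
class AccessControl:
    holders: dict
    log: list = field(default_factory=list)   # grants and denials, kept for investigations

    def request(self, badge_id: str, door: str, when: datetime) -> Decision:
        holder = self.holders.get(badge_id)
        if holder is None:
            return self._record(badge_id, when, door, False, "unknown badge")
        if not holder.active:
            return self._record(badge_id, when, door, False, "badge revoked")
        profile = ACCESS_PROFILES.get(holder.position)
        if profile is None:
            return self._record(badge_id, when, door, False, "no access profile for position")
        start, end = profile["window"]
        in_hours = when.weekday() in profile["days"] and start <= when.time() <= end
        if not in_hours:
            return self._record(badge_id, when, door, False, "outside authorized hours")
        return self._record(badge_id, when, door, True, "granted")

    def _record(self, badge_id, when, door, granted, reason) -> Decision:
        decision = Decision(badge_id, when, door, granted, reason)
        self.log.append(decision)
        return decision

    def denied(self):
        """The unsuccessful attempts the report says should be logged."""
        return [d for d in self.log if not d.granted]


def demo():
    """Runs constructed badge events; returns (all decisions, denied attempts)."""
    acs = AccessControl({
        "A-1001": BadgeHolder("A-1001", "adjudicator"),
        "S-2001": BadgeHolder("S-2001", "facility_security"),
        "C-3001": BadgeHolder("C-3001", "data_entry_clerk", active=False),  # terminated
    })
    events = [
        ("A-1001", "main-entrance", datetime(2010, 12, 6, 9, 30)),   # Monday, in hours
        ("A-1001", "main-entrance", datetime(2010, 12, 6, 22, 15)),  # Monday night
        ("A-1001", "file-room",     datetime(2010, 12, 11, 10, 0)),  # Saturday
        ("S-2001", "main-entrance", datetime(2010, 12, 11, 2, 0)),   # guard, Saturday night
        ("C-3001", "main-entrance", datetime(2010, 12, 6, 10, 0)),   # revoked badge
        ("X-9999", "main-entrance", datetime(2010, 12, 6, 10, 5)),   # badge not on the list
    ]
    decisions = [acs.request(badge, door, when) for badge, door, when in events]
    return decisions, acs.denied()
```

The schedule check is deliberately simple; what matters for the report's point is that the deny path and the grant path share one log, so a pattern of off-hours attempts by a badge whose position has no after-hours need is visible without correlating guard reports.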
Area of Concern: Security of Physical Case Files
Responsible Personnel: Physical Security
Policy and/or Security Measure: Protection of USCIS Case File Data
Policy or Practice Gaps: Physical files were observed in crates stacked in the hallways in the Vermont Service Center. According to an interview at the Service Center, anyone could walk out with a "crate full" of files after hours, especially if you are a teleworker. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their office or desk. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they might leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information has been found in garbage cans in the hallway. Adjudicators pick up their cases in an envelope in their mailbox. During the site visit, the assessment team observed the mail room at the Vermont Service Center unattended between shifts (approximately 3 pm). When adjudicators finish with a file, they return it to a drop-off spot. The assessment team observed those spots, which are in the open and unattended. Adjudicators may keep cases overnight and usually return them within 1 week.
Suggested Countermeasures: USCIS assumes its case file data is secure because its employees and contractors have a clearance or have had a background check. It is important to note that 49 insiders documented in the CERT database violated need-to-know policies in the commission of their crimes. Therefore, relying on clearances alone can be very dangerous. Thirteen insiders documented in the CERT database stole physical property belonging to the organization. CERT suggests USCIS consider the consequences of theft or unauthorized access to physical case files and make a risk-based decision regarding potential policy and procedure changes. There are standard policies and procedures for handling sensitive information, but a strong educational campaign is needed to ensure the protection of data.

Area of Concern: Teleworkers at Service Centers
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: One hundred eighty-nine people at the Vermont Service Center are authorized to work from home. These employees pick up files at the Vermont Service Center and take them home. They work 2 days per week in the Service Center and 3 days per week at home. USCIS pays an unannounced visit to all homes to inventory the employees' files at least quarterly. These employees must have a locked facility in their home and must always have the ability to return the files to the Service Center within 4 hours.
Policy or Practice Gaps: The control of USCIS data when it leaves the Vermont Service Center is difficult to enforce. Employees must have appropriate storage facilities, but they could easily copy USCIS data and share it with unauthorized individuals.
Suggested Countermeasures: Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. It is important that USCIS recognize the potential for recruitment and the lack of control exercised over sensitive data at adjudicators' residences.
Appendix D: Business Processes
Technical Controls
Authorization via PICS
Account Management

A variety of cases from the CERT Insider Threat Case database document insider attacks where gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environments is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors are targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE PICS system for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.
Area of Concern: Authorization for USCIS Critical Systems through PICS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Several critical USCIS systems are tied to PICS for authentication, which is administered by ICE. PICS logs account creations: when the accounts were created, what roles applied to the accounts, etc.
Policy or Practice Gaps: PICS permits users outside of USCIS to authorize users for any USCIS application tied to PICS. Two thousand local PICS officers (LPOs) in ICE and USCIS can create new accounts in PICS for employees located at their sites. LPOs control access for sheriffs, petitioners, CBP, DOJ, TSA, DHS OIG, the Terrorism Task Force, and others. Accounts are based on personnel records, so LPOs cannot create accounts for anyone who is not an employee at their site. However, PICS administrators can create accounts for anyone working at their site for any system tied to PICS.
Suggested Countermeasures: USCIS should consider implementing an authorization process and system that enables it to control who is granted access to USCIS systems and data. CERT suggests that USCIS validate current PICS accounts and roles against current employee lists. Ten percent (37) of the insiders documented in the CERT database had excessive privileges which enabled them to attack. In addition, "privilege creep" enabled a few (six) of the insiders documented in the CERT database to carry out their crimes.
Verification Information System (VIS)

Area of Concern: Sharing VIS Accounts
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: VIS administrators in external companies or agencies have been caught letting multiple employees use the same VIS account, but USCIS has no ability to take any action. The accounts enable employees to validate PII and citizenship information.
Suggested Countermeasures: Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing accounts more difficult.

Area of Concern: Logging, Auditing, and Alerting in VIS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Modifications by VIS users to critical data are logged.
Computer Linked Application Information Management System (CLAIMS) 3 LAN

Area of Concern: Self-Selection of Adjudication Cases
Responsible Personnel: ISSOs, Data Owners
Policy and/or Security Measure: Adjudicators can self-select cases (according to an interview concerning an internal incident that occurred at USCIS and interviews with data owners at the Vermont Service Center).
Policy or Practice Gaps: Within the Service Centers, adjudicators have virtually unlimited access to applicant files: there are no need-to-know limitations or controls to prevent an adjudicator from accessing sensitive information and reporting it to outsiders, or modifying a file (entering an invalid decision). Adjudicators can also approve a case that is not assigned to them. There is no tie between the case management system (i.e., the National File Tracking System, or NFTS) and the case adjudication system (i.e., CLAIMS). In the internal case that occurred at USCIS, the perpetrator circumvented the interview process for 14 months; he approved "no show" cases. There were no controls to detect this. In addition, adjudicators can adjudicate any type of case even though they are each assigned certain types of benefits cases for adjudication.
Suggested Countermeasures: USCIS should consider implementing technical controls to prohibit adjudicators from self-selecting cases to adjudicate.

Area of Concern: Emphasis on Customer Service Over Risk
Responsible Personnel: Data Owners
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: One interviewee at the Vermont Data Center said that "stats" can be a strain, especially for new hires, although they do get a 90-day grace period.
Suggested Countermeasures: USCIS should use caution in emphasizing customer service as the only performance metric, because this could encourage lack of attention to risk-related activities (such as accurate adjudication decisions).

Area of Concern: Lack of Separation of Duties in CLAIMS
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Currently all declined requests for benefits are reviewed by a supervisor. However, there was a discrepancy during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. Only a random sample of approved adjudication decisions is reviewed. For some cases (for instance, victims' cases) a senior adjudicator has to review the decision after the adjudicator enters it; then the supervisor reviews it. This is a manually enforced process. There was another discrepancy in interviews: the adjudicators said that when adjudicators are in training they are under 100% review. They are in training on a specific type of case for at least 6 months. Auditing for improperly granted benefits is based on sampling and/or blind quality assurance (QA) according "to Army standards" after the fact. A randomly selected 30 cases per quarter are also reviewed by "sister centers". The QA process varies office by office (no national process). This QA has been done for the past year and a half. In the Vermont field office each supervisor pulls at least 10 cases per adjudicator per month. They review decision-related issues, security-related issues, and procedural issues (did they follow the right steps). They also look for lessons learned. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Some cases are more than 1000 pages, so every detail cannot be practically reviewed for every case; clerks pull cases a couple of times per month, a certain number of cases per employee. Those cases are passed to QA, who reviews the cases. QA then sends feedback to the supervisor and adjudicator if they find something that does not look right.
Suggested Countermeasures: USCIS should consider implementing automated processes to prevent and detect fraud. Management indicated it would like to see automated technical enforcement of the review and approval process. In nearly ten percent (39) of the cases documented in the CERT database, insiders took advantage of insufficient separation of duties to carry out their crimes. USCIS should carefully consider the biggest risk to the organization. Many of the USCIS employees interviewed for this assessment identified the primary risk for the organization as allowing the next terrorist to live and work legally in the United States. They desire assistance in identifying and implementing internal controls to counter that risk. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it. If USCIS agrees that granting legal documents to illegal applicants is one of the biggest risks to the organization, then it should consider requiring dual authorization for these adjudication decisions.
Area of Concern: Lack of Automated Checks
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Vermont IT has done data sweeps after it found something suspicious. When it has done so, it has found more of the same activity.
Policy or Practice Gaps: There are no automated checks (there will be in Transformation). Checks that do exist are managed at the local level rather than alerting to the headquarters level.
Suggested Countermeasures: In nearly twenty-five percent (91) of cases documented in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 cases it was because of inadequate auditing of irregular processes. In 29 of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analyzing the OSI's findings and developing automated checks that are rolled out nationally.
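As an added illustration of the kind of automated check the preceding rows ask for (it is not USCIS or CERT code), the script below runs a few detection rules over constructed adjudication records: a decision entered by someone other than the assigned adjudicator (self-selection), a decision outside the adjudicator's assigned form types, an approval where a required interview was never completed (the "no show" pattern), a denial that never reached a supervisor, a reviewer who is also the decider, and the same adjudicator repeating the self-selection pattern. The record layout, the adjudicator-to-form-type assignments and the sample records are assumptions.

```python
"""Automated checks over adjudication records. Added example for this report,
not USCIS or CERT code; the record layout, adjudicator assignments and the
sample records are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class CaseRecord:
    case_id: str
    form_type: str                    # benefit form, e.g. "I-485"
    assigned_to: str                  # adjudicator the case management system assigned
    decided_by: str                   # adjudicator who entered the decision
    decision: str                     # "approved" or "denied"
    interview_required: bool
    interview_status: Optional[str]   # "completed", "no_show", or None if none recorded
    reviewed_by: Optional[str]        # supervisor or senior adjudicator who reviewed, if any


# Form types each adjudicator is assigned to work (assumption for the example).
ASSIGNED_FORM_TYPES: Dict[str, Set[str]] = {
    "adj01": {"I-485", "I-130"},
    "adj02": {"N-400"},
}


def check_case(rec: CaseRecord) -> List[str]:
    """Rule findings for one record; an empty list means nothing suspicious."""
    findings = []
    if rec.decided_by != rec.assigned_to:
        findings.append("self_selected")                 # decided a case not assigned to them
    if rec.form_type not in ASSIGNED_FORM_TYPES.get(rec.decided_by, set()):
        findings.append("outside_assigned_form_type")
    if rec.decision == "approved" and rec.interview_required and rec.interview_status != "completed":
        findings.append("approved_without_interview")    # the "no show" approval pattern
    if rec.decision == "denied" and rec.reviewed_by is None:
        findings.append("denial_not_reviewed")           # every denial should reach a supervisor
    if rec.reviewed_by is not None and rec.reviewed_by == rec.decided_by:
        findings.append("self_reviewed")                 # no separation between decision and review
    return findings


def run_checks(records: List[CaseRecord], repeat_threshold: int = 2):
    """Per-case findings, plus adjudicators who repeat off-assignment approvals."""
    per_case: Dict[str, List[str]] = {}
    for rec in records:
        findings = check_case(rec)
        if findings:
            per_case[rec.case_id] = findings
    off_assignment_approvals = Counter(
        rec.decided_by for rec in records
        if rec.decision == "approved" and "self_selected" in per_case.get(rec.case_id, [])
    )
    repeat = {adj for adj, n in off_assignment_approvals.items() if n >= repeat_threshold}
    return per_case, repeat


# Constructed sample: C2 and C3 mirror the internal incident described in the report.
SAMPLE_RECORDS = [
    CaseRecord("C1", "I-485", "adj01", "adj01", "approved", True, "completed", None),
    CaseRecord("C2", "N-400", "adj02", "adj01", "approved", True, "no_show", None),
    CaseRecord("C3", "N-400", "adj02", "adj01", "approved", True, None, None),
    CaseRecord("C4", "I-130", "adj01", "adj01", "denied", False, None, None),
    CaseRecord("C5", "N-400", "adj02", "adj02", "denied", True, "completed", "sup01"),
    CaseRecord("C6", "N-400", "adj02", "adj02", "approved", True, "completed", "adj02"),
]


def demo():
    return run_checks(SAMPLE_RECORDS)
```

The rules need the case management system (assignment) and the adjudication system (decision) joined on the case identifier, which is exactly the tie the report says does not exist today; that join is the prerequisite for any of these checks, and the rule set is where the OSI's findings would be encoded so the same check runs nationally rather than office by office.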
Area of Concern: Physical Security of Case Files
Responsible Personnel: Data Owners, Adjudicators
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: The NFTS tracks millions of files. It was described, however, as a very large warehouse where files do occa
Suggested Countermeasures: Ten percent (40) of the insiders documented in the CERT database carried out their crimes by
Suggested Countermeasures (column text continued from the previous page): ...the same applicant.

C3LAN will be retired as part of Transformation. C4 will also be retired. A copy of security controls and requirements has been provided by C3LAN data owners to Transformation. It is important for the Transformation team to make risk-based decisions in Transformation design and development.

Area of Concern: Disabling Access to CLAIMS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Currently, every month USCIS compares the Human Resources attrition list against the C3LAN account list and disables inactive employee accounts.
Policy or Practice Gaps: The new HR form has not been socialized or widely advertised. It is up to the COTRs and supervisors to consistently request that access be disabled when an employee or contractor no longer needs access.
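The monthly attrition-list comparison above, the earlier suggestion that USCIS validate current PICS accounts and roles against current employee lists, and the planned sweeps of physical access not used in 30 days or 12 months are one and the same check run against different account stores. The script below is an added example, not USCIS or CERT tooling, that performs that reconciliation over a constructed roster and account list: it flags accounts whose owner has separated or has no personnel record (disable), accounts not used within a dormancy window (review), and accounts carrying roles the owner's current position does not permit (the "privilege creep" case). The systems, the role policy and the 30-day threshold are assumptions.

```python
"""Reconciliation of system accounts against the HR roster. Added example for
this report, not USCIS tooling. Roster, accounts, role policy and thresholds
are constructed."""
from datetime import date
from typing import Dict, FrozenSet, List, NamedTuple, Optional


class Employee(NamedTuple):
    emp_id: str
    position: str
    status: str                        # "active" or "separated"
    separation_date: Optional[date]


class Account(NamedTuple):
    account_id: str
    emp_id: str                        # personnel record the account was created against
    system: str                        # e.g. "C3LAN", "PICS", "badge"
    roles: FrozenSet[str]
    last_used: Optional[date]          # last login or badge use; None means never used


class Finding(NamedTuple):
    account_id: str
    system: str
    action: str                        # "disable", "review" or "reduce_roles"
    reason: str


# Roles a position may hold (assumption for the example).
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "adjudicator": frozenset({"adjudicator"}),
    "data_entry_clerk": frozenset({"data_entry"}),
    "local_pics_officer": frozenset({"lpo", "user"}),
}


def reconcile(roster: List[Employee], accounts: List[Account], as_of: date,
              dormant_days: int = 30) -> List[Finding]:
    by_id = {e.emp_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        emp = by_id.get(acct.emp_id)
        if emp is None:
            # Account with no personnel record behind it: nobody to vouch for it.
            findings.append(Finding(acct.account_id, acct.system, "disable",
                                    "no matching personnel record"))
            continue
        if emp.status != "active":
            findings.append(Finding(acct.account_id, acct.system, "disable",
                                    "owner separated on %s" % emp.separation_date))
            continue
        # Dormancy, the same test the report describes for physical access.
        if acct.last_used is None or (as_of - acct.last_used).days > dormant_days:
            findings.append(Finding(acct.account_id, acct.system, "review",
                                    "not used in the last %d days" % dormant_days))
        # Privilege creep: roles beyond what the current position permits.
        extra = acct.roles - ROLE_POLICY.get(emp.position, frozenset())
        if extra:
            findings.append(Finding(acct.account_id, acct.system, "reduce_roles",
                                    "roles not permitted for %s: %s"
                                    % (emp.position, ",".join(sorted(extra)))))
    return findings


def demo(as_of: date = date(2010, 12, 15)) -> List[Finding]:
    """Constructed roster and accounts; returns the reconciliation findings."""
    roster = [
        Employee("E1", "adjudicator", "active", None),
        Employee("E2", "data_entry_clerk", "separated", date(2010, 11, 15)),
        Employee("E3", "local_pics_officer", "active", None),
    ]
    accounts = [
        Account("c3lan-e1", "E1", "C3LAN", frozenset({"adjudicator"}), date(2010, 12, 1)),
        Account("c3lan-e2", "E2", "C3LAN", frozenset({"data_entry"}), date(2010, 11, 10)),
        Account("pics-0042", "E9", "PICS", frozenset({"user"}), date(2010, 12, 14)),  # no record
        Account("pics-e1", "E1", "PICS", frozenset({"adjudicator", "lpo"}), date(2010, 10, 1)),
        Account("badge-e3", "E3", "badge", frozenset(), None),
    ]
    return reconcile(roster, accounts, as_of)
```

Running the same function over each account store, rather than a separate procedure per system, is what makes the monthly comparison consistent; the findings list is also the record an auditor would want when asking why an account survived a termination.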
Area of Concern: Non-Attribution for DBA Accounts
Responsible Personnel: Information Technology
Area of Concern: Pending Reduction in Force for Data Entry Clerks
Responsible Personnel: Data Owners, Human Resources
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Data entry clerks will be losing their jobs when they move to LockBox, which will take over the functionality of accepting remittances for benefit applicants. It was stated that the data entry clerks might be hired away to work at the organization which performs that function.
Suggested Countermeasures: USCIS should be aware of the increased insider risk in the face of negative organizational events like this. It should consider proactive steps to decrease stress in the workplace and to ease potential financial burdens that could make employees more susceptible to recruitment by outsiders.

Area of Concern: Sharing Accounts in CLAIMS
Responsible Personnel: Data Owners, Information Technology, Data Entry Clerks
Policy or Practice Gaps: The NFTS will not let clerks log in if they have not used the system for a certain number of days. A clerk's cubemate will log in for their cubemate if it is the end of the day and IT has gone home for the day.
Suggested Countermeasures: Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make account sharing more difficult.
Fraud Detection and National Security Data System (FDNS-DS)

Area of Concern: Elevated Privileges to FDNS-DS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: The FDNS-DS is a central repository of fraud and national security investigations. This system holds applicants and petitioners as well as PII. There is also a national security tab.
Policy or Practice Gaps: ...but there are no national controls to ensure that celebrities' files are not being accessed. There is a large superuser community: more than thirty percent of all FDNS-DS users with access to the FDNS-DS. These accounts have extensive power; a malicious superuser can completely delete a record or modify the summary of findings.
Suggested Countermeasures: Ten percent (39) of the insiders documented in the CERT database took advantage of insufficient access controls. USCIS should consider reducing the number of privileged accounts with access to the FDNS-DS. If the number of superuser accounts were reduced, then enhanced auditing could be employed on transactions conducted using those accounts.

Area of Concern: No Logging of Transactions
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Area of Concern: Unknown Connections to
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.

Area of Concern: Failure to Address Known Security Vulnerabilities
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no automated patching because of the age of the servers and the application. Only critical patches are applied, for fear of crashing the servers.
Suggested Countermeasures: Thirteen insiders in the CERT database exploited known security vulnerabilities that were not addressed by the organization. USCIS should consider upgrading the FDNS-DS, since these vulnerabilities increase the risk of attack from outside and inside.

Area of Concern: Production Data Available to Contractors in Development
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: CSC has production data in the development environment even though it should not have access to production data.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment, and it was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the remote contractor-owned development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.
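To show what "sanitize or anonymize" can mean in practice, the script below is an added example (not USCIS, CERT or contractor code): it replaces identifiers with keyed tokens that stay consistent across tables, so the development copy still joins applicants to cases, generalizes dates of birth to a year, and drops fields such as SSN and passport number outright rather than passing unknown columns through. The field names, the rules, the key and the sample rows are constructed for the demonstration.

```python
"""Pseudonymizing production records before they are copied into a contractor
development environment. Added example for this report, not USCIS tooling;
field names, rules, the key and the sample rows are constructed."""
import hashlib
import hmac
from typing import Dict, List

# The key stays with the production-side sanitizing job. Without it the
# development side cannot reverse a token or re-derive one. Constructed value.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"

# keep: non-identifying business data. tokenize: keyed token, stable across
# tables so joins still work. year: keep only the year. drop: remove entirely.
# A field with no rule is dropped, never passed through by default.
FIELD_RULES = {
    "applicant_id": "tokenize",
    "full_name": "tokenize",
    "dob": "year",
    "ssn": "drop",
    "passport_no": "drop",
    "case_id": "keep",
    "form_type": "keep",
    "decision": "keep",
}


def pseudonym(field: str, value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed token (HMAC-SHA256, truncated): same field and value, same token."""
    mac = hmac.new(key, ("%s:%s" % (field, value)).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def sanitize_row(row: Dict[str, str]) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for field, value in row.items():
        rule = FIELD_RULES.get(field, "drop")
        if rule == "keep":
            out[field] = value
        elif rule == "tokenize":
            out[field] = pseudonym(field, value)
        elif rule == "year":
            out[field] = value[:4]
        # rule == "drop": nothing is copied
    return out


def sanitize(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [sanitize_row(r) for r in rows]


def leaks(sanitized: List[Dict[str, str]], production: List[Dict[str, str]]) -> List[str]:
    """Exact-match check: raw identifying production values still present in the output."""
    identifying = ("full_name", "ssn", "passport_no", "dob")
    raw = {r[f] for r in production for f in identifying if f in r}
    return [v for row in sanitized for v in row.values() if v in raw]


# Constructed production extracts: an applicant table and a case table that
# reference it by applicant_id.
PRODUCTION_APPLICANTS = [
    {"applicant_id": "A100200", "full_name": "Jane Q Sample", "dob": "1975-03-14",
     "ssn": "123-45-6789", "passport_no": "X1234567"},
    {"applicant_id": "A100201", "full_name": "John R Example", "dob": "1982-11-02",
     "ssn": "987-65-4321", "passport_no": "Y7654321"},
]
PRODUCTION_CASES = [
    {"case_id": "VSC-1", "applicant_id": "A100200", "form_type": "I-485", "decision": "approved"},
    {"case_id": "VSC-2", "applicant_id": "A100200", "form_type": "I-130", "decision": "pending"},
    {"case_id": "VSC-3", "applicant_id": "A100201", "form_type": "N-400", "decision": "denied"},
]


def demo():
    """Returns the sanitized (applicants, cases) tables for the constructed extracts."""
    return sanitize(PRODUCTION_APPLICANTS), sanitize(PRODUCTION_CASES)
```

The choice of a keyed HMAC rather than a plain hash matters: applicant identifiers and names have little entropy, so an unkeyed hash could be reversed by hashing candidate values, which would defeat the point of moving the data out of production's controls. Where the development work genuinely needs realistic values, the alternative the report names, applying production-grade controls to the development environment, is the honest option.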
Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Developers cannot release new executables; a separate system administrator has to push them out.
Policy or Practice Gaps: Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of a lack of adequate configuration management. USCIS has a formal configuration management process. It is important to enforce its use for all employees and contractors. Otherwise, it will be extremely difficult to investigate a crime committed using flaws intentionally injected into source code by a contractor.
Appendix E: Incident Response
Incident Management
Security Awareness
Concerning Behaviors

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complexity and widely distributed function creates a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Because of this, it is practically impossible for USCIS to implement a proactive program to mitigate insider threat. CERT strongly recommends that USCIS create a central repository of employee misconduct so it can detect indicators of increasing insider threat risk and mitigate them as quickly as possible.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.
Area of Concern: Lack of Central Repository of Employee Misconduct
Responsible Personnel: USCIS Leadership, Physical Security, Office of Security and Integrity
Policy and/or Security Measure: If Field Security receives a Significant Incident Report (SIR), then it investigates. Employee misconduct is then reported to the Office of Security and Integrity (OSI). If the OSI investigation substantiates an employee's misconduct, it provides Counterintelligence (CI) a monthly report. It also provides the employee's management a copy. CI is starting to get more reports of acceptable use violations and security violations. It tracks everything in a file for later use in reinvestigations. Labor Employee Relations (LER) has a record of the reports it receives of misconduct complaints against an employee, rule violations, and so on. HR maintains the Official Personnel File, which contains records of suspensions, etc. LER contacts HR only for those types of actions. The OSI evaluates all complaints it receives and logs them into the case management system. It assigns them to a field office. At that point, any complaints are the responsibility of the special agent in charge at the field office. The field office investigates and sends the case for corrective action to the regional director in the chain of command, and then the regional director returns a management report of action to the special agent in charge. The OSI contacts the DHS OIG for potentially criminal behavior or serious misconduct. If the DHS OIG turns the case down, then it is sent to the field office or to law enforcement. The Personnel Security division (PERSEC) notifies the OSI monthly of arrests (tracked in the case management system), and the OSI notifies PERSEC of investigations.
Policy or Practice Gaps: There is no single place to go for an employee's disciplinary records. The number of organizations involved and management of records is very complex and distributed throughout the organization. According to Physical Security, the field office does not tell the OSI about problems; the OSI finds out when it "hits the press". For example, the OSI is not informed of a disgruntled system administrator who is exhibiting concerning behaviors.
Suggested Countermeasures: USCIS should consider requiring mandatory reporting of all incidents to the OSI. This communication stream will allow the OSI to get involved as early as possible and to document and maintain a central repository of all incidents. This central repository is critical for adequately managing insider threats in USCIS.
Area of Concern: Tracking of Online Incidents
Responsible Personnel: Information Technology
Policy and/or Security Measure: Computer or network violation incidents are tracked by a Remedy system tied to a unique computer identifier rather than a user, in an attempt to keep PII out of the ticket.
Policy or Practice Gaps: It is difficult to tie an event to a particular person. Even if the identity of an offender is known, repeat offenders are not tracked in any automated or correlated way.
Suggested Countermeasures: USCIS should consider including user information for each incident so that repeat offenders can be easily identified, as repeat offenses could indicate an insider of higher risk.
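One way to get the correlation this row asks for without putting PII in the ticket itself, as an added example that is not part of the report: keep the ticket keyed by computer identifier as today, and do the join to a person in a separate, access-controlled asset-assignment table that records who held each machine and when. The tickets, the assignment log, and the user identifiers below are constructed in a hypothetical layout (this is not a Remedy export). The per-computer view the ticket system offers today cannot tell that the three tickets on WS-1001 were raised by two different people, or that one person's two incidents happened on two different machines.

```python
"""Attribute computer-ID-keyed incident tickets to people, then count repeat offenders.
Added example with constructed data in a hypothetical layout; not a Remedy export."""
from collections import defaultdict
from datetime import datetime


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


# Constructed tickets: keyed by computer identifier only, as the row describes; no user field.
TICKETS = [
    {"ticket": "INC001", "computer_id": "WS-1001", "opened": "2010-03-02T09:15", "category": "acceptable-use"},
    {"ticket": "INC002", "computer_id": "WS-1042", "opened": "2010-03-05T14:20", "category": "unauthorized-software"},
    {"ticket": "INC003", "computer_id": "WS-1001", "opened": "2010-05-11T11:05", "category": "acceptable-use"},
    {"ticket": "INC004", "computer_id": "WS-1001", "opened": "2010-09-21T16:40", "category": "removable-media"},
    {"ticket": "INC005", "computer_id": "WS-1042", "opened": "2010-10-01T08:30", "category": "acceptable-use"},
    {"ticket": "INC006", "computer_id": "WS-9999", "opened": "2010-10-03T12:00", "category": "acceptable-use"},
]

# Constructed asset-assignment log: who held which workstation, and for what interval.
# This is the join the ticket system lacks. It can live in a separate access-controlled
# table so the ticket itself still carries no PII; "end": None means still assigned.
ASSIGNMENTS = [
    {"computer_id": "WS-1001", "user": "u12345", "start": "2009-01-01T00:00", "end": "2010-06-30T23:59"},
    {"computer_id": "WS-1001", "user": "u67890", "start": "2010-07-01T00:00", "end": None},
    {"computer_id": "WS-1042", "user": "u67890", "start": "2009-01-01T00:00", "end": "2010-06-30T23:59"},
    {"computer_id": "WS-1042", "user": "u24680", "start": "2010-07-01T00:00", "end": None},
]


def attribute_user(ticket, assignments=ASSIGNMENTS):
    """User assigned to the ticket's computer at the moment it was opened, or None."""
    when = _ts(ticket["opened"])
    for a in assignments:
        if a["computer_id"] != ticket["computer_id"]:
            continue
        if _ts(a["start"]) <= when and (a["end"] is None or when <= _ts(a["end"])):
            return a["user"]
    return None  # computer never in the assignment log, or ticket outside any interval


def incidents_by_user(tickets=TICKETS, assignments=ASSIGNMENTS):
    """Return ({user: sorted ticket ids}, [ticket ids that could not be attributed])."""
    by_user = defaultdict(list)
    unattributed = []
    for t in tickets:
        user = attribute_user(t, assignments)
        if user is None:
            unattributed.append(t["ticket"])
        else:
            by_user[user].append(t["ticket"])
    return {u: sorted(ids) for u, ids in by_user.items()}, unattributed


def repeat_offenders(tickets=TICKETS, assignments=ASSIGNMENTS, threshold=2):
    """Users with at least `threshold` attributed incidents: candidates for closer review."""
    by_user, _ = incidents_by_user(tickets, assignments)
    return {u: ids for u, ids in by_user.items() if len(ids) >= threshold}


def incidents_by_computer(tickets=TICKETS):
    """The only view the ticket system offers today: counts per machine, not per person."""
    counts = defaultdict(int)
    for t in tickets:
        counts[t["computer_id"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("per computer:", incidents_by_computer())
    print("repeat offenders:", repeat_offenders())
    print("unattributed:", incidents_by_user()[1])
```

Unattributed tickets (a machine missing from the assignment log, or a ticket opened outside any recorded interval) are returned separately rather than silently dropped, since a gap in the assignment record is itself something an investigator needs to know about.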
Area of Concern: Consistency in Response to Security Violations and Concerning Behaviors
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There is no required training for supervisors on how to respond to a range of behaviors associated with many forms of insider risk. Computer use violations are not handled consistently across departments, supervisors, and type of employee. Egregious violations are referred to the OSI for a full investigation, but the criterion for deciding when that is warranted is a gut reaction.
Suggested Countermeasures: Eighty-one of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors prior to or while carrying out their criminal activities. Employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and deterrence of insider actions.
Area of Concern: US Department of State Investigations
Responsible Personnel: Office of Security and Integrity
Policy and/or Security Measure: OSI investigations have been subject to allegations of violations involving Foreign Service Nationals (FSNs), but the OSI relies on the US Department of State to investigate.
Policy or Practice Gaps: USCIS has no visibility into US Department of State investigations.
Suggested Countermeasures: FSNs who have access to USCIS systems and data should be included in an insider threat risk mitigation strategy.
Area of Concern: Preparation for Negative Work-Related Events
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: There do not appear to be any guidelines, training, or personnel available to evaluate employee insider risk before or after frequently precipitating events such as termination, demotions, transfers, or other disappointments or unmet expectations. There also does not appear to be a group charged with evaluating insider risk from organizational events or developments affecting groups of employees, such as relocations, contract changes, layoffs, and reorganizations.
Suggested Countermeasures: Fifty-five insiders documented in the CERT Insider Threat Case database had negative employment issues. Ninety-four had a change in employment status prior to their attacks, 20 had compensation or benefit issues, and 65 were disgruntled. Supervisors should be trained in these risk indicators. There should also be an available panel of specialists from the OSI or Labor Employee Relations (LER) trained to assess such risk. Similar specialists should be available to participate in planning and execution of response plans in preparation for negative workplace events that potentially could lead to disgruntlement among the workforce at USCIS.
Area of Concern: Contractor Management
Responsible Personnel: USCIS Leadership, Physical Security, Human Resources
Policy and/or Security Measure: Personnel screening procedures for contractors are similar to those for employees. Contracting companies are required to report any adverse information regarding their employees immediately (in all contracts).
Policy or Practice Gaps: LER has no involvement with contractors. They have no record of contractor misbehaviors or complaints against contractors. Supervisors, the OSI, LER, and others concerned with organizational security may be largely unaware of insider risks related to contractors. Contractors are not subject to government monitoring or risk assessment. A contractor on a critical system may develop or have significant insider risk factors that may remain unknown to government employees due to lack of reporting requirements.
Suggested Countermeasures: Sixty-two of the insiders documented in the CERT Insider Threat Case database were contractors. USCIS contract management staff should consider the need for reporting a range of potential indicators of insider risk among contract staff. Incident response plans should include response to employee and contractor issues.
Area of Concern: Employee or Contractor Concerning Behavior
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security, Office of Security and Integrity, Labor Employee Relations
Policy and/or Security Measure: By policy, it is every employee's responsibility to report suspicious behavior or misconduct. Supervisors who observe concerning or suspicious behavior report it to LER or the OSI. For low-level misconduct, LER advises the field office management on handling the matter. LER reports more serious misconduct with more severe consequences to HR. Misconduct can also be reported via Significant Incident Reports (SIRs). SIRs are sent to Physical Security or to the OSI for investigation. If CI discovers something suspicious during a reinvestigation, it informs the employee's supervisor. The supervisor works with LER and counsel to decide on follow-up actions.
Policy or Practice Gaps: Self-reported drug use, arrest, and associations with foreign nationals during employment are sent to the OSI. The OSI sends results to the supervisor following investigation.
Suggested Countermeasures: Supervisors need to be notified immediately when an employee reports drug use, arrests, or association with foreign nationals so they have an accurate perception of the risk associated with each of their employees. In addition, 18 of the insiders documented in the CERT Insider Threat Case database had possible psychological issues. In collaboration with the OSI and LER, supervisors confronting employees who display concerning behaviors should have the ability to remove them from the workforce pending a medical or psychological evaluation to determine whether they have a disorder or illness that may impair their trustworthiness or judgment or make them a danger to themselves or others. Similarly, empowering supervisors to make an employee assistance program referral and evaluation mandatory in collaboration with LER or the OSI might help remove at-risk individuals from the workforce until they can safely and securely return.
Area of Concern: Electronic Investigations
Responsible Personnel: Information Technology, Office of Security and Integrity
Policy and/or Security Measure: Most allegations reported to the OSI are not very technical; the OIT provides forensic support for investigations (primarily database transactions).
Policy or Practice Gaps: PERSEC has never asked the OIT to review a user's online activity. Only one person in OSI is qualified to do a forensic inspection.
Suggested Countermeasures: USCIS should consider including the OIT in investigations of suspicious activity. CERT's insider threat research has shown that nontechnical concerning behaviors can be associated with online criminal activity. It would be beneficial to check for past technical security violations and have the OIT analyze current online activity as part of the OSI investigations.
Appendix F: Software Engineering

Logging; Critical Data Controls; Code Reviews; Configuration Management

In [...] cases documented in the CERT database, insiders, both employees and contractors, injected code into source code to facilitate fraud and IT sabotage. In most cases the modifications to source code were intended to sabotage the organization's systems, but in a [...] case the code was planted to facilitate fraud. In many cases the code was set to execute following the insider's termination; in one case [...] for a year before finally executing. It is important that USCIS recognize the potential illicit activity that could be carried out by software engineers [...] the most critical systems and system components and implement appropriate controls, particularly for [...].
Area of Concern: Code Reviews
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Contractors are required to maintain a certain level of process maturity (CMMI Level 3) to be in compliance with USCIS policies. Source code is restricted to those with the need to know. Version Manager is used to control and track changes to source code. Separation of duties is implemented in the software release process: CSC checks new source code into Version Manager; a USCIS employee checks out the source code and releases it into production. The USCIS DBA moves new database objects into the production database.
Policy or Practice Gaps: Another interviewee mentioned that an "Easter egg" was found in source code after the contract was given to a new company.[4]
Suggested Countermeasures: [...]

[4] A virtual Easter egg is an intentional hidden message, joke, or feature in a program, movie, book, etc.
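The separation of duties in the release process described in the Code Reviews row, and the gap in the Configuration Management rows (code released to fix problems without going through change management), both come down to one check the person pushing executables can make: is the artifact in hand the exact build that was reviewed and approved, and was it approved by someone other than the person who built or is submitting it? The following is an added example, not code from the report or from USCIS, CSC, or Version Manager. The manifest layout, the approver key, the artifact bytes, and the role names are constructed assumptions.

```python
"""Release gate that enforces the change-control path before an executable is pushed to
production. Added example with constructed data; the manifest layout, key, and role names
are hypothetical and are not a USCIS, CSC, or Version Manager artifact."""
import hashlib
import hmac
import json

# Constructed: key held only by the change-control approver role, never by developers.
APPROVER_KEY = b"change-control-approver-key-example"

# Constructed artifacts: the build that went through review, and a hotfix that did not.
REVIEWED_BUILD = b"claims3-batch.jar: reviewed build contents (constructed)"
HOTFIX_BUILD = b"claims3-batch.jar: hotfix pushed outside change control (constructed)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(key: bytes, manifest: dict) -> str:
    """Approver signs the canonical JSON form of the manifest (sorted keys, no whitespace)."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_manifest(key: bytes, manifest: dict, signature: str) -> bool:
    return hmac.compare_digest(sign_manifest(key, manifest), signature)


# Constructed change record: which artifact hashes were reviewed and approved, and by whom.
MANIFEST = {
    "change_id": "CR-2010-0142",
    "approved_by": "approver.gov",
    "artifacts": {
        "claims3-batch.jar": {"sha256": sha256_hex(REVIEWED_BUILD), "built_by": "contractor.dev"},
    },
}
SIGNATURE = sign_manifest(APPROVER_KEY, MANIFEST)


def release_gate(artifact_name, artifact_bytes, manifest, signature, key, submitter):
    """Decide whether the system administrator may push this artifact.
    Returns (allowed, reason). Blocks: unsigned or altered manifests, artifacts not in the
    approved change, artifacts whose bytes differ from the reviewed build, and any case
    where the builder or the submitter is also the approver (separation of duties)."""
    if not verify_manifest(key, manifest, signature):
        return False, "manifest signature invalid: change record altered or unsigned"
    entry = manifest["artifacts"].get(artifact_name)
    if entry is None:
        return False, "artifact not in approved change"
    if entry["sha256"] != sha256_hex(artifact_bytes):
        return False, "artifact hash does not match the reviewed build"
    if manifest["approved_by"] in (entry["built_by"], submitter):
        return False, "separation of duties violated: builder or submitter is the approver"
    return True, f"release permitted under change {manifest['change_id']}"


if __name__ == "__main__":
    for name, data, who in [("claims3-batch.jar", REVIEWED_BUILD, "sysadmin.gov"),
                            ("claims3-batch.jar", HOTFIX_BUILD, "sysadmin.gov"),
                            ("claims3-batch.jar", REVIEWED_BUILD, "approver.gov")]:
        print(name, who, release_gate(name, data, MANIFEST, SIGNATURE, APPROVER_KEY, who))
```

The hash comparison is what makes the "contractor releases a quick fix outside the process" case fail closed: a hotfix is a different artifact, so it has no approved hash, and adding one to the manifest after the fact invalidates the approver's signature. The gate also leaves an audit trail (change ID, builder, approver) for the investigation the countermeasure text says would otherwise be extremely difficult.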
Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: When contractors develop software remotely they are supposed to register code in Version Manager, but this is not always done consistently. Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of the lack of adequate configuration management.

Area of Concern: Software Engineering Controls in the Service Centers
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Software is being developed in the Service Centers without consistently enforcing the same change management processes enforced at the national (enterprise) level. The centers use a code repository but not Version Manager to track software changes. They do peer reviews of code and believe that enterprise controls for code review are more detailed (although that belief appears to be false according to interviews at headquarters).
Suggested Countermeasures: USCIS should consider consistent policies and procedures for software engineering for the entire enterprise, including the Service Centers.

Area of Concern: Logging
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Logs used include database logs, application logs, system logs, remote access logs, and many others.
Suggested Countermeasures: Most insiders documented in the CERT Insider Threat Case database were detected or identified using some kind of system log.

Area of Concern: Production Data in Development Environment
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Development and production systems should be separate in terms of data sharing and access control.
Policy or Practice Gaps: In some cases contractors have access to both systems, including production data in the development environment.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.
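The "sanitize or anonymize" option in the Production Data in Development Environment row has a practical constraint: development copies are only useful if the records still join to each other, so identifiers cannot simply be blanked. The following is an added example, not code or data from the report or from USCIS. It uses a keyed hash (HMAC) held only in production so that the same real identifier always maps to the same pseudonym across tables, generalizes dates of birth to the year, suppresses fields development does not need, and drops free text outright because free text cannot be reliably scrubbed. The record layout, field names, and all values are constructed.

```python
"""Sanitize production records for a development copy: keyed pseudonyms that keep joins
working, generalized dates, and suppressed fields. Added example with a constructed,
hypothetical schema; not USCIS data or code."""
import hashlib
import hmac
import json

# The key stays in production and is never given to development, so pseudonyms cannot be
# reversed there; within one key the same value always maps to the same pseudonym.
PRODUCTION_KEY = b"rotate-me-and-keep-out-of-dev"   # constructed, for the example only

# Constructed production records (hypothetical schema).
APPLICANTS = [
    {"a_number": "A012345678", "name": "Jane Q. Example", "dob": "1975-03-14", "ssn": "123-45-6789", "status": "pending"},
    {"a_number": "A098765432", "name": "John R. Sample", "dob": "1982-11-02", "ssn": "987-65-4321", "status": "approved"},
]
CASES = [
    {"case_id": "MSC1090012345", "a_number": "A012345678", "form_type": "I-485", "notes": "Called 555-0100, spoke with Jane about missing evidence"},
    {"case_id": "MSC1090012346", "a_number": "A098765432", "form_type": "N-400", "notes": "Interview scheduled"},
    {"case_id": "MSC1090012347", "a_number": "A012345678", "form_type": "I-765", "notes": "SSN 123-45-6789 on file"},
]


def pseudonym(key, field, value, ndigits=None, length=10):
    """Keyed hash of field:value. The field name is mixed in so the same value in two
    different columns yields different pseudonyms. ndigits gives a numeric-only form so
    format checks in application code still pass."""
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()
    if ndigits is not None:
        return str(int.from_bytes(digest, "big") % 10 ** ndigits).zfill(ndigits)
    return digest.hex()[:length].upper()


def sanitize_applicant(key, rec):
    return {
        "a_number": "A" + pseudonym(key, "a_number", rec["a_number"], ndigits=9),  # format kept: A + 9 digits
        "name": "APPLICANT-" + pseudonym(key, "name", rec["name"]),
        "dob": rec["dob"][:4] + "-01-01",   # generalize to year of birth
        "ssn": None,                        # suppress: development code does not need it
        "status": rec["status"],            # non-identifying, kept as-is
    }


def sanitize_case(key, rec):
    return {
        "case_id": "MSC" + pseudonym(key, "case_id", rec["case_id"], ndigits=10),
        "a_number": "A" + pseudonym(key, "a_number", rec["a_number"], ndigits=9),  # same mapping as applicants
        "form_type": rec["form_type"],
        "notes": "[REDACTED]",              # free text cannot be reliably scrubbed, so drop it
    }


def sanitize_dataset(key, applicants=APPLICANTS, cases=CASES):
    return {"applicants": [sanitize_applicant(key, r) for r in applicants],
            "cases": [sanitize_case(key, r) for r in cases]}


def leaked_values(original, sanitized, fields=("a_number", "name", "ssn", "dob")):
    """Identifying values from the original that still appear anywhere in the sanitized copy."""
    blob = json.dumps(sanitized)
    found = {rec[f] for rec in original for f in fields if rec.get(f) and rec[f] in blob}
    return sorted(found)


def referential_integrity_ok(dataset):
    """Every case still points at an applicant that exists in the sanitized copy."""
    known = {a["a_number"] for a in dataset["applicants"]}
    return all(c["a_number"] in known for c in dataset["cases"])


if __name__ == "__main__":
    dev_copy = sanitize_dataset(PRODUCTION_KEY)
    print(json.dumps(dev_copy, indent=2))
    print("joins intact:", referential_integrity_ok(dev_copy))
    print("leaked:", leaked_values(APPLICANTS, dev_copy))
```

Run this in production (where the key lives) and ship only its output to the development environment. Rotating the key produces an unrelated set of pseudonyms, which is the right behaviour when a development copy is suspected of having leaked.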
Appendix G: Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems or networks.

In some areas, computer accounts are managed fairly well at USCIS. USCIS is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account. Furthermore, an FSN account and a US citizen federal employee account cannot be distinguished once it is created. Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Protection (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore, USCIS has no visibility into who has access to its systems. Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR. Dormant accounts provide a convenient unknown access path for current and former employees to use for illicit activity. A lack of consistency exists in the application of account management practices under the control of USCIS. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
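The account audit recommended above has to catch several distinct conditions at once: accounts with no record of who authorized their creation, accounts with no valid person behind them, accounts still enabled (or still being used) after the person separated, dormant accounts, and accounts that kept roles from a previous position after a transfer. The following is an added example of such an audit, not code from the report or from USCIS or PICS. The roster, the account export, the role baseline, the role names, and the reference date are constructed; the 90-day dormancy threshold is the longest of the periods interviewees cited.

```python
"""Account audit over constructed sample data. Added example; the record layouts, role
names, and identifiers are hypothetical and are not a USCIS or PICS export."""
from datetime import date

AS_OF = date(2010, 12, 1)   # fixed audit reference date so results are reproducible
DORMANT_DAYS = 90           # the longest of the 30/60/90-day periods interviewees cited

# Constructed HR roster: employee_id -> status, separation date, current position.
HR_ROSTER = {
    "E1001": {"status": "active",    "separated": None,              "position": "adjudicator"},
    "E1002": {"status": "separated", "separated": date(2010, 10, 15), "position": "adjudicator"},
    "E1003": {"status": "active",    "separated": None,              "position": "adjudicator"},  # moved here from the DBA group
    "E1004": {"status": "active",    "separated": None,              "position": "sysadmin"},
}

# Roles each position should hold; anything beyond this is privilege creep. Hypothetical names.
ROLE_BASELINE = {
    "adjudicator": {"CLAIMS3_READ", "CLAIMS3_ADJ"},
    "dba":         {"DB_ADMIN"},
    "sysadmin":    {"LOCAL_ADMIN", "AD_ADMIN"},
}

# Constructed account export: one record per system account.
ACCOUNTS = [
    {"username": "jdoe",       "employee_id": "E1001", "enabled": True, "last_logon": date(2010, 11, 20),
     "roles": {"CLAIMS3_READ", "CLAIMS3_ADJ"}, "authorization_ref": "REQ-2008-0417"},
    {"username": "rsmith",     "employee_id": "E1002", "enabled": True, "last_logon": date(2010, 10, 30),
     "roles": {"CLAIMS3_READ"},                "authorization_ref": "REQ-2007-1192"},
    {"username": "mlee",       "employee_id": "E1003", "enabled": True, "last_logon": date(2010, 11, 29),
     "roles": {"CLAIMS3_READ", "DB_ADMIN"},    "authorization_ref": "REQ-2009-0031"},
    {"username": "svc_legacy", "employee_id": "E9999", "enabled": True, "last_logon": date(2010, 1, 5),
     "roles": {"CLAIMS3_READ"},                "authorization_ref": None},
    {"username": "kwong",      "employee_id": "E1004", "enabled": True, "last_logon": date(2010, 8, 1),
     "roles": {"LOCAL_ADMIN", "AD_ADMIN"},     "authorization_ref": "REQ-2006-0555"},
]


def audit_account(acct, roster, baseline, as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Return the sorted list of finding codes for one account (empty list means clean)."""
    findings = []
    if acct["authorization_ref"] is None:
        findings.append("NO_AUTHORIZATION_RECORD")     # no record of who approved creation
    if acct["enabled"] and (as_of - acct["last_logon"]).days > dormant_days:
        findings.append("DORMANT")
    person = roster.get(acct["employee_id"])
    if person is None:
        findings.append("NO_HR_RECORD")                # orphan account: no valid person behind it
        return sorted(findings)
    if person["status"] == "separated":
        if acct["enabled"]:
            days = (as_of - person["separated"]).days
            findings.append(f"ENABLED_AFTER_SEPARATION:{days}d")
        if acct["last_logon"] > person["separated"]:
            findings.append("LOGON_AFTER_SEPARATION")  # the account was used after the person left
    else:
        excess = acct["roles"] - baseline.get(person["position"], set())
        if excess:                                     # privileges kept across a transfer
            findings.append("EXCESS_ROLES:" + ",".join(sorted(excess)))
    return sorted(findings)


def audit_accounts(accounts=ACCOUNTS, roster=HR_ROSTER, baseline=ROLE_BASELINE, as_of=AS_OF):
    return {a["username"]: audit_account(a, roster, baseline, as_of) for a in accounts}


if __name__ == "__main__":
    for user, issues in audit_accounts().items():
        print(f"{user:12s} {'OK' if not issues else '; '.join(issues)}")
```

The ordering of checks matters: an account with no HR record is reported and then skipped for the separation and role checks, because there is no position to compare against, and a separated person's account is not checked for privilege creep because the finding that matters is that it exists at all. A logon date later than the separation date is reported separately from "still enabled", since it is evidence the access path was actually used.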
Area of Concern: Account Establishment
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: In order for FSNs to gain access to USCIS systems, they must submit paperwork through proper channels, which eventually requires authorization by the CSO and CIO of DHS.
Policy or Practice Gaps: Prior to 2007, waiver paperwork for FSNs requesting account access was not submitted consistently. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.
Suggested Countermeasures: USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Different personnel are responsible for account creation and deletion across the entire enterprise depending on the system or network.
Policy or Practice Gaps: Database administrators may be able to create and delete database and application accounts without a second person verifying that action.
Suggested Countermeasures: Because database administrators have access to such critical data, USCIS should consider separating the task of authorizing access to USCIS databases from the task of managing the data in the databases. This separation of duties may reduce the risk of a database administrator creating an unauthorized account and using that account to carry out a malicious act.
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: A computer account is established only after a number of criteria have been met, including security awareness training. In addition to the steps required of all personnel for account access, contractors have to go through extra steps, some of which include verification by the COTR.
Policy or Practice Gaps: Computer account access is sometimes granted before security awareness training is completed. This practice may be true especially for contractors, since the onboarding process depends on the contracting agency and the COTR to verify that the training is completed.
Suggested Countermeasures: USCIS should consider requiring computer security awareness training for all personnel (full-time employees, part-time employees, and contractors) and verify that it is complete before creating any system accounts for these personnel.
Area of Concern: Account Management (General)
Responsible Personnel: Information Technology
Policy and/or Security Measure: PICS is administered by ICE, which has over 2,000 LPOs across various components of DHS. These LPOs are responsible for granting authorized access to PICS for the personnel at their respective work sites. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system.
Policy or Practice Gaps: Although the PICS account process requires the account to be linked to a valid employee, PICS administrators could create unauthorized accounts in the name of valid employees without their knowledge. Invalid accounts are typically flagged only when the account is dormant for a certain period of time. An LPO can also assign rights for any system controlled by PICS. Furthermore, ICE administers this system and could affect USCIS records unbeknownst to USCIS.
Suggested Countermeasures: In 12 of the cases documented in the CERT Insider Threat Case database, insufficient account management enabled the insiders to commit their crimes. USCIS should consider conducting account audits at the local site level, which would allow the validation of current PICS accounts and roles versus current PICS employee lists. USCIS should explore a means of segregating account management in PICS so that LPOs can administer accounts only for their own organization's systems. In other words, USCIS LPOs would only be able to administer authorizations for USCIS systems in PICS, and ICE LPOs would only be able to administer authorizations for ICE systems.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Account management is handled by a number of different groups across USCIS. Although there is an effort to centralize account management, local and regional offices of USCIS have historically done their own account management. If an account has not been used for a certain period of time, it is automatically disabled. The time periods stated by various interviewees varied from 30, 60, or 90 days.
Sugg
este
dCo
unte
rmea
sure
s
Six
insi
ders
doc
umen
ted
inth
eCE
RTIn
side
rTh
reat
Cas
eda
ta
base
wer
eab
leto
car
ryo
utth
eir
illeg
ala
ctiv
ities
bec
ause
ofldquo
priv
ile
gec
reep
rdquoU
SCIS
sho
uld
revi
ew
acco
untm
anag
emen
tpro
ce
dure
sto
ens
ure
that
the
step
scu
rren
tlyta
ken
tor
emov
eor
al
ter
acco
unta
cces
sar
eco
m
plet
ean
dbe
ing
cons
iste
ntly
fol
low
ed
Inp
artic
ular
the
pro
ce
dure
sus
edw
hen
som
eone
ch
ange
slo
catio
nso
rde
part
m
ents
with
inU
SCIS
sho
uld
be
exam
ined
A
sem
ploy
ees
tran
sfe
rth
roug
hout
an
agen
cyt
hey
shou
ldn
otb
eac
cum
ulat
ing
priv
ile
ges
The
ysh
ould
onl
yre
tain
pr
ivile
ges
com
men
sura
tew
ith
thei
rjo
bre
spon
sibi
litie
s
Twel
vep
erce
nt(4
6)o
fthe
insi
der
sdo
cum
ente
din
the
CERT
In
side
rTh
reat
Cas
eda
taba
seu
sed
syst
ema
dmin
istr
ator
pri
vile
ges
tos
abot
age
syst
ems
ord
ata
sh
ared
acc
ount
sw
ere
used
by
insi
ders
follo
win
gte
rmin
atio
nin
Polic
yor
Pra
ctic
eG
aps
The
issu
eof
acc
ount
man
agem
entf
or
empl
oyee
tran
sfer
sis
not
bei
nga
d
dres
sed
ina
con
sist
entm
anne
rT
he
O
ITr
elie
son
not
ifica
tion
bye
ither
the
ne
wo
rol
dsu
perv
isor
whe
nan
em
ploy
eetr
ansf
ers
but
ther
eha
veb
een
ca
ses
inU
SCIS
inw
hich
em
ploy
ees
have
ret
aine
dac
cess
whe
nth
ey
shou
ldn
oth
ave
Th
ough
itw
ould
req
uire
phy
sica
lac
cess
toa
USC
ISm
achi
net
hatf
orm
er
Polic
yan
dor
Sec
urit
yM
easu
re
Whe
nan
em
ploy
eem
oves
from
one
po
sitio
nto
ano
ther
or
tran
sfer
sto
an
othe
rdep
artm
ent
the
man
age
men
tin
thos
ede
part
men
tsm
ust
initi
ate
the
requ
ired
com
pute
rac
coun
tcha
nges
Ther
ear
eop
erat
ing
syst
emim
ages
us
edth
roug
hout
USC
ISth
atp
erm
itan
adm
inis
trat
orto
inst
alla
sta
nda
rdc
onfig
urat
ion
ofa
nop
erat
ing
syst
ema
nda
ccom
pany
ing
soft
war
e
Resp
onsi
ble
Pers
onne
l
USC
ISL
eade
rshi
p In
form
atio
nTe
chno
logy
Info
rmat
ion
Tech
nolo
gy
Are
aof
Con
cern
Chan
ging
Pas
sw
ord
ofS
hare
dA
ccou
ntU
pon
Term
inat
ion
CERT | SOFTWARE ENGINEERING INSTITUTE | 79
Policy or Practice Gaps (continued from the previous row): [...] Although an administrator would need physical access to a piece of equipment, [...] administrator would have administrator rights to GFE.
Suggested Countermeasures (continued from the previous row): [...] 14 cases [...]

Area of Concern: Disabling Accounts or Connections Upon Employee Termination
Responsible Personnel: USCIS Leadership, Information Technology, Human Resources
Policy and/or Security Measure: The OIT typically is notified of an account termination in one of three ways:
1) A standard form called an exit clearance form is distributed and signed by other parties such as Human Resources and the Office of Security and Integrity (OSI). This form lets the OIT know that an employee's accounts should be disabled or terminated.
2) The supervisor of the departing employee contacts the OIT directly and informs them of the employee's departure.
3) When a contractor is involved, it is the responsibility of the COTR to inform the OIT.
The OIT receives an "attrition list" every 2 weeks. When this list is received, a manual check is done to ensure that employees who have departed in the last 2 weeks have their account access deleted.
Policy or Practice Gaps: It is clear from interviews with USCIS personnel that a single process is neither understood nor followed for disabling accounts following an employee or contractor termination. The procedures used are not consistent between supervisors or field offices, and for federal employees versus contractors. Sometimes the exit clearance form makes it to the OIT and sometimes it does not. The OIT's task is made even more difficult by the fact that it would need to know exactly which accounts an individual has access to. Though this process is fairly effective, it potentially allows unauthorized access for 2 weeks following termination. Because this is a manual process, there is currently no automatic way to ensure that it happens. USCIS personnel cited an instance in which these procedures failed for an employee who was terminated as a contractor and later hired as a federal employee.
Suggested Countermeasures: The lack of consistency and awareness of the standard procedures may permit the account of an insider to be used following termination. Terminating accounts even 2 weeks following termination may not be enough to prevent unauthorized or criminal activity. As soon as HR is aware of the change, a more automated mechanism of deleting these accounts should be implemented.
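One way to replace the manual two-week attrition check with an automated reconciliation, as an added example that is not part of the OIG/CERT report. It assumes two constructed inputs (an HR-style attrition list and a per-system account inventory; the IDs, names and system names are invented) and reports every still-enabled account whose owner has departed or been placed on leave, with the number of days the account has stayed live past that date, so the check can run on every HR change rather than every two weeks.

```python
"""Reconcile an HR attrition list against an account inventory.

Added example, not from the OIG/CERT report.  The inputs are constructed
CSV text; one person may hold accounts on several systems, which is the
case the report says makes the OIT's manual check hard.
"""
import csv
import io
from datetime import date

# Constructed sample data; every ID, name and system here is invented.
ATTRITION_LIST = """\
employee_id,name,departure_date,status
E1001,J. Doe,2010-11-01,terminated
E1002,A. Smith,2010-11-08,resigned
E1003,R. Lee,2010-11-12,contract_ended
E1004,M. Chan,2010-11-15,administrative_leave
"""

ACCOUNT_INVENTORY = """\
employee_id,system,account,enabled
E1001,CLAIMS3,jdoe,true
E1001,email,john.doe,false
E1002,PICS,asmith,true
E1003,CLAIMS4,rlee,true
E1003,vpn,rlee,true
E1004,CLAIMS3,mchan,true
E2000,CLAIMS3,stillhere,true
"""

AS_OF = date(2010, 11, 22)  # constructed "today" for the sample data


def load_rows(text):
    """Parse CSV text into a list of dicts, one per row."""
    return list(csv.DictReader(io.StringIO(text)))


def stale_accounts(attrition_csv, inventory_csv, as_of):
    """Return enabled accounts belonging to anyone on the attrition list.

    Leave of absence is treated like a departure because the report
    recommends suspending access in that case as well.  Each finding
    carries how many days the account has stayed enabled past the date.
    """
    departed = {
        row["employee_id"]: (date.fromisoformat(row["departure_date"]), row["status"])
        for row in load_rows(attrition_csv)
    }
    findings = []
    for acct in load_rows(inventory_csv):
        if acct["enabled"].lower() != "true":
            continue  # already disabled, nothing to do
        info = departed.get(acct["employee_id"])
        if info is None:
            continue  # current employee, not on the list
        departed_on, status = info
        findings.append({
            "employee_id": acct["employee_id"],
            "system": acct["system"],
            "account": acct["account"],
            "status": status,
            "days_open": (as_of - departed_on).days,
        })
    # Longest-lived stale access first.
    return sorted(findings, key=lambda f: -f["days_open"])


def overdue(findings, max_days):
    """Subset of findings that exceeded the allowed disable window."""
    return [f for f in findings if f["days_open"] > max_days]


def run_check(as_of=AS_OF):
    """Run the reconciliation over the constructed sample data."""
    return stale_accounts(ATTRITION_LIST, ACCOUNT_INVENTORY, as_of)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['employee_id']} {f['system']:8} {f['account']:10} "
              f"{f['status']:22} {f['days_open']:3d} days")
```

Feeding the real attrition feed and directory exports into `stale_accounts` on every HR change, instead of once per list, is what closes the two-week gap; `overdue` is the list that should page someone.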
Area of Concern: Disabling Accounts or Connections During Employee Leave of Absences

Responsible Personnel: Information Technology
Policy and/or Security Measure: LPOs work in their respective regions or offices and are decentralized by nature. The policies and procedures followed often depend on how things have been done historically in that particular office.
Policy or Practice Gaps: Because account authorization procedures are not standardized throughout all organizations using the PICS, LPOs across the entire USCIS enterprise have not been consistent in how they have handled account deletion following employee termination.
Suggested Countermeasures: USCIS should continue its efforts to centralize or reduce the number of LPOs in order for standard procedures to be followed. If this cannot be accomplished, standard procedures should be published, instructed and consistently enforced.

Responsible Personnel: Information Technology, Human Resources
Policy or Practice Gaps: There is no official guidance or practice in the proper way to suspend access for an employee on a leave of absence. In one case provided by USCIS, an employee retained access to critical systems even after being placed on an administrative leave of absence.
Suggested Countermeasures: A few insiders documented in the CERT Insider Threat Case database retained access to organization systems while on a leave of absence and used that access to steal information or commit fraud. USCIS should implement a policy to outline exactly what should be done when a government employee or contractor goes on a leave of absence, considering the risks versus benefits of allowing system access.

Area of Concern: Sharing Account and Password Information
Responsible Personnel: Information Technology
Policy or Practice Gaps: Although concern has been expressed about the existence of these accounts, the business justification has taken precedence over the risk being assumed.
Suggested Countermeasures: Access to these accounts should be carefully documented and tracked so that credentials can be changed if someone in that restricted group no longer warrants access.

Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure that network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors have not been through the rigorous pre-employment screening required of USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.
Other access control issues that should be considered include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Area of Concern: Access Control: Foreign Service Nationals
Responsible Personnel: Information Technology, Human Resources, Office of Security and Integrity
Policy and/or Security Measure: Currently a Foreign Service National (FSN) requiring access to USCIS systems submits paperwork, including a waiver, through the USCIS director and the CIO and CSO of DHS.
Policy or Practice Gaps: Although the assessment team was able to get limited visibility into this practice, it seems to be aligned with the policy. If true, it has given USCIS and DHS better visibility into this activity.
Suggested Countermeasures: The practice should be continued and expanded as needed to inform all relevant USCIS personnel.

Responsible Personnel: Information Technology, Human Resources, Personnel Security, Office of Security and Integrity
Policy and/or Security Measure: When FSNs require access to USCIS systems in embassies and consulates abroad, they are vetted by the US Department of State.
Policy or Practice Gaps: Because the US Department of State is performing the vetting process, USCIS has very little control or visibility into the process for granting FSNs access to USCIS systems and networks. Interviewees stated that in some cases FSNs have administrative control over some systems and that in other cases they are serving as information system security officers (ISSOs).
Suggested Countermeasures: USCIS should gain a better understanding of the US Department of State's vetting process and clarify its own requirements for granting and tracking access for FSNs to USCIS systems. If continued access is required, the procedures to document and control that access should be negotiated with the US Department of State and consistently enforced.

Responsible Personnel: Information Technology
Policy or Practice Gaps: Once a traditional user account is created, there is little to no way to distinguish an FSN account from one belonging to a US citizen. Because an FSN account is not distinguishable from other accounts, it would be extremely difficult to associate specific online activities with accounts belonging to FSNs. Email addresses appear the same, and violation activities would not easily be attributed to an FSN.
Suggested Countermeasures: USCIS should consider whether or not it wants the ability to distinguish what online activities and accesses FSNs are engaging in. If so, it should incorporate those steps into the procedures mentioned above.

Responsible Personnel: Information Technology
Policy and/or Security Measure: DHS is in the process of building a secure intranet called OneNet, which will better enable information sharing among DHS components. This project will be enabled by interconnection agreements between segments.
Policy or Practice Gaps: Once the appropriate interconnection agreements are in place, it will be harder to restrict access for FSNs to specific systems (e.g., SharePoint).
Suggested Countermeasures: USCIS should make a determination about whether or not FSN access should be any different from other similar accounts of US citizens. If the lack of restrictions is unacceptable, that issue should be brought to DHS personnel responsible for implementing the OneNet solution.

Area of Concern: Access controls
Policy and/or Security Measure: There are business processes and resources (e.g., PICS, CLAIMS 3 and CLAIMS 4) that are shared with ICE. This partnership is an artifact of the past and current relationships between departments within DHS.
Policy or Practice Gaps: For these shared resources to function properly, they require careful coordination, which does not take place in all cases. For example, USCIS does not receive a copy of the formal access request submitted to ICE for an ICE employee to access a USCIS system.
Suggested Countermeasures: USCIS should carefully document what access is being granted to any parties external to USCIS. If additional coordination is required, it should be done with the relevant departments of DHS.

Policy and/or Security Measure: For certain information systems, local and remote logins are not permitted between the hours of 11:30 pm and 6:00 am.
Policy or Practice Gaps: This practice closely adheres to the policy for specific systems.
Suggested Countermeasures: Enforcing a mandatory access period may help ensure that a malicious insider is not using systems when supervision is lessened. Eight percent (29) of the insiders documented in the CERT Insider Threat Case database used access outside of normal working hours to carry out their illicit activities.

Policy and/or Security Measure: When an employee attempts to log in to a restricted system during off-peak hours, an automatic email notice is sent by the OIT to persons in the employee's management chain of command.
Policy or Practice Gaps: This practice is not consistent across all systems and is not part of other incident response procedures.
Suggested Countermeasures: USCIS should consider implementing this practice into the larger system of incident response, to include correlation with other events and over a period of time.
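The correlation the last row asks for (off-hours logins tied together across systems and over time, rather than one e-mail per event), as an added example that is not part of the OIG/CERT report. It assumes a constructed log format (one line per login attempt with key=value fields; the users, systems and timestamps are invented) and the 11:30 pm to 6:00 am window the report gives for certain systems; the rolling window and threshold are assumed tuning values.

```python
"""Correlate off-hours logins per user across systems and over time.

Added example, not from the OIG/CERT report.  The log lines below are
constructed; the restricted window matches the 11:30 pm to 6:00 am
policy quoted in the report, and window/threshold are assumed values.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

RESTRICTED_START = time(23, 30)   # inclusive
RESTRICTED_END = time(6, 0)       # exclusive

# Constructed sample lines; users, systems and times are invented.
SAMPLE_LOG = """\
2010-11-01T09:02:11 user=dayuser system=CLAIMS3 result=success
2010-11-02T02:14:09 user=nightadmin system=CLAIMS3 result=success
2010-11-03T23:29:59 user=dayuser system=NFTS result=success
2010-11-03T23:45:00 user=nightadmin system=NFTS result=success
2010-11-05T01:07:30 user=oneoff system=PICS result=failure
2010-11-08T03:30:00 user=nightadmin system=CLAIMS3 result=success
2010-11-10T06:00:00 user=dayuser system=CLAIMS3 result=success
2010-11-11T04:55:12 user=nightadmin system=CLAIMS3 result=success
"""


def parse_line(line):
    """Turn 'ISO-timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    stamp, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(stamp)
    return rec


def is_off_hours(ts):
    """True when the time of day lies in [23:30, midnight) or [midnight, 06:00)."""
    t = ts.time()
    return t >= RESTRICTED_START or t < RESTRICTED_END


def off_hours_summary(log_text, window=timedelta(days=14), threshold=2):
    """Return {user: summary} for users with at least `threshold` off-hours
    logins inside the `window` ending at their most recent off-hours login.

    A single stray login stays below the threshold; repeated ones, and in
    particular ones spread over several systems, surface as one finding.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_off_hours(rec["ts"]):
            events[rec["user"]].append(rec)

    flagged = {}
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        latest = recs[-1]["ts"]
        recent = [r for r in recs if r["ts"] > latest - window]
        if len(recent) >= threshold:
            flagged[user] = {
                "count": len(recent),
                "systems": sorted({r["system"] for r in recent}),
                "first": recent[0]["ts"],
                "last": latest,
                "failures": sum(r["result"] != "success" for r in recent),
            }
    return flagged


if __name__ == "__main__":
    for user, s in off_hours_summary(SAMPLE_LOG).items():
        print(user, s["count"], "off-hours logins on", ", ".join(s["systems"]),
              "between", s["first"], "and", s["last"])
```

The boundaries matter: 23:29:59 and exactly 06:00:00 are inside working hours here, 23:45 and 04:55 are not. Feeding the same records from every restricted system into one summary is what lets the chain of command see a pattern instead of isolated notices.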
Area of Concern: Access Privileges – General
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: At the Vermont Service Center, OIT staff are the only ones present late at night. As part of their duties they also have electronic access to the CLAIMS3 information system.
Policy or Practice Gaps: As a function of the electronic access and the physical layout of the Service Center, OIT personnel have access to CLAIMS3 as well as the physical files in the building.
Suggested Countermeasures: USCIS should consider the minimum level of access (least privilege) needed for all personnel to accomplish their job duties. Thirteen percent (49) of the insiders documented in the CERT Insider Threat Case database violated a need to know in order to perpetrate their crimes, including stealing PII and proprietary information. In addition, several insiders committed their crimes while working on the night shift, where they enjoyed a reduced level of scrutiny. Unrestricted electronic and physical access to such high risk data and systems outside of normal working hours presents a high degree of risk to USCIS.

Policy and/or Security Measure: The US Department of State Consular Affairs network grants access to FSNs working in embassies and consulates, and it connects to USCIS systems.
Policy or Practice Gaps: According to one interviewee, some FSNs on the Consular Affairs network are suspected to be working for arms of foreign intelligence or security agencies. USCIS has used technical methods (e.g., firewalls) to ensure that USCIS systems are protected from any interconnections with the US Department of State's networks.
Suggested Countermeasures: Since USCIS cannot determine what access the US Department of State grants to FSNs on its systems, USCIS should continue to use technical measures to prevent unauthorized access while working with counterintelligence personnel to deal with suspected foreign agents working around US government facilities.

Area of Concern: Access Privileges – System Administrator
Responsible Personnel: Information Technology, Office of Security and Integrity
Policy and/or Security Measure: There is a single person who has the knowledge of and responsibility for administering the voice mail systems.
Policy or Practice Gaps: This single point of failure makes it difficult to recover from a malicious act on this particular system.
Suggested Countermeasures: A few insiders in the cases analyzed by CERT used their unrevoked access to the organization's phone system to harm the organization. In one case the entire customer service voice mail system was redirected to a pornographic phone site. In another, derogatory comments about the organization were recorded and played for every voice mail box. USCIS should place additional staff in the role of administrators for the USCIS voice mail system. This would allow USCIS to implement some form of separation of duties, or at the very least minimal checks and balances, to prevent tampering with the voice mail system. USCIS should ensure that it manages accounts and passwords for internal systems such as voice mail as well as external accounts. One insider documented in the CERT Insider Threat Case database changed the domain name system registry for his organization's website so that visitors were sent to a pornographic website. These types of accounts are used very infrequently and are often not included in formal termination procedures.

Area of Concern: Management of Remote Access
Responsible Personnel: Information Technology, Security Network Operations Center
Policy and/or Security Measure: Port security would prevent a user from connecting a personal machine directly to a USCIS network. This security mechanism is handled by the SNOC. Remote access, on the other hand, is handled by DHS. USCIS has access to very limited information, including logs for remote connections, because of contract stipulations with Sprint. The assessment team received conflicting opinions about whether a personal machine could be connected with a remote account.
Policy or Practice Gaps: Although connecting a personal laptop to a USCIS network via a remote connection may or may not be blocked, the SNOC was not confident it would be blocked because it does not control that access. It is possible that a user could connect with a personal machine if DHS allowed it.
Suggested Countermeasures: USCIS should coordinate with DHS personnel to ensure that desired USCIS security policies are enforced for personnel accessing USCIS systems and data. Seven percent (26) of the insiders documented in the CERT Insider Threat Case database were able to attack in part because of insufficient monitoring of external access.
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: The contractors responsible for VIS have implemented a strict access control solution with Firepass, and it appears to accomplish its goal of ensuring that only the proper personnel are granted access and that they perform authorized actions once they are connected.
Policy or Practice Gaps: Unfortunately, they are the only contractors and system using Firepass, and it will not be used once the move is made to Stennis Space Center. They are unsure of what controls will be used at Stennis.
Suggested Countermeasures: Implementing a Firepass solution for all USCIS systems might not be cost effective. USCIS management should at least examine the risk posed to the most critical systems and implement a Firepass-like solution for those that require remote access. As stated above, one in ten insiders documented in the CERT Insider Threat Case database used the creation of unknown paths into organization systems; proper measures might have prevented many of those instances.
Area of Concern: Non-System Administrators Authorized Access to Administrator Accounts
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: According to one interviewee, FSNs are system administrators on some US Department of State systems in embassies or consulates abroad. The US Department of State has authorized access for some FSNs to some USCIS systems needed for the performance of their duties.
Policy or Practice Gaps: An FSN who is a system administrator for US Department of State systems does not necessarily have administrator rights on USCIS systems. One interviewee expressed concern, however, that an administrator who is a citizen of a foreign country could escalate privileges or use social engineering tactics to gain unauth­orized access to USCIS systems.
Suggested Countermeasures: Ten percent (39) of insiders documented in the CERT Insider Threat Case database took advantage of insufficient access controls to conduct their crimes. USCIS should examine USCIS systems access for US Department of State system administrators, as well as how those connections are monitored or logged. They should also work with the US Department of State to understand its processes for granting FSNs access to US Department of State systems.
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: There are currently no limits on A files an adjudicator can request in the National File Tracking System (NFTS).
Policy or Practice Gaps: The lack of limits placed on requesting A files in NFTS may allow adjudicators to request a file by name even if they should not be accessing that file.
Suggested Countermeasures: There should be logical controls which [...] to detect "extraordinary" or suspicious file transfer requests. In one USCIS case the insider requested a file transfer to a region for an individual whose files were in another region and whose forms had been previously denied.
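One shape such logical controls could take, as an added example that is not part of the OIG/CERT report. It assumes constructed request and file-index records (the field layout, regions and A-numbers are invented) and applies three rules suggested by the case above: the requester's region differs from the region holding the file, the file carries a prior denial, and the requester exceeds an assumed per-day request limit.

```python
"""Flag "extraordinary" A-file transfer requests.

Added example, not from the OIG/CERT report.  The file index and the
requests are constructed; the daily limit is an assumed tuning value.
"""
from collections import Counter

# Constructed file index: A-number -> (region holding the file, prior denial on file)
FILE_INDEX = {
    "A000000001": ("northeast", False),
    "A000000002": ("west", True),
    "A000000003": ("west", False),
    "A000000004": ("southeast", False),
}

# Constructed transfer requests: (day, adjudicator, adjudicator's region, A-number)
REQUESTS = [
    ("2010-11-05", "adj17", "northeast", "A000000001"),
    ("2010-11-05", "adj17", "northeast", "A000000002"),  # other region + prior denial
    ("2010-11-05", "adj22", "west", "A000000003"),
    ("2010-11-05", "adj22", "west", "A000000002"),
    ("2010-11-05", "adj22", "west", "A000000004"),       # other region
    ("2010-11-05", "adj22", "west", "A000000001"),       # other region, 4th request today
]


def flag_requests(requests, file_index, daily_limit=3):
    """Return [(request, [reasons])] for every request that trips at least one rule.

    Reasons are accumulated rather than short-circuited so an analyst sees
    everything unusual about a request, not just the first rule that fired.
    """
    per_day = Counter((day, adj) for day, adj, _region, _anum in requests)
    findings = []
    for req in requests:
        day, adj, region, anum = req
        reasons = []
        home, denied = file_index.get(anum, (None, False))
        if home is None:
            reasons.append("A-number not in file index")
        elif home != region:
            reasons.append(f"file held in {home}, requester in {region}")
        if denied:
            reasons.append("prior denial on file")
        if per_day[(day, adj)] > daily_limit:
            reasons.append(f"{per_day[(day, adj)]} requests on {day} exceeds limit {daily_limit}")
        if reasons:
            findings.append((req, reasons))
    return findings


if __name__ == "__main__":
    for req, reasons in flag_requests(REQUESTS, FILE_INDEX):
        print(req[1], req[3], "->", "; ".join(reasons))
```

The second request (a file from another region whose forms were previously denied) is the pattern from the case and trips two rules at once; the volume rule catches a requester who is otherwise pulling files in his own region.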
Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which internal es[...]. In some instances malicious insiders used [...] storage devices [...] through the download of information to portable media or [...], or to communicate sensitive information [...] through email to competitors or conspirators. The unauthorized exfiltration of controlled information can have devastating effects on an organization. Organizations must ensure that employees understand what constitutes acceptable use of company resources, including information assets, and enforce policies regarding what [...] through technical means. Network monitoring strategies that would detect large amounts of data downloaded, or anomalous increases in network traffic by total volume or type of traffic (e.g., by either port or protocol), may help protect controlled information.

Area of Concern: Data Download to Media
Responsible Personnel: Information Technology
Policy and/or Security Measure: [cell garbled in extraction; recoverable fragments: "USCIS has ... information ... the insider ... email to ... load to ..."]
Policy or Practice Gaps: [cell garbled in extraction; recoverable fragments: "... devices ... prohibited from systems ... the cont[rols] ... are permitted ... use of ... malicious a[ctivity] ... exhibiting malicious ... could ... these ... prohi[bited] ... security awareness campaign ... devices ... be logged ... suspicious ... leave ... initiate ..."]
Suggested Countermeasures: [cell garbled in extraction; recoverable fragments: "1) Exceptions that are technically ... should be ... 2) If USB ... held ... employee ... employee signs ... USCIS ... standard ... track ... if ... should audit ... having ... insider ... of work ... convictions ... in order to ..."]

Area of Concern: Data Download or [...] From Home
Responsible Personnel: [...]
Policy and/or Security Measure: There is a policy against using personally owned computer equipment to perform official duties for USCIS. Telework should only be done with government furnished equipment (GFE).
Policy or Practice Gaps: A case from the USCIS CT Task Force showed that [an employee] performed a significant amount of official business, including [...], on his personal laptop and personal email [...], and used it to develop a system that he was rewarded for producing.
Suggested Countermeasures: There are no technical controls to catch this activity unless the device is physically plugged into the network.

Area of Concern: Protecting Critical Information Files
Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC responds to spills of PII, which occur on a weekly basis. The information about the incident is transferred from the data owner who becomes aware of the spill to the OSI, which creates a Serious Incident Report (SIR) that it forwards to the Privacy Officer and finally to the SNOC.
Policy or Practice Gaps: USCIS responds to PII spillages often enough that its staff is well versed in response procedures. Unfortunately, the frequency with which incidents occur and the response procedures in place do not seem to reduce the number of incidents or provide automated detection when spillage occurs.
Suggested Countermeasures: The response effort to a PII spillage involves many parties and appears to be a complicated process for an event that happens on a weekly basis. Though these spillages are accidental events, [...]

Policy and/or Security Measure: Access to network resources is terminated immediately when a spill or misconduct is suspected.
Policy or Practice Gaps: This practice appears to be done consistently.
Suggested Countermeasures: USCIS should continue this practice as part of its incident response procedures. Incorporating an appropriate level of monitoring would also be a prudent measure.

Audit, Monitor, Backup, Recovery

Insider threat research conducted by CERT has shown that logging, monitoring and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

Preventing insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected and tested to ensure business continuity in the event of damage to or loss of centralized data.

Area of Concern: Modification / Disabling Log Files
Responsible Personnel: Information Technology
Policy and/or Security Measure: Log files are accessible by the domain administrators and system administrators of each respective system.
Suggested Countermeasures: Although six percent (23) of the insiders documented in the CERT Insider Threat Case database were able to modify or disable log files, [...]. USCIS should send critical logs to a centralized log server and protect the log files to permit a forensic reconstruction of network or host based events.

Area of Concern: Monitoring Suspicious Activity
Responsible Personnel: Information Technology
Policy and/or Security Measure: [Logs] are sometimes limited to 24 hours or less of collection.
Policy or Practice Gaps: The lack of consistency for what is logged across USCIS servers, systems, applications and workstations is concerning. Several parties addressed the fact that IT personnel must be able to physically reach a machine in a timely fashion if they hope to capture logs related to an incident. This assumption makes it likely that critical log information will be missed. In addition, the SNOC lacks the resources to focus on monitoring for suspicious insider activity, focusing instead primarily on protection from external incidents.
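What "protect the log files to permit a forensic reconstruction" can mean for the forwarded copy, as an added example that is not part of the OIG/CERT report. It assumes constructed host events (the host name, times and messages are invented) and shows a hash chain: each record forwarded to the central collector carries a SHA-256 over the previous link and the record itself, so a verifier holding only the final hash can detect a later edit, deletion, reordering or truncation of the collector's copy even though administrators can still alter the files on the originating host.

```python
"""Tamper-evident forwarding of log records to a central collector.

Added example, not from the OIG/CERT report.  The events are constructed.
The chain does not stop an administrator from editing the host's own
files; it makes any edit to the forwarded copy detectable afterwards.
"""
import hashlib
import json

GENESIS = "0" * 64  # link value before the first record

# Constructed sample events from one host; contents are invented.
HOST_EVENTS = [
    {"ts": "2010-11-05T01:07:30", "host": "vsc-db01", "msg": "login admin from 10.0.5.9"},
    {"ts": "2010-11-05T01:09:02", "host": "vsc-db01", "msg": "auditd stopped"},
    {"ts": "2010-11-05T01:12:47", "host": "vsc-db01", "msg": "bulk export claims3 started"},
    {"ts": "2010-11-05T01:40:11", "host": "vsc-db01", "msg": "logout admin"},
]


def record_hash(prev_hash, event):
    """SHA-256 over the previous link and a canonical JSON encoding of the event."""
    canon = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()


def build_chain(events, start=GENESIS):
    """Return (chained_records, head_hash).

    Each forwarded record carries the link it was chained to and its own
    hash, so the collector stores records as-is and a verifier can replay
    the chain without access to the originating host.  The head hash is
    what the verifier keeps somewhere the administrators cannot reach.
    """
    prev = start
    records = []
    for ev in events:
        h = record_hash(prev, ev)
        records.append({"event": ev, "prev": prev, "hash": h})
        prev = h
    return records, prev


def verify_chain(records, expected_head, start=GENESIS):
    """Return (ok, index_of_first_bad_record_or_None).

    Recomputes every link.  A modified, deleted or reordered record breaks
    the link at its position; a truncated tail passes every link but fails
    the final comparison with the independently kept head.
    """
    prev = start
    for i, rec in enumerate(records):
        if rec["prev"] != prev or record_hash(prev, rec["event"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if prev != expected_head:
        return False, len(records)
    return True, None


def tampered_copy(records, index):
    """Constructed attack: an administrator rewrites one forwarded record."""
    copy = [dict(r, event=dict(r["event"])) for r in records]
    copy[index]["event"]["msg"] = "routine maintenance"
    return copy


if __name__ == "__main__":
    chain, head = build_chain(HOST_EVENTS)
    print("clean copy:", verify_chain(chain, head))
    print("edited record 1:", verify_chain(tampered_copy(chain, 1), head))
    print("last record dropped:", verify_chain(chain[:-1], head))
```

The head hash has to live outside the administrators' reach (a write-once store, or a second team's system) for the check to mean anything; with that, the central copy becomes the record a forensic reconstruction can trust even when the host's own logs were disabled or rewritten.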
Responsible Personnel: Information Technology
Policy and/or Security Measure: Database administrators are responsible for monitoring and alerting when data access attempts are made to critical data in USCIS databases.
Policy or Practice Gaps: No evidence provided.
Suggested Countermeasures: USCIS should consider clearly defining the responsibility of database administrators and the SNOC for monitoring, alerting and responding to unauthorized data access. Once the responsibility is assigned, the appropriate group should diligently prevent, detect and respond to unauthorized data access, modification and exfiltration attempts.

Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS has the ability to create inbound firewall rules to filter potentially malicious network traffic.
Policy or Practice Gaps: Network traffic filtering is happening only on inbound traffic, not outbound traffic. The resources do not exist to examine outbound traffic, only inbound traffic. Furthermore, the intrusion detection systems are not optimized to detect security events.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that monitors and filters inbound and outbound network traffic. This strategy may prevent or detect the unauthorized transfer of USCIS data outside the organization. Many insiders documented in the CERT Insider Threat Case database were able to commit their malicious activities using laptops.
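The outbound half of the monitoring strategy recommended above, and the volume/port/protocol detection described in the Protection of Controlled Information introduction, as one added example that is not part of the OIG/CERT report. It assumes constructed per-connection flow summaries (day, source host, destination port, protocol, bytes sent; the hosts and values are invented) of the kind a flow collector exports, and assumed thresholds: a host's day is flagged when its outbound volume exceeds both a multiple of the median of its earlier days and an absolute floor, and the flagged day is broken down by port and protocol.

```python
"""Flag anomalous outbound transfers from per-host flow records.

Added example, not from the OIG/CERT report.  FLOWS is constructed; the
ratio, floor and history length are assumed tuning values.
"""
from collections import defaultdict
from statistics import median

MB = 1024 * 1024

# Constructed flow summaries: (day, source host, dst port, protocol, bytes sent)
FLOWS = [
    ("2010-11-01", "ws-042", 443, "tcp", 40 * MB),
    ("2010-11-01", "ws-042", 25, "tcp", 5 * MB),
    ("2010-11-02", "ws-042", 443, "tcp", 55 * MB),
    ("2010-11-03", "ws-042", 443, "tcp", 48 * MB),
    ("2010-11-03", "ws-042", 80, "tcp", 12 * MB),
    ("2010-11-04", "ws-042", 443, "tcp", 50 * MB),
    ("2010-11-05", "ws-042", 443, "tcp", 1900 * MB),  # the spike
    ("2010-11-05", "ws-042", 22, "tcp", 600 * MB),
    ("2010-11-01", "ws-117", 443, "tcp", 30 * MB),
    ("2010-11-02", "ws-117", 443, "tcp", 35 * MB),
    ("2010-11-03", "ws-117", 443, "tcp", 32 * MB),
    ("2010-11-04", "ws-117", 443, "tcp", 28 * MB),
    ("2010-11-05", "ws-117", 443, "tcp", 31 * MB),
]


def daily_totals(flows):
    """{host: {day: bytes}} summed over every port and protocol."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _port, _proto, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def port_breakdown(flows, host, day):
    """{(port, proto): bytes} for one host on one day, largest first."""
    by_port = defaultdict(int)
    for d, h, port, proto, nbytes in flows:
        if h == host and d == day:
            by_port[(port, proto)] += nbytes
    return dict(sorted(by_port.items(), key=lambda kv: -kv[1]))


def find_outbound_anomalies(flows, ratio=5.0, floor=500 * MB, min_history=3):
    """Return [(host, day, bytes, baseline, breakdown)] for anomalous days.

    Each day is compared only with that host's earlier days, so the spike
    never inflates its own baseline; hosts with fewer than min_history
    prior days are skipped rather than judged on a thin baseline.  The
    absolute floor keeps a quiet host's small jumps from paging anyone.
    """
    findings = []
    for host, per_day in daily_totals(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            today = per_day[day]
            if today >= floor and today > ratio * baseline:
                findings.append((host, day, today, baseline,
                                 port_breakdown(flows, host, day)))
    return findings


if __name__ == "__main__":
    for host, day, total, baseline, parts in find_outbound_anomalies(FLOWS):
        print(f"{host} {day}: {total / MB:.0f} MB out vs median {baseline / MB:.0f} MB")
        for (port, proto), nbytes in parts.items():
            print(f"    {proto}/{port}: {nbytes / MB:.0f} MB")
```

Here the constructed workstation ws-042 sends about 50 MB a day and then 2.5 GB in one day, 1.9 GB of it over tcp/443 and 600 MB over tcp/22; the per-port view is what tells an analyst whether that was a web upload or an SSH copy. The same per-host aggregation is also what a policy of filtering outbound traffic would need as its input.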
Responsible Personnel: Information Technology
Policy and/or Security Measure: The SNOC is responsible for determining the root cause of an incident, including using forensic tools to identify affected workstations, desktops and laptops.
Policy or Practice Gaps: The SNOC has had problems identifying the root cause of an affected workstation or user because of the lack of network forensic applications. Ideally, the SNOC should be able to trace network traffic from source to destination and watch activity. It has a standalone forensic capability but nothing on the network.
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that includes forensic tools to aid investigations.

Area of Concern: Backups
Responsible Personnel: Information Technology
Policy and/or Security Measure: Backup testing for many systems occurs once per year. In some cases the backups are only tested with a tabletop exercise and do not use similar or identical hardware to that used in the production environment.
Policy or Practice Gaps: Tabletop exercises may not give USCIS a true indication of its ability to recover from a systemic failure.
Suggested Countermeasures: In six percent (22) of the cases documented in the CERT Insider Threat Case database, the impact of the crime was magnified because of insufficient backups. When possible, backups should be implemented on similar hardware to ensure that the backup tape is functional and the backup is operational.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Years of backup tapes are kept on site at the Vermont Service Center, and system administrators have access to these backup files.
Policy or Practice Gaps: Administrators who have access to the backup tapes would be able to [...]
Suggested Countermeasures: Backup media should be controlled carefully, documented and stored off site with limited access. Without those controls, USCIS cannot be sure its backups will give it the ability to recover.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders following termination will sometimes exploit known technical vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to address known security vulnerabilities and ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.

Area of Concern: Addressing Known Security Vulnerabilities
Responsible Personnel: Information Technology
Policy and/or Security Measure: The OIT relies on two mechanisms to detect the download of malicious code: 1) DHS monitors the Internet gateway and alerts the OIT immediately upon discovery of known malware. The OIT shuts down the port to block malicious code where appropriate. 2) Workstation agents installed also detect [...]tion of malicious code from USBs and other media.
Policy or Practice Gaps: The presence of host, perimeter and malware protection for [US]CIS in all [...] puts USCIS in a relatively secure position regarding malicious downloads.

Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS users have local administrator rights on their own machines. This allows users to install software on their systems. Some authorized software does require administrator rights to install. Some applications actually require administrator rights to run.
Policy or Practice Gaps: A mitigating factor is that the departing employee would need physical access to the system to log in. A user with administrator privileges must not rely solely on automatic mechanisms to safeguard his or her computer. Administrator rights give inadvertently downloaded malware the ability to completely compromise a system, sometimes without the knowledge of the user.
Suggested Countermeasures: Twelve percent (46) of the cases documented in the CERT Insider Threat Case database involve users abusing administrator privileges to sabotage systems or data. Although USCIS users need administrator rights to install or run authorized software, the OIT should consider giving users separate administrator accounts for these explicit purposes. Users could then use non-administrator accounts for their daily work. This would greatly minimize the risk of malware compromise.

Responsible Personnel:
Info
rmat
ion
Tech
nolo
gy
Are
aof
Con
cern
Unm
anag
edS
ys
tem
s
CERT | SOFTWARE ENGINEERING INSTITUTE | 103
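The separate-administrator-account countermeasure above is only effective if it is verified: daily-use accounts that still hold local administrator rights, and administrator accounts that no longer belong to anyone, both need to surface in an audit. The following is an added example, not USCIS or OIT code. It assumes a hypothetical policy in which separate administrator accounts carry an "adm-" prefix and must map to a user in the directory; the hosts, group names and accounts are constructed sample data.

```python
"""Audit local Administrators group membership for daily-use accounts.

Added example (not USCIS or OIT code). It assumes a hypothetical policy in
which separate administrator accounts are named with an "adm-" prefix and
must map to a user in the directory; the hosts, groups and accounts below
are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ADMIN_PREFIX = "adm-"  # assumed naming convention for separate admin accounts

# Principals allowed in the local Administrators group on every workstation
# (assumed for this example).
ALLOWED_PRINCIPALS = {
    "BUILTIN\\Administrator",
    "EXAMPLE\\Domain Admins",
    "EXAMPLE\\Workstation Admins",
}

# Constructed directory of regular (daily-use) accounts: account -> display name.
USER_DIRECTORY: Dict[str, str] = {
    "jdoe": "Jane Doe",
    "rsmith": "Ray Smith",
    "lchen": "Li Chen",
}

# Constructed inventory: host -> members of its local Administrators group.
INVENTORY: Dict[str, List[str]] = {
    "WS-0101": ["BUILTIN\\Administrator", "EXAMPLE\\Domain Admins", "EXAMPLE\\adm-jdoe"],
    "WS-0102": ["BUILTIN\\Administrator", "EXAMPLE\\rsmith", "EXAMPLE\\Domain Admins"],
    "WS-0103": ["BUILTIN\\Administrator", "EXAMPLE\\adm-ghost", "WS-0103\\helpdesk"],
}


@dataclass(frozen=True)
class Finding:
    host: str
    principal: str
    issue: str


def classify(principal: str) -> Optional[str]:
    """Return a policy issue for one group member, or None if it is acceptable."""
    if principal in ALLOWED_PRINCIPALS:
        return None
    _, _, name = principal.rpartition("\\")  # strip the DOMAIN\ or HOST\ prefix
    if name.startswith(ADMIN_PREFIX):
        owner = name[len(ADMIN_PREFIX):]
        if owner in USER_DIRECTORY:
            return None  # separate admin account tied to a known user: compliant
        return "orphaned separate admin account (no matching user in directory)"
    if name in USER_DIRECTORY:
        return "daily-use account holds local administrator rights"
    return "unrecognized principal in local Administrators group"


def audit(inventory: Dict[str, List[str]]) -> List[Finding]:
    """Run classify() over every host and collect the findings."""
    findings: List[Finding] = []
    for host, members in sorted(inventory.items()):
        for principal in members:
            issue = classify(principal)
            if issue is not None:
                findings.append(Finding(host, principal, issue))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per issue type, for a management-level view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.host}: {f.principal}: {f.issue}")
    print(summarize(audit(INVENTORY)))
```

On real hosts the INVENTORY dictionary would be fed from the local group membership collected by the endpoint management tooling; the classification logic stays the same. The orphaned-account check matters because a separate administrator account that outlives its owner is exactly the kind of credential a departed insider could still hold.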
Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, there have been USCIS employees with seniority or influence who are able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management make it difficult for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.
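The section asks for deviations from the approved configuration baseline to be detected automatically and logged for investigation rather than found by manual scans. The following is an added example, not USCIS, OIT or ePO code, of what that check looks like for the software side of a baseline: each host's installed software is compared against an approved list with minimum patched versions, and every unapproved, outdated or missing item becomes one log line. The baseline entries, host names and version numbers are constructed sample data.

```python
"""Detect deviations from an approved software configuration baseline.

Added example (not USCIS, OIT or ePO code). The baseline, hosts and
version numbers are constructed sample data; "min_version" models the
lowest patched version still on the approved software list.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'8.7.2' -> (8, 7, 2); a build tag after '-' is ignored."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


@dataclass(frozen=True)
class BaselineEntry:
    name: str
    min_version: str   # lowest approved (patched) version
    required: bool     # must be present on every host using this baseline


# Constructed baseline for one desktop image.
BASELINE: Dict[str, BaselineEntry] = {
    "OfficeSuite": BaselineEntry("OfficeSuite", "14.0.7", required=True),
    "AntiMalware": BaselineEntry("AntiMalware", "8.8.0", required=True),
    "PDFReader":   BaselineEntry("PDFReader", "9.4.1", required=False),
}

# Constructed host inventories: host -> {software: installed version}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "VSC-DESK-01": {"OfficeSuite": "14.0.7", "AntiMalware": "8.8.0", "PDFReader": "9.4.1"},
    "VSC-DESK-02": {"OfficeSuite": "14.0.7", "AntiMalware": "8.7.2"},
    "VSC-DESK-03": {"OfficeSuite": "14.0.7", "AntiMalware": "8.8.0", "TeamChatX": "1.2.0"},
    "VSC-DESK-04": {"OfficeSuite": "14.0.7"},
}


@dataclass(frozen=True)
class Deviation:
    host: str
    software: str
    kind: str     # "unapproved", "outdated" or "missing"
    detail: str


def check_host(host: str, installed: Dict[str, str],
               baseline: Dict[str, BaselineEntry]) -> List[Deviation]:
    """Compare one host's installed software against the baseline."""
    devs: List[Deviation] = []
    for name, version in sorted(installed.items()):
        entry = baseline.get(name)
        if entry is None:
            devs.append(Deviation(host, name, "unapproved",
                                  f"installed {version}, not on approved software list"))
        elif parse_version(version) < parse_version(entry.min_version):
            devs.append(Deviation(host, name, "outdated",
                                  f"installed {version}, minimum approved {entry.min_version}"))
    for name, entry in sorted(baseline.items()):
        if entry.required and name not in installed:
            devs.append(Deviation(host, name, "missing", "required by baseline but absent"))
    return devs


def check_all(inventory: Dict[str, Dict[str, str]],
              baseline: Dict[str, BaselineEntry]) -> List[Deviation]:
    """Check every host; results are ordered by host name, then software name."""
    return [d for host, inst in sorted(inventory.items())
            for d in check_host(host, inst, baseline)]


def log_line(dev: Deviation) -> str:
    """One key=value line per deviation, so it can be forwarded to a SIEM and investigated."""
    return (f'CONFIG_DEVIATION host={dev.host} software={dev.software} '
            f'kind={dev.kind} detail="{dev.detail}"')


if __name__ == "__main__":
    for dev in check_all(INVENTORY, BASELINE):
        print(log_line(dev))
```

The "missing" case is included deliberately: a required security agent that has been removed from a host is as much a baseline deviation as an unapproved package that has been added, and it is the kind of change an investigator would want to see logged with the host and time rather than discovered during a later manual scan.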
Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: The OIT has a configuration management policy for software configuration baselines. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts.
Policy or Practice Gaps: Despite rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process.
Suggested Countermeasures: Seventeen cases documented in the CERT Insider Threat Case database involve users exploiting the lack or weakness of a configuration management system to carry out their attacks. The OIT could leverage the existing ePO deployment to complement its configuration management efforts. ePO can define a baseline for software applications and alert on any deviations from that baseline.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: In some cases individuals with seniority or influence are able to use administrator privileges to install software for the sake of convenience.
Suggested Countermeasures: USCIS should ensure that configuration policy is consistently communicated and enforced throughout the organization. Even senior leadership should not be able to casually circumvent these policies without going through the proper channels as defined by the configuration management policy.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: Service Centers are responsible for locking down desktops to prevent unauthorized software from running.
Policy or Practice Gaps: The lockdown process relies on human intervention. If call volume to the Service Center is heavy, this may increase response time to an unacceptable level.
Suggested Countermeasures: The OIT should explore ways to automate lockdown of potentially compromised systems. This would require a careful balance of service versus security. On the service side, delayed response by the Service Center may result in loss of productivity. On the security side, delayed response could lead to system compromise. Management should evaluate the risks of a compromise and weigh those risks against the potential consequences of service disruption.
Appendix H Acronyms

C3-LAN CLAIMS 3 – Local Area Network
CBP Customs and Border Protection
CI Counterintelligence
CIO Chief Information Officer
CLAIMS Computer Linked Application Information Management System
CMMI Capability Maturity Model Integration
COTR Contracting Officer's Technical Representative
CSC Computer Sciences Corporation
CSIRT Computer Security Incident Response Team
CSO Chief Security Officer
CMU Carnegie Mellon University
DBA Database Administrator
DHS Department of Homeland Security
DOJ Department of Justice
FBI Federal Bureau of Investigation
FDNS-DS Fraud Detection and National Security Data System
FISMA Federal Information Security Management Act
FSD Field Security Division
FSN Foreign Service National
GFE Government-furnished Equipment
HR Human Resources
HSPD-12 Homeland Security Presidential Directive 12
ICE Immigration and Customs Enforcement
ISSO Information System Security Officer
IT Information Technology
LER Labor and Employee Relations
LPO Local PICS Officer
NCR National Capital Region
NFTS National File Tracking System
ODBC Open Database Connectivity
OIG Office of Inspector General
OIT Office of Information Technology
OSI Office of Security and Integrity
PERSEC Personnel Security
PICS Password Issuance and Control System
PII Personally Identifiable Information
QA Quality Assurance
SEI Software Engineering Institute
SIEM Security Information and Event Management
SIR Significant Incident Report
SNOC Security Network Operations Center
TSA Transportation Security Administration
USB Universal Serial Bus
USCIS US Citizenship and Immigration Services
VIS Verification Information System

Appendix I Management Comments to the Draft Report

Appendix J Contributors to this Report

Software Engineering Institute, Carnegie Mellon University: Insider Threat Center at CERT

Department of Homeland Security Office of Inspector General: Richard Saunders, Director, Advanced Technology Division; Steve Matthews, IT Audit Manager, Advanced Technology Division; Philip Greene, IT Auditor/Team Lead, Advanced Technology Division

Appendix K Report Distribution

Department of Homeland Security
Secretary; Deputy Secretary; Chief of Staff; Deputy Chiefs of Staff; General Counsel; Executive Secretariat; Director, GAO/OIG Liaison Office; Assistant Secretary for Office of Policy; Assistant Secretary for Office of Public Affairs; Assistant Secretary for Office of Legislative Affairs; Chief Information Officer; Chief Information Security Officer; USCIS Chief Information Officer; USCIS Chief Information Security Officer; USCIS Audit Liaison Office

Office of Management and Budget
Chief, Homeland Security Branch; DHS OIG Budget Examiner

Congress
Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse, or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:
• Call our Hotline at 1-800-323-8603;
• Fax the complaint directly to us at (202) 254-4292;
• Email us at DHSOIGHOTLINE@dhs.gov; or
• Write to us at DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.
Recommendation 12 25
Recommendation 13 Reduce the number of privileged accounts for critical data systems 25
Recommendation 14 25
Recommendation 15 Implement procedural and technical controls to prevent source code under development from being released without appropriate review 25
Recommendation 16 26
Recommendation 17 26
Recommendation 18 Periodic security refresher training should be regularly conducted and required for all employees 26
Management Comments and OIG Analysis 27
Appendixes 28
Appendix A Organizational 30
Appendix B Human Resources 37
Appendix C Physical Security 42
Appendix D Business Processes 48
Appendix E Incident Response 62
Appendix F Software Engineering 69
Appendix G Information Technology 75
Appendix H Acronyms 107
Appendix I Management Comments to the Draft Report 109
Appendix J Contributors to this Report 110
Appendix K Report Distribution 111
Executive Summary

The US Department of Homeland Security Office of Inspector General engaged the Insider Threat Center at CERT of the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat assessment of US Citizenship and Immigration Services. The objective of the assessment was to determine how US Citizenship and Immigration Services has taken steps to protect its information technology systems and data from the threats posed by employees and contractors. The assessment evaluated US Citizenship and Immigration Services against approximately 400 real insider threat compromises documented in the CERT Insider Threat Case database. These cases, all prosecuted in the United States, include fraud, sabotage, and theft of intellectual property.

The assessment team performed fieldwork in the national capital region, Vermont Service Center, and US Citizenship and Immigration Services Burlington offices. Due to the limited scope of the assessment, systems reviewed, and locations visited, CERT was not able to verify the institutionalization and enforcement of any US Citizenship and Immigration Services' policies or render an overall opinion of the effectiveness of US Citizenship and Immigration Services insider threat posture. The Office of Inspector General did not request CERT to conduct a comprehensive information system's technical security controls review or vulnerability assessment to determine the susceptibility to internal threats. The Office of Inspector General may perform an in-depth follow-up review to render an overall opinion of the effectiveness of US Citizenship and Immigration Services insider threat posture.

US Citizenship and Immigration Services has made progress in implementing elements of an effective insider threat program. Specifically, it has established a Conviction Task Force to review former employees convicted of criminal misconduct within the scope of their duties, performs risk management for information technology and financial management, developed exit procedures for employees, improved protection of its facilities and assets, and adheres to formalized processes for some systems. In addition, it is implementing Homeland Security Presidential Directive 12 for physical and electronic account management.

While these efforts have resulted in some improvements, US Citizenship and Immigration Services has opportunities to improve its security posture against threats posed by employees and contractors. For example, it can institute an enterprise risk management plan and incorporate insider threat risk mitigation strategies into its new business processes. It can also centralize records of misconduct and violations, institute a logging strategy to preserve system activities, implement separation of duties for adjudicative decisions, conduct audits of non-US Citizenship and Immigration Services accounts, employ consistent policies for physical security, and consistently enforce employee exit procedures.

The assessment team is making 18 recommendations to the Director of US Citizenship and Immigration Services to strengthen the department's security posture against malicious insider threats. USCIS concurred with all of our recommendations and has already begun to take actions to implement them. The department's response is included in its entirety as appendix I.
Background

The US Department of Homeland Security (DHS) Office of Inspector General (DHS OIG) engaged the CERT program in the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat vulnerability assessment of US Citizenship and Immigration Services (USCIS). The project approaches the insider threat problem on two primary fronts:
• The human behavioral component
• The technological solution for automating prevention and detection capabilities to identify, measure, monitor, and control insider threat vectors

Insiders can be current or former employees, contractors, or business partners who have or had authorized access to their organization's system and networks. They are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate attacks and even collude with external attackers. CERT's research, conducted since 2001, has focused on gathering data about actual malicious insider acts, including information technology (IT) sabotage, fraud, theft of confidential or proprietary information, espionage, and potential threats to our Nation's critical infrastructures.

CERT developed an insider threat vulnerability assessment instrument for evaluating vulnerabilities to insider threat based on research to date. Because of the complexity of the insider threat problem—involving security officers, information technology, information security, management, data owners, software engineering, and human resources—organizations need assistance in merging the wealth of available guidance into a single actionable framework. CERT advises organizations to use this assessment instrument to help safeguard their critical infrastructure.

CERT built the assessment based on research of approximately 400 insider threat cases in the CERT Insider Threat Case database.1 These cases are a collection of real insider threat compromises—primarily fraud, sabotage, and theft of intellectual property—that have been prosecuted in the United States. Starting in 2002, CERT collaborated with US Secret Service behavioral psychologists to collect approximately 150 actual insider threat cases that occurred in US critical infrastructure sectors between 1996 and 2002 and examined them from both a technical and a behavioral perspective. Since that original study, CERT has continued to add cases with funding from Carnegie Mellon's CyLab,2 bringing the case library to a total of approximately 400 cases. The instrument encompasses technical, behavioral, process, and policy issues and is structured around information technology, information security, human resources, physical security, business processes, legal and contracting management, and organizational issues.

1 Note that the database does not contain national security espionage cases involving classified information.
2 http://www.cylab.cmu.edu
Objective

The objective of the insider threat vulnerability assessment was to determine how USCIS has taken steps to protect its IT systems and data from the threat posed by employees and contractors. This assessment was based on behavioral as well as technical experience, and it is intended to assist USCIS in safeguarding its critical infrastructure. The assessment will
• Enable USCIS to gain a better understanding of its vulnerability to insider threat and provide an ability to identify and manage associated risks
• Identify technical, organizational, personnel, business, security, and process issues into a single actionable framework
• Identify short-term countermeasures against insider threats
• Help guide USCIS in its ongoing risk management process for implementing long-term strategic countermeasures against insider threats

Scope

USCIS employs approximately 18,000 government employees and contractors located at 250 offices throughout the world.3 The insider threat vulnerability assessment is intended to focus on critical systems and high-risk areas of concern that can be assessed in a 3 to 5 day time frame. Therefore, at a pre-assessment walkthrough meeting, USCIS staff identified 3 systems of the 96 systems used by the agency as critical to its overall mission:
• Verification Information System (VIS)—this public-facing system is composed of five different applications. The purpose of the system is to provide—
  o Immigration status information to government benefit-granting organizations to help them determine the eligibility of aliens who apply for benefits
  o A means for private employers to perform employment eligibility verification of newly hired employees
• Computer Linked Application Information Management System (CLAIMS)—This system provides the following functions:
  o CLAIMS 3 Local Area Network (C3-LAN) was originally developed to track the receipting of applicant or petitioner remittances and to produce notices documenting the remittance. C3-LAN now includes adjudication, archive, card production, case history, case transfer, on-demand reports, electronic file tracking, image capture, production statistics, status update, and electronic ingest of application data captured through the E-Filing web application and the Department of Treasury-sponsored lockbox operations.
  o C3 mainframe supports processing of USCIS applications and petitions for various immigrant benefits (e.g., change of status, employment authorization, and extension of stay).
• Fraud Detection and National Security Data System (FDNS-DS)—This system was developed to identify threats to national security, combat benefit fraud, and locate and remove vulnerabilities that compromise the integrity of the legal immigration system.

3 http://www.uscis.gov/portal/site/uscis/menuitem.eb1d4c2a3e5b9ac89243c6a7543f6d1a/?vgnextoid=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD&vgnextchannel=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD

It is important to note that the insider threat vulnerability assessment is limited to areas of concern observed in the hundreds of cases in the CERT Insider Threat database. People, technology, and organizations are constantly changing, and malicious insiders continue to come up with new avenues of attack in order to defeat a previously effective countermeasure. However, many of the countermeasures suggested in this report are applicable to a multitude of attack vectors.

It is also important to note that CERT's insider threat research has only explored intentional insider crimes. Accidental data leakage is an area of significant concern for organizations; however, CERT has not yet explored that aspect of insider threat. In addition, the focus of the research to date is to describe how the insider threat problem evolves over time. CERT's long-term research does include measuring the effectiveness of mitigation strategies.
Assessment Process Methodology

An entrance conference was conducted by the DHS OIG, CERT, and USCIS on February 23, 2010. The entrance conference introduced USCIS to the CERT assessment team. Following the entrance conference, a pre-assessment walkthrough was held at USCIS headquarters on March 10, 2010. At that meeting, the CERT assessment team and the DHS OIG team explained the assessment process to representatives of USCIS. USCIS provided some documentation to the assessment team at that time and more documents throughout the assessment; those documents were reviewed to provide substantiation for findings in this report.

USCIS identified 96 systems it uses. Following the initial meeting, USCIS leadership and the assessment team chose the VIS, CLAIMS, and FDNS-DS systems because they were critical to the overall mission of USCIS. These three systems were the focus of the 5-day onsite assessment.

At the pre-assessment walkthrough, USCIS indicated that it had created a Convictions Task Force to review the activities of 10 former employees convicted of criminal misconduct within the scope of their official duties. The purpose of the task force is to identify issues these employees exploited to commit their crimes. The task force intended to develop findings and recommendations aimed at preventing similar crimes in the future. It graciously extended an invitation to the CERT and DHS OIG teams to participate. As a result, the teams observed or reviewed transcripts of all telephone conferences conducted by the task force. These findings are reflected in this report.

The CERT insider threat team and the DHS OIG liaison were on site at various USCIS locations in the national capital region (NCR) from March 30 through April 1, 2010.

The DHS OIG liaisons were present at all interviews. The DHS OIG attended these interviews as an observer and assisted CERT as needed.

Face-to-face interviews were conducted with approximately 58 representatives in the NCR, followed by 32 representatives in the Vermont Service Center and USCIS Burlington offices. In addition, telephone conferences were held with staff from the Office of Security and Integrity (OSI) Investigations Division and the Security Network Operations Center (SNOC). Interviewees represented the following areas:
• Data Owners (VIS, CLAIMS, and FDNS-DS)
• Computer Sciences Corporation (CSC) (software engineering and operational support for VIS, CLAIMS, and FDNS-DS)
• OSI (Physical Security, Regional Security, Investigations, Personnel Security, Counterintelligence)
• Human Capital and Training (Training, Human Resources Operations Center, Labor Employee Relations)
• Office of Information Technology (OIT) (IT Security, Computer Security Incident Response Team, Security and Network Operations Center, Account Management, Enterprise Operations)
• Legal (Procurement Law)
• Vermont Service Center (adjudicators, data entry clerks, supervisor, directors, OIT software engineering)

All interviews were considered confidential; no record of participating employees is included in this report or in subsequent briefings. Findings are attributed only to a group or department interviewed, a document, the Convictions Task Force telephone conferences, or direct observation.
CERT | SOFTWARE ENGINEERING INSTITUTE | 7
AcriticalissueforUSCISisensuringthattheentireorganizationisriskawareandimple mentingaformalriskmanagementprocesstoaddressriskconsistentlyandcontinually acrosstheenterpriseTheredoesnotappeartobeaconsistentunderstandingofthebroad spectrumofrisksfacingUSCISTheassessmentteamwastoldthereisnoenterprisewide riskmanagementprogramatUSCISOITperformsriskmanagementforInformationTech nology(IT)andFinancialManagementperformsriskmanagementforfinancialmattersbut noonewasawareofanyenterprisewideeffortsInadditioneachfieldofficeandservice centerappearstooperatefairlyindependentlyItisimportantforthoseorganizationsto worktogethertoidentifyprioritizeandaddressriskOngoingcommunicationbetweenall componentsofUSCISwillhelpensurethatnewthreatsattackvectorsandcountermea suresarecommunicatedandhandledeffectivelybyall
InadditionUSCISemployeesandcontractorsholdthekeystooneoftheworldrsquosmostcov etedkingdomsmdashUScitizenshipThismakesemployeesandcontractorsattractivetargets forrecruitmentBecauseofthesensitivenatureofUSCISmissionsomeofitsemployees andcontractorshavebeentargetsforrecruitmentfortheftorunauthorizedmodificationof USCISdataAllemployeesshouldbeawareoftheconsequencesofparticipatinginfraud againstUSCISTheyshouldalsobeinstructedonhowtoreportsolicitationsmadetocom mitfraud
Transformation
TransformationisalargebusinessprocessreengineeringeffortinUSCISprimarilyfocused onimprovedcustomerserviceworkflowautomationfrauddetectionandnationalsecurity issuesUSCISisrelyingheavilyonTransformationtocorrectmanyoftheproblemsresulting fromlegacysystemsThisrelianceonasingleeffortmakesitseffectivenessveryimportant TheteamfoundtheTransformationefforttobeamassiveundertakingthatappearstobe implementingaverydetailedprojectplan
Basedontheteamrsquosreviewoftherequirementsforfrauddetectionandnationalsecurity issuesitappearstherearenorequirementstoaddressinsiderthreatsTheassessment teamreviewedfivecomprehensiveTransformationdocumentsaspartofthisassessment ThedocumentsdescribesystemrequirementsindetailFrauddetectionreferstodetection offraudperpetratedbyapplicantsandpetitionersnationalsecurityissuesfocusonthe handlingofinvestigationswithinUSCISthatinvolvenationalsecurityissues
Againanenterpriseriskmanagementapproachshouldbeconsideredwhendefiningre quirementsforTransformationInsidersatUSCIShaveperpetratedfraudinthepastasevi dencedbytheConvictionsTaskForceInadditionUSCISinsidersarecapableofgranting legalresidencyorcitizenshipstatustosomeonewhoposesanationalsecurityrisktothe UnitedStates
CERT | SOFTWARE ENGINEERING INSTITUTE | 8
TrainingandAwareness
Itisessentialthatsecurityawarenesstrainingisconsistentlyprovidedtoallemployeesto ensuresecuritypoliciesandpracticesareinstitutionalizedthroughoutanorganization Manytimescoworkersandsupervisorsarethefirstpeopletoobserveconcerningbehavior exhibitedbymaliciousinsidersFailuretoreportconcerningbehaviorbycoworkersoroth ersinanorganizationwasaprimaryreasoninsidersintheCERTInsiderThreatCasedata basecontinuedtosetuporcarryouttheirattacks
USCISshouldcontinuetoprovidesecurityawarenesstrainingtoallemployeesandcontrac torsacrosstheglobeThistrainingshouldbeconsistentlyappliedtoeachsitewithaconsis tentmessageofsecurityofUSCISpeoplesystemsanddataItisimperativethatallUSCIS employeesberesponsibleforachievingthemissionofUSCISandprotectingthecriticalas setstothehighestextentpossible
HumanResources
Anorganizationrsquosapproachtoreducinginsiderthreatshouldfocusonproactivelymanaging employeeissuesandbehaviorsThisconceptbeginswitheffectivehiringprocessesand backgroundinvestigationstoscreenpotentialcandidatesOrganizationsshouldalsotrain supervisorstomonitorandrespondtobehaviorsofconcernexhibitedbycurrentemploy eesSomecasesfromtheCERTInsiderThreatdatabaserevealedthatsuspiciousactivity wasnoticedintheworkplacebutnotacteduponOrganizationsmustestablishawell organizedandprofessionalmethodforhandlingnegativeemploymentissuesandensuring thathumanresourcepolicyviolationsareaddressed
Organizationalissuesrelatedtofunctionssharedbyhumanresources(HR)andsecurityper sonnelareattheheartofinsiderriskmanagementEmployeescreeningandselectionis vitaltopreventingcandidateswithknownbehavioralriskfactorsfromenteringtheorgani zationoriftheydoensuringthattheserisksareunderstoodandmonitoredClearpolicy guidelinesaddressingbothpermittedandprohibitedemployeebehaviorarevitaltorisk detectionandmonitoringClearrequirementsforensuringemployeesrsquoknowledgeofthese guidelinesarealsoessentialtotheirsuccessInadditionreportsofpolicyquestionsand violationsneedtobesystematicallyrecordedsothatmanagementHRandsecurityper sonnelcanapproachcasedecisionswithcompletebackgroundinformation
Analysisofthesereportsacrossindividualsanddepartmentscansupplyvitalknowledgeof problemareasbeyondindividualcasesRelationshipsinwhichHRsecurityandmanage mentpersonnelcollaborateaseducatorsandconsultantsarevitaltoearlydetectionand effectivemanagementofemployeesposinganinsiderriskTheneedforclearpolicies
CERT | SOFTWARE ENGINEERING INSTITUTE | 9
completepersonnelriskdataandclosemanagementHRsecuritycollaborationisrarely greaterthanwhenhandlingemployeeterminationissueswhethervoluntaryorinvoluntary
ScreeningandHiringPractices
SeveralpersonnelscreeningandhiringpracticesposearisktoUSCISsystemsanddata
USCISdoesnothaveaconsistentprocedurefordecidingwhethertoconductafacetoface interviewpriortohiringanapplicantbeingscreenedforgovernmentemploymentThere wasanimpressionatUSCISheadquartersthatnearly100ofthoseemployeeshiredby managersareinterviewedbutrepresentativesinBurlingtonVermonttoldusotherwise Thisgapbetweenperceptionandreality(thereisnotapolicystatingthatthismustbedone) isaconcernUSCISshouldrequireinterviewsforallpositionsTheinterviewsneedtobe conductedbysomeoneinvolvedinthedaytodaysupervisionofthepositiontobefilled
Ifapersonalissue(egsubstanceabuserelativelylargefinancialindebtedness)arisesdur ingPersonnelSecurityrsquos(PERSECrsquos)screeningPERSECmayissuealetterofadvisementto thecandidateandclearthatpersonforhirePERSECishesitanttosharenegativeinforma tionaboutapplicantswithUSCISbecauseofprivacyconcernsBecauseoftheseconcernsa managermaynotknowthatsomeoneiscomingintoapositionwithahistoryofalcohol andordrugabusefinancialindebtednessetcTheprivacywallbetweenPERSECandfield personnelconcernedwithhiringistroublingItisdifficultforPERSECrepresentativestoin dicatetheirconcernsaboutpotentialhiresiftheyhaveriskfactorsthatdonotcrossadjudi cationguidelinesfordisqualification
ForeignServiceNational(FSN)employeeswhoworkatUSembassiesandconsulates abroadhaveaccesstoUSCIScriticalsystemsanddatainsomecasesInordertobehired andgrantedaccesstoanyofthosesystemsFSNsarevettedbytheUSDepartmentof StateAlthoughtheaccesstoUSCISsystemsmustbeapprovedbythechiefsecurityofficer (CSO)andchiefinformationofficer(CIO)forDHSUSCIShasverylittlevisibilityintothe screeningprocessforFSNs
ExitProcedures
Exitprocedurestypicallydetailthestepsthatmustbetakenwhenanemployeeretiresre signsorisfiredtransferredorputonaleaveofabsenceTheseproceduresforUSCIShave beenrecentlydevelopedandinsomecasesarestillunderdevelopmentUSCISexpectsto releasemoreformalizedproceduresinthenext3monthsbutthereisnotacommonun derstandingoftheproperproceduresItappearstheresponsibilityforensuringthatem ployeesandcontractorsareproperlyterminatedrestssolelywiththemanagerorContract ingOfficerrsquosTechnicalRepresentative(COTR)Italsoappearsdifferentmanagersfollow
CERT | SOFTWARE ENGINEERING INSTITUTE | 10
differentprocedurestoensurethataccessisdisabledandequipmentisreturnedasem ployeesandcontractorsleaveUSCISThisgapmaymanifestitselfintheinconsistentcollec tionofbadgeslaptopsmobiledevicesandotherUSCISequipmentandimproperdisabling orterminationofaccess
PhysicalSecurity
SomeinsidersdocumentedintheCERTInsiderThreatCasedatabaseexploitedphysicalse curityvulnerabilitiesSomewereabletogainaccesstoorganizationfacilitiesoutsideof normalworkinghourstostealcontrolledinformationortoexactrevengeontheorganiza tionbysabotagingcriticaloperationsPhysicalsecuritycanprovideanotherlayerofdefense againstterminatedinsiderswhowishtoregainphysicalaccesstoattackJustaswithelec tronicsecurityhoweverformeremployeeshavebeensuccessfulinworkingaroundtheir organizationrsquosphysicalsecuritymeasuresItisimportantfororganizationstomanage physicalsecurityforfulltimeparttimeandtemporaryemployeescontractorsandcon tractlaborers
USCISPhysicalSecurityhasmadesignificantprogressprotectingUSCISfacilitiesandassetsin theNCRsinceJanuary2008whenitstoodupanewphysicalsecurityprogramAlthough physicalsecurityintheNCRisconsistentlydirectedandenforcedbyPhysicalSecurityeach fieldofficesetsitsownpoliciesandaccesscontrols
Finally, issues concerning the security of applicants' physical case files should be considered by USCIS as part of its risk management strategy.
Controlling and Monitoring Proper Access Authorization
USCIS handles the physical security and access authorization of facilities differently depending on where the facility is located. The physical security of NCR facilities is handled by one group of USCIS personnel, but the physical security of field offices falls under the Field Security Division (FSD). In some cases a physical security representative is not located in a field office at all. When this is the case, the responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner.
In 10 cases documented in the CERT Insider Threat Case database, the insider was able to commit a crime following termination because of failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities.
Security of Physical Case Files
At the Vermont Service Center the assessment team observed physical case files of benefit applicants stacked in crates in the hallways. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their offices or desks. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they may leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Thirteen insiders documented in the CERT database stole physical property belonging to their organization.
Business Processes
A variety of cases from the CERT Insider Threat Case database document insider attacks in which gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environment is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.
Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crimes. Most of these insiders committed their crimes for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE Password Issuance and Control System (PICS) for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.
Verification Information System
The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.
Modifications by VIS users to critical data are logged.
CLAIMS 3 LAN
Currently all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other "sister" USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it.
FDNS-DS
Incident Response
Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.
Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require nonsupervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.
Incident Management
USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Consequently, any effort to coordinate a proactive program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.
Software Engineering
Code Reviews
Some USCIS systems adhere to a formalized process of software engineering, using contractors with a specified level of process maturity (i.e., capability maturity model integration (CMMI) level 3).
There was even a documented case in which source code contained something inappropriate and was only discovered after the code was turned over from one contractor to another.
Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.
Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial.
Information Technology
Account Management
Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise, to include contractors, subcontractors, and vendors who have access to the organization's information systems and/or networks.
In some areas computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.
Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.
Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore
Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR.
The application of account management practices under the control of USCIS is inconsistent. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
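As an added example (not code from the CERT report or any USCIS system), the following Python script performs the kind of account reconciliation the findings above call for: it cross-checks an HR roster against account lists fed by several administrator populations and flags accounts still enabled after the owner's separation, accounts whose owner is unknown to HR, accounts with no authorization record, and FSN accounts that lack a distinguishing naming marker. All record layouts, names, systems and the "fsn-" prefix are constructed assumptions.

```python
"""Account reconciliation across HR and account-administration sources.

Added example, not code from the CERT/USCIS report. Record layouts, names and the
"fsn-" naming marker are constructed assumptions standing in for real feeds such as
an HR roster, PICS-granted accounts and Department of State-issued FSN accounts."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

FSN_PREFIX = "fsn-"          # hypothetical convention to tell FSN accounts apart
AS_OF = date(2010, 11, 15)   # audit date for the constructed sample below


@dataclass(frozen=True)
class Person:
    person_id: str
    category: str                 # "federal", "contractor" or "fsn"
    separated_on: Optional[date]  # None while the person is still on board


@dataclass(frozen=True)
class Account:
    username: str
    person_id: str                    # who the account is recorded as belonging to
    system: str
    enabled: bool
    granted_by: str                   # administrator population that created it
    authorization_ref: Optional[str]  # paperwork/ticket reference, None if absent


@dataclass(frozen=True)
class Finding:
    username: str
    system: str
    issue: str


def audit_accounts(people: Iterable[Person], accounts: Iterable[Account],
                   as_of: date) -> List[Finding]:
    """Return one Finding per gap, in account-list order."""
    roster = {p.person_id: p for p in people}
    findings: List[Finding] = []
    for acct in accounts:
        owner = roster.get(acct.person_id)
        if owner is None:
            # Nobody on the roster owns it: a legacy or unaccounted-for account.
            findings.append(Finding(acct.username, acct.system, "owner not on HR roster"))
            continue
        if acct.enabled and owner.separated_on is not None and owner.separated_on <= as_of:
            days = (as_of - owner.separated_on).days
            findings.append(Finding(acct.username, acct.system,
                                    f"enabled {days} days after separation"))
        if acct.authorization_ref is None:
            findings.append(Finding(acct.username, acct.system, "no authorization record"))
        if owner.category == "fsn" and not acct.username.startswith(FSN_PREFIX):
            findings.append(Finding(acct.username, acct.system,
                                    "FSN account without FSN naming marker"))
    return findings


def sample_findings() -> List[Finding]:
    """Run the audit over a small constructed data set."""
    people = [
        Person("P001", "federal", None),
        Person("P002", "contractor", date(2010, 9, 30)),   # left six weeks before AS_OF
        Person("P003", "fsn", None),
    ]
    accounts = [
        Account("jdoe", "P001", "CLAIMS 3", True, "OIT", "REQ-101"),
        Account("contractor2", "P002", "VIS", True, "LPO", "REQ-102"),
        Account("kdoe", "P003", "CLAIMS 3", True, "DOS", None),
        Account("fsn-mroe", "P003", "FDNS-DS", True, "DOS", "REQ-103"),
        Account("legacy7", "P999", "VIS", True, "LPO", None),
    ]
    return audit_accounts(people, accounts, AS_OF)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.username:<12} {f.system:<9} {f.issue}")
```

On the constructed sample the audit reports four gaps: the contractor account still enabled 46 days after separation, the FSN account with no authorization record and no naming marker, and the orphan account with no owner on the roster.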
Access Control
An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.
Given the distributed nature of access authorization via PICS, ICE, and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas, have not been through the rigorous pre-employment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.
Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.
Protection of Controlled Information
Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.
USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information
Logging, Auditing, Monitoring
Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.
The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.
Technical Security Vulnerabilities
Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.
There is a primary concern in this area at USCIS. USCIS should consider the frequency with which it scans its systems for technical security vulnerabilities.
There is also another concern in this area at USCIS.
Configuration Management
Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.
The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy
Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.
Recommendations
The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.
Recommendation 1: Institute an enterprise risk management plan
USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.
Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort
Transformation is a large business process reengineering effort in USCIS, primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.
Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats
USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identi
stores physical files for benefit applicants in the Vermont Service Center with no physical protection beyond the exterior building and guard controls. USCIS should evaluate current physical access procedures to determine if they adequately address risk and if they are enforced consistently across the enterprise.
Recommendation 8: Consistently enforce exit procedures
Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager and COTR. It also appears that different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access. USCIS should adopt an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.
Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs
Changes should be made to the USCIS hiring processes for select high-risk positions. For example, USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.
Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion
USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.
Recommendation 11: Enforce a requirement for individual accounts on critical systems
In some cases USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing of accounts more difficult.
Recommendation 12
Recommendation 13: Reduce the number of privileged accounts for critical data systems
Some data systems, including FDNS-DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.
Recommendation 14
Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review
USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed.
Recommendation 16
Recommendation 17
Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees
USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.
Management Comments and OIG Analysis
We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments in its entirety in appendix I.
USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS corrective action plans.
Appendixes
The following pages contain appendixes A through G, which contain a complete, detailed list of findings from the assessment.
The appendixes are organized into the following sections:
Appendix A: Organizational
Appendix B: Human Resources
Appendix C: Physical Security
Appendix D: Business Process
Appendix E: Incident Response
Appendix F: Software Engineering
Appendix G: Information Technology
Appendix H: Acronyms
Appendix I: Management Comments to the Draft Report
Appendix J: Contributors to this Report
Appendix K: Report Distribution
Each section in appendixes A through G contains a brief introduction, summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:
Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures
Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern specific to USCIS obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.
It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization's mission from both external and internal threats.
Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.
The results of this insider threat vulnerability assessment should be used to develop or refine the organization's overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.
Many of the findings in this report include the relative frequency of the issue raised in the CERT Insider Threat Case database. At the time this report was written, there were 386 cases of malicious insider activity against which the suggested countermeasure percentage is calculated. So if a particular activity was seen in 38 of our cases, we may indicate that it was seen in 10% of the cases in the Insider Threat Case database.
Appendix A: Organizational
Risk Management
Communication
Security Process Improvement

USCIS is in a difficult position. Part of its mission is to provide customer service to those seeking immigration and citizenship benefits from the US Government. However, it is challenging to optimize business processes for customer service while at the same time implementing protective measures to counter the risk posed by granting those very benefits. Many USCIS employees interviewed for this assessment identified the organization's primary risk as allowing the next terrorist to live and work legally in the United States. They desire help in identifying and implementing internal controls to counter that risk. Some of the interviewees, however (even some of the ISSOs and data owners), focused on leakage of PII as their primary concern. After delving into the matter with the assessment team, they came to understand the risk posed by exposure or misuse of critical data as the greatest risk faced by USCIS, primarily because such a security breach could result in allowing a terrorist into the country.

A critical issue for USCIS is ensuring the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: US citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Area of Concern: Enterprise Risk Management
Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Individual organizations within USCIS do risk management related to their particular domain. For instance, IT does risk management from an IT perspective, and the Financial Management does financial risk management.
Policy or Practice Gaps: USCIS personnel stated there is no enterprise risk management process for analyzing the organization's overall risk. In interviews, some USCIS staff, including some ISSOs, data owners, and OIT staff, seemed to view loss of PII as the most important insider threat risk. All of the assessment questions were answered in the context of loss of PII. When we asked specifically what they see as the biggest insider threat risk, everyone seemed to agree it is creation of real citizenship documents for people who should not have them. In fact, interviewees at the Vermont Service Center categorized the functions characterized by the highest risk as follows: 1) Unlawful alien in the United States granted nonimmigrant status. 2) Someone with nonimmigrant status granted permanent residency, which means he or she can live and work indefinitely in the United States
Suggested Countermeasures: We suggest that USCIS institute an enterprise risk management program. Without a common vision for risk management, the ISSOs and all organizations within USCIS cannot effectively understand the risk environment and work together to effectively mitigate risk. Again, an enterprise risk management program will ensure that everyone across USCIS is working together to mitigate the highest priority risks. There are regulations and laws surrounding protection of PII, but focusing primarily on that issue can lead to a false sense of security if other, more important risk areas are given less attention.

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Policy or Practice Gaps (continued): and also can petition for relatives. The Vermont Service Center is implementing separation of duties for performing functions 1 and 2 above (granting nonimmigrant status and moving someone from nonimmigrant status to permanent residency) so that one USCIS adjudicator alone cannot take an applicant from unlawful to permanent resident. These two functions will be performed at different physical locations 29 miles apart. The Vermont Service Center has not had an adjudicator who performed both functions 1 and 2 for the same applicant. This decision demonstrates that leadership at the Vermont Service Center recognizes the significant risk of creating legal citizenship documents for illegal aliens and is taking steps to mitigate that risk. However, our insider threat assessment has uncovered other issues that could be addressed to mitigate that risk. Again, a formal risk analysis would enable U
SCIS
to
thor
ough
lye
xam
ine
the
issu
es
and
prio
ritiz
eco
unte
rmea
sure
sus
ing
afo
rmal
pro
cess
Fo
rex
am
ple
an
alte
rnat
ive
toth
eph
ysic
alm
ove
coul
dbe
toim
pl
emen
tan
audi
tmec
hani
smto
lo
okfo
rad
judi
cato
rsw
hop
er
form
edb
oth
func
tions
1
and
2
for
the
sam
eap
plic
ant
Ente
rpri
seW
ide
Com
mun
icat
ion
USC
ISL
eade
rshi
p
No
evid
ence
pro
vide
d
Ther
eis
no
cons
iste
ncy
ofc
ontr
ols
from
one
ser
vice
cen
ter
toth
ene
xt
We
wer
eto
ldth
eye
ach
oper
ate
fair
ly
inde
pend
ently
USC
ISw
ould
ben
efit
from
ong
oin
gco
mm
unic
atio
nsa
bout
ris
kba
sed
issu
esb
etw
een
the
ser
vice
cen
ters
Fo
rin
stan
ce
com
mun
icat
ions
con
cern
ing
prob
lem
se
ffec
tive
coun
ter
mea
sure
sm
odifi
catio
nsto
CERT | SOFTWARE ENGINEERING INSTITUTE | 32
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sbu
sine
ssp
roce
sses
or
idea
sfo
rco
unte
ring
incr
ease
dri
skc
ould
le
adto
an
impr
oved
ris
kpo
stur
efo
rth
een
tire
USC
ISe
nter
pris
e
Cont
inua
lSec
urit
yPr
oces
sIm
prov
em
ent
USC
ISL
eade
rshi
p IS
SOs
Dat
aO
wne
rs
Info
rmat
ion
Tech
nolo
gy
The
USC
ISC
onvi
ctio
nsT
ask
Forc
eis
an
exc
elle
ntfo
rum
for
anal
yzin
gpa
st
crim
inal
cas
esa
ndd
eter
min
ing
mea
sure
sth
ats
houl
dbe
inst
itute
dto
pre
vent
sim
ilar
crim
esin
the
fu
ture
Ther
eis
no
proc
ess
for
follo
win
gup
on
ac
ase
afte
rthe
Off
ice
ofS
peci
al
Inve
stig
atio
n(O
SI)f
inis
hes
anin
vest
iga
tion
Th
eCo
nvic
tions
Tas
kFo
rce
isth
eon
ly
proc
ess
we
foun
dfo
rfor
mal
trac
king
an
alys
isa
ndp
roce
ssim
prov
emen
tba
sed
ona
ctua
linc
iden
ts
The
as
sess
men
ttea
ma
sked
var
ious
gro
ups
ifth
ere
isa
nyfo
llow
up
toin
cide
nts
fo
rin
stan
ceim
plem
entin
gau
tom
ated
sc
ript
sor
con
trol
sto
det
ectt
hes
ame
inci
dent
inth
efu
ture
Th
ete
amc
ould
no
tfin
da
sing
lep
erso
nw
hok
now
sof
su
cha
nac
tivity
Man
yex
ampl
eso
fem
ploy
eem
isco
ndu
ctc
ited
toth
eas
sess
men
ttea
m
coul
dea
sily
hav
ebe
end
etec
ted
or
even
pre
vent
edv
iaa
utom
ated
con
tr
ols
In
add
ition
the
reis
no
mec
hani
smfo
rco
mm
unic
atin
gis
sues
out
side
ofa
In
nea
rly2
5(9
1)o
fthe
cas
esin
th
eCE
RTIn
side
rTh
reat
Cas
eda
taba
set
hein
side
rw
asa
ble
to
carr
you
tthe
cri
me
beca
use
of
inad
equa
tea
uditi
ngo
fcri
tical
pr
oces
ses
in2
8of
thes
eca
ses
it
was
bec
ause
ofi
nade
quat
eau
ditin
gof
irre
gula
rpr
oces
ses
In
29
ofth
eca
ses
the
orga
niza
tio
nha
dre
peat
edin
cide
nts
ofa
si
mila
rna
ture
A
utom
ated
sc
ript
sar
ean
exc
elle
ntm
echa
ni
smfo
rde
tect
ing
susp
icio
us
tran
sact
ions
as
wel
las
hone
st
mis
take
sU
SCIS
sho
uld
cons
ider
a
form
alp
roce
ssfo
ran
alys
iso
fth
eO
SIrsquos
find
ings
and
the
deve
lop
men
tofa
utom
ated
che
cks
impl
emen
ted
natio
nally
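The audit mechanism suggested in the Enterprise Risk Management row (look for adjudicators who performed both functions 1 and 2 for the same applicant) and the automated checks suggested in the Continual Security Process Improvement row are the same kind of control: a script run over the transaction log. The following is an added example, not code from the report or from USCIS; the log format, the field names, the function codes and the sample records are all constructed for illustration. It generalizes the report's single case to any configured pair of conflicting functions and also reports adjudicators who appear in repeated violations, since a repeated pattern is a stronger signal than one slip in case assignment.

```python
"""Separation-of-duties audit over an adjudication action log.

Added example, not code from the report or from USCIS. The log format, the
field names, the function codes and the sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Function pairs that one person must not perform for the same applicant.
# GRANT_NONIMMIGRANT stands for function 1 (unlawful alien granted
# nonimmigrant status) and GRANT_PERMANENT_RESIDENCY for function 2
# (nonimmigrant granted permanent residency) from the report.
CONFLICTING_FUNCTIONS = {("GRANT_NONIMMIGRANT", "GRANT_PERMANENT_RESIDENCY")}

# Constructed sample log: timestamp,adjudicator,applicant,function
SAMPLE_LOG = """\
2010-09-01T10:12:00,adj_a,APP-1001,GRANT_NONIMMIGRANT
2010-09-03T14:30:00,adj_b,APP-1001,GRANT_PERMANENT_RESIDENCY
2010-09-05T09:05:00,adj_c,APP-1002,GRANT_NONIMMIGRANT
2010-10-20T11:45:00,adj_c,APP-1002,GRANT_PERMANENT_RESIDENCY
2010-10-21T08:00:00,adj_a,APP-1003,GRANT_NONIMMIGRANT
2010-11-02T16:20:00,adj_a,APP-1003,GRANT_PERMANENT_RESIDENCY
2010-11-03T13:10:00,adj_d,APP-1004,GRANT_PERMANENT_RESIDENCY
2010-11-04T09:40:00,adj_a,APP-1005,GRANT_NONIMMIGRANT
2010-11-30T15:00:00,adj_a,APP-1005,GRANT_PERMANENT_RESIDENCY
"""


@dataclass(frozen=True)
class Action:
    ts: str
    adjudicator: str
    applicant: str
    function: str


def parse_log(text):
    """Parse the constructed CSV log; blank lines and '#' comments are skipped."""
    actions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, adjudicator, applicant, function = line.split(",")
        actions.append(Action(ts, adjudicator, applicant, function))
    return actions


def find_sod_violations(actions, conflicts=CONFLICTING_FUNCTIONS):
    """Return sorted (adjudicator, applicant, function_a, function_b) tuples
    where one adjudicator performed both functions of a conflicting pair for
    the same applicant, however far apart in time the two actions were."""
    performed = defaultdict(set)  # (adjudicator, applicant) -> functions done
    for a in actions:
        performed[(a.adjudicator, a.applicant)].add(a.function)
    violations = []
    for (adj, app), funcs in performed.items():
        for fa, fb in conflicts:
            if fa in funcs and fb in funcs:
                violations.append((adj, app, fa, fb))
    return sorted(violations)


def repeat_offenders(violations, threshold=2):
    """Adjudicators appearing in at least `threshold` violations."""
    counts = defaultdict(int)
    for adj, _app, _fa, _fb in violations:
        counts[adj] += 1
    return sorted(adj for adj, n in counts.items() if n >= threshold)


def audit(text=SAMPLE_LOG):
    """Run the whole check and return (violations, repeat offenders)."""
    violations = find_sod_violations(parse_log(text))
    return violations, repeat_offenders(violations)


if __name__ == "__main__":
    found, repeated = audit()
    for adj, app, fa, fb in found:
        print(f"SoD violation: {adj} performed {fa} and {fb} for {app}")
    print("repeat offenders:", repeated)
```

On the constructed log, adj_b and adj_a handling APP-1001 between them is the intended split and produces nothing; adj_c (APP-1002) and adj_a (APP-1003 and APP-1005) are reported, and adj_a is listed as a repeat offender. Running a check like this nightly over the real transaction store gives the detective control the report proposes as an alternative to separating the two functions physically.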
Area of Concern: USCIS Employees are Potential Targets for Recruitment
Responsible Personnel: Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Some USCIS employees interviewed have received a request for assistance from a friend, relative, or stranger seeking to promote a case for some form of applicant. One adjudicator said he does not tell others who he works for. However, the distinctive green parking sticker on his car could, in a small town like Burlington, VT, reveal the identity of his employer. USCIS personnel are therefore unusually vulnerable to solicitation by outsiders.
Suggested Countermeasures: Twenty-nine percent of the insiders in the CERT Insider Threat Case database were recruited by outsiders to commit their crimes. USCIS should consider increasing the security awareness training provided to USCIS employees and contractors. The training should be continuous, including portions intended to raise awareness of the potential target that USCIS employees present. All employees should be aware of the consequences of participating in fraud against USCIS, as well as how to report solicitations made to commit fraud.

Area of Concern: Transformation
Responsible Personnel: USCIS Leadership, Data Owners, Information Technology, Human Resources
Policy and/or Security Measure: Transformation is a large business process reengineering effort in USCIS that is primarily focused on improved customer service and fraud detection. For example, the assessment team was told that Transformation will automatically validate data in CLAIMS against other external systems (e.g., ICE and FBI) and that security requirements and controls have been identified by current C3 LAN data owners.
Policy or Practice Gaps: Transformation was mentioned in most interviews for this assessment. It appears that USCIS is relying heavily upon Transformation to correct many of the problems resulting from legacy systems. However, it is unclear whether internal personnel security and information security concerns will be included in this program. This reliance on a single effort makes the effectiveness of this effort very important.
Suggested Countermeasures: USCIS should consider the Transformation project from an enterprise-wide perspective. It is important for it to use a formal requirements gathering process in order to effectively mitigate both internal and external threats. Reading the Transformation requirements documentation, it is not clear that insiders are considered in the security requirements for prevention and detection of fraud or national security in USCIS systems. Personnel security should be included as well as information security to ensure that the appropriate internal controls are in place to reduce the risk posed by malicious insiders.

Training and Awareness

It is essential that security awareness training be consistently provided to all employees to ensure that security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure by coworkers or others in an organization to report concerning behavior was a primary reason insiders in the CERT Insider Threat Case database were able to set up or carry out their attacks. USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Area of Concern: Training or Skills Required of Those in Appointed Security Roles
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: USCIS has a training process through an information systems security manager (ISSM). USCIS relies heavily on contractors to provide adequately trained staff.
Policy or Practice Gaps: Many ISSOs are not well versed in security. ISSOs are currently in an education process, but ISSOs are typically not security watchdogs.
Suggested Countermeasures: ISSOs must have proper training in order to keep up with the ever-changing information security environment and to be able to deal with the myriad technologies and tools available to them. Appropriate budget should be allocated for ISSO training, including vendor-specific training (e.g., McAfee and Cisco) and industry-specific training (e.g., SANS).

Appendix B: Human Resources

Employee Issues

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern by current employees. Some cases from the CERT Insider Threat Case database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations should establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by HR and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring, and clear requirements for ensuring employees' knowledge of these guidelines are essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information. Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

CERT suggests enhancements to the USCIS hiring and termination processes. For example, USCIS should consider additional screening for high-risk positions such as adjudicators. USCIS should also consider becoming more involved in vetting Foreign Service Nationals (FSN) prior to granting them access to USCIS critical systems and data. Finally, USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Area of Concern: Pre-Employment Screening
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: The employee screening process lacks any form of psychological screening for a range of positions, including adjudicators.
Suggested Countermeasures: Five percent (18) of the insiders in the CERT database had possible psychological issues. USCIS should consider including psychological testing as part of the new hire process for select positions, including adjudicators. Given the significant social pressures on adjudicators and the relative lack of monitoring for insider risk, it seems important to improve this aspect of screening.

Area of Concern: Pre-Employment Screening (continued)
Responsible Personnel: Human Resources
Policy and/or Security Measure: Applicants are assigned a rating by HR; the rating is used to rank applicants.
Policy or Practice Gaps: There is currently no audit log that would capture instances in which someone in HR changed a rating to enable someone to get hired more easily.
Suggested Countermeasures: USCIS should consider implementing an audit log to track the candidate ratings and alert when candidate ratings are changed by someone in HR.
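The countermeasure above asks for an audit log of candidate ratings that alerts on changes. The following is an added example of such a log, not code from the report or from any USCIS HR system; the rating scale, the field names, the actor ids and the sample events are constructed. Beyond the plain "alert on every change" the report asks for, the log chains each record to the previous one with a hash, so that a later edit or deletion of an exported record is detectable, and it singles out actors who raised ratings on several different candidates, which is the pattern that would let someone be hired more easily.

```python
"""Tamper-evident audit log for HR candidate ratings, with change alerts.

Added example, not code from the report or from USCIS HR systems. Field
names, the rating scale, actor ids and the sample events are constructed.
"""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64


def _digest(seq, ts, candidate, actor, old_rating, new_rating, prev_hash):
    """Hash of one event together with the previous event's hash (the chain link)."""
    payload = json.dumps([seq, ts, candidate, actor, old_rating, new_rating, prev_hash])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class RatingAuditLog:
    """Append-only record of every rating assignment and change."""

    def __init__(self):
        self._events = []   # dicts, in sequence order
        self._current = {}  # candidate -> latest rating

    def record(self, ts: str, candidate: str, actor: str, new_rating: int):
        old: Optional[int] = self._current.get(candidate)
        seq = len(self._events)
        prev = self._events[-1]["hash"] if self._events else GENESIS
        event = {
            "seq": seq, "ts": ts, "candidate": candidate, "actor": actor,
            "old_rating": old, "new_rating": new_rating, "prev_hash": prev,
        }
        event["hash"] = _digest(seq, ts, candidate, actor, old, new_rating, prev)
        self._events.append(event)
        self._current[candidate] = new_rating
        return event

    def export(self):
        """Copy of the events, e.g. for shipping to a central log store."""
        return [dict(e) for e in self._events]

    def alerts(self):
        """Every modification of an existing rating is reportable; an upgrade
        (rating raised) is the kind of change that could ease a hire."""
        return [
            {"seq": e["seq"], "candidate": e["candidate"], "actor": e["actor"],
             "old": e["old_rating"], "new": e["new_rating"],
             "upgrade": e["new_rating"] > e["old_rating"]}
            for e in self._events if e["old_rating"] is not None
        ]

    def actors_with_repeated_upgrades(self, min_upgrades=2):
        """Actors who raised ratings on at least `min_upgrades` different candidates."""
        upgraded = {}
        for a in self.alerts():
            if a["upgrade"]:
                upgraded.setdefault(a["actor"], set()).add(a["candidate"])
        return sorted(actor for actor, cands in upgraded.items() if len(cands) >= min_upgrades)


def verify_export(records):
    """Recompute the hash chain over exported records; any edit, reorder or
    deletion breaks the chain and the function returns False."""
    prev = GENESIS
    for i, e in enumerate(records):
        if e["seq"] != i or e["prev_hash"] != prev:
            return False
        expected = _digest(e["seq"], e["ts"], e["candidate"], e["actor"],
                           e["old_rating"], e["new_rating"], e["prev_hash"])
        if e["hash"] != expected:
            return False
        prev = e["hash"]
    return True


def build_sample_log():
    """Constructed sequence of rating events for demonstration."""
    log = RatingAuditLog()
    log.record("2010-08-02T09:00:00", "C-100", "hr_1", 72)
    log.record("2010-08-02T09:05:00", "C-101", "hr_1", 65)
    log.record("2010-08-04T16:40:00", "C-101", "hr_2", 88)  # raised by a different user
    log.record("2010-08-05T10:15:00", "C-102", "hr_2", 60)
    log.record("2010-08-05T17:55:00", "C-102", "hr_2", 90)  # raised again by hr_2
    log.record("2010-08-06T11:20:00", "C-100", "hr_3", 70)  # lowered: still reportable
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for a in log.alerts():
        print("ALERT rating changed:", a)
    print("actors with repeated upgrades:", log.actors_with_repeated_upgrades())
    print("chain intact:", verify_export(log.export()))
```

The hash chain only makes tampering detectable, not impossible: the exported records still have to be written somewhere the HR users who assign ratings cannot modify, which in practice means a log store owned by security rather than by the HR application.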
Area of Concern: Pre-Employment Screening (continued)
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire.
Policy or Practice Gaps: PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires who have risk factors that do not cross adjudication guidelines for disqualification.
Suggested Countermeasures: USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Area of Concern: Pre-Employment Screening (continued)
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: Each field office determines whether or not to meet an applicant face to face before hiring.
Policy or Practice Gaps: There was an impression at headquarters that nearly 100% of those hired by managers are interviewed, but representatives in Burlington, Vermont told us otherwise. This gap between perception (there is not a policy stating this must be done) and reality is of concern. There have been known instances in which applicants were only screened on paper or over the phone before being hired. Standard operating procedures are not followed at all field offices.
Suggested Countermeasures: USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

Area of Concern: Pre-Employment Screening (continued)
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: PERSEC vets federal employees and contractors (with a minimum background investigation). USCIS relies on the US Department of State to vet foreign national employees who work at embassies or consulates abroad. FSNs in some instances are granted accounts on USCIS information systems. If FSNs need access to DHS systems (including USCIS), currently this access must be approved by the CSO and CIO for DHS.
Policy or Practice Gaps: This practice was not always followed consistently in the past, so there may be FSNs who were granted access without all the current vetting and approvals.
Suggested Countermeasures: USCIS should consider becoming more involved in vetting of FSNs prior to granting them access to USCIS systems. In addition, USCIS should audit current FSNs with access to USCIS systems and ensure that appropriate vetting was performed.

Area of Concern: Candidate Certification Verification
Responsible Personnel: Human Resources
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: USCIS does not have a standard procedure for verifying the certifications of job applicants.
Suggested Countermeasures: USCIS should consider implementing a step in the new hire process to verify certifications of all candidates. A few insiders documented in the CERT Insider Threat Case database were able to obtain positions in organizations by providing falsified certifications.

Area of Concern: Employee and Contractor Termination
Responsible Personnel: USCIS Leadership, Human Resources
Policy and/or Security Measure: Exit procedures are recently developed and in some cases still under development (i.e., formal exit procedures are expected to be released in 3 months).
Policy or Practice Gaps: This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment.
Suggested Countermeasures: USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors. It appears the responsibility for ensuring that employees and contractors are terminated rests solely with the manager. It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS.

Area of Concern: Employee and Contractor Mandatory Drug Testing
Responsible Personnel: Human Resources
Policy and/or Security Measure: All federal positions are subject to drug testing, but only for new hires.
Policy or Practice Gaps: According to a USCIS Convictions Task Force investigation case, all contractor positions do not require drug testing.
Suggested Countermeasures: Fifteen insiders documented in the CERT Insider Threat Case database exhibited substance abuse. USCIS should consider implementing mandatory post-hire drug testing for all employees and contractors.

Appendix C: Physical Security

Field Offices
Access Following Termination
Security of Physical Case Files

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can also provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the national capital region (NCR) since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls. In addition, gaps in termination procedures have resulted in ongoing physical access following termination. Finally, issues concerning the security of physical case files should be considered as part of a USCIS risk management strategy.

Area of Concern: Physical Security of Field Offices
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: USCIS is in the process of putting a new access control system in place for the NCR. Before it does, it will disable access for anyone who has not used physical access in more than 12 months, as well as anyone no longer employed by USCIS. It also plans on examining all accounts that have not used physical access in more than 30 days. Security of field offices falls under the Field Security Division (FSD). The Office of Security and Integrity (OSI) recently developed an inspection workbook and is field testing it with FSD. USCIS Field Security Division is planning to put a security representative in every field office. It expects two to three times more reports of violations once it has a representative in every location.
Policy or Practice Gaps: Each USCIS facility has its own policies and access control systems. Some field offices within USCIS have access control systems, others do not. Not all offices in the field have electronic access controls – some only have locks and keys. Not every USCIS site has a physical security representative. Where no representative is present, this responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner. Some managers track who accesses what when and others do not. According to Physical Security in Vermont, only 20% of violations are being reported to security.
Suggested Countermeasures: Forty of the insiders documented in the CERT database took advantage of inadequate physical security to carry out their crimes. Electronic access controls provide logs that could be useful in investigations of illicit activity outside of normal working hours. USCIS should consider developing enterprise-wide physical security procedures, roll those out to each field office, and require a physical security representative at each site to ensure consistent enforcement of the policies. USCIS should consider prohibiting each field office from developing site-specific policies and removing enforcement control from each site. In 10 cases documented in the CERT Insider Threat Case database, the insider was able to attack following termination due to failure to notify security employees and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system.

Area of Concern: Physical Access Following Termination
Responsible Personnel: Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Security guards at site locations have on occasion ignored door-propped-open alarms because theft has traditionally been a very small problem at USCIS.
Suggested Countermeasures: Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities. USCIS should consider automating the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to physical security so physical access can be disabled. Consider consistent enforcement and investigation of USCIS physical security incidents. All alerts should be investigated and documented; if the alert is deemed unnecessary then it should be discontinued. All security violations should be tracked in a central repository so a complete history for each individual is available.

Area of Concern: No Two-Person Control
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: No evidence provided

Area of Concern: After Hours Access
Responsible Personnel: Physical Security
Policy and/or Security Measure: Authorized Access
Policy or Practice Gaps: Most access is 24 hours a day, 7 days a week –
Suggested Countermeasures: Twenty-nine of the insiders documented in the CERT database used physical access outside of normal working hours to attack. USCIS should consider implementing an access control system that grants access commensurate with the position an employee or contractor fills. If a position does not require access outside of normal working hours, the access control system should prohibit such access and log unsuccessful access attempts.
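The After Hours Access countermeasure (grant access commensurate with the position, deny it outside the position's hours, log the unsuccessful attempts) and the Physical Access Following Termination countermeasure (revoke access when a termination occurs) can be expressed as one decision function over badge events. The following is an added example, not code from the report or from any USCIS access control product; the positions, schedules, badge ids and events are constructed. Every denial carries a reason so it can be logged, and repeated denials for one badge are summarized, since several after-hours attempts minutes apart are worth an investigation.

```python
"""Position-based physical access decisions with logging of denied attempts.

Added example, not code from the report or from any USCIS access control
system. Positions, schedules, badge ids and the sample events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed schedules: weekdays (0 = Monday) and local hours during which a
# position may enter. None means the position requires 24x7 access.
POSITION_SCHEDULES = {
    "adjudicator": {"days": {0, 1, 2, 3, 4}, "start": time(6, 0), "end": time(19, 0)},
    "mail_clerk": {"days": {0, 1, 2, 3, 4}, "start": time(5, 0), "end": time(16, 0)},
    "security_officer": None,
}

# Constructed badge registry: badge -> (position, status). A termination
# flips the status; the badge stays in the registry so the attempt is logged
# with the right reason rather than as an unknown badge.
BADGES = {
    "B-1001": ("adjudicator", "active"),
    "B-1002": ("security_officer", "active"),
    "B-1003": ("mail_clerk", "active"),
    "B-1004": ("adjudicator", "terminated"),
}


@dataclass(frozen=True)
class Decision:
    badge: str
    when: datetime
    granted: bool
    reason: str


def within_schedule(schedule, when):
    if schedule is None:
        return True
    return when.weekday() in schedule["days"] and schedule["start"] <= when.time() < schedule["end"]


def evaluate(badge, when, badges=BADGES, schedules=POSITION_SCHEDULES):
    """Decide one entry request; every denial carries a loggable reason."""
    entry = badges.get(badge)
    if entry is None:
        return Decision(badge, when, False, "unknown badge")
    position, status = entry
    if status != "active":
        return Decision(badge, when, False, f"badge status {status}")
    if not within_schedule(schedules.get(position), when):
        return Decision(badge, when, False, f"outside schedule for {position}")
    return Decision(badge, when, True, "ok")


def process_events(events, badges=BADGES, schedules=POSITION_SCHEDULES):
    """Return (granted, denied) decision lists for (badge, iso_timestamp) pairs."""
    granted, denied = [], []
    for badge, ts in events:
        d = evaluate(badge, datetime.fromisoformat(ts), badges, schedules)
        (granted if d.granted else denied).append(d)
    return granted, denied


def repeated_denials(denied, min_count=2):
    """Badges denied at least `min_count` times; candidates for follow-up."""
    counts = {}
    for d in denied:
        counts[d.badge] = counts.get(d.badge, 0) + 1
    return sorted(b for b, n in counts.items() if n >= min_count)


# Constructed badge events (2010-11-10 is a Wednesday, 2010-11-13 a Saturday)
SAMPLE_EVENTS = [
    ("B-1001", "2010-11-10T08:15:00"),  # adjudicator, weekday morning: granted
    ("B-1001", "2010-11-13T02:10:00"),  # adjudicator, Saturday night: denied
    ("B-1001", "2010-11-13T02:14:00"),  # second attempt minutes later: denied
    ("B-1002", "2010-11-13T02:12:00"),  # security officer, 24x7: granted
    ("B-1003", "2010-11-10T17:30:00"),  # mail clerk after 16:00: denied
    ("B-1004", "2010-11-10T09:00:00"),  # terminated adjudicator: denied
    ("B-9999", "2010-11-10T09:01:00"),  # unknown badge: denied
]


if __name__ == "__main__":
    ok, refused = process_events(SAMPLE_EVENTS)
    for d in refused:
        print(f"DENIED {d.when.isoformat()} {d.badge}: {d.reason}")
    print("repeated denials:", repeated_denials(refused))
```

The schedule check is deliberately keyed on position rather than on the individual, which is what "commensurate with the position" requires and also keeps the rule set small enough to review; exceptions for a particular person should be time-limited entries rather than edits to the position's schedule.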
Area of Concern: Security of Physical Case Files
Responsible Personnel: Physical Security
Policy and/or Security Measure: Protection of USCIS Case File Data
Policy or Practice Gaps: Physical files were observed in crates stacked in the hallways in the Vermont Service Center. According to an interview at the Service Center, anyone could walk out with a "crate full" of files after hours, especially if you are a teleworker. USCIS assumes its case file data is secure because its employees and contractors have a clearance or have had a background check. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their office or desk. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices and they might leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information has been found in garbage cans in the hallway. Adjudicators pick up their cases in an envelope in their mailbox. During the site visit, the assessment team observed the mail room at the Vermont Service Center unattended between shifts (approximately 3 pm). When adjudicators finish with a file they return it to a drop-off spot. The assessment team observed those spots, which are in the open and unattended. Adjudicators may keep cases overnight and usually return them within 1 week.
Suggested Countermeasures: It is important to note that 49 insiders documented in the CERT database violated need-to-know policies in the commission of their crimes. Therefore, relying on clearances alone can be very dangerous. Thirteen insiders documented in the CERT database stole physical property belonging to the organization. CERT suggests USCIS consider the consequences of theft or unauthorized access to physical case files and make a risk-based decision regarding potential policy and procedure changes. There are standard policies and procedures for handling sensitive information, but a strong educational campaign is needed to ensure the protection of data.

Area of Concern: Teleworkers at Service Centers
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: One hundred eighty-nine people at the Vermont Service Center are authorized to work from home. These employees pick up files at the Vermont Service Center and take them home. They work 2 days per week in the Service Center and 3 days per week at home. USCIS pays an unannounced visit to all homes to inventory the employees' files at least quarterly. These employees must have a locked facility in their home and must always have the ability to return the files to the Service Center within 4 hours.
Policy or Practice Gaps: The control of USCIS data when it leaves the Vermont Service Center is difficult to enforce. Employees must have appropriate storage facilities, but they could easily copy USCIS data and share it with unauthorized individuals.
Suggested Countermeasures: Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. It is important that USCIS recognize the potential for recruitment and the lack of control exercised over sensitive data at adjudicators' residences.

Appendix D: Business Processes

Technical Controls
Authorization via PICS
Account Management

A variety of cases from the CERT Insider Threat Case database document insider attacks where gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environments is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors are targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE PICS system for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Area of Concern: Authorization for USCIS Critical Systems through PICS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Several critical USCIS systems are tied to PICS for authentication, which is administrated by the ICE. PICS logs account creations, when the accounts were created, what roles applied to the accounts, etc.
Policy or Practice Gaps: PICS permits users outside of USCIS to authorize users for any USCIS application tied to PICS. Two thousand local PICS officers (LPOs) in the ICE and USCIS can create new accounts in PICS for employees located at their sites. LPOs control access for sheriffs, petitioners, CBP, DOJ, TSA, DHS OIG, Terrorism Task Force, and others. Accounts are based on personnel records, so LPOs cannot create accounts for anyone who is not an employee at their site. However, PICS administrators can create accounts for anyone working at their site for any system tied to PICS.
Suggested Countermeasures: USCIS should consider implementing an authorization process and system that enables it to control who is granted access to USCIS systems and data. CERT suggests that USCIS validate current PICS accounts and roles against current employee lists. Ten percent (37) of the insiders documented in the CERT database had excessive privileges which enabled them to attack. In addition, because "privilege creep" enabled a few (six) of the insiders documented in the CERT database to carry out their crimes
CERT | SOFTWARE ENGINEERING INSTITUTE | 49
Verification Information System (VIS)

Area of Concern: Sharing VIS Accounts
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: VIS administrators in external companies or agencies have been caught letting multiple employees use the same VIS account, but USCIS has no ability to take any action. The accounts enable employees to validate PII and citizenship information.
Suggested Countermeasures: Twenty-four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing accounts more difficult.

Area of Concern: Logging, Auditing, and Alerting in VIS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Modifications by VIS users to critical data are logged.
Computer Linked Application Information Management System (CLAIMS) 3 LAN

Area of Concern: Self-Selection of Adjudication Cases
Responsible Personnel: ISSOs; Data Owners
Policy and/or Security Measure: Adjudicators can self-select cases (according to an interview concerning an internal incident that occurred at the USCIS and interviews with data owners at the Vermont Service Center).
Policy or Practice Gaps: Within the Service Centers, adjudicators have virtually unlimited access to applicant files. There are no need-to-know limitations or controls to prevent an adjudicator from accessing sensitive information and reporting it to outsiders, or modifying a file (entering an invalid decision). Adjudicators can also approve a case that is not assigned to them. There is no tie between the case management system (i.e., National File Tracking System, or NFTS) and the case adjudication system (i.e., CLAIMS). In the internal case that occurred at USCIS, the perpetrator circumvented the interview process for 14 months: he approved "no show" cases. There were no controls to detect this. In addition, adjudicators can adjudicate any type of case even though they are each assigned certain types of benefits cases for adjudication.
Suggested Countermeasures: USCIS should consider implementing technical controls to prohibit adjudicators from self-selecting cases to adjudicate.

Area of Concern: Emphasis on Customer Service Over Risk
Responsible Personnel: Data Owners
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: One interviewee at the Vermont Data Center said that "stats" can be a strain, especially for new hires, although they do get a 90-day grace period.
Suggested Countermeasures: USCIS should use caution in emphasizing customer service as the only performance metric, because this could encourage lack of attention to risk-related activities (such as accurate adjudication decisions).

Area of Concern: Lack of Separation of Duties in CLAIMS
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Currently, all declined requests for benefits are reviewed by a supervisor. However, there was a discrepancy during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. Only a random sample of approved adjudication decisions is reviewed. For some cases (for instance, victims' cases) a senior adjudicator has to review the decision after the adjudicator enters it; then the supervisor reviews it. This is a manually enforced process. There was another discrepancy in interviews: the adjudicators said that … When adjudicators are in training, they are under 100% review. They are in training on a specific type of case for at least 6 months. Auditing for improperly granted benefits is based on sampling and/or blind quality assurance (QA), according "to Army standards," after the fact. A randomly selected 30 cases per quarter are also reviewed by "sister centers." The QA process varies office by office (no national process). This QA has been done for the past year and a half. In the Vermont field office, each supervisor pulls at least 10 cases per adjudicator per month. They review decision-related issues, security-related issues, and procedural issues (did they follow the right steps). They also look for lessons learned. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Some cases are more than 1,000 pages, so every detail cannot be practically reviewed. For every case, clerks pull cases a couple of times per month (a certain number of cases per employee). Those cases are passed to QA, who reviews the cases. QA then sends feedback to the supervisor and adjudicator if they find something that does not look right.
Suggested Countermeasures: USCIS should consider implementing automated processes to prevent and detect fraud. Management indicated it would like to see automated technical enforcement of the review and approval process. In nearly ten percent (39) of the cases documented in the CERT database, insiders took advantage of insufficient separation of duties to carry out their crimes. USCIS should carefully consider the biggest risk to the organization. Many of the USCIS employees interviewed for this assessment identified the primary risk for the organization as allowing the next terrorist to live and work legally in the United States. They desire assistance in identifying and implementing internal controls to counter that risk. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant, rather than to grant a benefit to someone who does not deserve it. If USCIS agrees that granting legal documents to illegal applicants is one of the biggest risks to the organization, then it should consider requiring dual authorization for these adjudication decisions.

Area of Concern: Lack of Automated Checks
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Vermont IT has done data sweeps after it found something suspicious. When it has done so, it has found more of the same activity.
Policy or Practice Gaps: There are no automated checks (there will be in Transformation). Checks that do exist are managed at the local level rather than alerting to the headquarters level.
Suggested Countermeasures: In nearly twenty-five percent (91) of cases documented in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 cases it was because of inadequate auditing of irregular processes. In 29 of the cases, the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analyzing the OSI's findings and developing automated checks that are rolled out nationally.

Area of Concern: Physical Security of Case Files
Responsible Personnel: Data Owners; Adjudicators
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: The NFTS tracks millions of files. It was described, however, as a very large warehouse where files do occa…
Suggested Countermeasures: Ten percent (40) of the insiders documented in the CERT database carried out their crimes by…
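The CLAIMS rows above describe three controls that do not exist today: a tie between the NFTS assignment and the CLAIMS decision, a restriction to the form types an adjudicator is assigned, and dual authorization for approvals. The following worked example is added by the editor and is not part of the CERT assessment or of any USCIS system; the record layouts, case identifiers, form types, user names and the "no show" interview status are constructed for illustration. It shows the same rule set used twice: as a preventive gate that a decision must pass before it is accepted, and as a detective sweep over already-entered decisions that produces the kind of per-adjudicator report the "Lack of Automated Checks" row asks for.

```python
from collections import defaultdict

# Constructed sample data standing in for NFTS assignment records and CLAIMS
# decision records; every identifier below is invented.
ASSIGNMENTS = {            # NFTS: case_id -> adjudicator the case was assigned to
    "C-1001": "adj_a",
    "C-1002": "adj_a",
    "C-1003": "adj_b",
    "C-1004": "adj_b",
}
ASSIGNED_FORM_TYPES = {    # benefit form types each adjudicator is assigned to work
    "adj_a": {"I-130"},
    "adj_b": {"I-485"},
}
INTERVIEW_STATUS = {       # outcome of the interview step for each case
    "C-1001": "completed",
    "C-1002": "no_show",
    "C-1003": "completed",
    "C-1004": "not_required",
}
DECISIONS = [              # CLAIMS: (case_id, form_type, adjudicator, decision, second_approver)
    ("C-1001", "I-130", "adj_a", "approved", "sup_x"),
    ("C-1002", "I-130", "adj_a", "approved", None),
    ("C-1003", "I-485", "adj_a", "approved", None),
    ("C-1004", "I-130", "adj_b", "approved", "sup_y"),
]


def decision_findings(case_id, form_type, adjudicator, decision, second_approver,
                      assignments, form_types, interview_status):
    """Apply the separation-of-duties rules to one decision; return the violations."""
    reasons = []
    if assignments.get(case_id) != adjudicator:
        reasons.append("unassigned-case")              # self-selected or not assigned
    if form_type not in form_types.get(adjudicator, set()):
        reasons.append("form-type-outside-assignment")
    if decision == "approved":
        # Dual authorization: a second, different person must sign the approval.
        if not second_approver or second_approver == adjudicator:
            reasons.append("approval-without-dual-authorization")
        # An approval where the applicant never appeared for the interview.
        if interview_status.get(case_id) == "no_show":
            reasons.append("approval-despite-no-show")
    return reasons


def authorize_decision(case_id, form_type, adjudicator, decision, second_approver,
                       assignments=ASSIGNMENTS, form_types=ASSIGNED_FORM_TYPES,
                       interview_status=INTERVIEW_STATUS):
    """Preventive control: (allowed, reasons). Only a clean decision is accepted."""
    reasons = decision_findings(case_id, form_type, adjudicator, decision,
                                second_approver, assignments, form_types, interview_status)
    return (len(reasons) == 0, reasons)


def audit_decisions(decisions=DECISIONS, assignments=ASSIGNMENTS,
                    form_types=ASSIGNED_FORM_TYPES, interview_status=INTERVIEW_STATUS):
    """Detective control: sweep entered decisions and report findings per case."""
    findings = {}
    for case_id, form_type, adjudicator, decision, second in decisions:
        reasons = decision_findings(case_id, form_type, adjudicator, decision,
                                    second, assignments, form_types, interview_status)
        if reasons:
            findings[case_id] = reasons
    return findings


def findings_by_adjudicator(decisions=DECISIONS):
    """Count flagged decisions per adjudicator so supervisors can prioritise review."""
    flagged = audit_decisions(decisions)
    counts = defaultdict(int)
    for case_id, _, adjudicator, _, _ in decisions:
        if case_id in flagged:
            counts[adjudicator] += 1
    return dict(counts)


if __name__ == "__main__":
    for case, reasons in audit_decisions().items():
        print(case, reasons)
    print(findings_by_adjudicator())
```

The preventive gate and the audit share one rule function so that what is blocked at entry time and what is flagged in the monthly sweep cannot drift apart; the "no show" rule is the detection that would have surfaced the 14-month internal case described above.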
Area of Concern: Disabling Access to CLAIMS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: Currently, every month USCIS compares the Human Resources attrition list against the C3 LAN account list and disables inactive employee accounts.
Policy or Practice Gaps: The new HR form has not been socialized or widely advertised. It is up to the COTRs and supervisors to consistently request that access be disabled when an employee or contractor no longer needs access.
Suggested Countermeasures: …the same applicant. C3 LAN will be retired as part of Transformation. C4 will also be retired. A copy of security controls and requirements has been provided by C3 LAN data owners to Transformation. It is important for the Transformation team to make risk-based decisions in Transformation design and development.
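Two rows above call for the same reconciliation: the PICS row asks USCIS to validate current accounts and roles against current employee lists and warns about "privilege creep", and the "Disabling Access to CLAIMS" row describes the monthly comparison of the HR attrition list against the C3 LAN account list. The following worked example is added by the editor and is not part of the CERT assessment or of any USCIS or ICE system; the HR extract, account export, site codes, job titles, role names and the one-day grace period are all constructed assumptions. It produces the three findings a reviewer would act on: accounts with no current employee behind them (separated, or no personnel record at all, with the number of days the account has outlived the separation), accounts whose roles exceed the baseline for the job, and accounts created at a site other than the employee's.

```python
from datetime import date

# Constructed sample data; person ids, sites, job titles and role names are
# invented and stand in for an HR extract and an account export.
EMPLOYEES = {              # HR current-employee list: person_id -> (site, job)
    "P1": ("VSC", "adjudicator"),
    "P2": ("VSC", "clerk"),
    "P3": ("NBC", "adjudicator"),
}
ATTRITION = {              # HR attrition list: person_id -> separation date
    "P4": date(2010, 10, 15),
}
ROLE_BASELINE = {          # roles a job legitimately needs (least privilege)
    "adjudicator": {"claims_adjudicate"},
    "clerk": {"claims_data_entry"},
}
ACCOUNTS = [               # account export: (account, person_id, site, roles, status)
    ("u_p1", "P1", "VSC", {"claims_adjudicate"}, "active"),
    ("u_p2", "P2", "VSC", {"claims_data_entry", "claims_adjudicate"}, "active"),
    ("u_p4", "P4", "VSC", {"claims_adjudicate"}, "active"),
    ("u_p9", "P9", "NBC", {"claims_data_entry"}, "active"),
    ("u_p3", "P3", "VSC", {"claims_adjudicate"}, "active"),
]


def reconcile(accounts=ACCOUNTS, employees=EMPLOYEES, attrition=ATTRITION,
              baseline=ROLE_BASELINE, today=date(2010, 12, 1), grace_days=1):
    """Compare an account export against HR records.

    Returns a dict with three lists:
      disable       - active accounts with no current employee behind them
                      (separated, or no personnel record at all)
      excess_roles  - accounts holding roles beyond their job's baseline
      site_mismatch - accounts created at a site other than the employee's
    grace_days is the assumed maximum time an account may stay active after
    separation before it counts as overdue.
    """
    report = {"disable": [], "excess_roles": [], "site_mismatch": []}
    for account, person, site, roles, status in accounts:
        if status != "active":
            continue
        if person in attrition:
            overdue = (today - attrition[person]).days - grace_days
            report["disable"].append((account, f"separated, {overdue} days overdue"))
            continue
        if person not in employees:
            report["disable"].append((account, "no personnel record"))
            continue
        emp_site, job = employees[person]
        extra = roles - baseline.get(job, set())     # privilege creep
        if extra:
            report["excess_roles"].append((account, sorted(extra)))
        if site != emp_site:
            report["site_mismatch"].append((account, site, emp_site))
    return report


if __name__ == "__main__":
    for section, rows in reconcile().items():
        print(section)
        for row in rows:
            print("   ", row)
```

Running the comparison against both the current-employee list and the attrition list is what catches the two different failure modes on the page: an account that was never backed by a personnel record, and an account that outlived its owner's employment because nobody submitted the HR form.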
Area of Concern: Non-Attribution for DBA Accounts
Responsible Personnel: Information Technology

Area of Concern: Pending Reduction in Force for Data Entry Clerks
Responsible Personnel: Data Owners; Human Resources
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Data entry clerks will be losing their jobs when they move to LockBox, which will take over the functionality of accepting remittances for benefit applicants. It was stated that the data entry clerks might be hired away to work at the organization which performs that function.
Suggested Countermeasures: USCIS should be aware of the increased insider risk in the face of negative organizational events like this. It should consider proactive steps to decrease stress in the workplace and to ease potential financial burdens that could make employees more susceptible to recruitment by outsiders.

Area of Concern: Sharing Accounts in CLAIMS
Responsible Personnel: Data Owners; Information Technology; Data Entry Clerks
Policy or Practice Gaps: The NFTS will not let clerks log in if they have not used the system for a certain number of days. A clerk's cubemate will log in for their cubemate if it is the end of the day and IT has gone home for the day.
Suggested Countermeasures: Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make account sharing more difficult.
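The "Sharing Accounts in CLAIMS" row describes a concrete pattern (one clerk logging in on a cubemate's behalf from a different workstation), and the VIS row earlier describes the same practice at external sites. The following worked example is added by the editor and is not part of the CERT assessment or of any USCIS system; the login log format, account names, workstation identifiers and the workstation-owner table are constructed. It reconstructs sessions from login/logout events and reports the two indicators of sharing that a log can show without any knowledge of who was physically at the keyboard: one account with overlapping sessions on two workstations, and an account used on a workstation assigned to someone else.

```python
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for a workstation assignment table (workstation -> owner).
WORKSTATION_OWNER = {"WS-01": "clerk_a", "WS-02": "clerk_b", "WS-03": "clerk_c"}

# Constructed login log: "<ISO timestamp> <account> <workstation> <login|logout>".
LOGIN_LOG = """\
2010-11-03T08:01:12 clerk_a WS-01 login
2010-11-03T08:03:40 clerk_b WS-02 login
2010-11-03T16:45:05 clerk_a WS-02 login
2010-11-03T16:50:20 clerk_a WS-01 logout
2010-11-03T16:52:00 clerk_a WS-02 logout
2010-11-03T17:01:00 clerk_b WS-02 logout
"""


def parse_log(text):
    """Parse the log into (timestamp, account, workstation, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, workstation, action = line.split()
        events.append((datetime.fromisoformat(ts), account, workstation, action))
    return events


def build_sessions(events):
    """Pair logins with logouts per (account, workstation).

    Returns (account, workstation, start, end) tuples. A login with no logout is
    treated as still open at the time of the last event in the log.
    """
    open_sessions = {}
    sessions = []
    for ts, account, workstation, action in sorted(events):
        key = (account, workstation)
        if action == "login":
            open_sessions[key] = ts
        elif action == "logout" and key in open_sessions:
            sessions.append((account, workstation, open_sessions.pop(key), ts))
    if events:
        last = max(e[0] for e in events)
        for (account, workstation), start in open_sessions.items():
            sessions.append((account, workstation, start, last))
    return sessions


def find_sharing_indicators(sessions, owners=WORKSTATION_OWNER):
    """Return indicators that an account is being used by more than one person."""
    findings = []
    by_account = defaultdict(list)
    for account, workstation, start, end in sessions:
        by_account[account].append((account, workstation, start, end))
        owner = owners.get(workstation)
        # Account used on a workstation that belongs to somebody else.
        if owner is not None and owner != account:
            findings.append(("foreign-workstation", account, workstation, owner))
    for account, sess in by_account.items():
        sess.sort(key=lambda s: s[2])
        # Two sessions of the same account on different workstations that overlap.
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                a, b = sess[i], sess[j]
                if a[1] != b[1] and b[2] < a[3]:
                    findings.append(("concurrent-sessions", account, a[1], b[1]))
    return findings


if __name__ == "__main__":
    for finding in find_sharing_indicators(build_sessions(parse_log(LOGIN_LOG))):
        print(finding)
```

Both indicators are also the evidence a stronger authentication mechanism would remove: a token or badge tied to the person makes the "cubemate logs in for me" workaround impossible rather than merely detectable.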
Fraud Detection and Naturalization System – Data System (FDNS DS)

Area of Concern: Elevated Privileges in FDNS DS
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: The FDNS DS is a central repository of fraud and national security investigations. This system holds applicants and petitioners as well as PII. There is also a national security tab.
Policy or Practice Gaps: There is a large superuser community: more than thirty percent of all FDNS DS users with access to the FDNS DS. These accounts have extensive power; a malicious superuser can completely delete a record or modify the summary of findings.
Suggested Countermeasures: Ten percent (39) of the insiders documented in the CERT database took advantage of insufficient access controls. USCIS should consider reducing the number of privileged accounts with access to the FDNS DS. If the number of superuser accounts were reduced, then enhanced auditing could be employed on transactions conducted using those accounts.

Area of Concern: Logging of Transactions
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: …but there are no national controls to ensure that celebrities' files are not being accessed.
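The two FDNS DS rows above ask for a smaller superuser population with enhanced auditing of the transactions those accounts perform, and for a control over access to specific high-profile files. The following worked example is added by the editor and is not part of the CERT assessment or of the FDNS DS; the user table, role names, transaction log layout, the destructive-action list and the 10% superuser ceiling are constructed assumptions. It computes the superuser ratio the gap describes, and audits a transaction log for the two events the page names as dangerous (record deletion and modification of the summary of findings by a superuser, graded by whether a change ticket is attached) plus any access to a watchlisted record regardless of role.

```python
# Constructed sample data: user ids, record ids and ticket numbers are invented.
USERS = {                  # user -> role in the system
    "u1": "superuser", "u2": "superuser",
    "u3": "analyst", "u4": "analyst", "u5": "analyst",
}
WATCHLISTED_RECORDS = {"R-4"}            # files flagged for access monitoring
SENSITIVE_ACTIONS = {"delete_record", "modify_summary_of_findings"}
TRANSACTIONS = [           # (seq, user, action, record_id, change_ticket)
    (1, "u1", "view", "R-1", None),
    (2, "u1", "delete_record", "R-2", "CHG-17"),
    (3, "u2", "modify_summary_of_findings", "R-3", None),
    (4, "u3", "view", "R-4", None),
    (5, "u2", "delete_record", "R-5", None),
]


def superuser_ratio(users=USERS):
    """Fraction of all users holding the superuser role."""
    if not users:
        return 0.0
    return sum(1 for role in users.values() if role == "superuser") / len(users)


def needs_reduction(users=USERS, max_ratio=0.10):
    """True when the privileged population exceeds the assumed ceiling."""
    return superuser_ratio(users) > max_ratio


def audit_transactions(transactions=TRANSACTIONS, users=USERS,
                       watchlist=WATCHLISTED_RECORDS):
    """Enhanced auditing of a transaction log.

    Returns (seq, user, action, record, severity, reason) alerts for
      - destructive actions by superusers ("info" if a change ticket is
        attached, "high" if not), and
      - any access to a watchlisted record, whatever the role.
    """
    alerts = []
    for seq, user, action, record, ticket in transactions:
        if users.get(user) == "superuser" and action in SENSITIVE_ACTIONS:
            severity = "info" if ticket else "high"
            alerts.append((seq, user, action, record, severity,
                           "privileged-destructive-action"))
        if record in watchlist:
            alerts.append((seq, user, action, record, "high",
                           "watchlisted-record-access"))
    return alerts


if __name__ == "__main__":
    print(f"superuser ratio: {superuser_ratio():.0%}, reduce: {needs_reduction()}")
    for alert in audit_transactions():
        print(alert)
```

The ticket check is what turns a log entry into something a reviewer can close quickly: a deletion tied to an approved change is routine, a deletion without one is the event that needs a person to look at it.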
Area of Concern: Unknown Connections to …
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.

Area of Concern: Failure to Address Known Security Vulnerabilities
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no automated patching because of the age of the servers and the application. Only critical patches are applied, for fear of crashing the servers.
Suggested Countermeasures: Thirteen insiders in the CERT database exploited known security vulnerabilities that were not addressed by the organization. USCIS should consider upgrading the FDNS DS, since these vulnerabilities increase risk of attack from outside and inside.

Area of Concern: Production Data Available to Contractors in Development
Responsible Personnel: Data Owners; Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: CSC has production data in the development environment even though it should not have access to production data.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment, and it was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the remote contractor-owned development environment and either sanitize or anonymize the data, or enforce the same level of security controls exercised for the production data.

Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Developers cannot release new executables; a separate system administrator has to push them out.
Policy or Practice Gaps: Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of lack of adequate configuration management. USCIS has a formal configuration management process. It is important to enforce its use for all employees and contractors. Otherwise, it will be extremely difficult to investigate a crime committed using flaws intentionally injected into source code by a contractor.
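The configuration-management row above (and the same concern as it recurs in Appendix F, where Version Manager registration and a separate releaser are described) boils down to one verifiable property: every executable in production must trace back to a registered release with a version-control revision, an approved change ticket, and a releaser who is not the developer. The following worked example is added by the editor and is not part of the CERT assessment or of any USCIS release tooling; the artifact names, the byte strings standing in for binaries, the register layout and the ticket and user identifiers are constructed. It hashes what is deployed, looks each hash up in the release register, and reports every artifact that violates one of those conditions, which is exactly the evidence an investigator would lack if contractors push fixes outside the process.

```python
import hashlib


def sha256(data: bytes) -> str:
    """Hex digest of an artifact's bytes; real artifacts would be read from disk."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for binaries found in production.
PRODUCTION_ARTIFACTS = {
    "claims-batch.jar": sha256(b"build-1"),
    "claims-web.war": sha256(b"build-2"),
    "hotfix.jar": sha256(b"hotfix-built-outside-the-process"),
}

# Constructed release register. Each production release is expected to record
# the Version Manager revision it was built from, an approved change ticket,
# and a releaser distinct from the developer (separation of duties).
RELEASE_REGISTER = [
    {"artifact": "claims-batch.jar", "sha256": sha256(b"build-1"), "vm_revision": "1.12",
     "ticket": "CR-101", "developer": "csc_dev1", "releaser": "uscis_rel1"},
    {"artifact": "claims-web.war", "sha256": sha256(b"build-2"), "vm_revision": "2.4",
     "ticket": None, "developer": "csc_dev2", "releaser": "csc_dev2"},
]


def verify_production(production=PRODUCTION_ARTIFACTS, register=RELEASE_REGISTER):
    """Return {artifact: [finding, ...]} for artifacts that violate change control.

    Artifacts that pass every check are omitted from the result.
    """
    by_hash = {entry["sha256"]: entry for entry in register}
    findings = {}
    for name, digest in production.items():
        problems = []
        entry = by_hash.get(digest)
        if entry is None:
            # Deployed bytes match no registered release: an unmanaged change.
            problems.append("not-in-release-register")
        else:
            if entry["artifact"] != name:
                problems.append("registered-under-different-name")
            if not entry.get("vm_revision"):
                problems.append("no-version-manager-revision")
            if not entry.get("ticket"):
                problems.append("missing-change-ticket")
            if entry["developer"] == entry["releaser"]:
                problems.append("developer-released-own-code")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for artifact, problems in verify_production().items():
        print(artifact, problems)
```

Because the lookup is by content hash rather than by file name, a contractor-built replacement that keeps the approved file name still surfaces as unregistered; that is the check that makes later forensic attribution of a planted flaw possible.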
Appendix E: Incident Response
Incident Management, Security Awareness, Concerning Behaviors

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges: an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complexity and widely distributed function creates a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Because of this, it is practically impossible for USCIS to implement a proactive program to mitigate insider threat. CERT strongly recommends that USCIS create a central repository of employee misconduct so it can detect indicators of increasing insider threat risk and mitigate them as quickly as possible.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.
Area of Concern: Lack of Central Repository of Employee Misconduct
Responsible Personnel: USCIS Leadership; Physical Security; Office of Security and Integrity
Policy and/or Security Measure: If Field Security receives a Significant Incident Report (SIR), then it investigates. Employee misconduct is then reported to the Office of Security and Integrity (OSI). If the OSI investigation substantiates an employee's misconduct, it provides Counterintelligence (CI) a monthly report. It also provides the employee's management a copy. CI is starting to get more reports of acceptable use violations and security violations. It tracks everything in a file for later use in reinvestigations. Labor Employee Relations (LER) has a record of the reports it receives of misconduct: complaints against an employee, rule violations, and so on. HR maintains the Official Personnel File, which contains records of suspensions, etc. LER contacts HR only for those types of actions. The OSI evaluates all complaints it receives and logs them into the case management system. It assigns them to a field office. At that point, any complaints are the responsibility of the special agent in charge at the field office. The field office investigates and sends the case for corrective action to the regional director in the chain of command, and then the regional director returns a management report of action to the special agent in charge. The OSI contacts the DHS OIG for potentially criminal behavior or serious misconduct. If the DHS OIG turns the case down, then it is sent to the field office or to law enforcement. The Personnel Security division (PERSEC) notifies the OSI monthly of arrests (tracked in the case management system), and the OSI notifies PERSEC of investigations.
Policy or Practice Gaps: There is no single place to go for an employee's disciplinary records. The number of organizations involved and management of records is very complex and distributed throughout the organization. According to Physical Security, the field office does not tell the OSI about problems; the OSI finds out when it "hits the press." For example, the OSI is not informed of a disgruntled system administrator who is ex­hibiting concerning behaviors.
Suggested Countermeasures: USCIS should consider requiring mandatory reporting of all incidents to the OSI. This communication stream will allow the OSI to get involved as early as possible and to document and maintain a central repository of all incidents. This central repository is critical for adequately managing insider threats in USCIS.

Area of Concern: Tracking of Online Incidents
Responsible Personnel: Information Technology
Policy and/or Security Measure: Computer or network violation incidents are tracked by a Remedy system tied to a unique computer identifier rather than a user, in an attempt to keep PII out of the ticket.
Policy or Practice Gaps: It is difficult to tie an event to a particular person. Even if the identity of an offender is known, repeat offenders are not tracked in any automated or correlated way.
Suggested Countermeasures: USCIS should consider including user information for each incident so that repeat offenders can be easily identified, as repeat offenses could indicate an insider of higher risk.

Area of Concern: Consistency in Response to Security Violations and Concerning Behaviors
Responsible Personnel: USCIS Leadership; Human Resources; Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no required training for supervisors on how to respond to a range of behaviors associated with many forms of insider risk. Computer use violations are not handled consistently across departments, supervisors, and type of employee. Egregious violations are referred to the OSI for a full investigation, but the criterion for deciding when that is warranted is a gut reaction.
Suggested Countermeasures: Eighty-one of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors prior to or while carrying out their criminal activities. Employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and deterrence of insider actions.

Area of Concern: US Department of State Investigations
Responsible Personnel: Office of Security and Integrity
Policy and/or Security Measure: OSI Investigations have been subject to allegations of violations involving Foreign Service Nationals (FSN), but the OSI relies on the US Department of State to investigate.
Policy or Practice Gaps: USCIS has no visibility into US Department of State investigations.
Suggested Countermeasures: FSNs who have access to USCIS systems and data should be included in an insider threat risk mitigation strategy.

Area of Concern: Preparation for Negative Work-Related Events
Responsible Personnel: USCIS Leadership; Human Resources; Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There do not appear to be any guidelines, training, or personnel available to evaluate employee insider risk before or after frequently precipitating events such as termination, demotions, transfers, or other disappointments or unmet expectations. There also does not appear to be a group charged with evaluating insider risk from organizational events or developments affecting groups of employees, such as relocations, contract changes, layoffs, and reorganizations.
Suggested Countermeasures: Fifty-five insiders documented in the CERT Insider Threat Case database had negative employment issues. Ninety-four had a change in employment status prior to their attacks, 20 had compensation or benefit issues, and 65 were disgruntled. Supervisors should be trained in these risk indicators. There should also be an available panel of specialists from the OSI or the Labor Employee Relations (LER) trained to assess such risk.
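The "Lack of Central Repository of Employee Misconduct" row and the "Tracking of Online Incidents" row describe two halves of one problem: IT tickets are keyed to a computer identifier rather than a person, and the records that are keyed to a person (LER, OSI, PERSEC) live in separate places, so nobody can see a repeat offender. The following worked example is added by the editor and is not part of the CERT assessment or of any USCIS system; the Remedy-style ticket layout, the workstation assignment history, the LER report and all identifiers are constructed. It attributes each computer-keyed ticket to the user who held that workstation on the ticket date, merges the result with person-keyed reports into one per-employee timeline, lists the tickets it could not attribute, and flags anyone who crosses a repeat-offender threshold.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; every identifier is invented.
TICKETS = [                # IT tickets keyed by computer identifier, not by user
    ("INC-1", date(2010, 3, 2), "PC-0042", "acceptable-use"),
    ("INC-2", date(2010, 7, 9), "PC-0042", "acceptable-use"),
    ("INC-3", date(2010, 8, 1), "PC-0077", "unauthorized-software"),
    ("INC-4", date(2010, 9, 1), "PC-0099", "acceptable-use"),
]
WORKSTATION_HISTORY = [    # (computer_id, user, start, end); end None = current holder
    ("PC-0042", "emp_j", date(2010, 1, 1), date(2010, 6, 30)),
    ("PC-0042", "emp_k", date(2010, 7, 1), None),
    ("PC-0077", "emp_j", date(2010, 7, 1), None),
]
HR_REPORTS = [             # LER / OSI records that already identify the person
    ("LER-5", date(2010, 9, 12), "emp_j", "misconduct-complaint"),
]


def attribute(computer_id, when, history=WORKSTATION_HISTORY):
    """Who held this workstation on the given date, or None if unknown."""
    for pc, user, start, end in history:
        if pc == computer_id and start <= when and (end is None or when <= end):
            return user
    return None


def build_repository(tickets=TICKETS, history=WORKSTATION_HISTORY, hr_reports=HR_REPORTS):
    """Merge computer-keyed tickets and person-keyed reports into one timeline per user.

    Returns (repository, unattributed) where repository maps user -> sorted list of
    (date, source, record_id, category) and unattributed lists ticket ids whose
    workstation could not be tied to a person.
    """
    repository = defaultdict(list)
    unattributed = []
    for ticket_id, when, pc, category in tickets:
        user = attribute(pc, when, history)
        if user is None:
            unattributed.append(ticket_id)
        else:
            repository[user].append((when, "it-ticket", ticket_id, category))
    for report_id, when, user, category in hr_reports:
        repository[user].append((when, "hr-report", report_id, category))
    for entries in repository.values():
        entries.sort()
    return dict(repository), unattributed


def repeat_offenders(repository, threshold=2):
    """Users with at least `threshold` entries across all sources (assumed cut-off)."""
    return sorted(user for user, entries in repository.items() if len(entries) >= threshold)


if __name__ == "__main__":
    repo, missing = build_repository()
    for user, entries in repo.items():
        print(user)
        for entry in entries:
            print("   ", entry)
    print("unattributed tickets:", missing)
    print("repeat offenders:", repeat_offenders(repo))
```

The workstation-history lookup is date-aware on purpose: the same computer identifier belongs to different people over time, so a ticket can only be attributed by the assignment in force on the ticket date, and a ticket from a workstation with no recorded holder is reported rather than guessed.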
Similar specialists should be available to participate in planning and execution of response plans in preparation for negative workplace events that potentially could lead to disgruntlement among the workforce at USCIS.

Area of Concern: Contractor Management
Responsible Personnel: USCIS Leadership; Physical Security; Human Resources
Policy and/or Security Measure: Personnel screening procedures for contractors are similar to those for employees. Contracting companies are required to report any adverse information regarding their employees immediately (in all contracts).
Policy or Practice Gaps: LER has no involvement with contractors. They have no record of contractor misbehaviors or complaints against contractors. Supervisors, the OSI, LER, and others concerned with organizational security may be largely unaware of insider risks related to contractors. Contractors are not subject to government monitoring or risk assessment. A contractor on a critical system may develop or have significant insider risk factors that may remain unknown to government employees due to lack of reporting requirements.
Suggested Countermeasures: Sixty-two of the insiders documented in the CERT Insider Threat Case database were contractors. USCIS contract management staff should consider the need for reporting a range of potential indicators of insider risk among contract staff. Incident response plans should include response to employee and contractor issues.

Area of Concern: Employee or Contractor Concerning Behavior
Responsible Personnel: USCIS Leadership; Human Resources; Physical Security; Office of Security and Integrity; Labor Employee Relations
Policy and/or Security Measure: By policy, it is every employee's responsibility to report suspicious behavior or misconduct. Supervisors who observe concerning or suspicious behavior report it to LER or the OSI. For low-level misconduct, LER advises the field office management on handling the matter. LER reports more serious misconduct with more severe consequences to HR. Misconduct can also be reported via Significant Incident Reports (SIRs). SIRs are sent to Physical Security or to the OSI for investigation. If CI discovers something suspicious during a reinvestigation, it informs the employee's supervisor. The supervisor works with LER and counsel to decide on follow-up actions. The OSI sends results to the supervisor following investigation.
Policy or Practice Gaps: Self-reported drug use, arrest, and associations with foreign nationals during employment are sent to the OSI.
Suggested Countermeasures: Supervisors need to be notified immediately when an employee reports drug use, arrests, or association with foreign nationals, so they have an accurate perception of the risk associated with each of their employees. In addition, 18 of the insiders documented in the CERT Insider Threat Case database had possible psychological issues. In collaboration with the OSI and LER, supervisors confronting employees who display concerning behaviors should have the ability to remove them from the workforce pending a medical or psychological evaluation to determine whether they have a disorder or illness that may impair their trustworthiness or judgment, or make them a danger to themselves or others. Similarly, empowering supervisors to make an employee assistance program referral and evaluation mandatory, in collaboration with LER or the OSI, might help remove at-risk individuals from the workforce until they can safely and securely return.
Area of Concern: Electronic Investigations
Responsible Personnel: Information Technology; Office of Security and Integrity
Policy and/or Security Measure: Most allegations reported to the OSI are not very technical; the OIT provides forensic support for investigations (primarily database transactions). PERSEC has never asked the OIT to review a user's online activity. Only one person in OSI is qualified to do a forensic inspection.
Suggested Countermeasures: USCIS should consider including the OIT in investigations of suspicious activity. CERT's insider threat research has shown that nontechnical concerning behaviors can be associated with online criminal activity. It would be beneficial to check for past technical security violations and have the OIT analyze current online activity as part of the OSI investigations.
Appendix F: Software Engineering
Logging, Critical Data Controls, Code Reviews, Configuration Management

… the few … of the cases documented in the CERT database … insiders, both employees and contractors, … injected code into source code to facilitate … IT sabotage. In most cases the modifications to source code were intended to sabotage the organization's systems, but in a … case … the code … was used to facilitate fraud. In many … In one case … was set to execute following the insider's termination … for a year before finally executing. It is important that USCIS recognize the potential illicit activity that could be carried out by … and implement appropriate controls, particularly for the most critical systems and system components. … malicious … fraud … planted … in both cases … was … ware …
Area of Concern: Code Reviews
Responsible Personnel: ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Contractors are required to maintain a certain level of process maturity (CMMI Level 3) to be in compliance with USCIS policies. Source code is restricted to those with the need to know. Version Manager is used to control and track changes to source code. Separation of duties is implemented in the software release process: CSC checks new source code into Version Manager; a USCIS employee checks out the source code and releases it into production. The USCIS DBA moves new database objects into the production database.
Policy or Practice Gaps: Another interviewee mentioned that an "Easter egg" was found in source code after the contract was given to a new company.[4]

[4] A virtual Easter egg is an intentional hidden message, joke, or feature in a program, movie, book, etc.
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sCo
nfig
urat
ion
Man
agem
ent
and
orC
hang
eCo
ntro
lPro
cess
N
otE
nfor
ced
ISSO
s D
ata
Ow
ners
In
form
atio
nTe
chno
logy
No
evid
ence
pro
vide
d
Whe
nco
ntra
ctor
sde
velo
pso
ftw
are
rem
otel
yth
eya
res
uppo
sed
tor
egis
te
rco
dein
Ver
sion
Man
ager
but
this
is
not
alw
ays
done
con
sist
ently
Co
ntra
ctor
sso
met
imes
rel
ease
cod
eto
fix
prob
lem
sw
ithou
tfol
low
ing
the
chan
gem
anag
emen
tpro
cess
In1
7ca
ses
docu
men
ted
inth
eCE
RTIn
side
rTh
reat
Cas
eda
ta
base
the
insi
der
was
abl
eto
at
tack
bec
ause
oft
hela
cko
fade
qu
ate
conf
igur
atio
nm
anag
emen
t
Soft
war
eEn
gine
er
ing
Cont
rols
inth
eSe
rvic
eCe
nter
s
ISSO
s D
ata
Ow
ners
In
form
atio
nTe
chno
logy
ISSO
s
No
evid
ence
pro
vide
d
Soft
war
eis
bei
ngd
evel
oped
inth
eSe
rvic
eCe
nter
sw
ithou
tcon
sist
ently
en
forc
ing
the
sam
ech
ange
man
age
men
tpro
cess
ese
nfor
ced
atth
ena
tio
nal(
ente
rpris
e)le
vel
The
cen
ters
us
ea
code
rep
osito
ryb
utn
otV
ersi
on
Man
ager
to
trac
kso
ftw
are
chan
ges
Th
eyd
ope
err
evie
ws
ofc
ode
and
belie
veth
ate
nter
pris
eco
ntro
lsfo
rco
der
evie
wa
rem
ore
deta
iled
(al
thou
ghth
atb
elie
fapp
ears
tob
efa
lse
ac
cord
ing
toin
terv
iew
sat
hea
dqua
rte
rs)
USC
ISs
houl
dco
nsid
erc
onsi
sten
tpo
licie
san
dpr
oced
ures
for
soft
w
are
engi
neer
ing
for
the
entir
een
terp
rise
inc
ludi
ngth
eSe
rvic
eCe
nter
s
Mos
tins
ider
sdo
cum
ente
din
the
CERT
Insi
der
Thre
atC
ase
data
CERT | SOFTWARE ENGINEERING INSTITUTE | 71
A
rea
ofC
once
rn
Resp
onsi
ble
Pers
onne
lPo
licy
and
orS
ecur
ity
Mea
sure
Po
licy
orP
ract
ice
Gap
sSu
gges
ted
Coun
term
easu
res
Dat
aO
wne
rs
ba
sew
ere
dete
cted
or
iden
tifie
d
usin
gso
me
kind
ofs
yste
mlo
g
Info
rmat
ion
Tech
nolo
gy
Lo
gsu
sed
incl
ude
data
base
logs
appl
icat
ion
logs
sys
tem
logs
re
mot
eac
cess
logs
and
man
y
othe
rs
Prod
ucti
onD
ata
in
ISSO
sD
evel
opm
enta
ndp
rodu
ctio
nsy
sIn
som
eca
ses
con
trac
tors
hav
eac
O
nly
one
insi
der
docu
men
ted
in
Dev
elop
men
tEnv
i
tem
ssh
ould
be
sepa
rate
inte
rms
of
cess
tob
oth
syst
ems
incl
udin
gpr
oth
eCE
RTIn
side
rTh
reat
Cas
eda
CERT | SOFTWARE ENGINEERING INSTITUTE | 72
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sro
nmen
t
Dat
aO
wne
rs
Info
rmat
ion
Tech
nolo
gy
data
sha
ring
and
acc
ess
cont
rol
duct
ion
data
inth
ede
velo
pmen
ten
viro
nmen
t
taba
ses
tole
pro
duct
ion
data
that
sh
ould
not
hav
ebe
ena
vaila
ble
to
deve
lope
rsin
the
deve
lopm
ent
envi
ronm
ent
How
ever
itw
as
extr
emel
yse
nsiti
ved
ata
with
ve
rys
tric
tcon
trol
sin
the
prod
uc
tion
envi
ronm
ent
and
was
not
su
bjec
tto
thos
esa
me
cont
rols
in
the
deve
lopm
ente
nvir
onm
ent
Th
isis
ver
ysi
mila
rto
the
situ
atio
nat
USC
IS
USC
ISs
houl
dex
am
ine
data
bei
ngu
sed
inth
ede
velo
pmen
tenv
iron
men
tand
ei
ther
san
itize
or
anon
ymiz
eth
eda
tao
renf
orce
the
sam
ele
velo
fse
curi
tyc
ontr
ols
exer
cise
dfo
rth
epr
oduc
tion
data
CERT | SOFTWARE ENGINEERING INSTITUTE | 73
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
s
CERT | SOFTWARE ENGINEERING INSTITUTE | 74
Appendix G: Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems or networks.

In some areas, computer accounts are managed fairly well at USCIS. USCIS is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account. Furthermore, an FSN account and a U.S. citizen federal employee account cannot be distinguished once it is created. Although account naming conventions are dictated by DHS and the U.S. Department of State, USCIS could request a naming convention to differentiate between FSN and U.S. citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore, USCIS has no visibility into who has access to its systems. Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR. Dormant accounts provide a convenient, unknown access path for current and former employees to use for illicit activity. A lack of consistency exists in the application of account management practices under the control of USCIS. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
Area of Concern: Account Establishment
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: In order for FSNs to gain access to USCIS systems, they must submit paperwork through proper channels, which eventually requires authorization by the CSO and CIO of DHS.
Policy or Practice Gaps: Prior to 2007, waiver paperwork for FSNs requesting account access was not submitted consistently. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.
Suggested Countermeasures: USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.

Responsible Personnel: Information Technology
Policy or Practice Gaps: Different personnel are responsible for account creation and deletion across the entire enterprise depending on the system or network in question. Database administrators may be able to create and delete database and application accounts without a second person verifying that action.
Suggested Countermeasures: Because database administrators have access to such critical data, USCIS should consider separating the task of authorizing access to USCIS databases from the task of managing the data in the databases. This separation of duties may reduce the risk of a database administrator creating an unauthorized account and using that account to carry out a malicious act.

Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: A computer account is established only after a number of criteria have been met, including security awareness training. In addition to the steps required of all personnel for account access, contractors have to go through extra steps, some of which include verification by the COTR.
Policy or Practice Gaps: Computer account access is sometimes granted before security awareness training is completed. This practice may be true especially for contractors, since the onboarding process depends on the contracting agency and the COTR to verify that the training is completed.
Suggested Countermeasures: USCIS should consider requiring computer security awareness training for all personnel (full-time employees, part-time employees, and contractors) and verify that it is complete before creating any system accounts for these personnel.

Area of Concern: Account Management - General
Responsible Personnel: Information Technology
Policy and/or Security Measure: PICS is administered by ICE, which has over 2,000 LPOs across various components of DHS. These LPOs are responsible for granting authorized access to PICS for the personnel at their respective work sites. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system.
Policy or Practice Gaps: Although the PICS account process requires the account to be linked to a valid employee, PICS administrators could create unauthorized accounts in the name of valid employees without their knowledge. Invalid accounts are typically flagged only when the account is dormant for a certain period of time. An LPO can also assign rights for any system controlled by PICS. Furthermore, ICE administers this system and could affect USCIS records unbeknownst to USCIS.
Suggested Countermeasures: In 12 of the cases documented in the CERT Insider Threat Case database, insufficient account management enabled the insiders to commit their crimes. USCIS should consider conducting account audits at the local site level, which would allow the validation of current PICS accounts and roles versus current PICS employee lists. USCIS should explore a means of segregating account management in PICS so that LPOs can administer accounts only for their own organization's systems. In other words, USCIS LPOs would only be able to administer authorizations for USCIS systems in PICS, and ICE LPOs would only be able to administer authorizations for ICE systems.

Responsible Personnel: Information Technology
Policy and/or Security Measure: Account management is handled by a number of different groups across USCIS. Although there is an effort to centralize account management, local and regional offices of USCIS have historically done their own account management. If an account has not been used for a certain period of time, it is automatically disabled. The time periods stated by various interviewees varied from 30, 60, or 90 days.
Responsible Personnel: USCIS Leadership, Information Technology
Policy and/or Security Measure: When an employee moves from one position to another, or transfers to another department, the management in those departments must initiate the required computer account changes.
Policy or Practice Gaps: The issue of account management for employee transfers is not being addressed in a consistent manner. The OIT relies on notification by either the new or old supervisor when an employee transfers, but there have been cases in USCIS in which employees have retained access when they should not have.
Suggested Countermeasures: Six insiders documented in the CERT Insider Threat Case database were able to carry out their illegal activities because of "privilege creep." USCIS should review account management procedures to ensure that the steps currently taken to remove or alter account access are complete and being consistently followed. In particular, the procedures used when someone changes locations or departments within USCIS should be examined. As employees transfer throughout an agency, they should not be accumulating privileges. They should only retain privileges commensurate with their job responsibilities.

Area of Concern: Changing Password of Shared Account Upon Termination
Responsible Personnel: Information Technology
Policy and/or Security Measure: There are operating system images used throughout USCIS that permit an administrator to install a standard configuration of an operating system and accompanying software.
Policy or Practice Gaps: Though it would require physical access to a USCIS machine, that former administrator would have administrator rights to GFE.
Suggested Countermeasures: Twelve percent (46) of the insiders documented in the CERT Insider Threat Case database used system administrator privileges to sabotage systems or data. Shared accounts were used by insiders following termination in 14 cases. Although an administrator would need physical access to a piece of equipment, the lack of consistency and awareness of the standard procedures may permit the account of an insider to be used following termination.

Area of Concern: Disabling Accounts or Connections Upon Employee Termination
Responsible Personnel: USCIS Leadership, Information Technology, Human Resources
Policy and/or Security Measure: The OIT typically is notified of an account termination in one of three ways: 1) A standard form called an exit clearance form is distributed and signed by other parties such as Human Resources and the Office of Security and Integrity (OSI). This form lets the OIT know that an employee's accounts should be disabled or terminated. 2) The supervisor of the departing employee contacts the OIT directly and informs them of the employee's departure. 3) When a contractor is involved, it is the responsibility of the COTR to inform the OIT. The OIT receives an "attrition list" every 2 weeks. When this list is received, a manual check is done to ensure that employees who have departed in the last 2 weeks have their account access deleted.
Policy or Practice Gaps: It is clear from interviews with USCIS personnel that a single process is neither understood nor followed for disabling accounts following an employee or contractor termination. The procedures used are not consistent between supervisors or field offices, and for federal employees versus contractors. Sometimes the exit clearance form makes it to the OIT and sometimes it does not. The OIT's task is made even more difficult by the fact that it would need to know exactly which accounts an individual has access to. Though this process is fairly effective, it potentially allows unauthorized access for 2 weeks following termination. Because this is a manual process, there is currently no automatic way to ensure that it happens. USCIS personnel cited an instance in which these procedures failed for an employee who was terminated as a contractor and later hired as a federal employee.
Suggested Countermeasures: Terminating accounts even 2 weeks following termination may not be enough to prevent unauthorized or criminal activity. As soon as HR is aware of the change, a more automated mechanism of deleting these accounts should be implemented.

Responsible Personnel: Information Technology
Policy and/or Security Measure: LPOs work in their respective regions or offices and are decentralized by nature. The policies and procedures followed often depend on how things have been done historically in that particular office.
Policy or Practice Gaps: Because account authorization procedures are not standardized throughout all organizations using the PICS, LPOs across the entire USCIS enterprise have not been consistent in how they have handled account deletion following employee termination.
Suggested Countermeasures: USCIS should continue its efforts to centralize or reduce the number of LPOs in order for standard procedures to be followed. If this cannot be accomplished, standard procedures should be published, instructed, and consistently enforced.

Area of Concern: Disabling Accounts or Connections During Employee Leave of Absences
Responsible Personnel: Information Technology, Human Resources
Policy or Practice Gaps: There is no official guidance or practice in the proper way to suspend access for an employee on a leave of absence. In one case provided by USCIS, an employee retained access to critical systems even after being placed on an administrative leave of absence.
Suggested Countermeasures: A few insiders documented in the CERT Insider Threat Case database retained access to organization systems while on a leave of absence and used that access to steal information or commit fraud. USCIS should implement a policy to outline exactly what should be done when a government employee or contractor goes on a leave of absence, considering the risks versus benefits of allowing system access.

Area of Concern: Sharing Account and Password Information
Responsible Personnel: Information Technology
Policy or Practice Gaps: Although concern has been expressed about the existence of these accounts, the business justification has taken precedence over the risk being assumed.
Suggested Countermeasures: Access to these accounts should be carefully documented and tracked so that credentials can be changed if someone in that restricted group no longer warrants access.

Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure that network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the U.S. Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors have not been through the rigorous pre-employment screening required of USCIS employees and contractors, particularly those granted access through the U.S. Department of State for access from embassies overseas. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems, and implement protection mechanisms to limit the damage that these insiders might cause.
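The account-management gaps above (accounts auto-disabled only after 30, 60 or 90 days of inactivity, pre-2007 accounts with no record of their creation, transfers and terminations not propagated to every system on which an individual holds an account, and a 2-week manual attrition-list check) can be turned into one reconciliation pass over an account inventory and the HR roster. The following is an added example in Python, not USCIS, CERT or OIT code; the record layouts, names, dates and system labels are constructed assumptions, and the thresholds are parameters.

```python
"""Account lifecycle audit: unaccounted creation, dormancy, post-status-change use.

Added example (not USCIS, CERT or OIT code). Record layouts, names and dates
are constructed; the 90-day dormancy and 14-day (2-week) disable thresholds
are the figures quoted in the report and are parameters here.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    user_id: str                  # login name on one system
    system: str                   # system the account lives on (constructed labels)
    person: str                   # person the account is supposed to be linked to
    created: date
    authorized_by: Optional[str]  # None: no record of who approved creation
    last_login: Optional[date]    # None: never used
    enabled: bool = True


@dataclass
class Person:
    name: str
    status: str                   # "active", "terminated" or "leave"
    status_date: date             # date the status took effect


@dataclass
class Finding:
    kind: str
    system: str
    user_id: str
    detail: str


def accounts_by_person(accounts: List[Account]) -> Dict[str, List[str]]:
    """Which accounts does each individual hold? (What the OIT needs at termination.)"""
    held: Dict[str, List[str]] = {}
    for a in accounts:
        held.setdefault(a.person, []).append(f"{a.system}:{a.user_id}")
    return held


def audit(accounts, people, today, dormant_days=90, disable_grace_days=14):
    """Return one Finding per gap; an account may produce several."""
    roster = {p.name: p for p in people}
    findings = []
    for a in accounts:
        p = roster.get(a.person)
        if p is None:
            findings.append(Finding("no_matching_person", a.system, a.user_id,
                                    f"linked to {a.person!r}, who is not on the roster"))
        if a.authorized_by is None:
            findings.append(Finding("no_authorization_record", a.system, a.user_id,
                                    "no record of who approved account creation"))
        # Dormancy: a never-used account ages from its creation date.
        last_used = a.last_login or a.created
        if a.enabled and (today - last_used).days > dormant_days:
            findings.append(Finding("dormant", a.system, a.user_id,
                                    f"no use for {(today - last_used).days} days"))
        if p is not None and p.status in ("terminated", "leave"):
            if a.last_login is not None and a.last_login > p.status_date:
                findings.append(Finding("activity_after_status_change", a.system, a.user_id,
                                        f"login on {a.last_login} after {p.status} on {p.status_date}"))
            if (p.status == "terminated" and a.enabled
                    and (today - p.status_date).days > disable_grace_days):
                findings.append(Finding("not_disabled_in_time", a.system, a.user_id,
                                        f"still enabled {(today - p.status_date).days} days after termination"))
    return findings


def finding_counts(findings) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data (not real USCIS records).
TODAY = date(2010, 12, 1)
SAMPLE_PEOPLE = [
    Person("A. Analyst", "active", date(2008, 1, 15)),
    Person("B. Contractor", "terminated", date(2010, 11, 1)),
    Person("C. Officer", "leave", date(2010, 11, 20)),
]
SAMPLE_ACCOUNTS = [
    Account("aanalyst", "CLAIMS3", "A. Analyst", date(2008, 2, 1), "LPO-VT", date(2010, 11, 30)),
    Account("aanalyst", "PICS", "A. Analyst", date(2008, 2, 1), "LPO-VT", date(2010, 7, 1)),
    Account("bcontract", "CLAIMS3", "B. Contractor", date(2009, 5, 10), "COTR-1", date(2010, 11, 5)),
    Account("cofficer", "PICS", "C. Officer", date(2007, 3, 1), "LPO-NCR", date(2010, 11, 25)),
    Account("legacy01", "PICS", "Unknown", date(2005, 6, 1), None, None),  # no paperwork on file
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS, SAMPLE_PEOPLE, TODAY):
        print(f"{f.kind:28} {f.system}:{f.user_id:10} {f.detail}")
```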
Oth
era
cces
sco
ntro
liss
ues
that
sho
uld
bec
onsi
dere
din
clud
eun
rest
rict
eda
cces
sto
som
ecr
itica
lsys
tem
sby
OIT
sta
ffl
ack
ofc
onsi
sten
tpro
ces
ses
for
man
agin
gem
ploy
eea
cces
sas
they
mov
efr
omo
ned
epar
tmen
tto
the
next
with
inU
SCIS
abi
lity
tou
sep
erso
nalc
ompu
ters
for
USC
IS
wor
ka
ndla
cko
fmon
itori
nga
ndc
ontr
ols
for
som
ecr
itica
lsys
tem
adm
inis
trat
ion
func
tions
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sA
cces
sCo
ntro
l
Fore
ign
Serv
ice
Nat
iona
ls
Info
rmat
ion
Tech
nolo
gy
Hum
anR
esou
rces
O
ffic
eof
Sec
urit
yan
dIn
te
grit
y
Curr
ently
aF
orei
gnS
ervi
ceN
atio
nal
(FSN
)req
uiri
nga
cces
sto
USC
ISs
ys
tem
ssu
bmits
pap
erw
ork
incl
udin
ga
wai
ver
thro
ugh
the
USC
ISd
irec
tor
and
the
CIO
and
CSO
ofD
HS
Alth
ough
the
asse
ssm
entt
eam
was
ab
leto
get
lim
ited
visi
bilit
yin
toth
is
prac
tice
its
eem
sto
be
alig
ned
with
th
epo
licy
Ift
rue
ith
asg
iven
USC
IS
and
DH
Sbe
tter
vis
ibili
tyin
toth
isa
ctiv
ity
The
prac
tice
shou
ldb
eco
ntin
ued
and
expa
nded
as
need
edto
in
form
all
rele
vant
USC
ISp
erso
nne
l
Info
rmat
ion
Tech
nolo
gy
Hum
anR
esou
rces
Pe
rson
nelS
ecur
ity
Off
ice
ofS
ecur
ity
and
In
tegr
ity
Whe
nFS
Ns
requ
ire
acce
ssto
USC
IS
syst
ems
ine
mba
ssie
san
dco
nsul
ates
ab
road
the
yar
eve
tted
by
the
US
D
epar
tmen
tofS
tate
Beca
use
the
US
Dep
artm
ento
fSta
te
isp
erfo
rmin
gth
eve
ttin
gpr
oces
s
USC
ISh
asv
ery
little
con
trol
or
visi
bil
ityin
toth
epr
oces
sfo
rgr
antin
gFS
Ns
acce
ssto
USC
ISs
yste
ms
and
net
wor
ks
Inte
rvie
wee
sst
ated
that
in
som
eca
ses
FSN
sha
vea
dmin
istr
ativ
eco
ntro
love
rso
me
syst
ems
and
that
in
oth
erc
ases
the
yar
ese
rvin
gas
in
form
atio
nsy
stem
sec
urity
off
icer
s(IS
SOs)
USC
ISs
houl
dga
ina
bet
ter
un
ders
tand
ing
ofth
eU
SD
epar
tm
ento
fSta
tersquos
vet
ting
proc
ess
and
clar
ifyit
sow
nre
quir
emen
ts
for
gran
ting
and
trac
king
acc
ess
for
FSN
sto
USC
ISs
yste
ms
If
cont
inue
dac
cess
isr
equi
red
the
proc
edur
esto
doc
umen
tand
co
ntro
ltha
tacc
ess
shou
ldb
ene
gotia
ted
with
the
US
De
part
men
tofS
tate
and
con
sis
tent
lye
nfor
ced
Info
rmat
ion
Tech
nolo
gy
Onc
ea
trad
ition
alu
ser
acco
unti
scr
eate
dth
ere
isli
ttle
ton
ow
ayto
di
stin
guis
han
FSN
acc
ount
from
one
be
long
ing
toa
US
citi
zen
Beca
use
anF
SNa
ccou
ntis
not
dis
tin
guis
habl
efr
omo
ther
acc
ount
sit
w
ould
be
extr
emel
ydi
ffic
ultt
oas
so
ciat
esp
ecifi
con
line
activ
ities
with
ac
coun
tsb
elon
ging
toF
SNs
Em
ail
USC
ISs
houl
dco
nsid
erw
heth
er
orn
otit
wan
tsth
eab
ility
tod
is
tingu
ish
wha
tonl
ine
activ
ities
an
dac
cess
esF
SNs
are
enga
ging
in
If
soi
tsho
uld
inco
rpor
ate
CERT | SOFTWARE ENGINEERING INSTITUTE | 83
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sad
dres
ses
appe
arth
esa
me
and
viol
atio
nac
tiviti
esw
ould
not
eas
ilyb
eat
trib
uted
toa
nFS
N
thos
est
eps
into
the
proc
edur
es
men
tione
dab
ove
Info
rmat
ion
Tech
nolo
gy
DH
Sis
inth
epr
oces
sof
bui
ldin
ga
secu
rein
tran
etc
alle
dO
neN
et
whi
chw
illb
ette
ren
able
info
rmat
ion
shar
ing
amon
gD
HS
com
pone
nts
Th
isp
roje
ctw
illb
een
able
dby
inte
rco
nnec
tion
agre
emen
tsb
etw
een
segm
ents
Onc
eth
eap
prop
riat
ein
terc
onne
ctio
nag
reem
ents
are
inp
lace
itw
illb
eha
rder
tor
estr
icta
cces
sfo
rFSN
sto
sp
ecifi
csy
stem
s(e
g
Shar
ePoi
nt)
USC
ISs
houl
dm
ake
ade
term
ina
tion
abou
twhe
ther
or
notF
SN
acce
sss
houl
dbe
any
diff
eren
tfr
omo
ther
sim
ilar
acco
unts
of
US
citi
zens
If
the
lack
ofr
est
rict
ions
isu
nacc
epta
ble
that
is
sue
shou
ldb
ebr
ough
tto
DH
Spe
rson
nelr
espo
nsib
lefo
rim
pl
emen
ting
the
One
Net
sol
utio
n
Acc
ess
cont
rols
Ther
ear
ebu
sine
ssp
roce
ssa
ndr
eso
urce
s(e
g
PICS
CLA
IMS
3a
nd
CLA
IMS
4)th
ata
res
hare
dw
ithIC
E
This
par
tner
ship
isa
nar
tifac
toft
he
past
and
cur
rent
rel
atio
nshi
psb
etw
een
depa
rtm
ents
with
inD
HS
For
thes
esh
ared
res
ourc
esto
func
tio
npr
oper
lyt
hey
requ
ire
care
ful
coor
dina
tion
whi
chd
oes
nott
ake
plac
ein
all
case
sF
ore
xam
ple
USC
IS
does
not
rec
eive
ac
opy
ofth
efo
rmal
ac
cess
req
uest
sub
mitt
edto
ICE
for
anIC
Eem
ploy
eeto
acc
ess
aU
SCIS
sy
stem
USC
ISs
houl
dca
refu
llyd
ocum
ent
wha
tacc
ess
isb
eing
gra
nted
to
any
part
ies
exte
rnal
toU
SCIS
If
addi
tiona
lcoo
rdin
atio
nis
re
quir
edi
tsho
uld
bed
one
with
th
ere
leva
ntd
epar
tmen
tso
fD
HS
For
cert
ain
info
rmat
ion
syst
ems
lo
cala
ndr
emot
elo
gins
are
not
per
m
itted
bet
wee
nth
eho
urs
of1
130
p
ma
nd6
00
am
Th
isp
ract
ice
clos
ely
adhe
res
toth
epo
licy
for
spec
ific
syst
ems
Enfo
rcin
ga
man
dato
rya
cces
spe
riod
may
hel
pen
sure
that
a
mal
icio
usin
side
ris
not
usi
ngs
ys
tem
sw
hen
supe
rvis
ion
isle
ss
ened
Ei
ghtp
erce
nt(2
9)o
fthe
in
side
rsd
ocum
ente
din
the
CERT
In
side
rTh
reat
Cas
eda
taba
se
CERT | SOFTWARE ENGINEERING INSTITUTE | 84
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sus
eda
cces
sou
tsid
eof
nor
mal
w
orki
ngh
ours
toc
arry
out
thei
rill
icit
activ
ities
Whe
nan
em
ploy
eea
ttem
pts
tolo
gin
toa
res
tric
ted
syst
emd
urin
gof
fpe
akh
ours
an
auto
mat
ice
mai
lno
tice
iss
entb
yth
eO
ITto
per
sons
in
the
empl
oyee
rsquosm
anag
emen
tch
ain
ofc
omm
and
This
pra
ctic
eis
not
con
sist
enta
cros
sal
lsys
tem
san
dis
not
par
tofo
ther
in
cide
ntr
espo
nse
proc
edur
es
USC
ISs
houl
dco
nsid
erim
ple
men
ting
this
pra
ctic
ein
toth
ela
rger
sys
tem
ofi
ncid
entr
esp
onse
to
incl
ude
corr
elat
ion
with
oth
ere
vent
san
dov
era
pe
riod
oft
ime
Acc
ess
Priv
ilege
sndash
Gen
eral
USC
ISL
eade
rshi
p In
form
atio
nTe
chno
logy
Att
heV
erm
ontS
ervi
ceC
ente
rO
IT
staf
fare
the
only
one
spr
esen
tlat
eat
nig
ht
As
part
oft
heir
dut
ies
they
al
soh
ave
elec
tron
ica
cces
sto
the
CLA
IMS3
info
rmat
ion
syst
em
As
afu
nctio
nof
the
elec
tron
ica
cces
san
dth
eph
ysic
alla
yout
oft
heS
ervi
ce
Cent
erO
ITp
erso
nnel
hav
eac
cess
to
CLA
IMS3
as
wel
las
the
phys
ical
file
sin
the
build
ing
U
SCIS
sho
uld
cons
ider
the
min
im
umle
velo
facc
ess
(leas
tpriv
ile
ge)n
eede
dfo
ral
lper
sonn
elto
ac
com
plis
hth
eir
job
dutie
sT
hir
teen
per
cent
(49)
oft
hein
side
rs
docu
men
ted
inth
eCE
RTIn
side
rTh
reat
Cas
eda
taba
sev
iola
ted
ane
edto
kno
win
ord
erto
per
pe
trat
eth
eir
crim
esi
nclu
ding
st
ealin
gPI
Iand
pro
prie
tary
in
form
atio
nI
nad
ditio
ns
ever
al
insi
ders
com
mitt
edth
eir
crim
es
whi
lew
orki
ngo
nth
eni
ghts
hift
w
here
they
enj
oyed
ar
educ
ed
leve
lofs
crut
iny
Unr
estr
icte
del
ectr
onic
and
phy
sica
lacc
ess
to
such
hig
hri
skd
ata
and
syst
ems
outs
ide
ofn
orm
alw
orki
ngh
ours
pr
esen
tsa
hig
hde
gree
ofr
isk
to
CERT | SOFTWARE ENGINEERING INSTITUTE | 85
Sugg
este
dCo
unte
rmea
sure
s
USC
IS
Sinc
eU
SCIS
can
notd
eter
min
ew
hata
cces
sth
eU
SD
epar
tmen
tof
Sta
teg
rant
sto
FSN
son
its
sys
tem
sU
SCIS
sho
uld
cont
inue
to
use
tech
nica
lmea
sure
sto
pre
ve
ntu
naut
hori
zed
acce
ssw
hile
w
orki
ngw
ithc
ount
erin
telli
genc
epe
rson
nelt
ode
alw
iths
uspe
cted
fo
reig
nag
ents
wor
king
aro
und
US
gov
ernm
entf
acili
ties
A
few
insi
ders
inth
eca
ses
ana
lyze
dby
CER
Tus
edth
eir
un
revo
ked
acce
ssto
the
orga
niza
Polic
yor
Pra
ctic
eG
aps
Acc
ordi
ngto
one
inte
rvie
wee
som
eFS
Ns
onth
eCo
nsul
arA
ffai
rsn
etw
ork
are
susp
ecte
dto
be
wor
king
for
arm
sof
fore
ign
inte
llige
nce
ors
ecur
ity
agen
cies
U
SCIS
has
use
dte
chni
cal
met
hods
(eg
fir
ewal
ls)t
oen
sure
th
atU
SCIS
sys
tem
sar
epr
otec
ted
from
any
inte
rcon
nect
ions
with
the
US
Dep
artm
ento
fSta
tersquos
net
wor
ks
This
sin
gle
poin
toff
ailu
rem
akes
it
diff
icul
tto
reco
ver
from
am
alic
ious
ac
ton
this
par
ticul
ars
yste
m
Polic
yan
dor
Sec
urit
yM
easu
re
The
US
Dep
artm
ento
fSta
teC
onsu
la
rA
ffai
rsn
etw
ork
gran
tsa
cces
sto
FSN
sw
orki
ngin
em
bass
ies
and
con
su
late
san
dit
conn
ects
toU
SCIS
sys
te
ms
Ther
eis
as
ingl
epe
rson
who
has
the
know
ledg
eof
and
res
pons
ibili
tyfo
rad
min
iste
ring
the
voic
emai
lsys
tem
s
Resp
onsi
ble
Pers
onne
l
Info
rmat
ion
Tech
nolo
gy
Off
ice
ofS
ecur
ity
and
In
tegr
ity
Are
aof
Con
cern
Acc
ess
Priv
ilege
sndash
Syst
emA
dmin
is
trat
or
CERT | SOFTWARE ENGINEERING INSTITUTE | 86
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sfo
rU
SCIS
tionrsquo
sph
one
syst
emto
har
mth
eor
gani
zatio
nI
non
eca
set
he
entir
ecu
stom
ers
ervi
cev
oice
m
ails
yste
mw
asr
edir
ecte
dto
a
porn
ogra
phic
pho
nes
ite
Ina
not
her
der
ogat
ory
com
men
ts
abou
tthe
org
aniz
atio
nw
ere
re
cord
eda
ndp
laye
dfo
rev
ery
voic
em
ailb
ox
USC
ISs
houl
dpl
ace
addi
tiona
lst
affi
nth
ero
leo
fadm
inis
trat
ors
for
the
USC
ISv
oice
mai
lsys
tem
Th
isw
ould
allo
wU
SCIS
toim
pl
emen
tsom
efo
rmo
fsep
ara
tion
ofd
utie
so
rat
the
very
le
ast
min
imal
che
cks
and
bal
ance
sto
pre
vent
tam
peri
ngw
ith
the
voic
emai
lsys
tem
U
SCIS
sho
uld
ensu
reth
atit
man
ag
esa
ccou
nts
and
pass
wor
dsfo
rin
tern
als
yste
ms
such
as
voic
em
ail
asw
ella
sex
tern
ala
cco
unts
O
nein
side
rdo
cum
ente
din
the
CERT
Insi
der
Thre
atC
ase
data
base
cha
nged
the
dom
ain
nam
esy
stem
reg
istr
yfo
rhis
or
gani
zatio
nrsquos
web
site
so
that
vis
ito
rsw
ere
sent
toa
por
nogr
aphi
c
CERT | SOFTWARE ENGINEERING INSTITUTE | 87
Suggested Countermeasures (continued): These types of accounts are used very infrequently and are often not included in formal termination procedures.

Area of Concern: Management of Remote Access

Responsible Personnel: Information Technology; Security Network Operations Center

Policy and/or Security Measure: Port security would prevent a user from connecting a personal machine directly to a USCIS network. This security mechanism is handled by the SNOC. Remote access, on the other hand, is handled by DHS. USCIS has access to very limited information, including logs for remote connections, because of contract stipulations with Sprint. The assessment team received conflicting opinions about whether a personal machine could be connected with a remote account.

Policy or Practice Gaps: Although connecting a personal laptop to a USCIS network via a remote connection may or may not be blocked, the SNOC was not confident it would be blocked because it does not control that access. It is possible that a user could connect with a personal machine if DHS allowed it.

Suggested Countermeasures: USCIS should coordinate with DHS personnel to ensure that desired USCIS security policies are enforced for personnel accessing USCIS systems and data. Seven percent (26) of the insiders documented in the CERT Insider Threat Case database were able to attack in part because of insufficient monitoring of external access.
Responsible Personnel: USCIS Leadership; Information Technology

Policy or Practice Gaps: The contractors responsible for VIS have implemented a strict access control solution with Firepass, and it appears to accomplish its goal of ensuring that only the proper personnel are granted access and that they perform authorized actions once they are connected. Unfortunately they are the only contractors and system using Firepass, and it will not be used once the move is made to Stennis Space Center. They are unsure of what controls will be used at Stennis.

Suggested Countermeasures: Implementing a Firepass solution for all USCIS systems might not be cost effective. USCIS management should at least examine the risk posed to the most critical systems and implement a Firepass-like solution for those that require remote access. As stated above, one in ten insiders documented in the CERT Insider Threat Case database used the creation of unknown paths into organization systems; proper measures might have prevented many of those instances.
Area of Concern: Non-System Administrator Authorized Access to Administrator Accounts

Responsible Personnel: USCIS Leadership; Information Technology

Policy and/or Security Measure: The US Department of State has authorized access for some FSNs to some USCIS systems needed for the performance of their duties.

Policy or Practice Gaps: According to one interviewee, FSNs are system administrators on some US Department of State systems in embassies or consulates abroad. An FSN who is a system administrator for US Department of State systems does not necessarily have administrator rights on USCIS systems. One interviewee expressed concern, however, that an administrator who is a citizen of a foreign country could escalate privileges or use social engineering tactics to gain unauthorized access to USCIS systems.

Suggested Countermeasures: Ten percent (39) of insiders documented in the CERT Insider Threat Case database took advantage of insufficient access controls to conduct their crimes. USCIS should examine USCIS system access for US Department of State system administrators as well as how those connections are monitored or logged. They should also work with the US Department of State to understand its processes for granting FSNs access to US Department of State systems.
Responsible Personnel: USCIS Leadership; Information Technology

Policy and/or Security Measure: There are currently no limits on the A-files an adjudicator can request in the National File Tracking System (NFTS).

Policy or Practice Gaps: The lack of limits placed on requesting A-files in NFTS may allow adjudicators to request a file by name even if they should not be accessing that file.

Suggested Countermeasures: There should be logical controls which detect "extraordinary" or suspicious file transfer requests. In one USCIS case the insider requested a file transfer to a region for an individual whose files were in another region and whose forms had been previously denied.
Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating insider threat risk to organizations. The unauthorized exfiltration of controlled information can have devastating effects on an organization. A variety of insider threat cases studied by CERT [show that] malicious insiders carried out an attack through the download of information to portable media or [...] to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand what constitutes acceptable use of company resources, including information assets, and enforce compliance [with] policies regarding [...] through technical means. In some instances malicious insiders used [...] storage devices [...] amounts of data downloaded [...]. [Organizations that] implemented network monitoring strategies that would detect large, anomalous increases in network traffic by total volume or type of traffic (e.g., by either port or protocol) [...]; monitoring network traffic may help protect controlled [information in] circumstances in which internal [...].

Area of Concern: Data Download [...] Media

Responsible Personnel: Information Technology

Policy and/or Security Measure: USCIS has [...] information [...] email to [...] the insider [...]
Area of Concern: Data Download From Home

Responsible Personnel: [...]

Policy and/or Security Measure: There is a policy against using personally owned computer equipment to perform official duties. Telework should only be done with government furnished equipment (GFE).

Policy or Practice Gaps: A case from the USCIS Conviction Task Force showed that an employee performed a significant amount of official business, including [...] personal email [...], on his personal laptop [...]

Suggested Countermeasures: [text not recoverable; surviving fragments refer to a security awareness campaign, technically enforced exceptions, and logging of USB devices]
[...de]velop a system that he was rewarded for producing. There are no technical controls to catch this activity unless the device is physically plugged into the network.

Area of Concern: Protecting Critical Information

Responsible Personnel: Information Technology

Policy and/or Security Measure: The SNOC responds to spills of PII [...] files, which occur on a weekly basis. Information about the incident is transferred from the data owner who becomes aware of the spill to the OSI, which creates a Serious Incident Report (SIR) that it forwards to the Privacy Officer and finally to the SNOC.

Policy or Practice Gaps: USCIS responds to PII spillages often enough that its staff is well versed in response procedures. Unfortunately the frequency with which incidents occur and the response procedures in place do not seem to reduce the number of incidents or provide automated detection when spillage occurs. The response effort to a PII spillage involves many parties and appears to be a complicated process for an event that happens on a weekly basis. Though these spillages are accidental events [...]
Suggested Countermeasures: USCIS should continue this practice as part of its incident response procedures. Incorporating an appropriate level of monitoring would also be a prudent measure.

Policy or Practice Gaps: This practice appears to be done consistently.

Policy and/or Security Measure: Access to network resources is terminated immediately when a spill or misconduct is suspected.

Responsible Personnel: Information Technology

Audit, Monitor, Backup, Recovery

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats. Preventing insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database an insider was able to magnify the impact of his attack by accessing and destroying backup media.
In addition, the SNOC lacks the resources to focus on monitoring for suspicious insider activity, focusing instead primarily on protection from external incidents.

Area of Concern: Modification/Disabling [of] Log Files

Responsible Personnel: Information Technology

Policy and/or Security Measure: Log files are accessible by the domain administrators and system administrators of each respective system.

Policy or Practice Gaps: The lack of consistency for what is logged across USCIS servers, systems, applications, and workstations is concerning. Several parties addressed [...]

Suggested Countermeasures: USCIS should send critical logs to a centralized log server and protect the log files to permit a forensic reconstruction of network or host based events. Although six percent (23) of the insiders documented in the CERT Insider Threat Case database were able to modify or disable [...]
Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Area of Concern: Monitoring Suspicious Activity

Responsible Personnel: Information Technology

Suggested Countermeasures (continued): [...] log files.

Policy or Practice Gaps (continued): [...] are sometimes limited to 24 hours or less of collection. [Several parties addressed] the fact that IT personnel must be able to physically reach a machine in a timely fashion if they hope to capture logs related to an incident. This assumption makes it likely that critical log information will be missed.
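The countermeasure above (send critical logs to a central server and protect them so that a forensic reconstruction is possible) needs the collector to be able to tell whether entries were altered or removed after the originating host shipped them. The following is an added example, not code from the report or from any USCIS system: an append-only log in which each entry carries an HMAC over the previous entry's tag and its own content, so that a verifier holding the key detects edits, deletions and reordering. The key, host names and sample events are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List


class ChainedLog:
    """Append-only log in which each entry carries an HMAC over the previous
    entry's tag and its own content. A collector holding the key can then tell
    whether any shipped entry was altered, deleted or reordered afterwards.
    The key and the sample records below are constructed for this example."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[Dict] = []
        self._last_tag = b"genesis"   # chain anchor; the verifier starts from the same value

    def append(self, record: Dict) -> str:
        payload = json.dumps(record, sort_keys=True).encode()
        tag = hmac.new(self._key, self._last_tag + payload, hashlib.sha256).hexdigest()
        self.entries.append({"record": record, "tag": tag})
        self._last_tag = bytes.fromhex(tag)
        return tag


def verify_chain(entries: List[Dict], key: bytes) -> int:
    """Return the index of the first entry whose tag does not verify, or -1
    if the whole chain is intact."""
    last = b"genesis"
    for i, e in enumerate(entries):
        payload = json.dumps(e["record"], sort_keys=True).encode()
        expected = hmac.new(key, last + payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["tag"]):
            return i
        last = bytes.fromhex(e["tag"])
    return -1


KEY = b"example-collector-key"  # constructed; a real key would be held by the collector, not the host


def sample_log() -> ChainedLog:
    """Three constructed host events of the kind an administrator could otherwise erase."""
    log = ChainedLog(KEY)
    log.append({"ts": "2010-11-02T08:14:00Z", "host": "srv-07", "user": "jdoe", "event": "login"})
    log.append({"ts": "2010-11-02T08:20:12Z", "host": "srv-07", "user": "jdoe", "event": "sudo"})
    log.append({"ts": "2010-11-02T08:21:40Z", "host": "srv-07", "user": "jdoe", "event": "auditd stopped"})
    return log


def tampered_copy(entries: List[Dict], drop_index: int) -> List[Dict]:
    """Simulate one entry being deleted from a copy of the log."""
    copy = [dict(e) for e in entries]
    del copy[drop_index]
    return copy


if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify_chain(log.entries, KEY))
    print("entry 1 deleted, first bad index:", verify_chain(tampered_copy(log.entries, 1), KEY))
```

One caveat the chain alone does not cover: dropping entries from the tail leaves a valid shorter chain, so the collector must also record the last tag (or a count) it received from each host and alert when a later shipment does not continue from it. That is the gap behind the report's 24-hour collection window: if logs are only pulled when someone reaches the machine, the tail is exactly what an insider has time to remove.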
Policy and/or Security Measure: Database administrators are responsible for monitoring and alerting when data access attempts are made to critical data in USCIS databases.

Responsible Personnel: Information Technology; Information Technology
Suggested Countermeasures: USCIS should consider clearly defining the responsibility of database administrators and the SNOC for monitoring, alerting, and responding to unauthorized data access. Once the responsibility is assigned, the appropriate group should diligently prevent, detect, and respond to unauthorized data access, modification, and exfiltration attempts.

USCIS should consider implementing a network monitoring strategy that monitors and filters inbound and outbound network traffic. This strategy may prevent or detect the unauthorized transfer of USCIS data outside the organization. Many insiders documented in the CERT Insider Threat Case database were able to commit their malicious activities using laptops.

Policy or Practice Gaps: Network traffic filtering is happening only on inbound traffic, not outbound traffic. The resources do not exist to examine outbound traffic, only inbound traffic. Furthermore, the intrusion detection systems are not optimized to detect security events.

Policy and/or Security Measure: USCIS has the ability to create inbound firewall rules to filter potentially malicious network traffic. No evidence provided.

Responsible Personnel: Information Technology; Information Technology
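Both the Protection of Controlled Information section (detect large, anomalous increases in network traffic by total volume or by port or protocol) and the countermeasure above (monitor outbound as well as inbound traffic) describe the same detection. The following is an added example, not code from the report or from the SNOC's tooling, of that baseline-and-deviation logic run over flow records: it flags a host whose outbound byte volume for the day is far above its own history, and a host that talks outbound on a port/protocol it has never used before. The flow tuple layout, host names and byte counts are constructed for the example; a real deployment would map NetFlow/IPFIX or firewall-log fields onto them.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One flow record: (day, host, direction, dst_port, protocol, bytes).
# This tuple layout is an assumption for the example; a real deployment would
# map NetFlow/IPFIX or firewall-log fields onto it.
Flow = Tuple[int, str, str, int, str, int]


def daily_outbound(flows: List[Flow]) -> Dict[str, Dict[int, int]]:
    """Total outbound bytes per host per day."""
    totals: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for day, host, direction, _port, _proto, nbytes in flows:
        if direction == "out":
            totals[host][day] += nbytes
    return totals


def baseline_ports(flows: List[Flow], upto_day: int) -> Dict[str, Set[Tuple[int, str]]]:
    """(port, protocol) pairs each host used outbound before upto_day."""
    seen: Dict[str, Set[Tuple[int, str]]] = defaultdict(set)
    for day, host, direction, port, proto, _ in flows:
        if direction == "out" and day < upto_day:
            seen[host].add((port, proto))
    return seen


def detect_anomalies(flows: List[Flow], today: int, z_threshold: float = 3.0):
    """Flag hosts whose outbound volume on `today` is far above their own
    history (z-score over prior days) and hosts that talked outbound on a
    port/protocol they had never used before."""
    alerts = set()
    for host, per_day in daily_outbound(flows).items():
        history = [b for d, b in per_day.items() if d < today]
        if len(history) < 2:
            continue  # not enough history to form a baseline
        mean = statistics.mean(history)
        sd = statistics.pstdev(history) or 1.0  # flat history: any rise counts in 1-byte units
        z = (per_day.get(today, 0) - mean) / sd
        if z > z_threshold:
            alerts.add((host, "volume", f"z={z:.1f}"))
    known = baseline_ports(flows, today)
    for day, host, direction, port, proto, _ in flows:
        if direction == "out" and day == today and (port, proto) not in known[host]:
            alerts.add((host, "new-port", f"{proto}/{port}"))
    return sorted(alerts)


def sample_flows() -> List[Flow]:
    """Constructed flows: ws-17 is normal for five days, then pushes 250 KB out
    over HTTPS and opens an SSH session it never used before; ws-42 stays flat."""
    flows: List[Flow] = []
    for day, nbytes in zip(range(1, 6), (900, 1100, 1000, 950, 1050)):
        flows.append((day, "ws-17", "out", 443, "tcp", nbytes))
        flows.append((day, "ws-42", "out", 443, "tcp", 1000))
        flows.append((day, "ws-42", "in", 443, "tcp", 50000))
    flows.append((6, "ws-17", "out", 443, "tcp", 250000))
    flows.append((6, "ws-17", "out", 22, "tcp", 40000))
    flows.append((6, "ws-42", "out", 443, "tcp", 1000))
    return flows


if __name__ == "__main__":
    for alert in detect_anomalies(sample_flows(), today=6):
        print(alert)
```

The per-host baseline is what makes this usable without the outbound-inspection resources the report says the SNOC lacks: it needs only flow summaries, not payload, and the "new port" rule catches a change of channel even when the volume stays small.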
Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that includes forensic tools to aid investigations.

In six percent (22) of the cases documented in the CERT Insider Threat Case database the impact of the crime was magnified because of insufficient backups. When possible, backups should be implemented on similar hardware to ensure that the backup tape is functional and the backup is operational.

Policy or Practice Gaps: The SNOC has had problems identifying the root cause of an affected workstation or user because of the lack of network forensic applications. Ideally the SNOC should be able to trace network traffic from source to destination and watch activity. It has a standalone forensic capability but nothing on the network.

Tabletop exercises may not give USCIS a true indication of its ability to recover from a systemic failure.

Policy and/or Security Measure: The SNOC is responsible for determining the root cause of an incident, including using forensic tools to identify affected workstations, desktops, and laptops.

Backup testing for many systems occurs once per year. In some cases the backups are only tested with a tabletop exercise and do not use similar or identical hardware to that used in the production environment.

Responsible Personnel: Information Technology; Information Technology

Area of Concern: Backups
Responsible Personnel: Information Technology

Policy and/or Security Measure: Years of backup tapes are kept onsite at the Vermont Service Center, and system administrators have access to these backup files.

Policy or Practice Gaps: Administrators who have access to the backup tapes would be able to [...]

Suggested Countermeasures: Backup media should be controlled, carefully documented, and stored offsite with limited access. Without those controls USCIS cannot be sure its backups will give it the ability to recover [...]

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders following termination will sometimes exploit known technical vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to address known security vulnerabilities and ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.
Suggested Countermeasures: [...]

Policy or Practice Gaps: The presence of host, perimeter, and malware protection for USCIS puts USCIS in a relatively secure position regarding malicious downloads.

Policy and/or Security Measure: The OIT relies on two mechanisms to detect the download of malicious code: 1) DHS monitors the Internet gateway and alerts the OIT immediately upon discovery of known malware; 2) [an agent on] workstations [...] also detect[s] [...]. The OIT shuts down the port to block malicious code where appropriate [...] installs [...].

Responsible Personnel: Information Technology; Information Technology

Area of Concern: Addressing Known Security Vulnerabilities
Suggested Countermeasures: Twelve percent (46) of the cases documented in the CERT Insider Threat Case database involve users abusing administrator privileges to sabotage systems or data. Although USCIS users need administrator rights to install or run authorized software, the OIT should consider giving users separate administrator accounts for these explicit purposes. Users could then use non-administrator accounts for their daily work. This would greatly minimize the risk of malware compromise.

Policy or Practice Gaps: A mitigating factor is that the departing employee would need physical access to the system to log in. A user with administrator privileges must not rely solely on automatic mechanisms to safeguard his or her computer. Administrator rights give inadvertently downloaded malware the ability to completely compromise a system, sometimes without the knowledge of the user.

Policy and/or Security Measure: [...]tion of malicious code from USBs and other media. USCIS users have local administrator rights on their own machines. This allows users to install software on their systems. Some authorized software does require administrator rights to install. Some applications actually require administrator rights to run.

Responsible Personnel: Information Technology

Area of Concern: Unmanaged Systems
Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy, the OIT has difficulty keeping track of the 90-150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, there have been USCIS employees with seniority or influence who are able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management make it difficult for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.

Area of Concern: Configuration Management

Responsible Personnel: USCIS Leadership; Information Technology

Policy and/or Security Measure: The OIT has a configuration management policy for software configuration baselines. The OIT scans for incorrect, outdated, or unpatched versions of software on the ap[proved software list.]

Policy or Practice Gaps: Despite rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware [...]

Suggested Countermeasures: Seventeen cases documented in the CERT Insider Threat Case database involve users exploiting the lack or weakness of a configuration management system [...]
Policy and/or Security Measure (continued): [...]proved software list. The OIT keeps track of different baselines for different contracts.

Policy or Practice Gaps (continued): [Rogue software or malware] is often discovered through a deliberate manual scan rather than through an automated process.

Suggested Countermeasures (continued): [...] to carry out their attacks. The OIT could leverage the existing ePO deployment to complement its configuration management efforts. ePO can define a baseline for software applications and alert on any deviations from that baseline.

Area of Concern: Configuration Management

Responsible Personnel: USCIS Leadership

Policy and/or Security Measure: No evidence provided.

Policy or Practice Gaps: In some cases individuals with seniority or influence are able to use administrator privileges to install software for the sake of convenience.

Suggested Countermeasures: USCIS should ensure that configuration policy is consistently communicated and enforced throughout the organization. Even senior leadership should not be able to casually circumvent these policies without going through the proper channels as defined by the configuration management policy.

Area of Concern: Configuration Management

Responsible Personnel: USCIS Leadership; Information Technology

Policy and/or Security Measure: Service Centers are responsible for locking down desktops to prevent unauthorized software from running.

Policy or Practice Gaps: The lockdown process relies on human intervention. If call volume to the Service Center is heavy, this may increase response time to an unacceptable level.

Suggested Countermeasures: The OIT should explore ways to automate lockdown of potentially compromised systems. This would require a careful balance of service versus security. On the service side, delayed response by the Service Center may result in loss of productivity. On the security side, delayed response could
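The Configuration Management section says deviations from the approved baseline should be logged so they can be investigated, and the countermeasure above says a tool such as ePO can define a software baseline and alert on deviations. The following is an added example, not code from the report, from USCIS, or from ePO, of that comparison written out: an approved-software baseline with minimum versions, per-host inventories, and a check that reports unapproved packages, outdated versions and missing required software as log lines. Package names, versions and host names are constructed for the example.

```python
from typing import Dict, List, Tuple

# Types for the example. Package names and versions below are constructed, not
# USCIS's approved software list, and the check is a generic stand-in for what
# an agent such as ePO would evaluate against its baseline.
Baseline = Dict[str, str]       # approved package -> minimum approved version
Inventory = Dict[str, str]      # installed package -> installed version
Finding = Tuple[str, str, str]  # (host, finding type, detail)


def version_tuple(v: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically so that 9.10 sorts above 9.3."""
    return tuple(int(p) for p in v.split("."))


def compare_to_baseline(host: str, installed: Inventory, baseline: Baseline,
                        required: List[str]) -> List[Finding]:
    """Deviations of one host from the approved configuration baseline."""
    findings: List[Finding] = []
    for pkg, ver in sorted(installed.items()):
        if pkg not in baseline:
            findings.append((host, "unapproved", pkg))
        elif version_tuple(ver) < version_tuple(baseline[pkg]):
            findings.append((host, "outdated", f"{pkg} {ver} < {baseline[pkg]}"))
    for pkg in required:
        if pkg not in installed:
            findings.append((host, "missing-required", pkg))
    return findings


def audit_fleet(inventories: Dict[str, Inventory], baseline: Baseline,
                required: List[str]) -> List[Finding]:
    """Run the baseline comparison across every host."""
    report: List[Finding] = []
    for host, inv in sorted(inventories.items()):
        report.extend(compare_to_baseline(host, inv, baseline, required))
    return report


def to_log_lines(findings: List[Finding]) -> List[str]:
    """Render deviations as log lines so they can be shipped and investigated."""
    return [f'config-deviation host={h} type={t} detail="{d}"' for h, t, d in findings]


BASELINE: Baseline = {"antivirus": "8.7.0", "office": "12.0.3", "pdf-reader": "9.3.1"}
REQUIRED = ["antivirus"]
INVENTORIES: Dict[str, Inventory] = {
    "host-a": {"antivirus": "8.7.0", "office": "12.0.3", "p2p-client": "1.0"},
    "host-b": {"office": "12.0.1", "pdf-reader": "9.10.0"},
}

if __name__ == "__main__":
    for line in to_log_lines(audit_fleet(INVENTORIES, BASELINE, REQUIRED)):
        print(line)
```

Treating an unapproved package as a finding regardless of who installed it is what closes the gap the report describes: a senior employee's convenience install shows up in the same log as anyone else's, and the investigation, not the check, decides whether it was authorized through the proper channels.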
Suggested Countermeasures (continued): lead to system compromise. Management should evaluate the risks of a compromise and weigh those risks against the potential consequences of service disruption.
Appendix H Acronyms

C3-LAN: CLAIMS 3 – Local Area Network
CBP: Customs and Border Protection
CI: Counterintelligence
CIO: Chief Information Officer
CLAIMS: Computer Linked Application Information Management System
CMMI: Capability Maturity Model Integration
COTR: Contracting Officer's Technical Representative
CSC: Computer Sciences Corporation
CSIRT: Computer Security Incident Response Team
CSO: Chief Security Officer
CMU: Carnegie Mellon University
DBA: Database Administrator
DHS: Department of Homeland Security
DOJ: Department of Justice
FBI: Federal Bureau of Investigation
FDNS-DS: Fraud Detection and National Security Data System
FISMA: Federal Information Security Management Act
FSD: Field Security Division
FSN: Foreign Service National
GFE: Government-furnished Equipment
HR: Human Resources
HSPD-12: Homeland Security Presidential Directive 12
ICE: Immigration and Customs Enforcement
ISSO: Information System Security Officer
IT: Information Technology
LER: Labor and Employee Relations
LPO: Local PICS Officer
NCR: National Capital Region
NFTS: National File Tracking System
ODBC: Open Database Connectivity
OIG: Office of Inspector General
OIT: Office of Information Technology
OSI: Office of Security and Integrity
PERSEC: Personnel Security
PICS: Password Issuance and Control System
PII: Personally Identifiable Information
QA: Quality Assurance
SEI: Software Engineering Institute
SIEM: Security Information and Event Management
SIR: Significant Incident Report
SNOC: Security Network Operations Center
TSA: Transportation Security Administration
USB: Universal Serial Bus
USCIS: US Citizenship and Immigration Services
VIS: Verification Information System
Appendix I Management Comments to the Draft Report

Appendix J Contributors to this Report

Software Engineering Institute, Carnegie Mellon University
Insider Threat Center at CERT

Department of Homeland Security Office of Inspector General
Richard Saunders, Director, Advanced Technology Division
Steve Matthews, IT Audit Manager, Advanced Technology Division
Philip Greene, IT Auditor/Team Lead, Advanced Technology Division

Appendix K Report Distribution

Department of Homeland Security
Secretary; Deputy Secretary; Chief of Staff; Deputy Chiefs of Staff; General Counsel; Executive Secretariat; Director, GAO/OIG Liaison Office; Assistant Secretary for Office of Policy; Assistant Secretary for Office of Public Affairs; Assistant Secretary for Office of Legislative Affairs; Chief Information Officer; Chief Information Security Officer; USCIS Chief Information Officer; USCIS Chief Information Security Officer; USCIS Audit Liaison Office

Office of Management and Budget
Chief, Homeland Security Branch; DHS OIG Budget Examiner

Congress
Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse, or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603
• Fax the complaint directly to us at (202) 254-4292
• Email us at DHSOIGHOTLINE@dhs.gov, or
• Write to us at DHS Office of Inspector General, MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive SW, Building 410, Washington, DC 20528

The OIG seeks to protect the identity of each writer and caller.
ExecutiveSummary
TheUSDepartmentofHomelandSecurityOfficeofInspectorGeneralengagedtheInsider ThreatCenteratCERToftheSoftwareEngineeringInstituteatCarnegieMellonUniversity toconductaninsiderthreatassessmentofUSCitizenshipandImmigrationServicesThe objectiveoftheassessmentwastodeterminehowUSCitizenshipandImmigrationSer viceshastakenstepstoprotectitsinformationtechnologysystemsanddatafromthe threatsposedbyemployeesandcontractorsTheassessmentevaluatedUSCitizenship andImmigrationServicesagainstapproximately400realinsiderthreatcompromisesdocu mentedintheCERTInsiderThreatCasedatabaseThesecasesallprosecutedintheUnited Statesincludefraudsabotageandtheftofintellectualproperty
TheassessmentteamperformedfieldworkinthenationalcapitalregionVermontService CenterandUSCitizenshipandImmigrationServicesBurlingtonofficesDuetothelimited scopeoftheassessmentsystemsreviewedandlocationsvisitedCERTwasnotabletover ifytheinstitutionalizationandenforcementofanyUSCitizenshipandImmigrationSer vicesrsquopoliciesorrenderanoverallopinionoftheeffectivenessofUSCitizenshipandImmi grationServicesinsiderthreatpostureTheOfficeofInspectorGeneraldidnotrequest CERTtoconductacomprehensiveinformationsystemrsquostechnicalsecuritycontrolsreviewor vulnerabilityassessmenttodeterminethesusceptibilitytointernalthreatsTheOfficeof InspectorGeneralmayperformanindepthfollowupreviewtorenderanoverallopinionof theeffectivenessofUSCitizenshipandImmigrationServicesinsiderthreatposture
USCitizenshipandImmigrationServiceshasmadeprogressinimplementingelementsof aneffectiveinsiderthreatprogramSpecificallyithasestablishedaConvictionTaskForce toreviewformeremployeesconvictedofcriminalmisconductwithinthescopeoftheirdu tiesperformsriskmanagementforinformationtechnologyandfinancialmanagementde velopedexitproceduresforemployeesimprovedprotectionofitsfacilitiesandassetsand adherestoformalizedprocessesforsomesystemsInadditionitisimplementingHome landSecurityPresidentialDirective12forphysicalandelectronicaccountmanagement
WhiletheseeffortshaveresultedinsomeimprovementsUSCitizenshipandImmigration Serviceshasopportunitiestoimproveitssecuritypostureagainstthreatsposedbyemploy eesandcontractorsForexampleitcaninstituteanenterpriseriskmanagementplanand incorporateinsiderthreatriskmitigationstrategiesintoitsnewbusinessprocessesItcan alsocentralizerecordsofmisconductandviolationsinstitutealoggingstrategytopreserve systemactivitiesimplementseparationofdutiesforadjudicativedecisionsconductaudits ofnonUSCitizenshipandImmigrationServicesaccountsemployconsistentpoliciesfor physicalsecurityandconsistentlyenforceemployeeexitprocedures
Theassessmentteamismaking18recommendationstotheDirectorofUSCitizenshipand ImmigrationServicestostrengthenthedepartmentrsquossecuritypostureagainstmaliciousin siderthreatsUSCISconcurredwithallofourrecommendationsandhasalreadybegunto takeactionstoimplementthemThedepartmentrsquosresponseisincludedinitsentiretyas appendixI
CERT | SOFTWARE ENGINEERING INSTITUTE | 1
Background

The US Department of Homeland Security (DHS) Office of Inspector General (DHS OIG) engaged the CERT program in the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat vulnerability assessment of US Citizenship and Immigration Services (USCIS). The project approaches the insider threat problem on two primary fronts:

• The human behavioral component
• The technological solution for automating prevention and detection capabilities to identify, measure, monitor, and control insider threat vectors

Insiders can be current or former employees, contractors, or business partners who have or had authorized access to their organization's systems and networks. They are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate attacks and even collude with external attackers. CERT's research, conducted since 2001, has focused on gathering data about actual malicious insider acts, including information technology (IT) sabotage, fraud, theft of confidential or proprietary information, espionage, and potential threats to our Nation's critical infrastructures.

CERT developed an insider threat vulnerability assessment instrument for evaluating vulnerabilities to insider threat based on research to date. Because of the complexity of the insider threat problem, which involves security officers, information technology, information security, management, data owners, software engineering, and human resources, organizations need assistance in merging the wealth of available guidance into a single actionable framework. CERT advises organizations to use this assessment instrument to help safeguard their critical infrastructure.

CERT built the assessment based on research of approximately 400 insider threat cases in the CERT Insider Threat Case database.[1] These cases are a collection of real insider threat compromises, primarily fraud, sabotage, and theft of intellectual property, that have been prosecuted in the United States. Starting in 2002, CERT collaborated with US Secret Service behavioral psychologists to collect approximately 150 actual insider threat cases that occurred in US critical infrastructure sectors between 1996 and 2002 and examined them from both a technical and a behavioral perspective. Since that original study, CERT has continued to add cases with funding from Carnegie Mellon's CyLab,[2] bringing the case library to a total of approximately 400 cases. The instrument encompasses technical, behavioral, process, and policy issues and is structured around information technology, information security, human resources, physical security, business processes, legal and contracting, management, and organizational issues.

[1] Note that the database does not contain national security espionage cases involving classified information.
[2] http://www.cylab.cmu.edu
Objective

The objective of the insider threat vulnerability assessment was to determine how USCIS has taken steps to protect its IT systems and data from the threat posed by employees and contractors. This assessment was based on behavioral as well as technical experience, and it is intended to assist USCIS in safeguarding its critical infrastructure. The assessment will

• Enable USCIS to gain a better understanding of its vulnerability to insider threat and provide an ability to identify and manage associated risks
• Integrate technical, organizational, personnel, business, security, and process issues into a single actionable framework
• Identify short-term countermeasures against insider threats
• Help guide USCIS in its ongoing risk management process for implementing long-term strategic countermeasures against insider threats

Scope

USCIS employs approximately 18,000 government employees and contractors located at 250 offices throughout the world.[3] The insider threat vulnerability assessment is intended to focus on critical systems and high-risk areas of concern that can be assessed in a 3- to 5-day timeframe. Therefore, at a pre-assessment walkthrough meeting, USCIS staff identified 3 of the 96 systems used by the agency as critical to its overall mission:

• Verification Information System (VIS): this public-facing system is composed of five different applications. The purpose of the system is to provide
  o Immigration status information to government benefit-granting organizations to help them determine the eligibility of aliens who apply for benefits
  o A means for private employers to perform employment eligibility verification of newly hired employees
• Computer Linked Application Information Management System (CLAIMS): this system provides the following functions:
  o CLAIMS 3 Local Area Network (C3 LAN) was originally developed to track the receipting of applicant or petitioner remittances and to produce notices documenting the remittance. C3 LAN now includes adjudication, archive, card production, case history, case transfer, on-demand reports, electronic file tracking, image capture, production statistics, status update, and electronic ingest of application data captured through the E-Filing web application and the Department of Treasury-sponsored lockbox operations.
  o C3 mainframe supports processing of USCIS applications and petitions for various immigrant benefits (e.g., change of status, employment authorization, and extension of stay).
• Fraud Detection and National Security Data System (FDNS-DS): this system was developed to identify threats to national security, combat benefit fraud, and locate and remove vulnerabilities that compromise the integrity of the legal immigration system.

[3] http://www.uscis.gov/portal/site/uscis/menuitem.eb1d4c2a3e5b9ac89243c6a7543f6d1a/?vgnextoid=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD&vgnextchannel=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD

It is important to note that the insider threat vulnerability assessment is limited to areas of concern observed in the hundreds of cases in the CERT Insider Threat database. People, technology, and organizations are constantly changing, and malicious insiders continue to come up with new avenues of attack in order to defeat a previously effective countermeasure. However, many of the countermeasures suggested in this report are applicable to a multitude of attack vectors.

It is also important to note that CERT's insider threat research has only explored intentional insider crimes. Accidental data leakage is an area of significant concern for organizations; however, CERT has not yet explored that aspect of insider threat. In addition, the focus of the research to date is to describe how the insider threat problem evolves over time. CERT's long-term research does include measuring the effectiveness of mitigation strategies.
Assessment Process Methodology

An entrance conference was conducted by the DHS OIG, CERT, and USCIS on February 23, 2010. The entrance conference introduced USCIS to the CERT assessment team. Following the entrance conference, a pre-assessment walkthrough was held at USCIS headquarters on March 10, 2010. At that meeting, the CERT assessment team and the DHS OIG team explained the assessment process to representatives of USCIS. USCIS provided some documentation to the assessment team at that time and more documents throughout the assessment; those documents were reviewed to provide substantiation for findings in this report.

USCIS identified 96 systems it uses. Following the initial meeting, USCIS leadership and the assessment team chose the VIS, CLAIMS, and FDNS-DS systems because they were critical to the overall mission of USCIS. These three systems were the focus of the 5-day onsite assessment.

At the pre-assessment walkthrough, USCIS indicated that it had created a Convictions Task Force to review the activities of 10 former employees convicted of criminal misconduct within the scope of their official duties. The purpose of the task force is to identify issues these employees exploited to commit their crimes. The task force intended to develop findings and recommendations aimed at preventing similar crimes in the future. It graciously extended an invitation to the CERT and DHS OIG teams to participate. As a result, the teams observed or reviewed transcripts of all telephone conferences conducted by the task force. These findings are reflected in this report.

The CERT insider threat team and the DHS OIG liaison were onsite at various USCIS locations in the national capital region (NCR) from March 30 through April 1, 2010.

The DHS OIG liaisons were present at all interviews. The DHS OIG attended these interviews as an observer and assisted CERT as needed.

Face-to-face interviews were conducted with approximately 58 representatives in the NCR, followed by 32 representatives in the Vermont Service Center and USCIS Burlington offices. In addition, telephone conferences were held with staff from the Office of Security and Integrity (OSI) Investigations Division and the Security Network Operations Center (SNOC). Interviewees represented the following areas:

• Data Owners (VIS, CLAIMS, and FDNS-DS)
• Computer Sciences Corporation (CSC) (software engineering and operational support for VIS, CLAIMS, and FDNS-DS)
• OSI (Physical Security, Regional Security, Investigations, Personnel Security, Counterintelligence)
• Human Capital and Training (Training, Human Resources Operations Center, Labor Employee Relations)
• Office of Information Technology (OIT) (IT Security, Computer Security Incident Response Team, Security and Network Operations Center, Account Management, Enterprise Operations)
• Legal (Procurement Law)
• Vermont Service Center (adjudicators, data entry clerks, supervisor, directors, OIT software engineering)

All interviews were considered confidential; no record of participating employees is included in this report or in subsequent briefings. Findings are attributed only to a group or department interviewed, a document, the Convictions Task Force telephone conferences, or direct observation.
A critical issue for USCIS is ensuring that the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for Information Technology (IT) and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: US citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Transformation

Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. USCIS is relying heavily on Transformation to correct many of the problems resulting from legacy systems. This reliance on a single effort makes its effectiveness very important. The team found the Transformation effort to be a massive undertaking that appears to be implementing a very detailed project plan.

Based on the team's review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats. The assessment team reviewed five comprehensive Transformation documents as part of this assessment. The documents describe system requirements in detail. Fraud detection refers to detection of fraud perpetrated by applicants and petitioners; national security issues focus on the handling of investigations within USCIS that involve national security issues.

Again, an enterprise risk management approach should be considered when defining requirements for Transformation. Insiders at USCIS have perpetrated fraud in the past, as evidenced by the Convictions Task Force. In addition, USCIS insiders are capable of granting legal residency or citizenship status to someone who poses a national security risk to the United States.
Training and Awareness

It is essential that security awareness training is consistently provided to all employees to ensure security policies and practices are institutionalized throughout an organization. Many times, coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure to report concerning behavior by coworkers or others in an organization was a primary reason insiders in the CERT Insider Threat Case database continued to set up or carry out their attacks.

USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site, with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Human Resources

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern exhibited by current employees. Some cases from the CERT Insider Threat database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations must establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by human resources (HR) and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring. Clear requirements for ensuring employees' knowledge of these guidelines are also essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information.

Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close collaboration among management, HR, and security is rarely greater than when handling employee termination issues, whether voluntary or involuntary.
Screening and Hiring Practices

Several personnel screening and hiring practices pose a risk to USCIS systems and data.

USCIS does not have a consistent procedure for deciding whether to conduct a face-to-face interview prior to hiring an applicant being screened for government employment. There was an impression at USCIS headquarters that nearly 100% of those employees hired by managers are interviewed, but representatives in Burlington, Vermont, told us otherwise. This gap between perception and reality (there is not a policy stating that this must be done) is a concern. USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire. PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires if they have risk factors that do not cross adjudication guidelines for disqualification.

Foreign Service National (FSN) employees who work at US embassies and consulates abroad have access to USCIS critical systems and data in some cases. In order to be hired and granted access to any of those systems, FSNs are vetted by the US Department of State. Although the access to USCIS systems must be approved by the chief security officer (CSO) and chief information officer (CIO) for DHS, USCIS has very little visibility into the screening process for FSNs.

Exit Procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager or Contracting Officer's Technical Representative (COTR). It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access.
Physical Security

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the NCR since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls.

Finally, issues concerning the security of applicants' physical case files should be considered as part of a USCIS risk management strategy.

Controlling and Monitoring Proper Access Authorization

USCIS handles the physical security and access authorization of facilities differently depending on where the facility is located. The physical security of NCR facilities is handled by one group of USCIS personnel, but the physical security of field offices falls under the Field Security Division (FSD). In some cases, a physical security representative is not located in a field office at all. When this is the case, the responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner.

In 10 cases documented in the CERT Insider Threat Case database, the insider was able to commit a crime following termination because of failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities.

Security of Physical Case Files

At the Vermont Service Center, the assessment team observed physical case files of benefit applicants stacked in crates in the hallways. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their offices or desks. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they may leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office, naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Thirteen insiders documented in the CERT database stole physical property belonging to their organization.
Business Processes

A variety of cases from the CERT Insider Threat Case database document insider attacks in which gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege, in both the physical and virtual environment, is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crimes. Most of these insiders committed their crimes for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE Password Issuance and Control System (PICS) for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.
Verification Information System

The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.

Modifications by VIS users to critical data are logged.
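Shared-credential use of the kind described above leaves a recognizable trace in authentication logs: one account holding overlapping sessions from two different source hosts. The script below is an added example and is not code from the report, from USCIS, or from CERT. It assumes a simple pipe-delimited login/logout log; the format, account names, and hosts are constructed for illustration, since the report does not describe how VIS records authentication, and a real deployment would substitute a parser for the actual log format.

```python
"""Flag accounts used concurrently from different hosts (a sign of shared
credentials). Added example; the log format and hosts are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp|event|account|source_host
SAMPLE_LOG = """\
2010-03-30T08:01:10|LOGIN|emp_jdoe|10.20.1.15
2010-03-30T08:03:44|LOGIN|verif_acme|192.0.2.10
2010-03-30T08:10:02|LOGIN|verif_acme|198.51.100.7
2010-03-30T09:30:00|LOGOUT|verif_acme|192.0.2.10
2010-03-30T10:00:00|LOGOUT|verif_acme|198.51.100.7
2010-03-30T12:00:00|LOGOUT|emp_jdoe|10.20.1.15
2010-03-30T13:00:00|LOGIN|emp_jdoe|10.20.1.99
2010-03-30T17:00:00|LOGOUT|emp_jdoe|10.20.1.99
2010-03-30T16:30:00|LOGIN|svc_batch|10.20.5.5
"""


def parse_events(text):
    """Parse log lines into (timestamp, event, account, host), oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event, account, host = line.split("|")
        events.append((datetime.fromisoformat(ts), event, account, host))
    events.sort(key=lambda e: e[0])
    return events


def build_sessions(events, default_ttl=timedelta(hours=8)):
    """Pair each LOGIN with the next LOGOUT for the same (account, host).

    A LOGIN that never logs out is closed at login + default_ttl so a dangling
    session still participates in the overlap check."""
    open_logins = {}
    sessions = defaultdict(list)
    for ts, event, account, host in events:
        key = (account, host)
        if event == "LOGIN":
            open_logins[key] = ts
        elif event == "LOGOUT" and key in open_logins:
            sessions[account].append((open_logins.pop(key), ts, host))
    for (account, host), start in open_logins.items():
        sessions[account].append((start, start + default_ttl, host))
    return sessions


def find_shared_accounts(sessions):
    """Return {account: [(host_a, host_b, overlap_start, overlap_end), ...]}
    for every pair of sessions of one account that overlap in time while
    originating from different hosts."""
    findings = defaultdict(list)
    for account, sess in sessions.items():
        sess = sorted(sess)
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                start_a, end_a, host_a = sess[i]
                start_b, end_b, host_b = sess[j]
                if host_a == host_b:
                    continue
                start, end = max(start_a, start_b), min(end_a, end_b)
                if start < end:
                    findings[account].append((host_a, host_b, start, end))
    return dict(findings)


def shared_accounts_report(log_text=SAMPLE_LOG):
    """Convenience wrapper: log text in, findings out."""
    return find_shared_accounts(build_sessions(parse_events(log_text)))


if __name__ == "__main__":
    for account, overlaps in shared_accounts_report().items():
        for host_a, host_b, start, end in overlaps:
            print(f"{account}: {host_a} and {host_b} both active "
                  f"{start:%H:%M}-{end:%H:%M}")
```

The LOGIN without a matching LOGOUT is deliberately kept as a session and closed after a default lifetime, so a user who never logs out still collides with a second user of the same credential. On the constructed log only the externally issued employer account is flagged; the finding is the starting point for requiring individual accounts per user, not proof of wrongdoing by itself.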
CLAIMS 3 LAN

Currently, all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other "sister" USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Auditing every denied request, but only a sample of approvals, indicates that USCIS treats incorrectly denying a benefit to an applicant as a bigger risk than granting a benefit to someone who does not deserve it.
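The review regime described above audits every denial but only a sample of approvals, and the QA sample is drawn for training purposes rather than for fraud. As an added example, not taken from the report or from USCIS, the Python below selects approvals for supervisory review on a risk basis instead: approvals entered on form types outside the adjudicator's assignment (the same condition the existing supervisor report covers, turned into a selection rule), and every approval by an adjudicator whose approval rate on a form type is far above that of peers working the same form type. Decision records, adjudicator ids, form types, and the assignment map are constructed and stand in for whatever CLAIMS 3 LAN actually records.

```python
"""Risk-based selection of approved cases for supervisory review.

Added example, not part of the report. The decision records below are
constructed; adjudicator ids, form types and the ASSIGNED map are assumptions
standing in for whatever CLAIMS 3 LAN actually records."""
from collections import defaultdict


def _cases(adjudicator, form_type, approved, denied):
    return ([(adjudicator, form_type, "APPROVED")] * approved
            + [(adjudicator, form_type, "DENIED")] * denied)


# Constructed decisions: (case_id, adjudicator, form_type, decision).
_RAW = (_cases("adj_a", "I-130", 12, 8) + _cases("adj_a", "I-485", 10, 10)
        + _cases("adj_b", "I-130", 11, 9) + _cases("adj_b", "I-765", 1, 0)
        + _cases("adj_c", "I-485", 12, 8) + _cases("adj_d", "I-485", 20, 0))
DECISIONS = [(f"C{n:04d}",) + rec for n, rec in enumerate(_RAW, start=1)]

# Form types each adjudicator is assigned to work (assumed).
ASSIGNED = {"adj_a": {"I-130", "I-485"}, "adj_b": {"I-130"},
            "adj_c": {"I-485"}, "adj_d": {"I-485"}}


def approval_profile(decisions):
    """Return {(adjudicator, form_type): [approved, total]}."""
    profile = defaultdict(lambda: [0, 0])
    for _, adj, form, decision in decisions:
        profile[(adj, form)][1] += 1
        if decision == "APPROVED":
            profile[(adj, form)][0] += 1
    return profile


def out_of_profile_approvals(decisions, assigned):
    """Approvals entered on a form type the adjudicator is not assigned to."""
    return [rec for rec in decisions
            if rec[3] == "APPROVED" and rec[2] not in assigned.get(rec[1], set())]


def anomalous_approvers(decisions, min_cases=10, min_delta=0.25):
    """(adjudicator, form_type, own_rate, peer_rate) where the adjudicator's
    approval rate on a form type exceeds the pooled rate of all *other*
    adjudicators on that form type by at least min_delta, with at least
    min_cases decisions so the rate is not noise."""
    profile = approval_profile(decisions)
    by_form = defaultdict(lambda: [0, 0])
    for (adj, form), (a, t) in profile.items():
        by_form[form][0] += a
        by_form[form][1] += t
    flagged = []
    for (adj, form), (a, t) in profile.items():
        if t < min_cases:
            continue
        peer_a, peer_t = by_form[form][0] - a, by_form[form][1] - t
        if peer_t == 0:
            continue
        own_rate, peer_rate = a / t, peer_a / peer_t
        if own_rate - peer_rate >= min_delta:
            flagged.append((adj, form, own_rate, peer_rate))
    return flagged


def select_for_review(decisions, assigned, **kw):
    """Case ids a supervisor should pull: every out-of-profile approval plus
    every approval by an adjudicator flagged as anomalous on that form type."""
    hot = {(adj, form) for adj, form, _, _ in anomalous_approvers(decisions, **kw)}
    picked = {rec[0] for rec in out_of_profile_approvals(decisions, assigned)}
    picked |= {rec[0] for rec in decisions
               if rec[3] == "APPROVED" and (rec[1], rec[2]) in hot}
    return sorted(picked)


if __name__ == "__main__":
    for adj, form, own, peer in anomalous_approvers(DECISIONS):
        print(f"{adj} approves {own:.0%} of {form} vs {peer:.0%} for peers")
    print(len(select_for_review(DECISIONS, ASSIGNED)), "approvals selected for review")
```

The peer rate is computed from everyone except the adjudicator being scored, so one heavy approver cannot pull the baseline toward himself. The thresholds are starting points; in practice they would be tuned against the volume of a form type at a given Service Center.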
FDNS-DS
Incident Response

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18% of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

Furthermore, 81% of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Incident Management

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, the Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Consequently, any effort to coordinate a proactive program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.
Software Engineering

Code Reviews

Some USCIS systems adhere to a formalized process of software engineering using contractors with a specified level of process maturity (i.e., capability maturity model integration (CMMI) level 3).

There was even a documented case in which source code contained something inappropriate and was only discovered after the code was turned over from one contractor to another.

Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.

Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial, so reviewing every change made during maintenance is a tractable amount of work.
Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise, to include contractors, subcontractors, and vendors who have access to the organization's information systems and/or networks.

In some areas, computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.

Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Protection (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore,

Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR.

The application of account management practices under the control of USCIS is inconsistent. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
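Three findings in this report call for the same control: compare each facility's authorized access list to current employees and contractors (Physical Security), audit accounts, FSN accounts included, for which no authorization record exists, and disable access promptly when an employee separates or transfers (this section). The reconciliation below is an added example, not code from the report or from USCIS. The roster, access records, and field names are constructed; they stand in for exports from HR, from each facility's access control system, and from the account stores (PICS, Active Directory) that a real run would read.

```python
"""Reconcile access entitlements (system accounts and facility badges)
against the personnel roster and authorization records.

Added example, not part of the report. Roster, access records and field names
are constructed; a real run would pull the roster from HR, badge holders from
each facility's access control system, and accounts from PICS/AD exports."""
from datetime import date

# Constructed personnel roster: person_id -> current HR state.
PERSONNEL = {
    "E1001": {"status": "ACTIVE", "unit": "VSC-Adjudication", "separated_on": None},
    "E1002": {"status": "SEPARATED", "unit": "VSC-Adjudication",
              "separated_on": date(2010, 3, 15)},
    "E1003": {"status": "ACTIVE", "unit": "OIT-Operations", "separated_on": None},
    "F2001": {"status": "ACTIVE", "unit": "Embassy-Manila", "separated_on": None},
}

# Constructed access records from several systems. granted_for_unit is the
# unit the access was approved for; authorized_by is the approval ticket.
ACCESS = [
    {"system": "CLAIMS3", "account": "e1001", "owner": "E1001", "enabled": True,
     "authorized_by": "REQ-4411", "granted_for_unit": "VSC-Adjudication"},
    {"system": "CLAIMS3", "account": "e1002", "owner": "E1002", "enabled": True,
     "authorized_by": "REQ-3021", "granted_for_unit": "VSC-Adjudication"},
    {"system": "VSC-BADGE", "account": "badge-7781", "owner": "E1002", "enabled": True,
     "authorized_by": "PHYS-118", "granted_for_unit": "VSC-Adjudication"},
    {"system": "CLAIMS3", "account": "e1003", "owner": "E1003", "enabled": True,
     "authorized_by": "REQ-3500", "granted_for_unit": "VSC-Adjudication"},
    {"system": "VIS", "account": "f2001", "owner": "F2001", "enabled": True,
     "authorized_by": None, "granted_for_unit": "Embassy-Manila"},
    {"system": "VIS", "account": "svc_legacy01", "owner": None, "enabled": True,
     "authorized_by": None, "granted_for_unit": None},
    {"system": "CLAIMS3", "account": "e0999", "owner": "E0999", "enabled": False,
     "authorized_by": "REQ-0001", "granted_for_unit": "VSC-Adjudication"},
]


def reconcile(personnel, access, as_of, grace_days=1):
    """Return (finding, system, account, detail) tuples for enabled access
    that the roster or the authorization records do not justify:

    ORPHAN             owner unknown to HR (or no owner recorded at all)
    STALE              owner separated more than grace_days ago
    TRANSFER_RETAINED  owner moved units but kept unit-scoped access
    UNDOCUMENTED       no authorization record for the grant
    Disabled entries are skipped; they are already neutralized."""
    findings = []
    for rec in access:
        if not rec["enabled"]:
            continue
        system, account = rec["system"], rec["account"]
        person = personnel.get(rec["owner"]) if rec["owner"] else None
        if person is None:
            findings.append(("ORPHAN", system, account,
                             f"owner {rec['owner']!r} not on roster"))
            continue
        if person["status"] == "SEPARATED":
            age = (as_of - person["separated_on"]).days
            if age > grace_days:
                findings.append(("STALE", system, account,
                                 f"owner separated {age} days ago"))
                continue
        if rec["granted_for_unit"] and person["unit"] != rec["granted_for_unit"]:
            findings.append(("TRANSFER_RETAINED", system, account,
                             f"granted for {rec['granted_for_unit']}, "
                             f"owner now in {person['unit']}"))
        if rec["authorized_by"] is None:
            findings.append(("UNDOCUMENTED", system, account,
                             "no authorization record for this grant"))
    return findings


def accounts_to_disable(findings):
    """Entitlements that can be revoked immediately without further review."""
    return {(system, account) for kind, system, account, _ in findings
            if kind in ("ORPHAN", "STALE")}


def reconcile_report(as_of_iso="2010-03-31"):
    """Run the constructed data set as of the given ISO date."""
    return reconcile(PERSONNEL, ACCESS, as_of=date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    results = reconcile_report()
    for kind, system, account, detail in results:
        print(f"{kind:18} {system:10} {account:14} {detail}")
    print("revoke now:", sorted(accounts_to_disable(results)))
```

ORPHAN and STALE entries can be disabled on sight; TRANSFER_RETAINED and UNDOCUMENTED need a decision from the gaining supervisor or data owner, which is why they are reported separately rather than revoked. Running this on a schedule against the full roster is what turns the one-time FSN account audit recommended above into a standing control.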
Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas, have not been through the rigorous pre-employment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.
Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.

USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information,
Logging, Auditing, Monitoring

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.
There is a primary concern in this area at USCIS. USCIS should consider the frequency with which it scans its systems for technical security vulnerabilities.

There is also another concern in this area at USCIS.

Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy,

Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.
Recommendations

The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.

Recommendation 1: Institute an enterprise risk management plan

USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

Recommendation 2: Incorporate insider threat risk mitigation strategies into the Transformation effort

Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.
Recommendation 3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identified.
stores physical files for benefit applicants in the Vermont Service Center with no physical protection beyond the exterior building and guard controls. USCIS should evaluate current physical access procedures to determine if they adequately address risk and if they are enforced consistently across the enterprise.

Recommendation 8: Consistently enforce exit procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns, or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and in some cases are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager and COTR. It also appears that different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment and improper disabling or termination of access. USCIS should adopt an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Recommendation 9: Examine HR screening procedures for high-risk positions and FSNs

Changes should be made to the USCIS hiring processes for select high-risk positions. For example, USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Recommendation 10: Ensure that physical and computer access is terminated in a timely fashion

USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.
Recommendation 11: Enforce a requirement for individual accounts on critical systems

In some cases, USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing of accounts more difficult.

Recommendation 12

Recommendation 13: Reduce the number of privileged accounts for critical data systems

Some data systems, including FDNS-DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.

Recommendation 14

Recommendation 15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review

USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk, critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed.

Recommendation 16

Recommendation 17

Recommendation 18: Periodic security refresher training should be regularly conducted and required for all employees

USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.
Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments in its entirety in appendix I.

USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS corrective action plans.
Appendixes

The following pages contain appendixes A through G that contain a complete, detailed list of findings from the assessment.

The appendixes are organized into the following sections:

Appendix A: Organizational
Appendix B: Human Resources
Appendix C: Physical Security
Appendix D: Business Process
Appendix E: Incident Response
Appendix F: Software Engineering
Appendix G: Information Technology
Appendix H: Acronyms
Appendix I: Management Comments to the Draft Report
Appendix J: Contributors to this Report
Appendix K: Report Distribution

Each section in appendixes A–G contains a brief introduction, summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern specific to USCIS obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.

It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization's mission from both external and internal threats.

Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.

The results of this insider threat vulnerability assessment should be used to develop or refine the organization's overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.

Many of the findings in this report include the relative frequency of the issue raised in the CERT Insider Threat Case database. At the time this report was written, there were 386 cases of malicious insider activity against which the suggested countermeasure percentage is calculated. So if a particular activity was seen in 38 of our cases, we may indicate that it was seen in 10% of the cases in the Insider Threat Case database.
Appendix A: Organizational

Risk Management, Communication, Security Process Improvement

USCIS is in a difficult position. Part of its mission is to provide customer service to those seeking immigration and citizenship benefits from the U.S. Government. However, it is challenging to optimize business processes for customer service while at the same time implementing protective measures to counter the risk posed by granting those very benefits. Many USCIS employees interviewed for this assessment identified the organization's primary risk as allowing the next terrorist to live and work legally in the United States. They desire help in identifying and implementing internal controls to counter that risk. Some of the interviewees, however—even some of the ISSOs and data owners—focused on leakage of PII as their primary concern. After delving into the matter with the assessment team, they came to understand the risk posed by exposure or misuse of critical data as the greatest risk faced by USCIS, primarily because such a security breach could result in allowing a terrorist into the country.

A critical issue for USCIS is ensuring the entire organization is risk aware and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for IT and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms—U.S. citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Area of Concern: Enterprise Risk Management
Responsible Personnel: USCIS Leadership; ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: Individual organizations within USCIS do risk management related to their particular domain. For instance, IT does risk management from an IT perspective, and Financial Management does financial risk management.
Policy or Practice Gaps: USCIS personnel stated there is no enterprise risk management process for analyzing the organization's overall risk. In interviews, some USCIS staff, including some ISSOs, data owners, and OIT staff, seemed to view loss of PII as the most important insider threat risk. All of the assessment questions were answered in the context of loss of PII. When we asked specifically what they see as the biggest insider threat risk, everyone seemed to agree it is creation of real citizenship documents for people who should not have them. In fact, interviewees at the Vermont Service Center categorized the functions characterized by the highest risk as follows: 1) Unlawful alien in the United States granted nonimmigrant status; 2) Someone with nonimmigrant status granted permanent residency, which means he or she can live and work indefinitely in the United States and also can petition for relatives. The Vermont Service Center is implementing separation of duties for performing functions 1 and 2 above (granting nonimmigrant status and moving someone from nonimmigrant status to permanent residency) so that one USCIS adjudicator alone cannot take an applicant from unlawful to permanent resident. These two functions will be performed at different physical locations 29 miles apart. The Vermont Service Center has not had an adjudicator who performed both functions 1 and 2 for the same applicant.
Suggested Countermeasures: We suggest that USCIS institute an enterprise risk management program. Without a common vision for risk management, the ISSOs and all organizations within USCIS cannot effectively understand the risk environment and work together to effectively mitigate risk. Again, an enterprise risk management program will ensure that everyone across USCIS is working together to mitigate the highest priority risks. There are regulations and laws surrounding protection of PII, but focusing primarily on that issue can lead to a false sense of security if other, more important risk areas are given less attention. This decision demonstrates that leadership at the Vermont Service Center recognizes the significant risk of creating legal citizenship documents for illegal aliens and is taking steps to mitigate that risk. However, our insider threat assessment has uncovered other issues that could be addressed to mitigate that risk. Again, a formal risk analysis would enable USCIS to thoroughly examine the issues and prioritize countermeasures using a formal process. For example, an alternative to the physical move could be to implement an audit mechanism to look for adjudicators who performed both functions 1 and 2 for the same applicant.
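The audit mechanism suggested above, as an added example that is not code from the report or from USCIS: given adjudication records from a case-system log, flag every applicant for whom one adjudicator performed both function 1 and function 2, and tally the results per adjudicator. The record layout, the function labels, and the sample records are assumptions made for this example.

```python
"""Separation-of-duties audit over adjudication records.

Added example, not code from the CERT/OIG report. It implements the audit
mechanism the report suggests as an alternative to physically separating
the two highest-risk adjudication functions: flag every applicant for whom
one adjudicator performed both function 1 (granting nonimmigrant status)
and function 2 (granting permanent residency). The record layout, the
function labels and the sample records below are assumptions made for
this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed labels for the two functions the Vermont Service Center
# separated; a real case system would use its own transaction codes.
FUNCTION_1 = "GRANT_NONIMMIGRANT_STATUS"
FUNCTION_2 = "GRANT_PERMANENT_RESIDENCY"


@dataclass(frozen=True)
class Adjudication:
    """One adjudication action as it might appear in a case-system audit log."""
    applicant_id: str
    adjudicator_id: str
    function: str


def find_sod_violations(records):
    """Return {applicant_id: [adjudicator_id, ...]} for every applicant where a
    single adjudicator performed both function 1 and function 2.

    Repeating the same function for one applicant (e.g. a re-issued grant) is
    not a violation; only the function 1 plus function 2 pairing is flagged.
    """
    # applicant -> adjudicator -> set of functions that adjudicator performed
    seen = defaultdict(lambda: defaultdict(set))
    for r in records:
        seen[r.applicant_id][r.adjudicator_id].add(r.function)

    violations = {}
    for applicant, by_adjudicator in seen.items():
        offenders = sorted(
            adjudicator
            for adjudicator, functions in by_adjudicator.items()
            if {FUNCTION_1, FUNCTION_2} <= functions
        )
        if offenders:
            violations[applicant] = offenders
    return violations


def per_adjudicator_counts(violations):
    """Count, per adjudicator, how many applicants they carried through both
    functions alone; repeat offenders stand out in this view."""
    counts = defaultdict(int)
    for adjudicators in violations.values():
        for adjudicator in adjudicators:
            counts[adjudicator] += 1
    return dict(counts)


# Constructed sample log: one clear violation (A-1001), one properly
# separated case (A-1002), one single-function case (A-1003) and one
# repeated same-function action (A-1004) that must not be flagged.
SAMPLE_RECORDS = [
    Adjudication("A-1001", "adj-07", FUNCTION_1),
    Adjudication("A-1001", "adj-07", FUNCTION_2),
    Adjudication("A-1002", "adj-07", FUNCTION_1),
    Adjudication("A-1002", "adj-12", FUNCTION_2),
    Adjudication("A-1003", "adj-12", FUNCTION_2),
    Adjudication("A-1004", "adj-03", FUNCTION_1),
    Adjudication("A-1004", "adj-03", FUNCTION_1),
]


if __name__ == "__main__":
    found = find_sod_violations(SAMPLE_RECORDS)
    for applicant, adjudicators in sorted(found.items()):
        print(f"{applicant}: both functions performed by {', '.join(adjudicators)}")
    print("per-adjudicator:", per_adjudicator_counts(found))
```

Run against the sample log, only A-1001 is reported, attributed to adj-07; A-1002 passes because the two functions were performed by different adjudicators.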
Area of Concern: Enterprise-Wide Communication
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no consistency of controls from one service center to the next. We were told they each operate fairly independently.
Suggested Countermeasures: USCIS would benefit from ongoing communications about risk-based issues between the service centers. For instance, communications concerning problems, effective countermeasures, modifications to business processes, or ideas for countering increased risk could lead to an improved risk posture for the entire USCIS enterprise.

Area of Concern: Continual Security Process Improvement
Responsible Personnel: USCIS Leadership; ISSOs; Data Owners; Information Technology
Policy and/or Security Measure: The USCIS Convictions Task Force is an excellent forum for analyzing past criminal cases and determining measures that should be instituted to prevent similar crimes in the future.
Policy or Practice Gaps: There is no process for following up on a case after the Office of Special Investigation (OSI) finishes an investigation. The Convictions Task Force is the only process we found for formal tracking, analysis, and process improvement based on actual incidents. The assessment team asked various groups if there is any follow-up to incidents, for instance implementing automated scripts or controls to detect the same incident in the future. The team could not find a single person who knows of such an activity. Many examples of employee misconduct cited to the assessment team could easily have been detected or even prevented via automated controls. In addition, there is no mechanism for communicating issues outside of a given service center.
Suggested Countermeasures: In nearly 25% (91) of the cases in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28% of these cases it was because of inadequate auditing of irregular processes. In 29% of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analysis of the OSI's findings and the development of automated checks implemented nationally.

Area of Concern: USCIS Employees are Potential Targets for Recruitment
Responsible Personnel: Human Resources; Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Some USCIS employees interviewed have received a request for assistance from a friend, relative, or stranger seeking to promote a case for some form of applicant. One adjudicator said he does not tell others who he works for. However, the distinctive green parking sticker on his car could, in a small town like Burlington, VT, reveal the identity of his employer. USCIS personnel are therefore unusually vulnerable to solicitation by outsiders.
Suggested Countermeasures: Twenty-nine percent of the insiders in the CERT Insider Threat Case database were recruited by outsiders to commit their crimes. USCIS should consider increasing the security awareness training provided to USCIS employees and contractors. The training should be continuous, including portions intended to raise awareness of the potential target that USCIS employees present. All employees should be aware of the consequences of participating in fraud against USCIS, as well as how to report solicitations made to commit fraud.

Area of Concern: Transformation
Responsible Personnel: USCIS Leadership; Data Owners; Information Technology; Human Resources
Policy and/or Security Measure: Transformation is a large business process reengineering effort in USCIS that is primarily focused on improved customer service and fraud detection. For example, the assessment team was told that Transformation will automatically validate data in CLAIMS against other external systems (e.g., ICE and FBI), and that security requirements and controls have been identified by current C3 LAN data owners.
Policy or Practice Gaps: Transformation was mentioned in most interviews for this assessment. It appears that USCIS is relying heavily upon Transformation to correct many of the problems resulting from legacy systems. However, it is unclear whether internal personnel security and information security concerns will be included in this program. This reliance on a single effort makes the effectiveness of this effort very important. Reading the Transformation requirements documentation, it is not clear that insiders are considered in the security requirements for prevention and detection of fraud or national security in USCIS systems.
Suggested Countermeasures: USCIS should consider the Transformation project from an enterprise-wide perspective. It is important for it to use a formal requirements gathering process in order to effectively mitigate both internal and external threats. Personnel security should be included as well as information security to ensure that the appropriate internal controls are in place to reduce the risk posed by malicious insiders.

Training and Awareness

It is essential that security awareness training be consistently provided to all employees to ensure that security policies and practices are institutionalized throughout an organization. Many times coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure by coworkers or others in an organization to report concerning behavior was a primary reason insiders in the CERT Insider Threat Case database were able to set up or carry out their attacks. USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Area of Concern: Training or Skills Required of Those in Appointed Security Roles
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: USCIS has a training process through an information systems security manager (ISSM).
Policy or Practice Gaps: USCIS relies heavily on contractors to provide adequately trained staff. Many ISSOs are not well versed in security. ISSOs are currently in an education process, but ISSOs are typically not security watchdogs.
Suggested Countermeasures: ISSOs must have proper training in order to keep up with the ever-changing information security environment and to be able to deal with the myriad technologies and tools available to them. Appropriate budget should be allocated for ISSO training, including vendor-specific training (e.g., McAfee and Cisco) and industry-specific training (e.g., SANS).

Appendix B: Human Resources

Employee Issues

An organization's approach to reducing insider threats should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern by current employees. Some cases from the CERT Insider Threat Case database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations should establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by HR and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization, or if they do, ensuring that these risks are understood and monitored. Clear policy guidelines addressing both permitted and prohibited employee behavior are vital to risk detection and monitoring, and clear requirements for ensuring employees' knowledge of these guidelines are essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information. Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

CERT suggests enhancements to the USCIS hiring and termination processes. For example, USCIS should consider additional screening for high-risk positions such as adjudicators. USCIS should also consider becoming more involved in vetting Foreign Service Nationals (FSN) prior to granting them access to USCIS critical systems and data. Finally, USCIS should consider adopting an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Area of Concern: Pre-Employment Screening
Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: The employee screening process lacks any form of psychological screening for a range of positions, including adjudicators.
Suggested Countermeasures: Five percent (18) of the insiders in the CERT database had possible psychological issues. USCIS should consider including psychological testing as part of the new hire process for select positions, including adjudicators. Given the significant social pressures on adjudicators and the relative lack of monitoring for insider risk, it seems important to improve this aspect of screening.

Responsible Personnel: Human Resources
Policy and/or Security Measure: Applicants are assigned a rating by HR; the rating is used to rank applicants.
Policy or Practice Gaps: There is currently no audit log that would capture instances in which someone in HR changed a rating to enable someone to get hired more easily.
Suggested Countermeasures: USCIS should consider implementing an audit log to track the candidate ratings and alert when candidate ratings are changed by someone in HR.

Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire.
Policy or Practice Gaps: PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires who have risk factors that do not cross adjudication guidelines for disqualification.
Suggested Countermeasures: USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: Each field office determines whether or not to meet an applicant face to face before hiring.
Policy or Practice Gaps: There was an impression at headquarters that nearly 100% of those hired by managers are interviewed, but representatives in Burlington, Vermont told us otherwise. This gap between perception (there is not a policy stating this must be done) and reality is of concern. There have been known instances in which applicants were only screened on paper or over the phone before being hired. Standard operating procedures are not followed at all field offices.
Suggested Countermeasures: USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

Responsible Personnel: USCIS Leadership; Human Resources
Policy and/or Security Measure: PERSEC vets federal employees and contractors (with a minimum background investigation). USCIS relies on the U.S. Department of State to vet foreign national employees who work at embassies or consulates abroad. FSNs in some instances are granted accounts on USCIS information systems. If FSNs need access to DHS systems (including USCIS), currently this access must be approved by the CSO and CIO for DHS.
Policy or Practice Gaps: This practice was not always followed consistently in the past, so there may be FSNs who were granted access without all the current vetting and approvals.
Suggested Countermeasures: USCIS should consider becoming more involved in vetting of FSNs prior to granting them access to USCIS systems. In addition, USCIS should audit current FSNs with access to USCIS systems and ensure that appropriate vetting was performed.

Area of Concern: Candidate Certification Verification
Responsible Personnel: Human Resources
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: USCIS does not have a standard procedure for verifying the certifications of job applicants.
Suggested Countermeasures: USCIS should consider implementing a step in the new hire process to verify certifications of all candidates. A few insiders documented in the CERT Insider Threat Case database were able to obtain positions
ino
rgan
iza
tions
by
prov
idin
gfa
lsifi
edc
erti
ficat
ions
Empl
oyee
and
Co
ntra
ctor
Ter
mi
nati
on
USC
ISL
eade
rshi
p H
uman
Res
ourc
es
Exit
proc
edur
esa
rer
ecen
tlyd
evel
op
eda
ndi
nso
me
case
ss
tillu
nder
de
velo
pmen
t(ie
fo
rmal
exi
tpro
ce
dure
sar
eex
pect
edto
be
rele
ased
in
3m
onth
s)
This
gap
may
man
ifest
itse
lfin
the
inco
nsis
tent
col
lect
ion
ofb
adge
sla
pto
psm
obile
dev
ices
and
oth
erU
SCIS
eq
uipm
ent
USC
ISs
houl
dco
nsid
era
dopt
ing
ane
nter
pris
ew
ide
exit
proc
edu
reto
ens
ure
cons
iste
ntte
rmi
natio
nof
all
empl
oyee
san
dco
ntr
acto
rs
Ita
ppea
rsth
ere
spon
sibi
lity
for
ensu
ring
that
em
ploy
ees
and
cont
ract
ors
are
term
inat
edr
ests
sol
ely
with
the
man
ager
It
als
oap
pear
sdi
ffer
en
tman
ager
sfo
llow
diff
eren
tpr
oced
ures
toe
nsur
eth
ata
cce
ssis
dis
able
dan
deq
uipm
ent
isr
etur
ned
ase
mpl
oyee
san
dco
ntra
ctor
sle
ave
USC
IS
Empl
oyee
and
Co
ntra
ctor
Man
da
tory
Dru
gTe
stin
g
Hum
anR
esou
rces
All
fede
ralp
ositi
ons
are
subj
ectt
odr
ugte
stin
gb
uto
nly
forn
ewh
ires
Acc
ordi
ngto
aU
SCIS
Con
vict
ions
Tas
kFo
rce
inve
stig
atio
nca
sec
all
cont
rac
tor
posi
tions
do
notr
equi
red
rug
test
in
g
Fift
een
insi
ders
doc
umen
ted
in
the
CERT
Insi
der
Thre
atC
ase
data
base
exh
ibite
dsu
bsta
nce
abus
eU
SCIS
sho
uld
cons
ider
im
plem
entin
gm
anda
tory
pos
thi
red
rug
test
ing
for
alle
mpl
oy
ees
and
cont
ract
ors
CERT | SOFTWARE ENGINEERING INSTITUTE | 41
Ap
pen
dix
CP
hys
ical
Sec
uri
ty
Fiel
dof
fices
A
cces
sFo
llow
ing
Term
inat
ion
Se
curi
tyo
fPhy
sica
lCas
eFi
les
Som
ein
side
rsd
ocum
ente
din
the
CERT
Insi
der
Thre
atC
ase
data
base
exp
loite
dph
ysic
als
ecur
ityv
ulne
rabi
litie
s
Som
ew
ere
able
tog
ain
acce
ss
too
rgan
izat
ion
faci
litie
sou
tsid
eof
nor
mal
wor
king
hou
rsto
ste
alc
ontr
olle
din
form
atio
nor
toe
xact
rev
enge
on
the
orga
niza
tion
bys
abot
agin
gcr
itica
lope
ratio
ns
Phys
ical
sec
urity
can
als
opr
ovid
ean
othe
rla
yer
ofd
efen
sea
gain
stte
rmin
ated
insi
ders
who
wis
hto
reg
ain
phys
ical
acc
ess
to
atta
ck
Just
as
with
ele
ctro
nic
secu
rity
how
ever
for
mer
em
ploy
ees
have
bee
nsu
cces
sful
inw
orki
nga
roun
dth
eir
orga
niza
tionrsquo
sph
ysic
als
ecu
rity
mea
sure
sI
tis
impo
rtan
tfor
org
aniz
atio
nsto
man
age
phys
ical
sec
urity
for
full
time
par
ttim
ea
ndte
mpo
rary
em
ploy
ees
con
trac
tors
and
co
ntra
ctla
bore
rs
USC
ISP
hysi
calS
ecur
ityh
asm
ade
sign
ifica
ntp
rogr
ess
prot
ectin
gU
SCIS
faci
litie
san
das
sets
inth
ena
tiona
lcap
italr
egio
n(N
CR)s
ince
Janu
ary
2008
whe
nit
stoo
dup
an
ewp
hysi
cals
ecur
ityp
rogr
am
Alth
ough
phy
sica
lsec
urity
inth
eN
CRis
con
sist
ently
dir
ecte
dan
den
forc
edb
yPh
ysic
al
Secu
rity
eac
hfie
ldo
ffic
ese
tsit
sow
npo
licie
san
dac
cess
con
trol
sI
nad
ditio
ng
aps
inte
rmin
atio
npr
oced
ures
hav
ere
sulte
din
ong
oing
phy
sica
lac
cess
follo
win
gte
rmin
atio
nF
inal
lyi
ssue
sco
ncer
ning
the
secu
rity
ofp
hysi
calc
ase
files
sho
uld
bec
onsi
dere
das
par
tofa
USC
ISr
isk
man
age
men
tstr
ateg
y
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sPh
ysic
alS
ecur
ity
ofF
ield
Off
ices
USC
ISL
eade
rshi
p Ph
ysic
alS
ecur
ity
USC
ISis
inth
epr
oces
sof
put
ting
ane
wa
cces
sco
ntro
lsys
tem
inp
lace
fo
rth
eN
CR
Befo
reit
doe
sit
will
di
sabl
eac
cess
for
anyo
new
hoh
as
notu
sed
phys
ical
acc
ess
inm
ore
Each
USC
ISfa
cilit
yha
sits
ow
n
polic
ies
and
acce
ssc
ontr
ols
syst
ems
Som
efie
ldo
ffic
esw
ithin
USC
ISh
ave
acce
ss
cont
rols
yste
ms
oth
ers
don
ot
Not
al
loff
ices
inth
efie
ldh
ave
elec
tron
ic
Fort
yof
the
insi
ders
doc
umen
ted
inth
eCE
RTd
atab
ase
took
adv
an
tage
ofi
nade
quat
eph
ysic
als
ecu
rity
toc
arry
out
thei
rcr
imes
El
ectr
onic
acc
ess
cont
rols
pro
vide
CERT | SOFTWARE ENGINEERING INSTITUTE | 42
Sugg
este
dCo
unte
rmea
sure
slo
gsth
atc
ould
be
usef
ulin
inve
s
tigat
ions
ofi
llici
tact
ivity
out
side
of
nor
mal
wor
king
hou
rs
USC
IS
shou
ldc
onsi
der
deve
lopi
nge
nte
rpri
sew
ide
phys
ical
sec
urity
pr
oced
ures
rol
ltho
seo
utto
ea
chfi
eld
offic
ea
ndr
equi
rea
ph
ysic
als
ecur
ityr
epre
sent
ativ
eat
eac
hsi
teto
ens
ure
cons
iste
nt
enfo
rcem
ento
fthe
pol
icie
s
USC
ISs
houl
dco
nsid
erp
rohi
bitin
gea
chfi
eld
offic
efr
omd
evel
opin
gsi
tes
peci
ficp
olic
ies
and
rem
ov
ing
enfo
rcem
entc
ontr
olfr
om
each
site
In1
0ca
ses
docu
men
ted
inth
eCE
RTIn
side
rTh
reat
Cas
eda
ta
base
the
insi
der
was
abl
eto
at
tack
follo
win
gte
rmin
atio
ndu
eto
fa
ilure
ton
otify
sec
urity
em
pl
oyee
san
dbu
sine
ssp
artn
ers
of
the
term
inat
ion
To
cont
rola
cce
ssto
USC
ISfa
cilit
ies
itis
im
port
antf
orU
SCIS
toc
ompa
re
curr
ente
mpl
oyee
san
dco
ntra
cto
rsto
the
auth
oriz
eda
cces
slis
t
Polic
yor
Pra
ctic
eG
aps
acce
ssc
ontr
ols
ndashso
me
only
hav
elo
cks
and
keys
N
ote
very
USC
ISs
iteh
asa
phy
sica
lse
curi
tyr
epre
sent
ativ
eW
here
no
re
pres
enta
tive
isp
rese
ntt
his
resp
on
sibi
lity
falls
on
othe
rm
anag
emen
t pe
rson
nelw
hom
ayn
otb
eeq
uipp
ed
toh
andl
eth
ese
issu
esp
rope
rly
and
repo
rtth
emin
ati
mel
ym
anne
r
So
me
man
ager
str
ack
who
acc
esse
s
wha
twhe
nan
dot
hers
do
not
Ac
cord
ing
toP
hysi
calS
ecur
ityin
Ver
m
ont
onl
y20
o
fvio
latio
nsa
reb
ein
gre
port
edto
sec
urity
Polic
yan
dor
Sec
urit
yM
easu
re
than
12
mon
ths
as
wel
las
anyo
ne
nolo
nger
em
ploy
edb
yU
SCIS
It
als
opl
ans
one
xam
inin
gal
lacc
ount
sth
at
have
not
use
dph
ysic
ala
cces
sin
m
ore
than
30
days
Se
curi
tyo
ffie
ldo
ffic
esfa
llsu
nder
th
eFi
eld
Secu
rity
Div
isio
n(F
SD)
The
O
ffic
eof
Sec
urity
and
Inte
grity
(OSI
)re
cent
lyd
evel
oped
an
insp
ectio
nw
orkb
ook
and
isfi
eld
test
ing
itw
ith
FSD
U
SCIS
Fie
ldS
ecur
ityD
ivis
ion
isp
lan
ning
top
uta
sec
urity
rep
rese
ntat
ive
ine
very
fiel
dof
fice
Ite
xpec
tstw
oto
thre
etim
esm
ore
repo
rts
ofv
iola
tio
nso
nce
itha
sa
repr
esen
tativ
ein
ever
ylo
catio
n
No
evid
ence
pro
vide
d
Resp
onsi
ble
Pers
onne
l
Hum
anR
esou
rces
Ph
ysic
alS
ecur
ity
Are
aof
Con
cern
Phys
ical
Acc
ess
Follo
win
gTe
rmi
nati
on
CERT | SOFTWARE ENGINEERING INSTITUTE | 43
Sugg
este
dCo
unte
rmea
sure
s
ine
ach
faci
lityrsquo
sac
cess
con
trol
syst
em
D
isab
ling
phys
ical
acc
ess
tofa
cili
ties
whe
nem
ploy
ees
and
con
trac
tors
term
inat
eis
ess
entia
lto
prot
ectin
gU
SCIS
em
ploy
ees
and
faci
litie
sU
SCIS
sho
uld
cons
ider
au
tom
atin
gth
ere
voca
tion
of
empl
oyee
and
con
trac
tor
phys
ica
lacc
ess
whe
na
term
inat
ion
occu
rs
The
term
inat
ion
chec
klis
tsh
ould
incl
ude
ano
tific
atio
nto
ph
ysic
als
ecur
itys
oph
ysic
ala
cce
ssc
anb
edi
sabl
ed
Cons
ider
con
sist
ente
nfor
cem
ent
and
inve
stig
atio
nof
USC
ISp
hysi
ca
lsec
urity
inci
dent
sA
llal
erts
sh
ould
be
inve
stig
ated
and
Polic
yor
Pra
ctic
eG
aps
Secu
rity
gua
rds
ats
itelo
catio
nsh
ave
on
occ
asio
nig
nore
ddo
orp
ropp
ed
open
ala
rms
beca
use
thef
thas
trad
itio
nally
bee
na
very
sm
allp
robl
ema
t
Polic
yan
dor
Sec
urit
yM
easu
re
No
evid
ence
pro
vide
d
No
evid
ence
pro
vide
d
Resp
onsi
ble
Pers
onne
l
USC
ISL
eade
rshi
p Ph
ysic
alS
ecur
ity
Are
aof
Con
cern
No
Two
Pers
on
Cont
rol
CERT | SOFTWARE ENGINEERING INSTITUTE | 44
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sU
SCIS
docu
men
ted
ifth
eal
erti
sde
emed
unn
eces
sary
then
it
shou
ldb
edi
scon
tinue
dA
llse
cu
rity
vio
latio
nss
houl
dbe
trac
ked
ina
cen
tral
rep
osito
rys
oa
com
pl
ete
hist
ory
for
each
indi
vidu
alis
av
aila
ble
Aft
erH
ours
Acc
ess
Phys
ical
Sec
urit
y
Aut
hori
zed
Acc
ess
Mos
tacc
ess
is2
4ho
urs
ada
y7
days
a
wee
kndash
Tw
enty
nin
eof
the
insi
ders
do
cum
ente
din
the
CERT
dat
aba
seu
sed
phys
ical
acc
ess
outs
ide
ofn
orm
alw
orki
ngh
ours
toa
tta
ck
USC
ISs
houl
dco
nsid
erim
pl
emen
ting
ana
cces
sco
ntro
lsy
stem
that
gra
nts
acce
ssc
om
men
sura
tew
ithth
epo
sitio
nan
em
ploy
eeo
rcon
trac
tor
fills
If
apo
sitio
ndo
esn
otr
equi
rea
cces
sou
tsid
eof
nor
mal
wor
king
hou
rs
the
acce
ssc
ontr
ols
yste
ms
houl
dpr
ohib
itsu
cha
cces
san
dlo
gun
su
cces
sful
acc
ess
atte
mpt
s
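The position-based access window and logging of unsuccessful attempts suggested in the After-Hours Access row, worked through as an added Python example; it is not USCIS, CERT or any access control vendor's code, and the positions, badge IDs, doors and event times are constructed.

```python
"""Position-based after-hours physical access policy with an audit log of denials.

Added example for the After-Hours Access countermeasure: access is granted only
when the position requires access at that time, every refused attempt is logged,
and badges with repeated refusals are listed for investigation. Positions, badge
IDs, doors and times are constructed; this is not USCIS or CERT code.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessWindow:
    start: time                # earliest time of day the position may enter
    end: time                  # latest time of day the position may enter
    weekdays_only: bool = True


# Permitted access per position (hypothetical positions). None means the position
# genuinely requires access 24 hours a day, 7 days a week.
POSITION_WINDOWS: Dict[str, Optional[AccessWindow]] = {
    "adjudicator": AccessWindow(time(6, 0), time(20, 0)),
    "data_entry_clerk": AccessWindow(time(7, 0), time(18, 0)),
    "security_guard": None,
}


@dataclass(frozen=True)
class BadgeEvent:
    badge_id: str
    position: str
    door: str
    when: datetime


@dataclass(frozen=True)
class Decision:
    event: BadgeEvent
    granted: bool
    reason: str


def evaluate(event: BadgeEvent) -> Decision:
    """Grant access only when the position's duties require access at this time."""
    if event.position not in POSITION_WINDOWS:
        return Decision(event, False, "position has no access profile")
    window = POSITION_WINDOWS[event.position]
    if window is None:
        return Decision(event, True, "position requires 24x7 access")
    if window.weekdays_only and event.when.weekday() >= 5:
        return Decision(event, False, "weekend access not required by position")
    if not (window.start <= event.when.time() <= window.end):
        return Decision(event, False, "outside permitted hours for position")
    return Decision(event, True, "within permitted hours")


def process(events: List[BadgeEvent]) -> Tuple[List[Decision], List[str]]:
    """Apply the policy to a stream of badge reads; every denial goes to the audit log."""
    decisions: List[Decision] = []
    audit_log: List[str] = []
    for ev in events:
        d = evaluate(ev)
        decisions.append(d)
        if not d.granted:
            audit_log.append(
                f"{ev.when.isoformat()} DENIED badge={ev.badge_id} "
                f"position={ev.position} door={ev.door} reason={d.reason}"
            )
    return decisions, audit_log


def repeat_offenders(decisions: List[Decision], threshold: int = 2) -> Dict[str, int]:
    """Badges with at least `threshold` denied attempts: candidates for investigation."""
    counts: Dict[str, int] = {}
    for d in decisions:
        if not d.granted:
            counts[d.event.badge_id] = counts.get(d.event.badge_id, 0) + 1
    return {badge: n for badge, n in counts.items() if n >= threshold}


# Constructed badge reads (2010-11-15 is a Monday, 2010-11-20 a Saturday, 2010-11-21 a Sunday).
SAMPLE_EVENTS = [
    BadgeEvent("A100", "adjudicator", "east-entry", datetime(2010, 11, 15, 9, 30)),
    BadgeEvent("A100", "adjudicator", "east-entry", datetime(2010, 11, 15, 23, 10)),
    BadgeEvent("A100", "adjudicator", "file-room", datetime(2010, 11, 16, 22, 45)),
    BadgeEvent("C200", "data_entry_clerk", "east-entry", datetime(2010, 11, 20, 10, 0)),
    BadgeEvent("G300", "security_guard", "east-entry", datetime(2010, 11, 21, 3, 0)),
    BadgeEvent("X999", "visitor", "east-entry", datetime(2010, 11, 15, 12, 0)),
]


def run_example() -> Tuple[List[bool], List[str], Dict[str, int]]:
    """Expected: grants [True, False, False, False, True, False], 4 log lines, {'A100': 2}."""
    decisions, audit_log = process(SAMPLE_EVENTS)
    return [d.granted for d in decisions], audit_log, repeat_offenders(decisions)
```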
Area of Concern: Security of Physical Case Files
Responsible Personnel: Physical Security
Policy and/or Security Measure: Protection of USCIS case file data.
Policy or Practice Gaps: Physical files were observed in crates stacked in the hallways in the Vermont Service Center. According to an interview at the Service Center, anyone could walk out with a "crate full" of files after hours, especially if you are a teleworker. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their office or desk. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices, and they might leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Adjudicators pick up their cases in an envelope in their mailbox. During the site visit, the assessment team observed the mailroom at the Vermont Service Center unattended between shifts (approximately 3 pm). When adjudicators finish with a file, they return it to a drop-off spot. The assessment team observed those spots, which are in the open and unattended. Adjudicators may keep cases overnight and usually return them within 1 week.
Suggested Countermeasures: USCIS assumes its case file data is secure because its employees and contractors have a clearance or have had a background check. It is important to note that 49 insiders documented in the CERT database violated need-to-know policies in the commission of their crimes. Therefore, relying on clearances alone can be very dangerous. Thirteen insiders documented in the CERT database stole physical property belonging to the organization. CERT suggests USCIS consider the consequences of theft or unauthorized access to physical case files and make a risk-based decision regarding potential policy and procedure changes. There are standard policies and procedures for handling sensitive information, but a strong educational campaign is needed to ensure the protection of data.

Area of Concern: Teleworkers at Service Centers
Responsible Personnel: USCIS Leadership, Physical Security
Policy and/or Security Measure: One hundred eighty-nine people at the Vermont Service Center are authorized to work from home. These employees pick up files at the Vermont Service Center and take them home. They work 2 days per week in the Service Center and 3 days per week at home. USCIS pays an unannounced visit to all homes to inventory the employees' files at least quarterly. These employees must have a locked facility in their home and must always have the ability to return the files to the Service Center within 4 hours.
Policy or Practice Gaps: The control of USCIS data when it leaves the Vermont Service Center is difficult to enforce. Employees must have appropriate storage facilities, but they could easily copy USCIS data and share it with unauthorized individuals.
Suggested Countermeasures: Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. It is important that USCIS recognize the potential for recruitment and the lack of control exercised over sensitive data at adjudicators' residences.

Appendix D: Business Processes

Technical Controls
Authorization via PICS
Account Management

A variety of cases from the CERT Insider Threat Case database document insider attacks where gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege in both the physical and virtual environments is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors are targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crime. Most of these insiders committed the crime for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE PICS system for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Area of Concern: Authorization for USCIS Critical Systems through PICS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Several critical USCIS systems are tied to PICS for authentication, which is administered by ICE. PICS logs account creations, when the accounts were created, what roles applied to the accounts, etc.
Policy or Practice Gaps: PICS permits users outside of USCIS to authorize users for any USCIS application tied to PICS. Two thousand local PICS officers (LPOs) in ICE and USCIS can create new accounts in PICS for employees located at their sites. LPOs control access for sheriffs, petitioners, CBP, DOJ, TSA, DHS OIG, Terrorism Task Force, and others. Accounts are based on personnel records, so LPOs cannot create accounts for anyone who is not an employee at their site. However, PICS administrators can create accounts for anyone working at their site for any system tied to PICS.
Suggested Countermeasures: USCIS should consider implementing an authorization process and system that enables it to control who is granted access to USCIS systems and data. CERT suggests that USCIS validate current PICS accounts and roles against current employee lists. Ten percent (37) of the insiders documented in the CERT database had excessive privileges, which enabled them to attack. In addition, "privilege creep" enabled a few (six) of the insiders documented in the CERT database to carry out their crimes.

Verification Information System (VIS)

Area of Concern: Sharing VIS Accounts
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: VIS administrators in external companies or agencies have been caught letting multiple employees use the same VIS account, but USCIS has no ability to take any action. The accounts enable employees to validate PII and citizenship information.
Suggested Countermeasures: Twenty-four (6 percent) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity. USCIS should consider increasing the consequences for infractions and possibly implement stronger authentication to make sharing accounts more difficult.

Area of Concern: Logging, Auditing, and Alerting in VIS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Modifications by VIS users to critical data are logged.

Computer Linked Application Information Management System (CLAIMS) 3 LAN

Area of Concern: Self-Selection of Adjudication Cases
Responsible Personnel: ISSOs, Data Owners
Policy and/or Security Measure: Adjudicators can self-select cases (according to an interview concerning an internal incident that occurred at USCIS and interviews with data owners at the Vermont Service Center).
Policy or Practice Gaps: Within the Service Centers, adjudicators have virtually unlimited access to applicant files: there are no need-to-know limitations or controls to prevent an adjudicator from accessing sensitive information and reporting it to outsiders or modifying a file (entering an invalid decision). Adjudicators can also approve a case that is not assigned to them. There is no tie between the case management system (i.e., National File Tracking System or NFTS) and the case adjudication system (i.e., CLAIMS). In the internal case that occurred at USCIS, the perpetrator circumvented the interview process for 14 months; he approved "no show" cases. There were no controls to detect this. In addition, adjudicators can adjudicate any type of case even though they are each assigned certain types of benefits cases for adjudication.
Suggested Countermeasures: USCIS should consider implementing technical controls to prohibit adjudicators from self-selecting cases to adjudicate.

Area of Concern: Emphasis on Customer Service Over Risk
Responsible Personnel: Data Owners
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: One interviewee at the Vermont Data Center said that "stats" can be a strain, especially for new hires, although they do get a 90-day grace period.
Suggested Countermeasures: USCIS should use caution in emphasizing customer service as the only performance metric, because this could encourage lack of attention to risk-related activities (such as accurate adjudication decisions).

Area of Concern: Lack of Separation of Duties in CLAIMS
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Currently, all declined requests for benefits are reviewed by a supervisor. However, there was a discrepancy during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. Only a random sample of approved adjudication decisions is reviewed. For some cases (for instance, victims' cases) a senior adjudicator has to review the decision after the adjudicator enters it; then the supervisor reviews it. This is a manually enforced process. There was another discrepancy in interviews: the adjudicators said that when adjudicators are in training they are under 100% review. They are in training on a specific type of case for at least 6 months. Auditing for improperly granted benefits is based on sampling and/or blind quality assurance (QA) according "to Army standards" after the fact. A randomly selected 30 cases per quarter are also reviewed by "sister centers". The QA process varies office by office (no national process). This QA has been done for the past year and a half. In the Vermont field office, each supervisor pulls at least 10 cases per adjudicator per month. They review decision-related issues, security-related issues, and procedural issues (did they follow the right steps). They also look for lessons learned. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Some cases are more than 1000 pages, so every detail cannot be practically reviewed for every case. Clerks pull cases a couple of times per month, a certain number of cases per employee. Those cases are passed to QA, who reviews the cases. QA then sends feedback to the supervisor and adjudicator if they find something that does not look right.
Suggested Countermeasures: USCIS should consider implementing automated processes to prevent and detect fraud. Management indicated it would like to see automated technical enforcement of the review and approval process. In nearly ten percent (39) of the cases documented in the CERT database, insiders took advantage of insufficient separation of duties to carry out their crimes. USCIS should carefully consider the biggest risk to the organization. Many of the USCIS employees interviewed for this assessment identified the primary risk for the organization as allowing the next terrorist to live and work legally in the United States. They desire assistance in identifying and implementing internal controls to counter that risk. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it. If USCIS agrees that granting legal documents to illegal applicants is one of the biggest risks to the organization, then it should consider requiring dual authorization for these adjudication decisions.

Area of Concern: Lack of Automated Checks
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Vermont IT has done data sweeps after it found something suspicious. When it has done so, it has found more of the same activity.
Policy or Practice Gaps: There are no automated checks (there will be in Transformation). Checks that do exist are managed at the local level rather than alerting to the headquarters level.
Suggested Countermeasures: In nearly twenty-five percent (91) of cases documented in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 cases it was because of inadequate auditing of irregular processes. In 29 of the cases the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analyzing the OSI's findings and developing automated checks that are rolled out nationally.
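The preventive controls called for in the Self-Selection and Lack of Separation of Duties rows (no self-selected cases, decisions limited to assigned form types, no approval without the required interview, dual authorization for designated approvals) together with the automated, centrally reported check called for in the Lack of Automated Checks row, as one added Python example. It is not USCIS or CERT code; the case numbers, form-type labels, user IDs and the rule that "BENEFIT-B" approvals need a second approver are constructed assumptions.

```python
"""Separation-of-duties controls for benefit adjudication (added example).

Models the controls the assessment suggests for CLAIMS-style adjudication: no
self-selection of cases, decisions limited to assigned form types, no approval
without a required interview, dual authorization for designated approvals, and
an automated re-check of recorded decisions that reports findings centrally.
Case numbers, form types and user IDs are constructed; not USCIS or CERT code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Case:
    case_id: str
    form_type: str            # benefit form type (constructed label)
    assigned_to: str          # adjudicator assigned by the case management system
    interview_required: bool
    interview_completed: bool = False


@dataclass(frozen=True)
class Adjudicator:
    user_id: str
    form_types: Set[str]      # form types this adjudicator is assigned to adjudicate


@dataclass(frozen=True)
class Decision:
    case_id: str
    adjudicator: str
    outcome: str              # "approve" or "deny"
    second_approver: Optional[str] = None


# Approvals of these form types need a second, different approver (constructed policy).
DUAL_AUTH_TYPES: Set[str] = {"BENEFIT-B"}


class AdjudicationControls:
    def __init__(self, cases: List[Case], adjudicators: List[Adjudicator]) -> None:
        self.cases = {c.case_id: c for c in cases}
        self.adjudicators = {a.user_id: a for a in adjudicators}

    def violations(self, d: Decision) -> List[str]:
        """Every control the decision violates; an empty list means it is compliant."""
        case = self.cases.get(d.case_id)
        adj = self.adjudicators.get(d.adjudicator)
        if case is None:
            return ["unknown case"]
        if adj is None:
            return ["unknown adjudicator"]
        problems: List[str] = []
        if case.assigned_to != d.adjudicator:
            problems.append("self-selected: case is not assigned to this adjudicator")
        if case.form_type not in adj.form_types:
            problems.append(f"form type {case.form_type} is outside the adjudicator's assignment")
        if d.outcome == "approve":
            if case.interview_required and not case.interview_completed:
                problems.append("approved without the required interview")
            if case.form_type in DUAL_AUTH_TYPES and d.second_approver in (None, d.adjudicator):
                problems.append("approval requires a second, different approver")
        return problems

    def enter_decision(self, d: Decision) -> bool:
        """Preventive control: the system records a decision only if it is compliant."""
        return not self.violations(d)

    def audit(self, decisions: List[Decision]) -> Dict[str, List[str]]:
        """Detective control: re-check recorded decisions, grouped by adjudicator for a
        headquarters-level alert rather than a check managed only at the local office."""
        findings: Dict[str, List[str]] = {}
        for d in decisions:
            for v in self.violations(d):
                findings.setdefault(d.adjudicator, []).append(f"{d.case_id}: {v}")
        return findings


# Constructed sample data.
SAMPLE_CASES = [
    Case("C-001", "BENEFIT-A", assigned_to="adj1", interview_required=False),
    Case("C-002", "BENEFIT-B", assigned_to="adj1", interview_required=True),
    Case("C-003", "BENEFIT-A", assigned_to="adj2", interview_required=False),
    Case("C-004", "BENEFIT-B", assigned_to="adj1", interview_required=True, interview_completed=True),
]
SAMPLE_ADJUDICATORS = [Adjudicator("adj1", {"BENEFIT-A", "BENEFIT-B"}), Adjudicator("adj2", {"BENEFIT-A"})]
SAMPLE_DECISIONS = [
    Decision("C-001", "adj1", "approve"),                          # compliant
    Decision("C-002", "adj1", "approve"),                          # no interview, no second approver
    Decision("C-003", "adj1", "deny"),                             # self-selected (assigned to adj2)
    Decision("C-004", "adj1", "approve", second_approver="adj2"),  # compliant dual authorization
    Decision("C-004", "adj1", "approve", second_approver="adj1"),  # approver seconds own decision
    Decision("C-003", "adj2", "deny"),                             # compliant
]
CONTROLS = AdjudicationControls(SAMPLE_CASES, SAMPLE_ADJUDICATORS)


def run_example() -> Dict[str, List[str]]:
    """Audit the constructed decision log; expected: findings only for adj1 (four items)."""
    return CONTROLS.audit(SAMPLE_DECISIONS)
```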
Area of Concern: Physical Security of Case Files
Responsible Personnel: Data Owners, Adjudicators
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: The NFTS tracks millions of files. It was described, however, as a very large warehouse where files do occa…
Suggested Countermeasures: Ten percent (40) of the insiders documented in the CERT database carried out their crimes by…

…the same applicant.

Area of Concern: Disabling Access to CLAIMS
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Currently, every month USCIS compares the Human Resources attrition list against the C3 LAN account list and disables inactive employee accounts.
Policy or Practice Gaps: The new HR form has not been socialized or widely advertised. It is up to the COTRs and supervisors to consistently request that access be disabled when an employee or contractor no longer needs access.
Suggested Countermeasures: C3 LAN will be retired as part of Transformation. C4 will also be retired. A copy of security controls and requirements has been provided by C3 LAN data owners to Transformation. It is important for the Transformation team to make risk-based decisions in Transformation design and development.
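The account reconciliation recommended in several rows above, for PICS (validate accounts and roles against current employee lists, and watch for accounts created outside the owner's site), for C3 LAN (monthly comparison against the HR attrition list) and for facility access (disable after 12 months unused, examine after 30 days), worked through as an added Python example. It is not USCIS, ICE or CERT code; the roster, account records, system names, sites and dates are constructed.

```python
"""Reconciling system and badge accounts against the HR roster (added example).

Implements the checks the assessment suggests for PICS, C3 LAN and the facility
access control systems: compare the account list with the current employee and
attrition lists, disable accounts whose owner is gone or that are long unused,
review accounts unused past 30 days or created for someone at another site.
Employee IDs, sites, systems and dates are constructed; not USCIS, ICE or CERT code.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    site: str
    separated_on: Optional[date] = None    # set from the HR attrition list


@dataclass(frozen=True)
class Account:
    system: str
    account_id: str
    owner_emp_id: str
    created_by_emp_id: str                 # e.g. the local officer who created it
    last_used: Optional[date] = None       # None if never used


@dataclass(frozen=True)
class Finding:
    system: str
    account_id: str
    action: str                            # "disable" or "review"
    reason: str


# Thresholds taken from the report: disable after 12 months unused, examine after 30 days.
DISABLE_AFTER = timedelta(days=365)
REVIEW_AFTER = timedelta(days=30)


def reconcile(roster: List[Employee], accounts: List[Account], today: date) -> List[Finding]:
    by_id = {e.emp_id: e for e in roster}
    findings: List[Finding] = []
    for a in accounts:
        owner = by_id.get(a.owner_emp_id)
        if owner is None:
            findings.append(Finding(a.system, a.account_id, "disable", "owner not on HR roster"))
            continue
        if owner.separated_on is not None and owner.separated_on <= today:
            findings.append(Finding(a.system, a.account_id, "disable",
                                    f"owner separated on {owner.separated_on.isoformat()}"))
            continue
        creator = by_id.get(a.created_by_emp_id)
        if creator is not None and creator.site != owner.site:
            findings.append(Finding(a.system, a.account_id, "review",
                                    f"created at site {creator.site} for an employee at site {owner.site}"))
        if a.last_used is None:
            findings.append(Finding(a.system, a.account_id, "disable", "never used"))
            continue
        idle = today - a.last_used
        if idle > DISABLE_AFTER:
            findings.append(Finding(a.system, a.account_id, "disable", f"unused for {idle.days} days"))
        elif idle > REVIEW_AFTER:
            findings.append(Finding(a.system, a.account_id, "review", f"unused for {idle.days} days"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each action to the sorted system/account IDs it applies to, for the monthly report."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.action, []).append(f"{f.system}/{f.account_id}")
    return {action: sorted(ids) for action, ids in out.items()}


# Constructed roster (with attrition data) and account lists from three systems.
ROSTER = [
    Employee("E1", "VSC"),
    Employee("E2", "NCR", separated_on=date(2010, 10, 15)),
    Employee("E3", "VSC"),
    Employee("E4", "NCR"),                 # local officer who creates accounts
]
ACCOUNTS = [
    Account("PICS", "acct-e1", "E1", "E4", last_used=date(2010, 11, 28)),   # created across sites
    Account("C3LAN", "acct-e2", "E2", "E4", last_used=date(2010, 10, 14)),  # owner separated
    Account("PICS", "acct-e9", "E9", "E4", last_used=date(2010, 11, 30)),   # no such employee
    Account("BADGE", "badge-e3", "E3", "E1", last_used=date(2009, 10, 1)),  # idle over a year
    Account("C3LAN", "acct-e3", "E3", "E1", last_used=date(2010, 10, 20)),  # idle 42 days
    Account("BADGE", "badge-e1", "E1", "E1"),                              # never used
]
AS_OF = date(2010, 12, 1)


def run_example() -> Dict[str, List[str]]:
    """Expected: four accounts to disable, two to review."""
    return summarize(reconcile(ROSTER, ACCOUNTS, AS_OF))
```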
CERT | SOFTWARE ENGINEERING INSTITUTE | 56
Are
aof
Con
cern
Non
Att
ribu
tion
fo
rD
BAA
ccou
nts
Resp
onsi
ble
Pers
onne
l
Info
rmat
ion
Tech
nolo
gy
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
s
CERT | SOFTWARE ENGINEERING INSTITUTE | 57
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
s
Pend
ing
Redu
ctio
nin
For
cefo
rD
ata
Entr
yCl
erks
Dat
aO
wne
rs
Hum
anR
esou
rces
No
evid
ence
pro
vide
d
Dat
aen
try
cler
ksw
illb
elo
sing
thei
rjo
bsw
hen
they
mov
eto
Loc
kBox
w
hich
will
take
ove
rth
efu
nctio
nal
ityo
facc
eptin
gre
mitt
ance
sfo
rbe
nefit
app
lican
ts
Itw
ass
tate
dth
atth
eda
tae
ntry
cle
rks
mig
htb
ehi
red
away
tow
ork
atth
eor
gani
za
tion
whi
chp
erfo
rms
that
func
tio
n
USC
ISs
houl
dbe
aw
are
ofth
ein
crea
sed
insi
der
risk
inth
efa
ce
ofn
egat
ive
orga
niza
tiona
lev
ents
like
this
It
sho
uld
con
side
rpr
oact
ive
step
sto
dec
reas
est
ress
inth
ew
orkp
lace
and
to
ease
pot
entia
lfin
anci
alb
urde
ns
that
cou
ldm
ake
empl
oyee
sm
ore
susc
eptib
leto
rec
ruitm
ent
byo
utsi
ders
Shar
ing
Acc
ount
sin
CLA
IMS
Dat
aO
wne
rs
Info
rmat
ion
Tech
nolo
gy
Dat
aEn
try
Cler
ks
The
NFT
Sw
illn
otle
tcle
rks
log
inif
th
eyh
ave
notu
sed
the
syst
emfo
ra
cert
ain
num
ber
ofd
ays
Ac
lerk
rsquosc
ube
mat
ew
illlo
gin
for
thei
rcu
bem
ate
ifit
isth
een
dof
the
day
and
ITh
asg
one
hom
efo
rthe
day
Twen
tyf
our
(6
)oft
hein
side
rs
docu
men
ted
inth
eCE
RTd
ata
base
wer
eab
leto
car
ryo
utth
eir
crim
esb
ecau
sein
side
rss
hare
dac
coun
tand
pas
swor
din
form
atio
no
ften
tom
ake
thei
rjo
bs
easi
era
ndto
incr
ease
pro
duct
iv
ity
USC
ISs
houl
dco
nsid
erin
crea
sing
th
eco
nseq
uenc
esfo
rin
frac
tions
an
dpo
ssib
lyim
plem
ents
tron
ger
auth
entic
atio
nto
mak
eac
coun
tsh
arin
gm
ore
diff
icul
t
CERT | SOFTWARE ENGINEERING INSTITUTE | 58
Sugg
este
dCo
unte
rmea
sure
s
Ten
perc
ent(
39)o
fthe
insi
ders
do
cum
ente
din
the
CERT
dat
aba
seto
oka
dvan
tage
ofi
nsuf
fici
enta
cces
sco
ntro
ls
USC
IS
shou
ldc
onsi
der
redu
cing
the
num
ber
ofp
rivi
lege
dac
coun
ts
with
acc
ess
toth
eFD
NS
DS
If
the
num
ber
ofs
uper
user
ac
coun
tsw
ere
redu
ced
then
en
hanc
eda
uditi
ngc
ould
be
em
ploy
edo
ntr
ansa
ctio
ns
cond
ucte
dus
ing
thos
eac
coun
ts
Polic
yor
Pra
ctic
eG
aps
b
ut
ther
ear
ena
tiona
lcon
trol
sto
ens
ure
th
atc
eleb
ritie
srsquofi
les
are
notb
eing
ac
cess
ed
Ther
eis
ala
rge
supe
ruse
rco
mm
unity
m
ore
than
thirt
ype
rcen
tofa
llFD
NS
DS
user
sw
itha
cces
sto
the
FDN
SD
S
Thes
eac
coun
tsh
ave
exte
nsiv
epo
wer
a
mal
icio
uss
uper
user
can
com
plet
ely
dele
tea
rec
ord
orm
odify
the
sum
m
ary
offi
ndin
gs
Polic
yan
dor
Sec
urit
yM
easu
re
The
FDN
SD
Sis
ac
entr
alr
epos
itory
of
frau
dan
dna
tiona
lsec
urity
inve
stig
atio
ns
This
sys
tem
hol
dsa
ppli
cant
san
dpe
titio
ners
as
wel
las
PII
Th
ere
isa
lso
ana
tiona
lsec
urity
tab
N
oev
iden
cep
rovi
ded
nnel
logy
logy
sibl
ePe
rso
wne
rs
tion
Tec
hno
wne
rs
tion
Tec
hno
Resp
onD
ata
O In
form
a
Dat
aO
Info
rma
rn
sac
ges
eCo
ncn e
Priv
ilD
S
Are
aof
ng
oLo
ggi
fTra
tion
s
Elev
ated
N
Sto
FD
Frau
dD
etec
tion
and
Nat
ural
izat
ion
Syst
emndash
Dat
aSy
stem
(FD
NS
DS)
CERT | SOFTWARE ENGINEERING INSTITUTE | 59
Area of Concern: Unknown Connections to [...]
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.

Area of Concern: Failure to Address Known Security Vulnerabilities
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no automated patching because of the age of the servers and the application. Only critical patches are applied for fear of crashing the servers.
Suggested Countermeasures: Thirteen insiders in the CERT database exploited known security vulnerabilities that were not addressed by the organization. USCIS should consider upgrading the FDNS-DS, since these vulnerabilities increase the risk of attack from outside and inside.

Area of Concern: Production Data Available to Contractors in Development
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: CSC has production data in the development environment even though it should not have access to production data.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the remote contractor-owned development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.

Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Developers cannot release new executables; a separate system administrator has to push them out.
Policy or Practice Gaps: Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of a lack of adequate configuration management. USCIS has a formal configuration management process. It is important to enforce its use for all employees and contractors. Otherwise, it will be extremely difficult to investigate a crime committed using flaws intentionally injected into source code by a contractor.

Appendix E: Incident Response

Incident Management, Security Awareness, Concerning Behaviors

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complexity and widely distributed function creates a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Because of this, it is practically impossible for USCIS to implement a proactive program to mitigate insider threat. CERT strongly recommends that USCIS create a central repository of employee misconduct so it can detect indicators of increasing insider threat risk and mitigate them as quickly as possible.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to or while carrying out their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Area of Concern: Lack of Central Repository of Employee Misconduct
Responsible Personnel: USCIS Leadership, Physical Security, Office of Security and Integrity
Policy and/or Security Measure: If Field Security receives a Significant Incident Report (SIR), then it investigates. Employee misconduct is then reported to the Office of Security and Integrity (OSI). If the OSI investigation substantiates an employee's misconduct, it provides Counterintelligence (CI) a monthly report. It also provides the employee's management a copy. CI is starting to get more reports of acceptable use violations and security violations. It tracks everything in a file for later use in reinvestigations. Labor Employee Relations (LER) has a record of the reports it receives of misconduct, complaints against an employee, rule violations, and so on. HR maintains the Official Personnel File, which contains records of suspensions, etc. LER contacts HR only for those types of actions. The OSI evaluates all complaints it receives and logs them into the case management system. It assigns them to a field office. At that point, any complaints are the responsibility of the special agent in charge at the field office. The field office investigates and sends the case for corrective action to the regional director in the chain of command, and then the regional director returns a management report of action to the special agent in charge. The OSI contacts the DHS OIG for potentially criminal behavior or serious misconduct. If the DHS OIG turns the case down, then it is sent to the field office or to law enforcement. The Personnel Security division (PERSEC) notifies the OSI monthly of arrests (tracked in the case management system), and the OSI notifies PERSEC of investigations.
Policy or Practice Gaps: There is no single place to go for an employee's disciplinary records. The number of organizations involved and the management of records is very complex and distributed throughout the organization. According to Physical Security, the field office does not tell the OSI about problems – the OSI finds out when it "hits the press." For example, the OSI is not informed of a disgruntled system administrator who is exhibiting concerning behaviors.
Suggested Countermeasures: USCIS should consider requiring mandatory reporting of all incidents to the OSI. This communication stream will allow the OSI to get involved as early as possible and to document and maintain a central repository of all incidents. This central repository is critical for adequately managing insider threats in USCIS.

Area of Concern: Tracking of Online Incidents
Responsible Personnel: Information Technology
Policy and/or Security Measure: Computer or network violation incidents are tracked by a Remedy system tied to a unique computer identifier rather than a user, in an attempt to keep PII out of the ticket.
Policy or Practice Gaps: It is difficult to tie an event to a particular person. Even if the identity of an offender is known, repeat offenders are not tracked in any automated or correlated way.
Suggested Countermeasures: USCIS should consider including user information for each incident so that repeat offenders can be easily identified, as repeat offenses could indicate an insider of higher risk.
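The correlation the row above calls for, as an added example that is not part of the report: constructed Remedy-style tickets keyed only by a computer identifier are joined to a constructed asset-assignment record so that violations can be counted per user instead of per machine. The ticket fields, assignment records, user names and machine ids are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    """A violation ticket as the report describes it: keyed to a computer, not a user."""
    ticket_id: str
    opened: date
    computer_id: str
    category: str


@dataclass(frozen=True)
class Assignment:
    """Which user held a given machine over a date range (end=None: still assigned)."""
    computer_id: str
    user: str
    start: date
    end: Optional[date]


# Constructed sample data (names, machine ids and dates are invented for this example).
ASSIGNMENTS = [
    Assignment("WS-0101", "jdoe", date(2010, 1, 1), None),
    Assignment("WS-0202", "asmith", date(2010, 1, 1), date(2010, 6, 30)),
    Assignment("WS-0202", "jdoe", date(2010, 7, 1), None),    # jdoe took over WS-0202 in July
    Assignment("WS-0303", "bwong", date(2010, 3, 1), None),
]

TICKETS = [
    Ticket("T-1001", date(2010, 2, 15), "WS-0101", "unauthorized software"),
    Ticket("T-1002", date(2010, 4, 10), "WS-0202", "acceptable use"),
    Ticket("T-1003", date(2010, 5, 20), "WS-0303", "acceptable use"),
    Ticket("T-1004", date(2010, 9, 3), "WS-0202", "removable media"),
    Ticket("T-1005", date(2010, 10, 11), "WS-0404", "acceptable use"),  # no assignment on file
]


def user_for(computer_id, when, assignments):
    """Return the user assigned to computer_id on the given date, or None if unknown."""
    for a in assignments:
        if a.computer_id != computer_id or when < a.start:
            continue
        if a.end is None or when <= a.end:
            return a.user
    return None


def repeat_by_computer(tickets, threshold=2):
    """What the ticket data alone supports: repeat counts per machine, not per person."""
    per_machine = defaultdict(list)
    for t in tickets:
        per_machine[t.computer_id].append(t.ticket_id)
    return {cid: ids for cid, ids in per_machine.items() if len(ids) >= threshold}


def attribute(tickets, assignments):
    """Join each ticket to the user who held the machine when the ticket was opened.

    Returns (tickets per user, tickets that could not be attributed)."""
    attributed = defaultdict(list)
    unattributed = []
    for t in sorted(tickets, key=lambda tk: tk.opened):
        user = user_for(t.computer_id, t.opened, assignments)
        if user is None:
            unattributed.append(t.ticket_id)
        else:
            attributed[user].append(t.ticket_id)
    return dict(attributed), unattributed


def repeat_offenders(tickets, assignments, threshold=2):
    """Users with at least `threshold` attributed violations."""
    attributed, _ = attribute(tickets, assignments)
    return {u: ids for u, ids in attributed.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("per machine:", repeat_by_computer(TICKETS))             # WS-0202: two different users
    print("per user:", repeat_offenders(TICKETS, ASSIGNMENTS))     # jdoe: two different machines
    print("unattributed:", attribute(TICKETS, ASSIGNMENTS)[1])     # tickets with no owner on file
```

By machine alone, WS-0202 looks like a repeat offender although two different users were involved, while jdoe's two violations on two machines go unnoticed; the join gives the per-user view the row above asks for, and tickets with no assignment on file are surfaced rather than silently dropped.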
Area of Concern: Consistency in Response to Security Violations and Concerning Behaviors
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There is no required training for supervisors on how to respond to a range of behaviors associated with many forms of insider risk. Computer use violations are not handled consistently across departments, supervisors, and type of employee. Egregious violations are referred to the OSI for a full investigation, but the criterion for deciding when that is warranted is a gut reaction.
Suggested Countermeasures: Eighty-one of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors prior to or while carrying out their criminal activities. Employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other insider acts. Even if it is not possible to require non-supervisors to report concerns, this training may increase the frequency of reporting and deterrence of insider actions.

Area of Concern: US Department of State Investigations
Responsible Personnel: Office of Security and Integrity
Policy and/or Security Measure: OSI investigations have been subject to allegations of violations involving Foreign Service Nationals (FSN), but the OSI relies on the US Department of State to investigate.
Policy or Practice Gaps: USCIS has no visibility into US Department of State investigations.
Suggested Countermeasures: FSNs who have access to USCIS systems and data should be included in an insider threat risk mitigation strategy.

Area of Concern: Preparation for Negative Work-Related Events
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: There do not appear to be any guidelines, training, or personnel available to evaluate employee insider risk before or after frequently precipitating events such as termination, demotions, transfers, or other disappointments or unmet expectations. There also does not appear to be a group charged with evaluating insider risk from organizational events or developments affecting groups of employees, such as relocations, contract changes, layoffs, and reorganizations.
Suggested Countermeasures: Fifty-five insiders documented in the CERT Insider Threat Case database had negative employment issues. Ninety-four had a change in employment status prior to their attacks, 20 had compensation or benefit issues, and 65 were disgruntled. Supervisors should be trained in these risk indicators. There should also be an available panel of specialists from the OSI or Labor Employee Relations (LER) trained to assess such risk. Similar specialists should be available to participate in planning and execution of response plans in preparation for negative workplace events that potentially could lead to disgruntlement among the workforce at USCIS.

Area of Concern: Contractor Management
Responsible Personnel: USCIS Leadership, Physical Security, Human Resources
Policy and/or Security Measure: Personnel screening procedures for contractors are similar to those for employees. Contracting companies are required to report any adverse information regarding their employees immediately (in all contracts).
Policy or Practice Gaps: LER has no involvement with contractors. They have no record of contractor misbehaviors or complaints against contractors. Supervisors, the OSI, LER, and others concerned with organizational security may be largely unaware of insider risks related to contractors. Contractors are not subject to government monitoring or risk assessment. A contractor on a critical system may develop or have significant insider risk factors that may remain unknown to government employees due to a lack of reporting requirements.
Suggested Countermeasures: Sixty-two of the insiders documented in the CERT Insider Threat Case database were contractors. USCIS contract management staff should consider the need for reporting a range of potential indicators of insider risk among contract staff. Incident response plans should include response to employee and contractor issues.

Area of Concern: Employee or Contractor Concerning Behavior
Responsible Personnel: USCIS Leadership, Human Resources, Physical Security, Office of Security and Integrity, Labor Employee Relations
Policy and/or Security Measure: By policy, it is every employee's responsibility to report suspicious behavior or misconduct. Supervisors who observe concerning or suspicious behavior report it to LER or the OSI. For low-level misconduct, LER advises the field office management on handling the matter. LER reports more serious misconduct with more severe consequences to HR. Misconduct can also be reported via Significant Incident Reports (SIRs). SIRs are sent to Physical Security or to the OSI for investigation. If CI discovers something suspicious during a reinvestigation, it informs the employee's supervisor. The supervisor works with LER and counsel to decide on follow-up actions. The OSI sends results to the supervisor following investigation.
Policy or Practice Gaps: Self-reported drug use, arrest, and associations with foreign nationals during employment are sent to the OSI.
Suggested Countermeasures: Supervisors need to be notified immediately when an employee reports drug use, arrests, or association with foreign nationals so they have an accurate perception of the risk associated with each of their employees. In addition, 18 of the insiders documented in the CERT Insider Threat Case database had possible psychological issues. In collaboration with the OSI and LER, supervisors confronting employees who display concerning behaviors should have the ability to remove them from the workforce pending a medical or psychological evaluation to determine whether they have a disorder or illness that may impair their trustworthiness or judgment or make them a danger to themselves or others. Similarly, empowering supervisors to make an employee assistance program referral and evaluation mandatory, in collaboration with LER or the OSI, might help remove at-risk individuals from the workforce until they can safely and securely return.

Area of Concern: Electronic Investigations
Responsible Personnel: Information Technology, Office of Security and Integrity
Policy and/or Security Measure: Most allegations reported to the OSI are not very technical; the OIT provides forensic support for investigations (primarily database transactions).
Policy or Practice Gaps: PERSEC has never asked the OIT to review a user's online activity. Only one person in the OSI is qualified to do a forensic inspection.
Suggested Countermeasures: USCIS should consider including the OIT in investigations of suspicious activity. CERT's insider threat research has shown that nontechnical concerning behaviors can be associated with online criminal activity. It would be beneficial to check for past technical security violations and have the OIT analyze current online activity as part of the OSI investigations.

Appendix F: Software Engineering

[The introductory text of this appendix survives only as interleaved fragments; gaps are marked with [...].] In the few [...] cases documented in the CERT database, [insiders] injected code into source code to facilitate [...], but in a [...] case the [...] source code was intended to sabotage the organization's systems; in one case the code was set to execute following the insider's termination. USCIS [...] recognize the po[tential ...] be carried [out ...] potential illicit activity that cou[ld ...] the most critical systems and system components. [...] insiders, both employees and contractors, [...] IT sabotage. In most cases the modifications to so[urce code ...] facilitate fraud. In many [...] was used to [...] important that U[SCIS ...] for a year before finally executing. It is [...] and implement appropriate controls, particularly for [...] malicious [...] in fraud, as the co[de ...] planted [...] engine[...]. Mal[ware ...] in both case[s] was [...].

Subsection headings recoverable from this page: Logging [...] Critical Data Controls; Code Reviews; Configuration Management.

Area of Concern: Code Reviews
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Contractors are required to maintain a certain level of process maturity (CMMI Level 3) to be in compliance with USCIS policies. Source code is restricted to those with the need to know. Version Manager is used to control and track changes to source code. Separation of duties is implemented in the software release process: CSC checks new source code into Version Manager; a USCIS employee checks out the source code and releases it into production. The USCIS DBA moves new database objects into the production database.
Policy or Practice Gaps: Another interviewee mentioned that an "Easter egg" was found in source code after the contract was given to a new company.[4]
Suggested Countermeasures: [no text in extraction]

[4] A virtual Easter egg is an intentional hidden message, joke, or feature in a program, movie, book, etc.

Area of Concern: Configuration Management and/or Change Control Process Not Enforced
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: When contractors develop software remotely, they are supposed to register code in Version Manager, but this is not always done consistently. Contractors sometimes release code to fix problems without following the change management process.
Suggested Countermeasures: In 17 cases documented in the CERT Insider Threat Case database, the insider was able to attack because of the lack of adequate configuration management.

Area of Concern: Software Engineering Controls in the Service Centers
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: Software is being developed in the Service Centers without consistently enforcing the same change management processes enforced at the national (enterprise) level. The centers use a code repository, but not Version Manager, to track software changes. They do peer reviews of code and believe that enterprise controls for code review are more detailed (although that belief appears to be false according to interviews at headquarters).
Suggested Countermeasures: USCIS should consider consistent policies and procedures for software engineering for the entire enterprise, including the Service Centers.

Area of Concern: Logging [title cell not fully recoverable]
Responsible Personnel: Data Owners, Information Technology
Policy and/or Security Measure: Logs used include database logs, application logs, system logs, remote access logs, and many others.
Suggested Countermeasures: Most insiders documented in the CERT Insider Threat Case database were detected or identified using some kind of system log.

Area of Concern: Production Data in Development Environment
Responsible Personnel: ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: Development and production systems should be separate in terms of data sharing and access control.
Policy or Practice Gaps: In some cases contractors have access to both systems, including production data in the development environment.
Suggested Countermeasures: Only one insider documented in the CERT Insider Threat Case database stole production data that should not have been available to developers in the development environment. However, it was extremely sensitive data with very strict controls in the production environment and was not subject to those same controls in the development environment. This is very similar to the situation at USCIS. USCIS should examine data being used in the development environment and either sanitize or anonymize the data or enforce the same level of security controls exercised for the production data.

Appendix G: Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems or networks.

In some areas, computer accounts are managed fairly well at USCIS. USCIS is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled, and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk.

First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account. Furthermore, an FSN account and a U.S. citizen federal employee account cannot be distinguished once it is created. Although account naming conventions are dictated by DHS and the US Department of State, USCIS could request a naming convention to differentiate between FSN and US citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of US Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore, USCIS has no visibility into who has access to its systems. Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems.

Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR. Dormant accounts provide a convenient, unknown access path for current and former employees to use for illicit activity. A lack of consistency exists in the application of account management practices under the control of USCIS. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
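An account-audit check of the kind the narrative above recommends (validating accounts against an employee roster, catching legacy accounts with no authorization on file, dormant accounts, accounts still enabled after termination, and privileges retained beyond the current role after a transfer), as an added example that is not from the report: the roster, accounts, role-to-privilege map, authorization references, 90-day dormancy threshold and the use of FDNS-DS as the system name are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user: str
    status: str          # "active" or "terminated"
    role: str            # current role after any transfer
    status_date: date    # date of the most recent hire, transfer or termination


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    privileges: frozenset
    enabled: bool
    last_login: Optional[date]
    authorization_ref: Optional[str]   # signed access request on file, or None


# Constructed sample data: roles, users, privilege names, references and dates are invented.
ROLE_PRIVILEGES = {
    "adjudicator": {"read", "write"},
    "dba": {"read", "write", "create_account", "schema"},
    "help_desk": {"read", "reset_password"},
}

ROSTER = [
    Employee("jdoe", "active", "adjudicator", date(2010, 7, 1)),   # transferred from help desk
    Employee("asmith", "terminated", "dba", date(2010, 9, 15)),
    Employee("bwong", "active", "help_desk", date(2009, 3, 2)),
]

ACCOUNTS = [
    # jdoe kept the help-desk privilege after moving to adjudication (privilege creep)
    Account("jdoe", "FDNS-DS", frozenset({"read", "write", "reset_password"}),
            True, date(2010, 11, 20), "AR-2010-0412"),
    # asmith was terminated in September but the account is still enabled
    Account("asmith", "FDNS-DS", frozenset({"read", "write", "create_account", "schema"}),
            True, date(2010, 9, 14), "AR-2008-0077"),
    # bwong has not logged in for months
    Account("bwong", "FDNS-DS", frozenset({"read", "reset_password"}),
            True, date(2010, 6, 1), "AR-2009-0101"),
    # legacy account: nobody on the roster and no record of who authorized its creation
    Account("legacy01", "FDNS-DS", frozenset({"read"}), True, date(2010, 11, 30), None),
]

AS_OF = date(2010, 12, 1)   # constructed audit date


def audit(accounts, roster, role_privileges, as_of, dormant_days=90):
    """Return (user, system, finding) triples for every account that fails a check."""
    by_user = {e.user: e for e in roster}
    findings = []
    for acct in accounts:
        if acct.authorization_ref is None:
            findings.append((acct.user, acct.system, "no authorization record"))
        emp = by_user.get(acct.user)
        if emp is None:
            # Account exists but nobody on the roster owns it: cannot check role or status.
            findings.append((acct.user, acct.system, "not on employee roster"))
            continue
        if emp.status == "terminated" and acct.enabled:
            lag = (as_of - emp.status_date).days
            findings.append((acct.user, acct.system, f"enabled {lag} days after termination"))
        if acct.enabled and acct.last_login is not None:
            idle = (as_of - acct.last_login).days
            if idle > dormant_days:
                findings.append((acct.user, acct.system, f"dormant {idle} days"))
        # Privileges the account holds that the employee's current role does not justify.
        extra = acct.privileges - role_privileges.get(emp.role, set())
        if extra:
            findings.append((acct.user, acct.system,
                             "privilege creep: " + ", ".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for user, system, finding in audit(ACCOUNTS, ROSTER, ROLE_PRIVILEGES, AS_OF):
        print(f"{system} {user}: {finding}")
```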
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sA
ccou
ntE
stab
lis
hmen
t
USC
ISL
eade
rshi
p In
form
atio
nTe
chno
logy
Ino
rder
for
FSN
sto
gai
nac
cess
to
USC
ISs
yste
ms
they
mus
tsub
mit
pape
rwor
kth
roug
hpr
oper
cha
nnel
s
whi
che
vent
ually
req
uire
sau
thor
iza
tion
byth
eCS
Oa
ndC
IOo
fDH
S
Prio
rto
200
7w
aive
rpa
perw
ork
for
FSN
sre
ques
ting
acco
unta
cces
sw
as
nots
ubm
itted
con
sist
ently
A
sa
re
sult
ther
em
ayb
eac
tive
acco
unts
for
whi
chth
ere
isli
ttle
ton
oac
coun
ting
for
the
crea
tion
ofth
eac
coun
t
USC
ISs
houl
dco
nsid
erc
ondu
ct
ing
ana
ccou
nta
udit
with
the
assi
stan
ceo
fUS
Dep
artm
ento
fSt
ate
pers
onne
lto
valid
ate
all
exis
ting
FSN
acc
ount
s
Info
rmat
ion
Tech
nolo
gy
Diff
eren
tper
sonn
ela
rer
espo
nsib
le
for
acco
untc
reat
ion
and
dele
tion
acro
ssth
een
tire
ente
rpri
sed
epe
ndin
gon
the
syst
emo
rne
twor
kin
Dat
abas
ead
min
istr
ator
sm
ayb
eab
le
toc
reat
ean
dde
lete
dat
abas
ean
dap
plic
atio
nac
coun
tsw
ithou
tas
ec
ond
pers
onv
erify
ing
that
act
ion
Beca
use
data
base
adm
inis
trat
ors
have
acc
ess
tos
uch
criti
cald
ata
U
SCIS
sho
uld
cons
ider
sep
arat
ing
the
task
ofa
utho
rizi
nga
cces
sto
CERT | SOFTWARE ENGINEERING INSTITUTE | 76
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
squ
estio
n
USC
ISd
atab
ases
from
the
task
of
man
agin
gth
eda
tain
the
data
ba
ses
Thi
sse
para
tion
ofd
utie
sm
ayr
educ
eth
eri
sko
fad
ata
base
adm
inis
trat
orc
reat
ing
an
unau
thor
ized
acc
ount
and
usi
ng
that
acc
ount
toc
arry
out
am
ali
ciou
sac
t
USC
ISL
eade
rshi
p In
form
atio
nTe
chno
logy
Ac
ompu
ter
acco
unti
ses
tabl
ishe
don
lya
fter
an
umbe
rof
cri
teri
aha
ve
been
met
inc
ludi
ngs
ecur
itya
war
ene
sstr
aini
ng
Ina
dditi
onto
the
step
sre
quire
dof
al
lper
sonn
elfo
rac
coun
tacc
ess
co
ntra
ctor
sha
veto
go
thro
ugh
extr
ast
eps
som
eof
whi
chin
clud
eve
rifi
catio
nby
the
COTR
Com
pute
racc
ount
acc
ess
iss
ome
times
gra
nted
bef
ore
secu
rity
aw
are
ness
trai
ning
isc
ompl
eted
Th
isp
rac
tice
may
be
true
esp
ecia
llyfo
rco
ntra
ctor
ss
ince
the
onb
oard
ing
proc
ess
depe
nds
onth
eco
ntra
ctin
gag
ency
and
the
COTR
tov
erify
that
th
etr
aini
ngis
com
plet
ed
USC
ISs
houl
dco
nsid
err
equi
ring
co
mpu
ter
secu
rity
aw
aren
ess
trai
ning
for
allp
erso
nnel
ndashfu
lltim
eem
ploy
ees
par
ttim
eem
pl
oyee
sa
ndc
ontr
acto
rsndash
and
ve
rify
that
itis
com
plet
ebe
fore
cr
eatin
gan
ysy
stem
acc
ount
sfo
rth
ese
pers
onne
l
Acc
ount
Man
age
men
tG
ener
al
Info
rmat
ion
Tech
nolo
gy
PICS
isa
dmin
iste
red
byIC
Ew
hich
ha
sov
er2
000
LPO
sac
ross
var
ious
co
mpo
nent
sof
DH
ST
hese
LPO
sar
ere
spon
sibl
efo
rgra
ntin
gau
thor
ized
ac
cess
toP
ICS
for
the
pers
onne
lat
thei
rre
spec
tive
wor
ksi
tes
Eac
hLP
Oc
ang
rant
acc
ess
toa
nys
yste
m
cont
rolle
dby
PIC
SI
not
her
wor
ds
LPO
sth
roug
hout
USC
ISa
ndIC
Eca
ngr
anta
cces
sfo
ran
yof
thei
rst
afft
o
Alth
ough
the
PICS
acc
ount
pro
cess
re
quir
esth
eac
coun
tto
beli
nked
toa
va
lide
mpl
oyee
PIC
Sad
min
istr
ator
sco
uld
crea
teu
naut
hori
zed
acco
unts
in
the
nam
eof
val
ide
mpl
oyee
sw
ith
outt
heir
kno
wle
dge
Inv
alid
acc
ount
sar
ety
pica
llyfl
agge
don
lyw
hen
the
acco
unti
sdo
rman
tfor
ac
erta
inp
eri
odo
ftim
eA
nLP
Oc
ana
lso
assi
gn
righ
tsfo
ran
ysy
stem
con
trol
led
by
In1
2of
the
case
sdo
cum
ente
din
th
eCE
RTIn
side
rTh
reat
Cas
eda
ta
base
ins
uffic
ient
acc
ount
m
anag
emen
tena
bled
the
insi
der
sto
com
mit
thei
rcr
imes
U
SCIS
sho
uld
cons
ider
con
duct
in
gac
coun
taud
itsa
tthe
loca
lsi
tele
vel
whi
chw
ould
allo
wth
eva
lidat
ion
ofc
urre
ntP
ICS
ac
coun
tsa
ndr
oles
ver
sus
curr
ent
CERT | SOFTWARE ENGINEERING INSTITUTE | 77
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
dor
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
san
yU
SCIS
sys
tem
PICS
empl
oyee
list
s
Furt
herm
ore
ICE
adm
inis
ters
this
USC
ISs
houl
dex
plor
ea
mea
nso
fsy
stem
and
cou
lda
ffec
tUSC
ISr
e
segr
egat
ing
acco
untm
anag
eco
rds
unbe
know
nstt
oU
SCIS
men
tin
PICS
so
that
LPO
sca
nad
min
iste
rac
coun
tso
nly
for
thei
row
nor
gani
zatio
nrsquos
syst
ems
In
oth
erw
ords
USC
ISL
POs
wou
ldo
nly
bea
ble
toa
dmin
iste
rau
thor
izat
ions
for
USC
ISs
yste
ms
inP
ICS
and
ICE
LPO
sw
ould
onl
ybe
abl
eto
adm
inis
ter
auth
oriz
atio
nsfo
rIC
Esy
stem
s
Info
rmat
ion
Tech
nolo
gy
Acc
ount
man
agem
enti
sha
ndle
dby
a
num
ber
ofd
iffer
entg
roup
sac
ross
U
SCIS
A
lthou
ghth
ere
isa
nef
fort
to
cent
raliz
eac
coun
tman
agem
ent
lo
cala
ndr
egio
nalo
ffic
eso
fUSC
IS
have
his
tori
cally
don
eth
eir
own
ac
coun
tman
agem
ent
Ifan
acc
ount
has
not
bee
nus
edfo
ra
cert
ain
peri
odo
ftim
eit
isa
uto
mat
ical
lyd
isab
led
The
tim
epe
riod
st
ated
by
vari
ous
inte
rvie
wee
sva
rie
dfr
om3
06
0o
r90
days
CERT | SOFTWARE ENGINEERING INSTITUTE | 78
Responsible Personnel: USCIS Leadership, Information Technology

Policy and/or Security Measure: When an employee moves from one position to another or transfers to another department, the management in those departments must initiate the required computer account changes.

Policy or Practice Gaps: The issue of account management for employee transfers is not being addressed in a consistent manner. The OIT relies on notification by either the new or old supervisor when an employee transfers, but there have been cases in USCIS in which employees have retained access when they should not have.

Suggested Countermeasures: Six insiders documented in the CERT Insider Threat Case database were able to carry out their illegal activities because of "privilege creep." USCIS should review account management procedures to ensure that the steps currently taken to remove or alter account access are complete and being consistently followed. In particular, the procedures used when someone changes locations or departments within USCIS should be examined. As employees transfer throughout an agency they should not be accumulating privileges. They should only retain privileges commensurate with their job responsibilities.

Area of Concern: Changing Password of Shared Account Upon Termination

Responsible Personnel: Information Technology

Policy and/or Security Measure: There are operating system images used throughout USCIS that permit an administrator to install a standard configuration of an operating system and accompanying software.

Policy or Practice Gaps: Though it would require physical access to a USCIS machine, that former administrator would have administrator rights to GFE.

Suggested Countermeasures: Twelve percent (46) of the insiders documented in the CERT Insider Threat Case database used system administrator privileges to sabotage systems or data. Shared accounts were used by insiders following termination in 14 cases. Although an administrator would need physical access to a piece of equipment, the lack of consistency and awareness of the standard procedures may permit the account of an insider to be used following termination.

Area of Concern: Disabling Accounts or Connections Upon Employee Termination

Responsible Personnel: USCIS Leadership, Information Technology, Human Resources

Policy and/or Security Measure: The OIT typically is notified of an account termination in one of three ways: 1) A standard form called an exit clearance form is distributed and signed by other parties such as Human Resources and the Office of Security and Integrity (OSI). This form lets the OIT know that an employee's accounts should be disabled or terminated. 2) The supervisor of the departing employee contacts the OIT directly and informs them of the employee's departure. 3) When a contractor is involved, it is the responsibility of the COTR to inform the OIT. The OIT receives an "attrition list" every 2 weeks. When this list is received a manual check is done to ensure that employees who have departed in the last 2 weeks have their account access deleted. Because this is a manual process, there is currently no automatic way to ensure that it happens. USCIS personnel cited an instance in which these procedures failed for an employee who was terminated as a contractor and later hired as a federal employee.

Policy or Practice Gaps: It is clear from interviews with USCIS personnel that a single process is neither understood nor followed for disabling accounts following an employee or contractor termination. The procedures used are not consistent between supervisors or field offices and for federal employees versus contractors. Sometimes the exit clearance form makes it to the OIT and sometimes it does not. The OIT's task is made even more difficult by the fact that it would need to know exactly which accounts an individual has access to. Though this process is fairly effective, it potentially allows unauthorized access for 2 weeks following termination.

Suggested Countermeasures: Terminating accounts even 2 weeks following termination may not be enough to prevent unauthorized or criminal activity. As soon as HR is aware of the change a more automated mechanism of deleting these accounts should be implemented.
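The manual attrition-list check described above can be automated as a reconciliation job. The following is an added example, not code from the OIG or CERT report and not a USCIS tool: it compares a constructed HR attrition list against a constructed inventory of system accounts and reports every account that is still active after its owner's departure date. The CSV field names, system names and user ids are assumptions; the grace_days parameter exists only to contrast the current two-week manual cycle with a same-day cutoff.

```python
"""Reconcile an HR attrition list against active system accounts.

Added example (not from the OIG/CERT report). The report describes a
biweekly "attrition list" that the OIT checks by hand; this shows what the
automated check it recommends could look like. All records below are
constructed sample data and the field names are assumptions.
"""
from datetime import date

# Constructed HR attrition list: user id, departure date, employment type.
ATTRITION_LIST = """\
user_id,departure_date,employment_type
jdoe,2010-11-01,federal
asmith,2010-11-05,contractor
bchen,2010-11-12,contractor
"""

# Constructed account inventory, one line per system account. A person may
# hold accounts on several systems, which is why the OIT must know
# "exactly which accounts an individual has access to".
ACCOUNT_INVENTORY = """\
user_id,system,status
jdoe,CLAIMS3,active
jdoe,email,disabled
asmith,CLAIMS4,active
asmith,email,active
bchen,PICS,disabled
mlee,CLAIMS3,active
"""


def parse_csv(text):
    """Parse a small header-first CSV (no quoting) into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, ln.split(","))) for ln in lines[1:]]


def find_lingering_accounts(attrition_csv, inventory_csv, today, grace_days=0):
    """Return (user_id, system, days_since_departure) for every account that is
    still active more than grace_days after the owner's departure date."""
    departed = {}
    for row in parse_csv(attrition_csv):
        departed[row["user_id"]] = date.fromisoformat(row["departure_date"])

    findings = []
    for acct in parse_csv(inventory_csv):
        left = departed.get(acct["user_id"])
        if left is None or acct["status"] != "active":
            continue  # still employed, or already disabled
        lag = (today - left).days
        if lag > grace_days:
            findings.append((acct["user_id"], acct["system"], lag))
    return sorted(findings)


def summarize(findings):
    """Group findings by user so a supervisor sees one line per person."""
    by_user = {}
    for user, system, _lag in findings:
        by_user.setdefault(user, []).append(system)
    return {u: sorted(s) for u, s in by_user.items()}


def run_check(today_iso, grace_days=0):
    """Run the reconciliation on the constructed data for a given run date."""
    return find_lingering_accounts(
        ATTRITION_LIST, ACCOUNT_INVENTORY, date.fromisoformat(today_iso), grace_days
    )


if __name__ == "__main__":
    for user, systems in summarize(run_check("2010-11-15")).items():
        print(f"{user}: still active on {', '.join(systems)}")
```

Run on the sample data with a same-day cutoff, the check flags three accounts belonging to two departed people; with a 14-day grace period matching the current biweekly cycle it flags nothing, which is exactly the window the report warns about.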
Responsible Personnel: Information Technology

Policy or Practice Gaps: LPOs work in their respective regions or offices and are decentralized by nature. The policies and procedures followed often depend on how things have been done historically in that particular office. Because account authorization procedures are not standardized throughout all organizations using the PICS, LPOs across the entire USCIS enterprise have not been consistent in how they have handled account deletion following employee termination.

Suggested Countermeasures: USCIS should continue its efforts to centralize or reduce the number of LPOs in order for standard procedures to be followed. If this cannot be accomplished, standard procedures should be published, instructed, and consistently enforced.

Area of Concern: Disabling Accounts or Connections During Employee Leave of Absences

Responsible Personnel: Information Technology, Human Resources

Policy or Practice Gaps: There is no official guidance or practice in the proper way to suspend access for an employee on a leave of absence. In one case provided by USCIS an employee retained access to critical systems even after being placed on an administrative leave of absence.

Suggested Countermeasures: A few insiders documented in the CERT Insider Threat Case database retained access to organization systems while on a leave of absence and used that access to steal information or commit fraud. USCIS should implement a policy to outline exactly what should be done when a government employee or contractor goes on a leave of absence, considering the risks versus benefits of allowing system access.

Area of Concern: Sharing Account and Password Information

Responsible Personnel: Information Technology

Policy or Practice Gaps: Although concern has been expressed about the existence of these accounts, the business justification has taken precedence over the risk being assumed.

Suggested Countermeasures: Access to these accounts should be carefully documented and tracked so that credentials can be changed if someone in that restricted group no longer warrants access.
Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure that network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE and the US Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors have not been through the rigorous pre-employment screening required of USCIS employees and contractors, particularly those granted access through the US Department of State for access from embassies overseas. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems, and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.
Area of Concern: Foreign Service Nationals

Responsible Personnel: Information Technology, Human Resources, Office of Security and Integrity

Policy and/or Security Measure: Currently a Foreign Service National (FSN) requiring access to USCIS systems submits paperwork including a waiver through the USCIS director and the CIO and CSO of DHS.

Policy or Practice Gaps: Although the assessment team was able to get limited visibility into this practice, it seems to be aligned with the policy. If true, it has given USCIS and DHS better visibility into this activity.

Suggested Countermeasures: The practice should be continued and expanded as needed to inform all relevant USCIS personnel.

Responsible Personnel: Information Technology, Human Resources, Personnel Security, Office of Security and Integrity

Policy and/or Security Measure: When FSNs require access to USCIS systems in embassies and consulates abroad, they are vetted by the US Department of State.

Policy or Practice Gaps: Because the US Department of State is performing the vetting process, USCIS has very little control or visibility into the process for granting FSNs access to USCIS systems and networks. Interviewees stated that in some cases FSNs have administrative control over some systems and that in other cases they are serving as information system security officers (ISSOs).

Suggested Countermeasures: USCIS should gain a better understanding of the US Department of State's vetting process and clarify its own requirements for granting and tracking access for FSNs to USCIS systems. If continued access is required, the procedures to document and control that access should be negotiated with the US Department of State and consistently enforced.

Responsible Personnel: Information Technology

Policy or Practice Gaps: Once a traditional user account is created there is little to no way to distinguish an FSN account from one belonging to a US citizen. Because an FSN account is not distinguishable from other accounts, it would be extremely difficult to associate specific online activities with accounts belonging to FSNs. Email addresses appear the same and violation activities would not easily be attributed to an FSN.

Suggested Countermeasures: USCIS should consider whether or not it wants the ability to distinguish what online activities and accesses FSNs are engaging in. If so, it should incorporate those steps into the procedures mentioned above.

Responsible Personnel: Information Technology

Policy or Practice Gaps: DHS is in the process of building a secure intranet called OneNet, which will better enable information sharing among DHS components. This project will be enabled by interconnection agreements between segments. Once the appropriate interconnection agreements are in place, it will be harder to restrict access for FSNs to specific systems (e.g., SharePoint).

Suggested Countermeasures: USCIS should make a determination about whether or not FSN access should be any different from other similar accounts of US citizens. If the lack of restrictions is unacceptable, that issue should be brought to DHS personnel responsible for implementing the OneNet solution.

Area of Concern: Access controls

Policy or Practice Gaps: There are business process and resources (e.g., PICS, CLAIMS 3 and CLAIMS 4) that are shared with ICE. This partnership is an artifact of the past and current relationships between departments within DHS. For these shared resources to function properly they require careful coordination, which does not take place in all cases. For example, USCIS does not receive a copy of the formal access request submitted to ICE for an ICE employee to access a USCIS system.

Suggested Countermeasures: USCIS should carefully document what access is being granted to any parties external to USCIS. If additional coordination is required it should be done with the relevant departments of DHS.

Policy and/or Security Measure: For certain information systems, local and remote logins are not permitted between the hours of 11:30 p.m. and 6:00 a.m. This practice closely adheres to the policy for specific systems.

Suggested Countermeasures: Enforcing a mandatory access period may help ensure that a malicious insider is not using systems when supervision is lessened. Eight percent (29) of the insiders documented in the CERT Insider Threat Case database used access outside of normal working hours to carry out their illicit activities.

Policy and/or Security Measure: When an employee attempts to log in to a restricted system during off-peak hours, an automatic email notice is sent by the OIT to persons in the employee's management chain of command.

Policy or Practice Gaps: This practice is not consistent across all systems and is not part of other incident response procedures.

Suggested Countermeasures: USCIS should consider implementing this practice into the larger system of incident response to include correlation with other events and over a period of time.
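The off-hours notice and the correlation the report asks for can be expressed as a small detection routine. The following is an added example, not code from the OIG or CERT report and not the OIT's actual mechanism: it parses constructed login records, flags attempts inside the 11:30 p.m. to 6:00 a.m. window the report mentions, addresses each notice to a constructed management chain, and then correlates notices per user over a rolling period so that a pattern of repeated off-hours access stands out from a single late login. The log format, the window boundaries as applied, the management-chain table and the threshold are all assumptions.

```python
"""Detect off-hours logins and correlate them over time.

Added example, not code from the OIG/CERT report. The report describes an
automatic e-mail to the employee's management chain when someone logs in to
a restricted system during off-peak hours and recommends correlating those
notices with other events over a period of time. The log format, the
management-chain table and the exact window treatment are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample login records (not real USCIS data).
SAMPLE_LOG = """\
2010-11-01T23:45:10 user=jdoe system=CLAIMS3 result=success
2010-11-02T09:12:44 user=asmith system=CLAIMS3 result=success
2010-11-03T00:15:02 user=jdoe system=CLAIMS3 result=success
2010-11-04T05:58:30 user=jdoe system=PICS result=success
2010-11-04T06:00:00 user=bchen system=PICS result=success
2010-11-10T02:30:00 user=asmith system=CLAIMS4 result=failure
2010-11-20T01:05:00 user=jdoe system=CLAIMS3 result=success
"""

# Constructed management chain used to address each notice.
MANAGEMENT_CHAIN = {
    "jdoe": ["supervisor.a@example.invalid", "director.x@example.invalid"],
    "asmith": ["supervisor.b@example.invalid"],
}

OFF_HOURS_START = time(23, 30)  # inclusive, per the report's 11:30 p.m. cutoff
OFF_HOURS_END = time(6, 0)      # exclusive, so a 6:00 a.m. login is allowed


def parse_line(line):
    """Turn one 'timestamp key=value ...' record into a dict with a datetime."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_off_hours(ts):
    """True when ts falls in the restricted window, which wraps past midnight."""
    t = ts.time()
    return t >= OFF_HOURS_START or t < OFF_HOURS_END


def off_hours_logins(log_text):
    """All parsed attempts (successful or not) made inside the window."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return [e for e in events if is_off_hours(e["ts"])]


def notices(log_text):
    """One (user, system, timestamp, recipients) tuple per off-hours attempt."""
    return [
        (e["user"], e["system"], e["ts"].isoformat(), MANAGEMENT_CHAIN.get(e["user"], []))
        for e in off_hours_logins(log_text)
    ]


def repeat_offenders(log_text, window_days=30, threshold=3):
    """Users with at least `threshold` off-hours attempts inside any span of
    window_days. A single late login produces a notice; a pattern produces
    an entry here, which is the correlation over time the report suggests."""
    per_user = defaultdict(list)
    for e in off_hours_logins(log_text):
        per_user[e["user"]].append(e["ts"])
    flagged = {}
    window = timedelta(days=window_days)
    for user, stamps in per_user.items():
        stamps.sort()
        for i, first in enumerate(stamps):
            inside = [s for s in stamps[i:] if s - first <= window]
            if len(inside) >= threshold:
                flagged[user] = len(inside)
                break
    return flagged


if __name__ == "__main__":
    for user, system, when, recipients in notices(SAMPLE_LOG):
        print(f"notice: {user} on {system} at {when} -> {', '.join(recipients)}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

On the sample data the 6:00 a.m. login is correctly treated as in-hours, the failed 2:30 a.m. attempt still generates a notice (an attempt is what the report says triggers the e-mail), and only the user with four off-hours logins in one month is surfaced by the correlation step.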
Area of Concern: Access Privileges – General

Responsible Personnel: USCIS Leadership, Information Technology

Policy and/or Security Measure: At the Vermont Service Center OIT staff are the only ones present late at night. As part of their duties, they also have electronic access to the CLAIMS 3 information system. As a function of the electronic access and the physical layout of the Service Center, OIT personnel have access to CLAIMS 3 as well as the physical files in the building.

Suggested Countermeasures: USCIS should consider the minimum level of access (least privilege) needed for all personnel to accomplish their job duties. Thirteen percent (49) of the insiders documented in the CERT Insider Threat Case database violated a need to know in order to perpetrate their crimes, including stealing PII and proprietary information. In addition, several insiders committed their crimes while working on the night shift, where they enjoyed a reduced level of scrutiny. Unrestricted electronic and physical access to such high risk data and systems outside of normal working hours presents a high degree of risk to USCIS.

Responsible Personnel: Information Technology, Office of Security and Integrity

Policy and/or Security Measure: The US Department of State Consular Affairs network grants access to FSNs working in embassies and consulates and it connects to USCIS systems.

Policy or Practice Gaps: According to one interviewee, some FSNs on the Consular Affairs network are suspected to be working for arms of foreign intelligence or security agencies. USCIS has used technical methods (e.g., firewalls) to ensure that USCIS systems are protected from any interconnections with the US Department of State's networks.

Suggested Countermeasures: Since USCIS cannot determine what access the US Department of State grants to FSNs on its systems, USCIS should continue to use technical measures to prevent unauthorized access while working with counterintelligence personnel to deal with suspected foreign agents working around US government facilities.

Area of Concern: Access Privileges – System Administrator

Policy and/or Security Measure: There is a single person who has the knowledge of and responsibility for administering the voice mail systems.

Policy or Practice Gaps: This single point of failure makes it difficult to recover from a malicious act on this particular system.

Suggested Countermeasures: A few insiders in the cases analyzed by CERT used their unrevoked access to the organization's phone system to harm the organization. In one case the entire customer service voice mail system was redirected to a pornographic phone site. In another, derogatory comments about the organization were recorded and played for every voice mail box. USCIS should place additional staff in the role of administrators for the USCIS voice mail system. This would allow USCIS to implement some form of separation of duties or at the very least minimal checks and balances to prevent tampering with the voice mail system.

USCIS should ensure that it manages accounts and passwords for internal systems such as voice mail as well as external accounts. One insider documented in the CERT Insider Threat Case database changed the domain name system registry for his organization's web site so that visitors were sent to a pornographic website. These types of accounts are used very infrequently and are often not included in formal termination procedures.

Area of Concern: Management of Remote Access

Responsible Personnel: Information Technology, Security Network Operations Center; Information Technology

Policy and/or Security Measure: Port security would prevent a user from connecting a personal machine directly to a USCIS network. This security mechanism is handled by the SNOC. Remote access on the other hand is handled by DHS. USCIS has access to very limited information including logs for remote connections because of contract stipulations with Sprint. The assessment team received conflicting opinions about whether a personal machine could be connected with a remote account.

Policy or Practice Gaps: Although connecting a personal laptop to a USCIS network via a remote connection may or may not be blocked, the SNOC was not confident it would be blocked because it does not control that access. It is possible that a user could connect with a personal machine if DHS allowed it.

Suggested Countermeasures: USCIS should coordinate with DHS personnel to ensure that desired USCIS security policies are enforced for personnel accessing USCIS systems and data. Seven percent (26) of the insiders documented in the CERT Insider Threat Case database were able to attack in part because of insufficient monitoring of external access.
Responsible Personnel: USCIS Leadership, Information Technology

Policy and/or Security Measure: The contractors responsible for VIS have implemented a strict access control solution with Firepass and it appears to accomplish its goal of ensuring that only the proper personnel are granted access and that they perform authorized actions once they are connected.

Policy or Practice Gaps: Unfortunately they are the only contractors and system using Firepass and it will not be used once the move is made to Stennis Space Center. They are unsure of what controls will be used at Stennis.

Suggested Countermeasures: Implementing a Firepass solution for all USCIS systems might not be cost effective. USCIS management should at least examine the risk posed to the most critical systems and implement a Firepass-like solution for those that require remote access. As stated above, one in ten insiders documented in the CERT Insider Threat Case database used the creation of unknown paths into organization systems; proper measures might have prevented many of those instances.
Area of Concern: Non-System Administrator Authorized Access to Administrator Accounts

Responsible Personnel: USCIS Leadership, Information Technology

Policy and/or Security Measure: The US Department of State has authorized access for some FSNs to some USCIS systems needed for the performance of their duties.

Policy or Practice Gaps: According to one interviewee, FSNs are system administrators on some US Department of State systems in embassies or consulates abroad. One interviewee expressed concern, however, that an administrator who is a citizen of a foreign country could escalate privileges or use social engineering tactics to gain unauthorized access to USCIS systems.

Suggested Countermeasures: An FSN who is a system administrator does not necessarily have administrator rights on USCIS systems. Ten percent (39) of insiders documented in the CERT Insider Threat Case database took advantage of insufficient access controls to conduct their crimes. USCIS should examine USCIS system access for US Department of State system administrators as well as how those connections are monitored or logged. They should also work with the US Department of State to understand its processes for granting FSNs access to US Department of State systems.
Responsible Personnel: USCIS Leadership, Information Technology

Policy and/or Security Measure: There are currently no limits on A files an adjudicator can request in the National File Tracking System (NFTS).

Policy or Practice Gaps: The lack of limits placed on requesting A files in NFTS may allow adjudicators to request a file by name even if they should not be accessing that file.

Suggested Countermeasures: There should be logical controls with which to detect "extraordinary" or suspicious file transfer requests. In one USCIS case the insider requested a file transfer to a region for an individual whose files were in another region and whose forms had been previously denied.
The unauthorized exfiltration of controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) can have devastating effects on an organization. Protecting controlled information is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT [...] through the download of information to portable media or [...] unauthorized [...] attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure and enforce [...] that employees understand what constitutes acceptable use of company resources including information assets and policies regarding what [...] compliance [...] through technical means. In some instances malicious insiders [...] storage devices [...] amounts of data downloaded [...] anomalous increase in network traffic [...] circumstances in which internal [...]. Organizations that have implemented network monitoring strategies that would detect large [...] network traffic by total volume or type of traffic (e.g., by either port or protocol) [...] monitoring network traffic may help protect controlled information.

Area of Concern: Data Download to Media

Responsible Personnel: Information Technology

USCIS has information [...] email to [...] the insider [...]

Suggested Countermeasures: [...] USB devices [...] prohibited from systems [...] malicious insider [...] exhibiting malicious [...] could [...] inappropriate [...] devices [...] should be logged by [...] organization [...] 1) [...] devices that are technically [...] should be [...] 2) If USB [...] employees [...] USCIS [...] should audit [...] track [...] security awareness campaign [...] suspected [...] convictions [...]

Area of Concern: Data Download [...] or From Home

Responsible Personnel: [...]

Policy and/or Security Measure: There is a policy against using personally owned computer equipment to perform official duties. Telework should only be done with government furnished equipment (GFE).

Policy or Practice Gaps: A case from the USCIS CT Task Force showed that [...] performed a significant amount of official business including [...] laptop [...] personal email [...] on his personal systems [...] to de[velop a system that he was rewarded for producing].
Policy or Practice Gaps: [...] develop a system that he was rewarded for producing. There are no technical controls to catch this activity unless the device is physically plugged into the network.

Protecting Critical Information

Responsible Personnel: Information Technology

Policy and/or Security Measure: The SNOC responds to spills of PII, which occur on a weekly basis. The information about the incident is transferred from the data owner to whoever becomes aware of the spill, to the OSI, which creates a Serious Incident Report (SIR) that it forwards to the Privacy Officer and finally to the SNOC.

Policy or Practice Gaps: USCIS responds to PII spillages often enough that its staff is well versed in response procedures. Unfortunately the frequency to which incidents occur and the response procedures in place do not seem to reduce the number of incidents or provide automated detection when spillage occurs.

Suggested Countermeasures: The response effort to a PII spillage involves many parties and appears to be a complicated process for an event that happens on a weekly basis. Though these spillages are accidental events [...]

Responsible Personnel: Information Technology

Policy and/or Security Measure: Access to network resources is terminated immediately when a spill or misconduct is suspected.

Policy or Practice Gaps: This practice appears to be done consistently.

Suggested Countermeasures: USCIS should continue this practice as part of its incident response procedures. Incorporating an appropriate level of monitoring would also be a prudent measure.

Audit, Monitor, Backup, Recovery

Insider threat research conducted by CERT has shown that logging, monitoring and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

Preventing insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

In addition the SNOC lacks the resources to focus on monitoring for suspicious insider activity, focusing instead primarily on protection from external incidents.

Area of Concern: Modification / Disabling Log Files

Responsible Personnel: Information Technology

Policy and/or Security Measure: Log files are accessible by the domain administrators and system administrators of each respective system.

Suggested Countermeasures: USCIS should send critical logs to a centralized log server and protect the log files to permit a forensic reconstruction of network or host based events. Although six percent (23) of the insiders documented in the CERT Insider Threat Case database were able to modify or disable log files [...]

Area of Concern: Monitoring Suspicious Activity

Responsible Personnel: Information Technology

Policy or Practice Gaps: The lack of consistency for what is logged across USCIS servers, systems, applications and workstations is concerning. [...] are sometimes limited to 24 hours or less of collection. Several parties addressed the fact that IT personnel must be able to physically reach a machine in a timely fashion if they hope to capture logs related to an incident. This assumption makes it likely that critical log information will be missed.

Responsible Personnel: Information Technology

Policy and/or Security Measure: Database administrators are responsible for monitoring and alerting when data access attempts are made to critical data in USCIS databases.

Suggested Countermeasures: USCIS should consider clearly defining the responsibility of database administrators and the SNOC for monitoring, alerting, and responding to unauthorized data access. Once the responsibility is assigned the appropriate group should diligently prevent, detect and respond to unauthorized data access, modification, and exfiltration attempts.

Responsible Personnel: Information Technology

Policy and/or Security Measure: USCIS has the ability to create inbound firewall rules to filter potentially malicious network traffic. No evidence provided.

Policy or Practice Gaps: Network traffic filtering is happening only on inbound traffic, not outbound traffic. The resources do not exist to examine outbound traffic, only inbound traffic. Furthermore the intrusion detection systems are not optimized to detect security events.

Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that monitors and filters inbound and outbound network traffic. This strategy may prevent or detect the unauthorized transfer of USCIS data outside the organization. Many insiders documented in the CERT Insider Threat Case database were able to commit their malicious activities using laptops.
Responsible Personnel: Information Technology

Policy and/or Security Measure: The SNOC is responsible for determining the root cause of an incident, including using forensic tools to identify affected workstations, desktops and laptops.

Policy or Practice Gaps: The SNOC has had problems identifying the root cause of an affected workstation or user because of the lack of network forensic applications. Ideally the SNOC should be able to trace network traffic from source to destination and watch activity. It has a standalone forensic capability but nothing on the network.

Suggested Countermeasures: USCIS should consider implementing a network monitoring strategy that includes forensic tools to aid investigations.

Area of Concern: Backups

Responsible Personnel: Information Technology

Policy and/or Security Measure: Backup testing for many systems occurs once per year. In some cases, the backups are only tested with a tabletop exercise and do not use similar or identical hardware to that used in the production environment.

Policy or Practice Gaps: Tabletop exercises may not give USCIS a true indication of its ability to recover from a systemic failure.

Suggested Countermeasures: When possible backups should be implemented on similar hardware to ensure that the backup tape is functional and the backup is operational. In six percent (22) of the cases documented in the CERT Insider Threat Case database the impact of the crime was magnified because of insufficient backups.
Area of Concern: Backups (continued)
Responsible Personnel: Information Technology
Policy and/or Security Measure: Years of backup tapes are kept onsite at the Vermont Service Center, and system administrators have access to these backup files.
Policy or Practice Gaps: Administrators who have access to the backup tapes would be able to [...]
Suggested Countermeasures: Backup media should be controlled carefully, documented, and stored offsite with limited access. Without those controls, USCIS cannot be sure its backups will give it the ability to recover.
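The gap in the Backups rows above is that a once-a-year test or a tabletop exercise produces no evidence that the media actually restores. Below is an added example, not code from the report or from USCIS/OIT, of a restore test: it builds a constructed backup with a hash manifest, restores it to a scratch directory, and checks every recorded file; the file and host names are invented.

```python
import hashlib, os, tarfile, tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def make_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src; return the manifest {relative path: sha256} taken at backup time."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    return manifest

def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore the archive to a scratch directory and check every manifest entry against it."""
    missing, corrupt = [], []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # blocks path traversal where supported
            except TypeError:                           # interpreter predates the filter argument
                tar.extractall(scratch)
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.exists():
                missing.append(rel)
            elif sha256_of(restored) != digest:
                corrupt.append(rel)
    return {"restored": len(manifest) - len(missing) - len(corrupt),
            "missing": missing, "corrupt": corrupt, "ok": not missing and not corrupt}

def run_demo() -> tuple:
    """Constructed data: back up two files and verify; then alter the manifest so the
    second run reports one changed file and one file that never reached the media."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "claims_data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "cases.sqlite").write_bytes(os.urandom(4096))
        (src / "config.ini").write_text("[server]\nhost=vsc-db-01\n")  # constructed value
        archive = Path(work) / "backup.tgz"
        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest)
        manifest["db/cases.sqlite"] = "0" * 64  # recorded hash no longer matches the media
        manifest["missing.log"] = "0" * 64      # recorded file absent from the media
        bad = verify_restore(archive, manifest)
    return good, bad
```

The returned dictionaries are the evidence a periodic restore test should retain; a "missing" or "corrupt" list that is not empty is a failed test, whatever the tabletop walkthrough concluded.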
Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders following termination will sometimes exploit known technical vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to address known vulnerabilities and ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.
CERT | SOFTWARE ENGINEERING INSTITUTE | 101
Area of Concern: Addressing Known Security Vulnerabilities
Responsible Personnel: Information Technology
Policy and/or Security Measure: The OIT relies on two mechanisms to detect the download of malicious code: 1) DHS monitors the Internet gateway and alerts the OIT immediately upon discovery of known malware; the OIT shuts the port down to block malicious code where appropriate. 2) Agents installed on workstations also detect [...]
Policy or Practice Gaps: The presence of host, perimeter, and malware protection for USCIS puts USCIS in a relatively secure position regarding malicious downloads.

CERT | SOFTWARE ENGINEERING INSTITUTE | 102
[...]tion of malicious code from USBs and other media.

Area of Concern: Unmanaged Systems
Responsible Personnel: Information Technology
Policy and/or Security Measure: USCIS users have local administrator rights on their own machines. This allows users to install software on their systems. Some authorized software does require administrator rights to install. Some applications actually require administrator rights to run.
Policy or Practice Gaps: A mitigating factor is that the departing employee would need physical access to the system to log in. A user with administrator privileges must not rely solely on automatic mechanisms to safeguard his or her computer. Administrator rights give inadvertently downloaded malware the ability to completely compromise a system, sometimes without the knowledge of the user.
Suggested Countermeasures: Twelve percent (46) of the cases documented in the CERT Insider Threat Case database involve users abusing administrator privileges to sabotage systems or data. Although USCIS users need administrator rights to install or run authorized software, the OIT should consider giving users separate administrator accounts for these explicit purposes. Users could then use non-administrator accounts for their daily work. This would greatly minimize the risk of malware compromise.
CERT | SOFTWARE ENGINEERING INSTITUTE | 103
Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software source code and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process. To make this task more difficult, there have been USCIS employees with seniority or influence who are able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management make it difficult for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.

CERT | SOFTWARE ENGINEERING INSTITUTE | 104

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: The OIT has a configuration management policy for software configuration baselines. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts.
Policy or Practice Gaps: Despite rigorous configuration management policy, the OIT has difficulty keeping track of the 90 to 150 different system images in the USCIS environment. Rogue software or malware is often discovered through a deliberate manual scan rather than through an automated process.
Suggested Countermeasures: Seventeen cases documented in the CERT Insider Threat Case database involve users exploiting the lack or weakness of a configuration management system to carry out their attacks. The OIT could leverage the existing ePO deployment to complement its configuration management efforts. ePO can define a baseline for software applications and alert on any deviations from that baseline.

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: No evidence provided.
Policy or Practice Gaps: In some cases, individuals with seniority or influence are able to use administrator privileges to install software for the sake of convenience.
Suggested Countermeasures: USCIS should ensure that configuration policy is consistently communicated and enforced throughout the organization. Even senior leadership should not be able to casually circumvent these policies without going through the proper channels as defined by the configuration management policy.

CERT | SOFTWARE ENGINEERING INSTITUTE | 105

Area of Concern: Configuration Management
Responsible Personnel: USCIS Leadership; Information Technology
Policy and/or Security Measure: Service Centers are responsible for locking down desktops to prevent unauthorized software from running. The lockdown process relies on human intervention. If call volume to the Service Center is heavy, this may increase response time to an unacceptable level.
Suggested Countermeasures: The OIT should explore ways to automate lockdown of potentially compromised systems. This would require a careful balance of service versus security. On the service side, delayed response by the Service Center may result in loss of productivity. On the security side, delayed response could lead to system compromise. Management should evaluate the risks of a compromise and weigh those risks against the potential consequences of service disruption.
CERT | SOFTWARE ENGINEERING INSTITUTE | 106
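The configuration management countermeasure above (define an approved software baseline and alert on any deviation) and the OIT's scan for outdated or unpatched versions can be expressed as one small audit routine. This is an added example written for this page, not ePO or OIT code; the hostnames, package names, versions and baseline are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Deviation:
    host: str
    kind: str       # "unapproved", "outdated" or "missing"
    package: str
    detail: str

def parse_version(v: str) -> tuple:
    """'9.4.0' -> (9, 4, 0) so that versions compare numerically, not as strings."""
    return tuple(int(x) if x.isdigit() else x for x in v.split("."))

def audit_host(host: str, installed: dict, baseline: dict, required: set) -> list:
    """Compare one host's installed software {name: version} with the approved baseline.
    baseline maps name -> minimum approved version; required names must be present."""
    findings = []
    for name, ver in sorted(installed.items()):
        if name not in baseline:
            findings.append(Deviation(host, "unapproved", name, f"{ver} is not on the approved list"))
        elif parse_version(ver) < parse_version(baseline[name]):
            findings.append(Deviation(host, "outdated", name, f"{ver} is below approved {baseline[name]}"))
    for name in sorted(required - installed.keys()):
        findings.append(Deviation(host, "missing", name, "required agent is not installed"))
    return findings

def format_log(dev: Deviation) -> str:
    """One logged line per deviation so that drift can be investigated, not just noticed."""
    return f'config-drift host={dev.host} kind={dev.kind} package={dev.package} detail="{dev.detail}"'

# Constructed sample data; hostnames, package names and versions are invented, not from the report.
BASELINE = {"acrobat-reader": "9.4.0", "office": "12.0.6", "epo-agent": "4.5.0", "antivirus": "8.7.0"}
REQUIRED = {"epo-agent", "antivirus"}
INVENTORY = {
    "vsc-ws-0141": {"acrobat-reader": "9.4.0", "office": "12.0.6", "epo-agent": "4.5.0", "antivirus": "8.7.0"},
    "ncr-lt-0077": {"acrobat-reader": "9.1.0", "office": "12.0.6", "epo-agent": "4.5.0", "antivirus": "8.7.0",
                    "bittorrent-client": "6.1"},                    # installed with local admin rights
    "vsc-ws-0203": {"acrobat-reader": "9.4.0", "office": "12.0.6"},  # image missing both agents
}

def audit_fleet(inventory=INVENTORY, baseline=BASELINE, required=REQUIRED) -> list:
    """Run the baseline comparison over every host; deviations come back with hosts in sorted order."""
    return [d for host, sw in sorted(inventory.items()) for d in audit_host(host, sw, baseline, required)]

if __name__ == "__main__":
    for dev in audit_fleet():
        print(format_log(dev))
```

Each "unapproved" line is a candidate for the manual scan the OIT currently relies on, and each "missing" line is an image that the automated process cannot see at all, which is why the agent itself belongs in the required set.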
Appendix H Acronyms

C3-LAN     CLAIMS 3 – Local Area Network
CBP        Customs and Border Protection
CI         Counterintelligence
CIO        Chief Information Officer
CLAIMS     Computer Linked Application Information Management System
CMMI       Capability Maturity Model Integration
COTR       Contracting Officer's Technical Representative
CSC        Computer Sciences Corporation
CSIRT      Computer Security Incident Response Team
CSO        Chief Security Officer
CMU        Carnegie Mellon University
DBA        Database Administrator
DHS        Department of Homeland Security
DOJ        Department of Justice
FBI        Federal Bureau of Investigation
FDNS-DS    Fraud Detection and National Security Data System
FISMA      Federal Information Security Management Act
FSD        Field Security Division
FSN        Foreign Service National
GFE        Government-furnished Equipment
HR         Human Resources
HSPD-12    Homeland Security Presidential Directive 12
ICE        Immigration and Customs Enforcement
ISSO       Information System Security Officer
IT         Information Technology
LER        Labor and Employee Relations
LPO        Local PICS Officer
NCR        National Capital Region
NFTS       National File Tracking System
ODBC       Open Database Connectivity
OIG        Office of Inspector General
OIT        Office of Information Technology
OSI        Office of Security and Integrity
PERSEC     Personnel Security
PICS       Password Issuance and Control System
PII        Personally Identifiable Information
QA         Quality Assurance
SEI        Software Engineering Institute
SIEM       Security Information and Event Management
SIR        Significant Incident Report
SNOC       Security Network Operations Center
TSA        Transportation Security Administration
USB        Universal Serial Bus
107
USCIS      US Citizenship and Immigration Services
VIS        Verification Information System
108
Appendix I Management Comments to the Draft Report
109
Appendix J Contributors to this Report
Software Engineering Institute Carnegie Mellon University
Insider Threat Center at CERT
Department of Homeland Security Office of Inspector General
Richard Saunders, Director, Advanced Technology Division
Steve Matthews, IT Audit Manager, Advanced Technology Division
Philip Greene, IT Auditor/Team Lead, Advanced Technology Division
110
Appendix K Report Distribution
Department of Homeland Security
Secretary
Deputy Secretary
Chief of Staff
Deputy Chiefs of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Chief Information Security Officer
USCIS Chief Information Officer
USCIS Chief Information Security Officer
USCIS Audit Liaison Office
Office of Management and Budget
Chief, Homeland Security Branch
DHS OIG Budget Examiner
Congress
Congressional Oversight and Appropriations Committees as appropriate
111
ADDITIONAL INFORMATION AND COPIES
To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.
OIG HOTLINE
To report alleged fraud, waste, abuse, or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:
• Call our Hotline at 1-800-323-8603
• Fax the complaint directly to us at (202) 254-4292
• Email us at DHSOIGHOTLINE@dhs.gov, or
• Write to us at DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528
The OIG seeks to protect the identity of each writer and caller