Flashcards covering key definitions, directives, roles, and techniques related to Insider Threat Programs, DoD policy, and structured analytical techniques based on lecture notes.
EO 13587
Requires government agencies with classified information to establish an Insider Threat Program created by NITTF.
NITTF Co-Chairs
The Attorney General (AG) and the Director of National Intelligence (DNI).
DODI 5205.83
Establishes policy, assigns responsibilities, and prescribes procedures for the DITMAC, which is DoD's enterprise-level capability for insider threat information integration and management.
DODD 5400.11
Delegates authorities and responsibilities for the effective administration of the DoD Privacy Program.
Devil’s Advocacy
A type of Contrarian structured analytical technique.
UAM (User Activity Monitoring) Requirements
Includes file shadowing and keyboard collect, but not video.
UAM (User Activity Monitoring) Network Requirement
Required on Top Secret networks.
Imaginative Structured Analytic Techniques
Include brainstorming, red team analysis, alternative futures analysis, and Outside In Thinking.
Contrarian Techniques (Exclusions)
Do not include 'Indicators or Signposts of Change'.
DoD Insider Threat Program Senior Official
The Under Secretary of Defense for Intelligence (USDI (S)).
DITMAC (DoD Insider Threat Management and Analysis Center)
The part of the DoD Counter Insider Threat Program that develops enterprise-level risk criteria (thresholds).
Insider Threat Stressors
Often observed as personal, professional, and financial.
NITTF (National Insider Threat Task Force)
Responsible for establishing an Insider Threat policy and minimum standards for government insider threat programs.
Primary Vehicle for Civil Liberties Protection in USA
The US Bill of Rights.
First Amendment
The amendment of the constitution most applicable to the counter insider threat field.
Components of an Espionage Relationship
Motivation, communication, collection, and travel.
DoD Personnel Security Program Determinations
Uses National Adjudicative Guidelines.
EO 12333
Charges the Intelligence Community (IC) with providing the President and National Security Council with necessary information on which to base decisions.
DODI 7050.01
Establishes policy and assigns responsibilities for the DoD Hotline Program, which allows reporting of fraud, waste, abuse, violations, mismanagement, and classified information leaks.
2017 Insider Threat Guide
A NITTF document that lays out best practices for Insider Threat Programs.
Insider Threat Mitigation Responses Student Guide
Lays out the Pillars (Law Enforcement, Security, Counterintelligence, Cybersecurity, Mental Health/Behavioral Science, Human Resources, Legal) of Insider Threat.
SEAD 5
Addresses the collection and use of publicly available social media information.
DODM 5200.01
Pertains to the protection of classified information.
DODI 2000.26
Establishes policy, assigns responsibilities, and provides procedures implementing eGuardian as the DoD Law Enforcement (LE) SAR system.
Red Team Analysis
Models the behavior of an individual or group by trying to replicate how an adversary would think about an issue.
Indicators or Signposts of Change
A technique used to periodically review a list of observable events or trends to track events, monitor targets, spot emerging trends, and warn of unanticipated change.
DoD 5220.22-M (NISPOM)
Prescribes the requirements, restrictions, and other safeguards to prevent unauthorized disclosure of classified information.
Contrarian Techniques (Additional)
Include Devil’s Advocacy, Team A/Team B, What If, and High Impact/Low Probability.
Indicators or Signposts of Change (Application)
Used when an analyst needs to track an event over time to monitor and evaluate change.
Records Maintenance Duration
Records are maintained for 25 years.
Counterintelligence Pillar
Deals with contact with foreign nationals, foreign visits, and foreign travel.
Human Resources (HR) Referrals
Issues related to basic employment, disciplinary actions, and performance reviews are referred to HR.
Court Records Reporting
Court records are reported to Law Enforcement.
Mirror Imaging
An inclination to assume foreign leaders would behave as we imagine our own leaders would behave in similar circumstances.
Anchoring
A cognitive bias distinct from the tendency to search for or interpret information in ways that confirm preconceptions, preferences, and assumptions (which is Confirmation Bias).
Fruit of the Poisonous Tree Doctrine
Refers to the Fourth Amendment.
Privacy Act of 1974
Establishes a code of fair information practices governing the collection, maintenance, use, and dissemination of individuals' records by federal agencies.
DoD Insider Threat Program Monitoring
USDI (S) is responsible for monitoring the DoD Insider Threat Program.
Insider Threat Hubs Responsibilities
Required to maintain records and results of mitigated activity.
Personal Predisposition
The susceptibility or inclination to do something.
DODD 5205.16
An insider threat policy document that mandates insider threat information complies with all applicable laws and DoD policy issuances.
Imaginative Techniques (Purpose)
Encourage new perspectives, insights, and alternative scenarios.
DITMAC Information Sharing
Can share adverse personnel security information with DoD Components that have an official interest in the information and CAF (Central Adjudication Facility).
DCSA (Defense Counterintelligence and Security Agency)
Responsible for background investigations, adjudication for security clearances, and the oversight of DoD insider threats and mitigation efforts.
Freedom of Information Act (FOIA) Exemptions
Most common exemptions include personnel records, law enforcement, and classified information.
Espionage Relationship Components (Comprehensive)
Motivation, communication, travel, and collection.
Reporting Federal Criminal Law Violations
Executive Branch agencies report suspicions of an employee or officer breaking a federal criminal law to the Attorney General (AG).
Fraud, Waste, and Abuse Referrals
Referred to the Office of Inspector General (OIG).
Structured Analytic Techniques (SATs)
Used to mitigate bias.
Imaginative Techniques (Examples)
Include Brainstorming, Red Team Analysis, and Outside In Thinking, but not Team A/Team B.
Diagnostic Techniques (Exclusions)
Do not include Devil’s Advocacy. Examples include Key Assumptions Check, Quality of Information Check, Indicators or Signposts of Change, and Analysis of Competing Hypotheses.
Brainstorming (Application)
A technique used at the beginning of a project to generate a range of hypotheses about an issue.
Cyber Pillar
Deals with enterprise audit monitoring tool audit logs, authentication of people, User Activity Monitoring (UAM) for data analysis, UAM trigger development, profile data, printer log data, privileged users, trusted agents, and download history.
Outside In Thinking
A Structured Analytic Technique (SAT) used to identify the full range of basic forces, factors, and trends that would indirectly shape an issue.
Key Assumptions Check
Involves listing and reviewing the key working assumptions on which fundamental judgments rest.
User Activity Monitoring (UAM) Network Placement
UAM must be on Top Secret networks.
Diagnostic Techniques (Purpose)
Aim to make assumptions and logical arguments more transparent.
Analysis of Competing Hypotheses (ACH)
A technique used when there are large amounts of data.
EO 13526
Prescribes a uniform system for classifying, safeguarding, and declassifying national security information.