Department of Homeland Security, Office of Inspector General
Examining Insider Threat Risk at the U.S. Citizenship and Immigration Services (Redacted)
OIG-11-33, January 2011


Examining Insider Threat Risk at the U.S. Citizenship and Immigration Services

Prepared for Department of Homeland Security, Office of Inspector General
by the Software Engineering Institute at Carnegie Mellon University
Insider Threat Center at CERT

December 2010

NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.

Table of Contents

Executive Summary .......... 1
Background .......... 2
Objective .......... 3
Scope .......... 3
Assessment Process/Methodology .......... 5
Results of Assessment .......... 7
  Organizational .......... 7
  Human Resources .......... 9
  Physical Security .......... 11
  Business Processes .......... 12
  Incident Response .......... 14
  Software Engineering .......... 15
  Information Technology .......... 16
Recommendation #1: Institute an enterprise risk management plan .......... 22
Recommendation #2: Incorporate insider threat risk mitigation strategies into the Transformation effort .......... 22
Recommendation #3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats .......... 22
Recommendation #4: .......... 23
Recommendation #5: Consider separation of duties for critical business processes and their related information systems .......... 23
Recommendation #6: Conduct audit of PICS and FSN accounts for USCIS systems .......... 23
Recommendation #7: Employ consistent physical security policies for field offices and service centers, including the physical case files .......... 23
Recommendation #8: Consistently enforce exit procedures .......... 24
Recommendation #9: Examine HR screening procedures for high risk positions and FSNs .......... 24
Recommendation #10: Ensure that physical and computer access is terminated in a timely fashion .......... 24
Recommendation #11: Enforce a requirement for individual accounts on critical systems .......... 25
Recommendation #12: .......... 25
Recommendation #13: Reduce the number of privileged accounts for critical data systems .......... 25
Recommendation #14: .......... 25
Recommendation #15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review .......... 25
Recommendation #16: .......... 26
Recommendation #17: .......... 26
Recommendation #18: Periodic security refresher training should be regularly conducted and required for all employees .......... 26
Management Comments and OIG Analysis .......... 27
Appendixes .......... 28
Appendix A: Organizational .......... 30
Appendix B: Human Resources .......... 37
Appendix C: Physical Security .......... 42
Appendix D: Business Processes .......... 48
Appendix E: Incident Response .......... 62
Appendix F: Software Engineering .......... 69
Appendix G: Information Technology .......... 75
Appendix H: Acronyms .......... 107
Appendix I: Management Comments to the Draft Report .......... 109
Appendix J: Contributors to this Report .......... 110
Appendix K: Report Distribution .......... 111

CERT | SOFTWARE ENGINEERING INSTITUTE | i

Executive Summary

The U.S. Department of Homeland Security, Office of Inspector General engaged the Insider Threat Center at CERT, of the Software Engineering Institute at Carnegie Mellon University, to conduct an insider threat assessment of U.S. Citizenship and Immigration Services. The objective of the assessment was to determine how U.S. Citizenship and Immigration Services has taken steps to protect its information technology systems and data from the threats posed by employees and contractors. The assessment evaluated U.S. Citizenship and Immigration Services against approximately 400 real insider threat compromises documented in the CERT Insider Threat Case database. These cases, all prosecuted in the United States, include fraud, sabotage, and theft of intellectual property.

The assessment team performed fieldwork in the national capital region, Vermont Service Center, and U.S. Citizenship and Immigration Services Burlington offices. Due to the limited scope of the assessment, systems reviewed, and locations visited, CERT was not able to verify the institutionalization and enforcement of any U.S. Citizenship and Immigration Services policies or render an overall opinion of the effectiveness of U.S. Citizenship and Immigration Services insider threat posture. The Office of Inspector General did not request CERT to conduct a comprehensive information systems technical security controls review or vulnerability assessment to determine the susceptibility to internal threats. The Office of Inspector General may perform an in-depth follow-up review to render an overall opinion of the effectiveness of U.S. Citizenship and Immigration Services insider threat posture.

U.S. Citizenship and Immigration Services has made progress in implementing elements of an effective insider threat program. Specifically, it has established a Conviction Task Force to review former employees convicted of criminal misconduct within the scope of their duties; performs risk management for information technology and financial management; developed exit procedures for employees; improved protection of its facilities and assets; and adheres to formalized processes for some systems. In addition, it is implementing Homeland Security Presidential Directive 12 for physical and electronic account management.

While these efforts have resulted in some improvements, U.S. Citizenship and Immigration Services has opportunities to improve its security posture against threats posed by employees and contractors. For example, it can institute an enterprise risk management plan and incorporate insider threat risk mitigation strategies into its new business processes. It can also centralize records of misconduct and violations; institute a logging strategy to preserve system activities; implement separation of duties for adjudicative decisions; conduct audits of non-U.S. Citizenship and Immigration Services accounts; employ consistent policies for physical security; and consistently enforce employee exit procedures.

The assessment team is making 18 recommendations to the Director of U.S. Citizenship and Immigration Services to strengthen the department's security posture against malicious insider threats. USCIS concurred with all of our recommendations and has already begun to take actions to implement them. The department's response is included, in its entirety, as appendix I.

Background

The U.S. Department of Homeland Security (DHS), Office of Inspector General (DHS OIG) engaged the CERT program in the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat vulnerability assessment of U.S. Citizenship and Immigration Services (USCIS). The project approaches the insider threat problem on two primary fronts:

• The human behavioral component

• The technological solution for automating prevention and detection capabilities to identify, measure, monitor, and control insider threat vectors

Insiders can be current or former employees, contractors, or business partners who have or had authorized access to their organization's systems and networks. They are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate attacks and even collude with external attackers. CERT's research, conducted since 2001, has focused on gathering data about actual malicious insider acts, including information technology (IT) sabotage, fraud, theft of confidential or proprietary information, espionage, and potential threats to our Nation's critical infrastructures.

CERT developed an insider threat vulnerability assessment instrument for evaluating vulnerabilities to insider threat based on research to date. Because of the complexity of the insider threat problem, which involves security officers, information technology, information security, management, data owners, software engineering, and human resources, organizations need assistance in merging the wealth of available guidance into a single, actionable framework. CERT advises organizations to use this assessment instrument to help safeguard their critical infrastructure.

CERT built the assessment based on research of approximately 400 insider threat cases in the CERT Insider Threat Case database.[1] These cases are a collection of real insider threat compromises, primarily fraud, sabotage, and theft of intellectual property, that have been prosecuted in the United States. Starting in 2002, CERT collaborated with U.S. Secret Service behavioral psychologists to collect approximately 150 actual insider threat cases that occurred in U.S. critical infrastructure sectors between 1996 and 2002, and examined them from both a technical and a behavioral perspective. Since that original study, CERT has continued to add cases, with funding from Carnegie Mellon's CyLab,[2] bringing the case library to a total of approximately 400 cases. The instrument encompasses technical, behavioral, process, and policy issues, and is structured around information technology, information security, human resources, physical security, business processes, legal and contracting, management, and organizational issues.

[1] Note that the database does not contain national security espionage cases involving classified information.
[2] http://www.cylab.cmu.edu/

Objective

The objective of the insider threat vulnerability assessment was to determine how USCIS has taken steps to protect its IT systems and data from the threat posed by employees and contractors. This assessment was based on behavioral as well as technical experience, and it is intended to assist USCIS in safeguarding its critical infrastructure. The assessment will:

• Enable USCIS to gain a better understanding of its vulnerability to insider threat and provide an ability to identify and manage associated risks

• Identify technical, organizational, personnel, business security, and process issues into a single, actionable framework

• Identify short-term countermeasures against insider threats

• Help guide USCIS in its ongoing risk management process for implementing long-term, strategic countermeasures against insider threats

Scope

USCIS employs approximately 18,000 government employees and contractors located at 250 offices throughout the world.[3] The insider threat vulnerability assessment is intended to focus on critical systems and high-risk areas of concern that can be assessed in a 3- to 5-day time frame. Therefore, at a pre-assessment walkthrough meeting, USCIS staff identified 3 systems of the 96 systems used by the agency as critical to its overall mission:

• Verification Information System (VIS): this public-facing system is composed of five different applications. The purpose of the system is to provide

  o Immigration status information to government benefit-granting organizations to help them determine the eligibility of aliens who apply for benefits

  o A means for private employers to perform employment eligibility verification of newly hired employees

• Computer Linked Application Information Management System (CLAIMS): this system provides the following functions:

  o CLAIMS 3 Local Area Network (C3 LAN) was originally developed to track the receipting of applicant or petitioner remittances and to produce notices documenting the remittance. C3 LAN now includes adjudication, archive, card production, case history, case transfer, on-demand reports, electronic file tracking, image capture, production statistics, status update, and electronic ingest of application data captured through the E-Filing web application and the Department of Treasury sponsored lockbox operations.

  o C3 mainframe supports processing of USCIS applications and petitions for various immigrant benefits (e.g., change of status, employment authorization, and extension of stay).

• Fraud Detection and National Security Data System (FDNS-DS): this system was developed to identify threats to national security, combat benefit fraud, and locate and remove vulnerabilities that compromise the integrity of the legal immigration system.

[3] http://www.uscis.gov/portal/site/uscis/menuitem.eb1d4c2a3e5b9ac89243c6a7543f6d1a/?vgnextoid=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD&vgnextchannel=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD

It is important to note that the insider threat vulnerability assessment is limited to areas of concern observed in the hundreds of cases in the CERT Insider Threat database. People, technology, and organizations are constantly changing, and malicious insiders continue to come up with new avenues of attack in order to defeat a previously effective countermeasure. However, many of the countermeasures suggested in this report are applicable to a multitude of attack vectors.

It is also important to note that CERT's insider threat research has only explored intentional insider crimes. Accidental data leakage is an area of significant concern for organizations; however, CERT has not yet explored that aspect of insider threat. In addition, the focus of the research to date is to describe how the insider threat problem evolves over time. CERT's long-term research does include measuring the effectiveness of mitigation strategies.

Assessment Process/Methodology

An entrance conference was conducted by the DHS OIG, CERT, and USCIS on February 23, 2010. The entrance conference introduced USCIS to the CERT assessment team. Following the entrance conference, a pre-assessment walkthrough was held at USCIS headquarters on March 10, 2010. At that meeting, the CERT assessment team and the DHS OIG team explained the assessment process to representatives of USCIS. USCIS provided some documentation to the assessment team at that time and more documents throughout the assessment; those documents were reviewed to provide substantiation for findings in this report.

USCIS identified 96 systems it uses. Following the initial meeting, USCIS leadership and the assessment team chose the VIS, CLAIMS, and FDNS-DS systems because they were critical to the overall mission of USCIS. These three systems were the focus of the 5-day onsite assessment.

At the pre-assessment walkthrough, USCIS indicated that it had created a Convictions Task Force to review the activities of 10 former employees convicted of criminal misconduct within the scope of their official duties. The purpose of the task force is to identify issues these employees exploited to commit their crimes. The task force intended to develop findings and recommendations aimed at preventing similar crimes in the future. It graciously extended an invitation to the CERT and DHS OIG teams to participate. As a result, the teams observed, or reviewed transcripts of, all telephone conferences conducted by the task force. These findings are reflected in this report.

The CERT insider threat team and the DHS OIG liaison were onsite at various USCIS locations in the national capital region (NCR) from March 30 through April 1, 2010.

The DHS OIG liaisons were present at all interviews. The DHS OIG attended these interviews as an observer and assisted CERT as needed.

Face-to-face interviews were conducted with approximately 58 representatives in the NCR, followed by 32 representatives in the Vermont Service Center and USCIS Burlington offices. In addition, telephone conferences were held with staff from the Office of Security and Integrity (OSI) Investigations Division and the Security Network Operations Center (SNOC). Interviewees represented the following areas:

• Data Owners (VIS, CLAIMS, and FDNS-DS)

• Computer Sciences Corporation (CSC) (software engineering and operational support for VIS, CLAIMS, and FDNS-DS)

• OSI (Physical Security, Regional Security, Investigations, Personnel Security, Counterintelligence)

• Human Capital and Training (Training, Human Resources Operations Center, Labor Employee Relations)

• Office of Information Technology (OIT) (IT Security, Computer Security Incident Response Team, Security and Network Operations Center, Account Management, Enterprise Operations)

• Legal (Procurement Law)

• Vermont Service Center (adjudicators, data entry clerks, supervisor, directors, OIT, software engineering)

All interviews were considered confidential; no record of participating employees is included in this report or in subsequent briefings. Findings are attributed only to a group or department interviewed, a document, the Convictions Task Force telephone conferences, or direct observation.

Results of Assessment

Organizational

A critical issue for USCIS is ensuring that the entire organization is risk aware, and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for Information Technology (IT), and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: U.S. citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.

Transformation

Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. USCIS is relying heavily on Transformation to correct many of the problems resulting from legacy systems. This reliance on a single effort makes its effectiveness very important. The team found the Transformation effort to be a massive undertaking that appears to be implementing a very detailed project plan.

Based on the team's review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats. The assessment team reviewed five comprehensive Transformation documents as part of this assessment. The documents describe system requirements in detail. Fraud detection refers to detection of fraud perpetrated by applicants and petitioners; national security issues focus on the handling of investigations within USCIS that involve national security issues.

Again, an enterprise risk management approach should be considered when defining requirements for Transformation. Insiders at USCIS have perpetrated fraud in the past, as evidenced by the Convictions Task Force. In addition, USCIS insiders are capable of granting legal residency or citizenship status to someone who poses a national security risk to the United States.

Training and Awareness

It is essential that security awareness training is consistently provided to all employees to ensure security policies and practices are institutionalized throughout an organization. Many times, coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure to report concerning behavior by coworkers or others in an organization was a primary reason insiders in the CERT Insider Threat Case database continued to set up or carry out their attacks.

USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site, with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Human Resources

An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern exhibited by current employees. Some cases from the CERT Insider Threat database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations must establish a well organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.

Organizational issues related to functions shared by human resources (HR) and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization; or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines, addressing both permitted and prohibited employee behavior, are vital to risk detection and monitoring. Clear requirements for ensuring employees' knowledge of these guidelines are also essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information.

Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.

Screening and Hiring Practices

Several personnel screening and hiring practices pose a risk to USCIS systems and data.

USCIS does not have a consistent procedure for deciding whether to conduct a face-to-face interview prior to hiring an applicant being screened for government employment. There was an impression at USCIS headquarters that nearly 100% of those employees hired by managers are interviewed, but representatives in Burlington, Vermont told us otherwise. This gap between perception and reality (there is not a policy stating that this must be done) is a concern. USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.

If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire. PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires if they have risk factors that do not cross adjudication guidelines for disqualification.

Foreign Service National (FSN) employees, who work at U.S. embassies and consulates abroad, have access to USCIS critical systems and data in some cases. In order to be hired and granted access to any of those systems, FSNs are vetted by the U.S. Department of State. Although the access to USCIS systems must be approved by the chief security officer (CSO) and chief information officer (CIO) for DHS, USCIS has very little visibility into the screening process for FSNs.

Exit Procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and, in some cases, are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager or Contracting Officer's Technical Representative (COTR). It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment, and improper disabling or termination of access.

Physical Security

Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.

USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the NCR since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls.

Finally, issues concerning the security of applicants' physical case files should be considered as part of a USCIS risk management strategy.

Controlling and Monitoring Proper Access Authorization

USCIS handles the physical security and access authorization of facilities differently depending on where the facility is located. The physical security of NCR facilities is handled by one group of USCIS personnel, but the physical security of field offices falls under the Field Security Division (FSD). In some cases, a physical security representative is not located in a field office at all. When this is the case, the responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner.

In 10 cases documented in the CERT Insider Threat Case database, the insider was able to commit a crime following termination because of failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities.
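The comparison described above (HR separation records against each facility's access list) and the exit-procedure gap described under Exit Procedures can be checked with one reconciliation. The following is an added example, not code from the OIG report or from USCIS; the roster, badge entries, account entries and the one-day grace period are all constructed assumptions.

```python
"""Reconcile HR separation records against facility badge lists and critical-system
accounts (VIS, CLAIMS, FDNS-DS), the comparison the report says USCIS should make.
Added example, not part of the OIG report; every record below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str                          # "active" or "separated"
    separation_date: Optional[date] = None


@dataclass(frozen=True)
class AccessEntry:
    person_id: str
    source: str                          # e.g. "badge:VSC" or "account:VIS"
    enabled: bool


@dataclass(frozen=True)
class Finding:
    person_id: str
    source: str
    reason: str
    days_overdue: int


def reconcile(roster: List[Person], entries: List[AccessEntry],
              as_of: date, grace_days: int = 1) -> List[Finding]:
    """Flag enabled access that the exit process should already have removed.

    Two conditions are reported:
      - the holder is marked separated in HR but an entry is still enabled;
      - the entry's holder does not exist in the HR roster at all.
    days_overdue is how long the access outlived separation plus a grace
    period. The report does not define "timely", so grace_days is an
    assumption of this example, not a USCIS figure."""
    by_id = {p.person_id: p for p in roster}
    findings = []
    for e in entries:
        if not e.enabled:
            continue
        p = by_id.get(e.person_id)
        if p is None:
            findings.append(Finding(e.person_id, e.source, "unknown holder", 0))
        elif p.status == "separated" and p.separation_date is not None:
            deadline = p.separation_date + timedelta(days=grace_days)
            overdue = max((as_of - deadline).days, 0)
            findings.append(Finding(e.person_id, e.source,
                                    "access after separation", overdue))
    # Longest-lived orphaned access first, so it is handled first.
    return sorted(findings,
                  key=lambda f: (-f.days_overdue, f.person_id, f.source))


# Constructed sample data: an HR roster, one badge system and three accounts.
ROSTER = [
    Person("E100", "active"),
    Person("E101", "separated", date(2010, 3, 1)),
    Person("C200", "separated", date(2010, 3, 28)),
    Person("E102", "active"),
]
ENTRIES = [
    AccessEntry("E100", "badge:VSC", True),
    AccessEntry("E101", "badge:VSC", True),          # badge never collected
    AccessEntry("E101", "account:CLAIMS", False),    # disabled correctly
    AccessEntry("E101", "account:VIS", True),        # account still enabled
    AccessEntry("C200", "account:FDNS-DS", True),    # contractor left two days ago
    AccessEntry("X999", "badge:NCR", True),          # nobody in HR owns this badge
    AccessEntry("E102", "account:VIS", True),
]


def run_sample() -> List[Finding]:
    return reconcile(ROSTER, ENTRIES, as_of=date(2010, 3, 30))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.person_id:6} {f.source:18} {f.reason:25} {f.days_overdue:>3}d")
```

In practice the roster export comes from HR and the entries from each facility's access control system and each critical system's account list; the "unknown holder" case is the one a roster-only check misses.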

Security of Physical Case Files

At the Vermont Service Center, the assessment team observed physical case files of benefit applicants stacked in crates in the hallways. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their offices or desks. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices and they may leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office, naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Thirteen insiders documented in the CERT database stole physical property belonging to their organization.

Business Processes

A variety of cases from the CERT Insider Threat Case database document insider attacks in which gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and nontechnical means. Access control based on separation of duties and least privilege, in both the physical and virtual environment, is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.

Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crimes. Most of these insiders committed their crimes for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE Password Issuance and Control System (PICS) for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.

Verification Information System

The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.

Modifications by VIS users to critical data are logged,

CLAIMS 3 LAN

Currently, all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other sister USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than to detect deliberate fraud. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it.

FDNS-DS


Incident Response

Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.

Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to, or while carrying out, their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft, and other malicious insider acts. Even if it is not possible to require nonsupervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.

Incident Management

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Consequently, any effort to coordinate a proactive program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.

Software Engineering

Code Reviews

Some USCIS systems adhere to a formalized process of software engineering, using contractors with a specified level of process maturity (i.e., Capability Maturity Model Integration (CMMI) level 3),

There was even a documented case in which source code contained something inappropriate and it was discovered only after the code was turned over from one contractor to another.


Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database, and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.

Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial.

Information Technology

Account Management

Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems and/or networks.

In some areas, computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.

Although account naming conventions are dictated by DHS and the U.S. Department of State, USCIS could request a naming convention to differentiate between FSN and U.S. citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.

Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore,

Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR.

The application of account management practices under the control of USCIS is inconsistent. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees retain access after a transfer when they should not; preventing this requires the losing and gaining supervisors to notify the proper account management personnel.

Access Control

An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.

Given the distributed nature of access authorization via PICS, ICE, and the U.S. Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those granted access through the U.S. Department of State for access from embassies overseas, have not been through the rigorous pre-employment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems, and implement protection mechanisms to limit the damage that these insiders might cause.

Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.

Protection of Controlled Information

Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.

USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information,


Logging/Auditing/Monitoring

Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.

The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes, and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.

Technical Security Vulnerabilities

Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.


There is a primary concern in this area at USCIS. USCIS should consider the frequency with which it scans its systems for technical security vulnerabilities.

There is also another concern in this area at USCIS.

Configuration Management

Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software, source code, and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.

The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy,

Rogue software or malware is often discovered through a deliberate manual scan, rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.
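As an added illustration of the baseline checks described in this section (not code from the report or from USCIS OIT), the following Python compares one host's installed-software inventory against the approved baseline for its contract and flags unapproved, outdated, missing, or locally installed packages. The baselines, package names, versions, host names and the `svc_deploy` deployment identity are constructed sample values.

```python
"""Configuration baseline drift check (added example; all data constructed).

Compares a host's installed software against the approved baseline for
its contract and returns findings that an investigator can review.
"""
from typing import Dict, List, Tuple

# Approved baseline per contract: package -> minimum approved version.
# Constructed sample values; the report only states that OIT keeps
# different baselines for different contracts.
BASELINES: Dict[str, Dict[str, str]] = {
    "contract-A": {"office-suite": "12.0.6", "pdf-reader": "9.3.4", "av-agent": "4.2.1"},
    "contract-B": {"office-suite": "12.0.6", "pdf-reader": "9.4.0",
                   "av-agent": "4.2.1", "case-tool": "2.1.0"},
}

# Identity used by the automated deployment process (assumed name).
DEPLOYMENT_ACCOUNT = "svc_deploy"

Finding = Tuple[str, str, str]        # (host, package, finding code)
Installed = Tuple[str, str, str]      # (package, version, installed_by)


def version_key(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '9.3.4' into a comparable tuple.

    Assumes purely numeric components; real inventories may need a
    richer parser.
    """
    return tuple(int(part) for part in version.split("."))


def check_host(host: str, contract: str, installed: List[Installed]) -> List[Finding]:
    """Return every deviation of one host from its contract baseline."""
    baseline = BASELINES[contract]
    findings: List[Finding] = []
    seen = set()
    for package, version, installed_by in installed:
        seen.add(package)
        if package not in baseline:
            # Rogue software: not on the approved list at all.
            findings.append((host, package, "NOT_ON_APPROVED_LIST"))
        elif version_key(version) < version_key(baseline[package]):
            # Approved package, but below the patched baseline version.
            findings.append((host, package, "OUTDATED_VERSION"))
        if installed_by != DEPLOYMENT_ACCOUNT:
            # Installed with local administrator rights rather than by the
            # deployment process; worth logging even for an approved package.
            findings.append((host, package, "INSTALLED_OUTSIDE_DEPLOYMENT_PROCESS"))
    for package in baseline:
        if package not in seen:
            # Required software removed or never deployed (e.g. the AV agent).
            findings.append((host, package, "REQUIRED_SOFTWARE_MISSING"))
    return findings


# Constructed inventory for two hosts, as an endpoint scan might return it.
SAMPLE_INVENTORY = {
    ("lt-0117", "contract-A"): [
        ("office-suite", "12.0.6", "svc_deploy"),
        ("pdf-reader", "9.1.0", "svc_deploy"),            # outdated
        ("remote-tool", "3.0", "lt-0117\\localadmin"),    # rogue, locally installed
        # av-agent is absent from this host
    ],
    ("ws-2203", "contract-B"): [
        ("office-suite", "12.0.6", "svc_deploy"),
        ("pdf-reader", "9.4.0", "svc_deploy"),
        ("av-agent", "4.2.1", "svc_deploy"),
        ("case-tool", "2.1.0", "svc_deploy"),
    ],
}


def run_config_sample() -> Dict[str, List[Finding]]:
    """Check every host in the constructed inventory."""
    return {host: check_host(host, contract, pkgs)
            for (host, contract), pkgs in SAMPLE_INVENTORY.items()}


if __name__ == "__main__":
    for host, findings in run_config_sample().items():
        print(host, "compliant" if not findings else findings)
```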


Recommendations

The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.

Recommendation #1: Institute an enterprise risk management plan

USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT, and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.

Recommendation #2: Incorporate insider threat risk mitigation strategies into the Transformation effort

Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.

Recommendation #3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats

USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identi


stores physical files for benefit applicants in the Vermont Service Center with no physical protection beyond the exterior building and guard controls. USCIS should evaluate current physical access procedures to determine if they adequately address risk and if they are enforced consistently across the enterprise.

Recommendation #8: Consistently enforce exit procedures

Exit procedures typically detail the steps that must be taken when an employee retires, resigns or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and, in some cases, are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager and COTR. It also appears that different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment, and improper disabling or termination of access. USCIS should adopt an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.

Recommendation #9: Examine HR screening procedures for high-risk positions and FSNs

Changes should be made to the USCIS hiring processes for select, high-risk positions. For example, USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.

Recommendation #10: Ensure that physical and computer access is terminated in a timely fashion

USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.


Recommendation #11: Enforce a requirement for individual accounts on critical systems

In some cases, USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions, and possibly implement stronger authentication to make sharing of accounts more difficult.
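One way to surface the account sharing this recommendation describes from VIS-style access logs, as an added example that is not part of the report: flag any account that holds two sessions open at the same time from different source addresses, which cannot be attributed to a single individual. The log line format, account names and addresses are constructed assumptions; two devices behind one NAT address would not be separated by this check, so a hit is a lead for investigation rather than proof.

```python
"""Concurrent-session check for shared accounts (added example; data constructed).

An account that is simultaneously logged in from two different source
addresses cannot be attributed to one and only one individual, which is
the attribution requirement the recommendation calls for.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed line format for an access log; real VIS logs will differ.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>login|logout)$"
)

Event = Tuple[datetime, str, str, str]       # (time, user, src, action)
Session = Tuple[datetime, datetime, str]     # (start, end, src)


def parse_log(lines: List[str]) -> List[Event]:
    """Parse the log, skipping malformed lines instead of aborting the audit."""
    events: List[Event] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["action"]))
    events.sort()
    return events


def build_sessions(events: List[Event]) -> Dict[str, List[Session]]:
    """Pair each login with the next logout for the same (user, src).

    A login with no matching logout is treated as still open.
    """
    open_sessions: Dict[Tuple[str, str], datetime] = {}
    sessions: Dict[str, List[Session]] = defaultdict(list)
    for ts, user, src, action in events:
        key = (user, src)
        if action == "login":
            open_sessions.setdefault(key, ts)        # keep the earliest login
        elif key in open_sessions:
            sessions[user].append((open_sessions.pop(key), ts, src))
    for (user, src), start in open_sessions.items():
        sessions[user].append((start, datetime.max, src))
    return sessions


def find_concurrent_use(events: List[Event]) -> List[Tuple[str, str, str, str]]:
    """Return (user, src_a, src_b, overlap_start) for each pair of
    overlapping sessions an account held from two different addresses."""
    findings = []
    for user, sessions in build_sessions(events).items():
        sessions.sort()
        for i, (start_a, end_a, src_a) in enumerate(sessions):
            for start_b, _end_b, src_b in sessions[i + 1:]:
                if src_a != src_b and start_b < end_a:
                    findings.append((user, src_a, src_b, start_b.isoformat()))
    return findings


# Constructed sample log: one employer account used from two addresses at
# once; one field office account used sequentially from two addresses.
SAMPLE_LOG = """
2010-11-03T08:55:10 user=employer_acme_01 src=203.0.113.10 action=login
2010-11-03T09:02:44 user=employer_acme_01 src=198.51.100.7 action=login
2010-11-03T09:30:00 user=employer_acme_01 src=203.0.113.10 action=logout
2010-11-03T09:41:12 user=employer_acme_01 src=198.51.100.7 action=logout
2010-11-03T10:00:00 user=field_office_22 src=192.0.2.15 action=login
2010-11-03T10:20:00 user=field_office_22 src=192.0.2.15 action=logout
2010-11-03T13:00:00 user=field_office_22 src=192.0.2.16 action=login
this line is deliberately malformed and is skipped
""".strip().splitlines()


def run_session_sample() -> List[Tuple[str, str, str, str]]:
    return find_concurrent_use(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_session_sample():
        print("possible shared account:", finding)
```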

Recommendation #12:

Recommendation #13: Reduce the number of privileged accounts for critical data systems

Some data systems, including FDNS-DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.
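The account audit suggested in the Account Management section and in Recommendations #10 and #13 could be scripted along these lines; this is an added example, not code from the report, and the roster and account fields, role names, grace period and the `ROLES_NEEDING_PRIVILEGE` policy are constructed assumptions.

```python
"""Account audit against HR status (added example; all records constructed).

Cross-checks an account inventory for critical systems against the HR
roster to find legacy or unauthorized accounts, accounts left enabled
after separation or transfer, and privilege that exceeds the holder's role.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Person:
    user_id: str
    status: str          # "active", "transferred" or "separated"
    role: str            # current job role from HR
    status_date: date    # date of the most recent status change


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    enabled: bool
    privileged: bool
    authorization_ref: Optional[str]   # record approving creation, None if untracked
    granted_role: str                  # role the account was provisioned for


# Assumed policy: roles that legitimately need privileged access, per system.
ROLES_NEEDING_PRIVILEGE: Dict[str, Set[str]] = {
    "FDNS-DS": {"system_administrator"},
    "VIS": {"system_administrator"},
    "CLAIMS3": {"system_administrator"},
}

DISABLE_GRACE = timedelta(days=1)   # assumed allowance for processing a separation

Finding = Tuple[str, str, str]      # (user_id, system, finding code)


def audit_accounts(roster: List[Person], accounts: List[Account], today: date) -> List[Finding]:
    people = {p.user_id: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if acct.authorization_ref is None:
            # No record of who approved creation: a candidate legacy account.
            findings.append((acct.user_id, acct.system, "NO_AUTHORIZATION_RECORD"))
        person = people.get(acct.user_id)
        if person is None:
            # Nobody in HR owns this account; the remaining checks need an owner.
            findings.append((acct.user_id, acct.system, "NO_ROSTER_ENTRY"))
            continue
        if person.status == "separated" and acct.enabled \
                and today - person.status_date > DISABLE_GRACE:
            findings.append((acct.user_id, acct.system, "ENABLED_AFTER_SEPARATION"))
        if person.status == "transferred" and acct.enabled \
                and acct.granted_role != person.role:
            # Access provisioned for the old job retained after the move.
            findings.append((acct.user_id, acct.system, "ACCESS_RETAINED_AFTER_TRANSFER"))
        if acct.privileged and person.role not in ROLES_NEEDING_PRIVILEGE.get(acct.system, set()):
            findings.append((acct.user_id, acct.system, "PRIVILEGE_EXCEEDS_ROLE"))
    return findings


# Constructed sample data.
ROSTER = [
    Person("u100", "active", "adjudicator", date(2009, 1, 5)),
    Person("u101", "separated", "adjudicator", date(2010, 3, 1)),
    Person("u102", "transferred", "adjudicator", date(2010, 6, 15)),   # was an FDNS officer
    Person("u103", "active", "system_administrator", date(2008, 9, 9)),
]
ACCOUNTS = [
    Account("u100", "CLAIMS3", True, False, "REQ-2009-0412", "adjudicator"),
    Account("u101", "CLAIMS3", True, False, "REQ-2008-1177", "adjudicator"),   # still enabled
    Account("u102", "FDNS-DS", True, False, "REQ-2009-0033", "fdns_officer"),  # old role's access
    Account("u100", "FDNS-DS", True, True, "REQ-2010-0501", "adjudicator"),    # privileged, not admin
    Account("u103", "FDNS-DS", True, True, "REQ-2008-0900", "system_administrator"),
    Account("fsn_legacy7", "VIS", True, False, None, "verifier"),           # no owner, no approval
]
AUDIT_DATE = date(2010, 12, 1)


def run_account_audit() -> List[Finding]:
    return audit_accounts(ROSTER, ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for finding in run_account_audit():
        print(finding)
```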

Recommendation #14:

Recommendation #15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review

USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk, critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed,

Recommendation #16:

Recommendation #17:

Recommendation #18: Periodic security refresher training should be regularly conducted and required for all employees

USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.


Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments, in its entirety, in appendix I.

USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS' corrective action plans.


Appendixes

The following pages contain appendixes A through G that contain a complete, detailed list of findings from the assessment.

The appendixes are organized into the following sections:

Appendix A: Organizational
Appendix B: Human Resources
Appendix C: Physical Security
Appendix D: Business Process
Appendix E: Incident Response
Appendix F: Software Engineering
Appendix G: Information Technology
Appendix H: Acronyms
Appendix I: Management Comments to the Draft Report
Appendix J: Contributors to this Report
Appendix K: Report Distribution

Each section in appendixes A through G contains a brief introduction, summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:

Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures

Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern specific to USCIS obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.

It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization's mission from both external and internal threats.

Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.

The results of this insider threat vulnerability assessment should be used to develop or refine the organization's overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.

Many of the findings in this report include the relative frequency of the issue raised in the CERT Insider Threat Case database. At the time this report was written, there were 386 cases of malicious insider activity against which the suggested countermeasure percentage is calculated. So, if a particular activity was seen in 38 of our cases, we may indicate that it was seen in 10% of the cases in the Insider Threat Case database.


  • Ap

    pen

    dix

    A:O

    rgan

    izat

    ion

    al

    Risk

    Man

    agem

    ent

    /Co

    mm

    unic

    atio

    n/

    Secu

    rity

    Pro

    cess

    Impr

    ovem

    ent

    USC

    ISis

    ina

    diff

    icul

    tpos

    ition

    .Pa

    rto

    fits

    mis

    sion

    isto

    pro

    vide

    cus

    tom

    ers

    ervi

    ceto

    thos

    ese

    ekin

    gim

    mig

    ratio

    nan

    dci

    tizen

    ship

    ben

    efits

    from

    the

    U.S

    .Gov

    ernm

    ent.

    How

    ever

    ,iti

    sch

    alle

    ngin

    gto

    opt

    imiz

    ebu

    sine

    ssp

    roce

    sses

    for

    cust

    omer

    ser

    vice

    whi

    lea

    tthe

    sam

    etim

    eim

    plem

    entin

    gpr

    otec

    tiv

    em

    easu

    res

    toc

    ount

    erth

    eri

    skp

    osed

    by

    gran

    ting

    thos

    eve

    ryb

    enef

    its.

    Man

    yU

    SCIS

    em

    ploy

    ees

    inte

    rvie

    wed

    for

    this

    ass

    essm

    enti

    dent

    ified

    the

    orga

    niza

    tion

    spr

    imar

    yri

    ska

    sal

    low

    ing

    the

    next

    terr

    oris

    tto

    live

    and

    wor

    kle

    gally

    inth

    eU

    nite

    dSt

    ates

    .Th

    eyd

    esir

    ehe

    lpin

    iden

    tifyi

    nga

    ndim

    ple

    men

    ting

    inte

    rnal

    con

    trol

    sto

    cou

    nter

    that

    ris

    k.S

    ome

    ofth

    ein

    terv

    iew

    ees,

    how

    ever

    ev

    ens

    ome

    ofth

    eIS

    SOs

    and

    data

    ow

    ners

    fo

    cuse

    don

    leak

    ag

    eof

    PII

    asth

    eir

    prim

    ary

    conc

    ern.

    Aft

    erd

    elvi

    ngin

    toth

    em

    atte

    rw

    ithth

    eas

    sess

    men

    ttea

    m,t

    hey

    cam

    eto

    und

    erst

    and

    the

    risk

    pos

    edb

    yex

    po

    sure

    or

    mis

    use

    ofc

    ritic

    ald

    ata

    asth

    egr

    eate

    str

    isk

    face

    dby

    USC

    IS,p

    rim

    arily

    bec

    ause

    suc

    ha

    secu

    rity

    bre

    ach

    coul

    dre

    sult

    ina

    llow

    ing

    ate

    rror

    isti

    nto

    the

    coun

    try.

    Ac

    ritic

    alis

    sue

    for

    USC

    ISis

    ens

    urin

    gth

    een

    tire

    orga

    niza

    tion

    isr

    isk

    awar

    e,a

    ndim

    plem

    entin

    ga

    form

    alr

    isk

    man

    agem

    entp

    roce

    ssto

    add

    ress

    ris

    kco

    nsis

    tent

    lya

    ndc

    ontin

    ually

    acr

    oss

    the

    ente

    rpri

    se.

    Ther

    edo

    esn

    ota

    ppea

    rto

    be

    aco

    nsis

    tent

    und

    erst

    andi

    ngo

    fthe

    bro

    ads

    pect

    rum

    ofr

    isks

    faci

    ng

    USC

    IS.

    The

    asse

    ssm

    entt

    eam

    was

    told

    ther

    eis

    no

    ente

    rpri

    sew

    ide

    risk

    man

    agem

    entp

    rogr

    ama

    tUSC

    IS.

    OIT

    per

    form

    sri

    skm

    anag

    emen

    tfor

    ITa

    nd

    Fina

    ncia

    lMan

    agem

    entp

    erfo

    rms

    risk

    man

    agem

    entf

    orfi

    nanc

    ialm

    atte

    rs,b

    utn

    oon

    ew

    asa

    war

    eof

    any

    ent

    erpr

    ise

    wid

    eef

    fort

    s.I

    nad

    ditio

    n,e

    ach

    field

    off

    ice

    and

    serv

    ice

    cent

    era

    ppea

    rsto

    ope

    rate

    fair

    lyin

    depe

    nden

    tly.

    Itis

    impo

    rtan

    tfor

    thos

    eor

    gani

    zatio

    nsto

    wor

    kto

    geth

    erto

    iden

    tify,

    pri

    or

    itize

    ,and

    add

    ress

    ris

    k.O

    ngoi

    ngc

    omm

    unic

    atio

    nbe

    twee

    nal

    lcom

    pone

    nts

    ofU

    SCIS

    will

    hel

    pen

    sure

    that

    new

    thre

    ats,

    att

    ack

    vect

    ors,

    and

    cou

    nte

    rmea

    sure

    sar

    eco

    mm

    unic

    ated

    and

    han

    dled

    eff

    ectiv

    ely

    bya

    ll.

    Ina

    dditi

    on,U

    SCIS

    em

    ploy

    ees

    and

    cont

    ract

    ors

    hold

    the

    keys

    too

    neo

    fthe

    wor

    lds

    mos

    tcov

    eted

    kin

    gdom

    sU

    .S.c

    itize

    nshi

    p.T

    his

    mak

    ese

    mpl

    oy

    ees

    and

    cont

    ract

    ors

    attr

    activ

    eta

    rget

    sfo

    rre

    crui

    tmen

    t.B

    ecau

    seo

    fthe

    sen

    sitiv

    ena

    ture

    ofU

    SCIS

    mis

    sion

    ,som

    eof

    its

    empl

    oyee

    san

    dco

    ntra

    ctor

    s

    CERT | SOFTWARE ENGINEERING INSTITUTE | 30

  • have

    bee

    nta

    rget

    sfo

    rre

    crui

    tmen

    tfor

    thef

    tor

    unau

    thor

    ized

    mod

    ifica

    tion

    ofU

    SCIS

    dat

    a.A

    llem

    ploy

    ees

    shou

    ldb

    eaw

    are

    ofth

    eco

    nseq

    uenc

    eso

    fpa

    rtic

    ipat

    ing

    infr

    aud

    agai

    nstU

    SCIS

    .Th

    eys

    houl

    dal

    sob

    ein

    stru

    cted

    on

    how

    tor

    epor

    tsol

    icita

    tions

    mad

    eto

    com

    mit

    frau

    d.

Area of Concern: Enterprise Risk Management

Responsible Personnel: USCIS Leadership; ISSOs; Data Owners; Information Technology

Policy and/or Security Measure: Individual organizations within USCIS do risk management related to their particular domain. For instance, IT does risk management from an IT perspective, and Financial Management does financial risk management.

Policy or Practice Gaps: USCIS personnel stated there is no enterprise risk management process for analyzing the organization's overall risk.

In interviews, some USCIS staff, including some ISSOs, data owners, and OIT staff, seemed to view loss of PII as the most important insider threat risk. All of the assessment questions were answered in the context of loss of PII. When we asked specifically what they see as the biggest insider threat risk, everyone seemed to agree it is creation of real citizenship documents for people who should not have them. In fact, interviewees at the Vermont Service Center categorized the functions characterized by the highest risk as follows:

1) Unlawful alien in the United States granted nonimmigrant status
2) Someone with nonimmigrant status granted permanent residency, which means he or she can live and work indefinitely in the United States and also can petition for relatives

The Vermont Service Center is implementing separation of duties for performing functions #1 and #2 above (granting nonimmigrant status and moving someone from nonimmigrant status to permanent residency) so that one USCIS adjudicator alone cannot take an applicant from unlawful to permanent resident. These two functions will be performed at different physical locations 29 miles apart. The Vermont Service Center has not had an adjudicator who performed both functions #1 and #2 for the same applicant. This decision demonstrates that leadership at the Vermont Service Center recognizes the significant risk of creating legal citizenship documents for illegal aliens and is taking steps to mitigate that risk. However, our insider threat assessment has uncovered other issues that could be addressed to mitigate that risk.

Suggested Countermeasures: We suggest that USCIS institute an enterprise risk management program. Without a common vision for risk management, the ISSOs and all organizations within USCIS cannot effectively understand the risk environment and work together to effectively mitigate risk.

Again, an enterprise risk management program will ensure that everyone across USCIS is working together to mitigate the highest priority risks. There are regulations and laws surrounding protection of PII, but focusing primarily on that issue can lead to a false sense of security if other more important risk areas are given less attention.

Again, a formal risk analysis would enable USCIS to thoroughly examine the issues and prioritize countermeasures using a formal process. For example, an alternative to the physical move could be to implement an audit mechanism to look for adjudicators who performed both functions #1 and #2 for the same applicant.
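The audit mechanism suggested above, run over an adjudication audit trail to flag any adjudicator who performed both function #1 and function #2 for the same applicant, as an added example in Python (not from the report or from USCIS). The audit-line format, action names and sample rows are constructed for illustration.

```python
"""Separation-of-duties audit check (added example, not from the report).

Flags any adjudicator who performed both function #1 (granting nonimmigrant
status) and function #2 (granting permanent residency) for the same applicant.
The audit-line format, field names and sample rows are constructed for
illustration; a real check would read the adjudication system's own audit trail.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed action names for the two controlled functions.
FUNC_NONIMMIGRANT = "GRANT_NONIMMIGRANT_STATUS"  # function #1
FUNC_PERMANENT = "GRANT_PERMANENT_RESIDENCY"     # function #2
CONTROLLED_FUNCTIONS = frozenset({FUNC_NONIMMIGRANT, FUNC_PERMANENT})


@dataclass(frozen=True)
class AdjudicationEvent:
    when: datetime
    applicant_id: str
    adjudicator_id: str
    function: str


def parse_audit_line(line: str) -> AdjudicationEvent:
    """Parse one constructed audit line: ISO timestamp, applicant, adjudicator, function."""
    when, applicant, adjudicator, function = (f.strip() for f in line.split(","))
    return AdjudicationEvent(datetime.fromisoformat(when), applicant, adjudicator, function)


def find_sod_violations(events):
    """Return {applicant_id: adjudicator_id} for each applicant where one
    adjudicator performed both controlled functions."""
    # applicant -> adjudicator -> controlled functions that adjudicator performed
    seen = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev.function in CONTROLLED_FUNCTIONS:
            seen[ev.applicant_id][ev.adjudicator_id].add(ev.function)
    return {
        applicant: adjudicator
        for applicant, by_adjudicator in seen.items()
        for adjudicator, functions in by_adjudicator.items()
        if functions == CONTROLLED_FUNCTIONS
    }


def audit(lines):
    """Parse raw audit lines and return sorted (applicant, adjudicator) findings."""
    events = [parse_audit_line(line) for line in lines if line.strip()]
    return sorted(find_sod_violations(events).items())


# Constructed sample audit trail.  A-1001 passed through two different
# adjudicators, which is what the control intends.  A-1002 was taken from
# nonimmigrant status to permanent residency by the same adjudicator (adj-17),
# so it is a finding.  A-1003 received only one controlled function.
SAMPLE_AUDIT_LINES = """
2010-03-02T09:14:00, A-1001, adj-17, GRANT_NONIMMIGRANT_STATUS
2010-07-19T14:02:00, A-1001, adj-42, GRANT_PERMANENT_RESIDENCY
2010-03-03T10:30:00, A-1002, adj-17, GRANT_NONIMMIGRANT_STATUS
2010-08-11T11:45:00, A-1002, adj-17, GRANT_PERMANENT_RESIDENCY
2010-04-21T08:05:00, A-1003, adj-42, GRANT_NONIMMIGRANT_STATUS
2010-04-22T08:05:00, A-1003, adj-42, UPDATE_ADDRESS
""".strip().splitlines()

if __name__ == "__main__":
    for applicant, adjudicator in audit(SAMPLE_AUDIT_LINES):
        print(f"SoD finding: {adjudicator} performed both functions for {applicant}")
```

Run periodically against the full audit trail, the same check also catches the case where the two grants were years apart, which a review of either decision on its own would not reveal.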

Area of Concern: Enterprise Wide Communication

Responsible Personnel: USCIS Leadership

Policy and/or Security Measure: No evidence provided

Policy or Practice Gaps: There is no consistency of controls from one service center to the next. We were told they each operate fairly independently.

Suggested Countermeasures: USCIS would benefit from ongoing communications about risk based issues between the service centers. For instance, communications concerning problems, effective countermeasures, modifications to business processes, or ideas for countering increased risk could lead to an improved risk posture for the entire USCIS enterprise.

Area of Concern: Continual Security Process Improvement

Responsible Personnel: USCIS Leadership; ISSOs; Data Owners; Information Technology

Policy and/or Security Measure: The USCIS Convictions Task Force is an excellent forum for analyzing past criminal cases and determining measures that should be instituted to prevent similar crimes in the future.

Policy or Practice Gaps: There is no process for following up on a case after the Office of Special Investigation (OSI) finishes an investigation. The Convictions Task Force is the only process we found for formal tracking, analysis, and process improvement based on actual incidents. The assessment team asked various groups if there is any follow up to incidents, for instance implementing automated scripts or controls to detect the same incident in the future. The team could not find a single person who knows of such an activity. Many examples of employee misconduct cited to the assessment team could easily have been detected or even prevented via automated controls. In addition, there is no mechanism for communicating issues outside of a given service center.

Suggested Countermeasures: In nearly 25% (91) of the cases in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 of these cases, it was because of inadequate auditing of irregular processes. In 29 of the cases, the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analysis of the OSI's findings and the development of automated checks implemented nationally.

Area of Concern: USCIS Employees are Potential Targets for Recruitment

Responsible Personnel: Human Resources; Physical Security

Policy and/or Security Measure: No evidence provided

Policy or Practice Gaps: Some USCIS employees interviewed have received a request for assistance from a friend, relative, or stranger seeking to promote a case for some form of applicant. One adjudicator said he does not tell others who he works for. However, the distinctive green parking sticker on his car could, in a small town like Burlington, VT, reveal the identity of his employer. USCIS personnel are therefore unusually vulnerable to solicitation by outsiders.

Suggested Countermeasures: Twenty-nine percent of the insiders in the CERT Insider Threat Case database were recruited by outsiders to commit their crimes. USCIS should consider increasing the security awareness training provided to USCIS employees and contractors. The training should be continuous, including portions intended to raise awareness of the potential target that USCIS employees present. All employees should be aware of the consequences of participating in fraud against USCIS as well as how to report solicitations made to commit fraud.

Area of Concern: Transformation

Responsible Personnel: USCIS Leadership; Data Owners; Information Technology; Human Resources

Policy and/or Security Measure: Transformation is a large business process reengineering effort in USCIS that is primarily focused on improved customer service and fraud detection. For example, the assessment team was told that Transformation will automatically validate data in CLAIMS against other external systems (e.g., ICE and FBI), and that security requirements and controls have been identified by current C3 LAN data owners.

Policy or Practice Gaps: Transformation was mentioned in most interviews for this assessment. It appears that USCIS is relying heavily upon Transformation to correct many of the problems resulting from legacy systems. However, it is unclear whether internal personnel security and information security concerns will be included in this program. Reading the Transformation requirements documentation, it is not clear that insiders are considered in the security requirements for prevention and detection of fraud or national security in USCIS systems.

Suggested Countermeasures: This reliance on a single effort makes the effectiveness of this effort very important. USCIS should consider the Transformation project from an enterprise wide perspective. It is important for it to use a formal requirements gathering process in order to effectively mitigate both internal and external threats. Personnel security should be included, as well as information security, to ensure that the appropriate internal controls are in place to reduce the risk posed by malicious insiders.

Training and Awareness

It is essential that security awareness training be consistently provided to all employees to ensure that security policies and practices are institutionalized throughout an organization. Many times, coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure by coworkers or others in an organization to report concerning behavior was a primary reason insiders in the CERT Insider Threat Case database were able to set up or carry out their attacks. USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site, with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.

Area of Concern: Training or Skills Required of Those in Appointed Security Roles

Responsible Personnel: USCIS Leadership

Policy and/or Security Measure: USCIS has a training process through an in