SPED- Insider Threat
Which Insider Threat Hub operation are you performing if you observe a behavior or activity that may indicate an individual is at greater risk of becoming a threat?
Detect
Ease of movement within a facility is an appropriate justification for obtaining a security clearance eligibility.
False
Foreign relations do not play a part in how our national security is defined.
False
Insider Threat Hubs must make sure to follow policy releases, updates, and modifications but must wait to incorporate the changes until the courts ensure there is relevant case law.
False
Leadership will always approve recommendations made when analytic tradecraft is used to support conclusions.
False
Insider Threat Analysts are responsible for
Gathering and providing data for others to review and analyze c. Providing subject matter expertise and direct support to the insider threat program d. Producing analytic products to support leadership decisions.
What are examples of governance?
Implementing banners telling users their activity is being monitored b. Establishing privileges and special rights
According to the minimum standards, which activities are appropriate for an insider threat program to conduct in regards to classified network monitoring?
Monitor system activity b. Monitor individual user activity c. Establish policies and procedures to protect the organization's information systems and networks
What are examples of user activity monitoring?
Monitoring user search activities d. Monitoring downloads
Which Insider Threat requirements would you refer to if your organization is a cleared defense contractor?
NISPOM
What process can be used by the Insider Threat Program to prevent the inadvertent compromise of sensitive or classified information?
OPSEC
When developing your data collection protocols, what criteria must your threat indicators meet?
They should use consistent data collection methods b. They are observable, from a reliable source, and gathered in accordance with laws and regulations c. They should be valid, reliable, relevant, and considered in context
Which are examples of system activity monitoring?
Tracking system restarts and shutdowns Monitoring logon/logoffs
Analytic thinking can be thought of as a step in the critical thinking process.
True
Delayed reporting may weaken your organization's ability to integrate data from multiple sources.
True
Each indicator should measure only one thing but may be combined with other indicators to identify risk.
True
Foreign Intelligence Entity (FIE) is defined in DoD Directive 5240.06 as "any known or suspected foreign organization, person, or group (public, private, or governmental) that conducts intelligence activities to acquire U.S. information, block or impair U.S. intelligence collection, influence U.S. policy, or disrupt U.S. systems and programs. The term includes foreign intelligence and security services and international terrorists."
True
If the Media is waiting where a sensitive DoD program will be tested, this could be a Security Anomaly.
True
Improper handling of insider threat matters may reduce vigilance and reporting in the workforce.
True
Insider Threat Programs must be careful to distinguish between unauthorized disclosures and whistleblowing activities and ensure that their actions do not impede the exercise of free speech or constitutional liberties.
True
Lisa's insider threat program does not have the capability to monitor user activity on classified networks. The program is not meeting the Minimum Standards.
True
Jane's organization is establishing an insider threat program. What are additional considerations it should take into account?
Who are our key agency stakeholders b. What resources do we have available? c. What capabilities do we already have in place?d. How will we incorporate subordinate entities?e. How will our program apply to contractors?
In a records check, the Insider Threat Program finds that Louis was educated at the University of Paris and owes a substantial amount in student loans. Is this a potential risk indicator (PRI)?
Yes
Which law protects Federal employees from actual or threatened unfavorable personnel actions or actual or threatened withholding of favorable personnel actions for making or preparing to make protected disclosures?
a. 10 USC 1034, Protected Communications b. Whistleblower Protection Act Incorrect c. The No Fear Act d. The Freedom of Information Act
If an individual files a complaint alleging an organization conducted an unlawful search of their personal vehicle while it was in the organization's parking lot, which Constitutional amendment would this complaint fall under?
a. 4th Amendment
Which describes how audit logs support continuous monitoring?
a. Audit logs run in a privileged mode and record all user activities such as unauthorized activity, access attempts, and modifications to folders, files, and directories.
Which Insider Threat team role involves identifying, describing, and documenting the types of risky behavior and conduct that an insider analyst looks for?
a. Behavioral Science Specialist
How do the Intelligence Community (IC) Analytic Standards protect individual privacy and civil liberties in analytic products?
a. By ensuring objectivity, timeliness, relevance, and accuracy of personally identifiable information.
Which are examples of countermeasure used to guard against suspicious network activity via cyber intrusion, viruses, malware, and backdoor attacks?
a. Conducting frequent audits b. Not relying on firewalls to protect against all attacks c. Reporting intrusion attempts d. Avoiding responding to unknown requests and report them
What must you do when reporting information?
a. Consider the classification level of the information b. Protect the individual's privacy d. Transmit the information securely
Which type of Insider Threat Program is required to report to the DoD Insider Threat Management and Analysis Center (DITMAC)?
a. DoD Insider Threat Programs
Which best describes the considerations for formulating an insider threat mitigation response?
a. Establish a goal, acknowledge assumptions, seek alternative viewpoints, ground claims
Which issues must be referred to counterintelligence and/or law enforcement?
a. Foreign intelligence entity (FIE) activity c. Criminal activity d. Physical or cyber breaches
Which are possible negative impacts of a disproportionate mitigation response?
a. Hesitancy to report b. Reduced vigilance c. Disgruntlement
Jose's organization is establishing an insider threat program by setting up a Working Group. Which stakeholders should he include?
a. Human resources b. Security c. Information assurance d. Office of the General Counsel (OGC)
Which type of information must DoD Insider Threat Programs report to the DoD Insider Threat Management and Analysis Center (DITMAC)?
a. Imminent threats of harm or violence b. Destruction or compromise of resources c. Behavior or activity that meets the DITMAC reporting threshold
Jack is in charge of his organization's insider threat program. He is receiving push-back from some personnel who feel that the presence of an insider threat within the organization would be obvious, so a formal program is unnecessary. Jack should explain that the challenges to detecting insider threats include:
a. Insiders may operate over a long period of time b. Employees often fail to report suspicious behavior c. Unwitting insiders can also inflict serious harm d. It can be difficult for individuals alone to distinguish malicious actions from legitimate ones
With respect to the insider threat, what does the national policy established in Executive Order 13587 require?
a. It requires government agencies to establish their own insider threat programs.
Analytic products must accomplish which of the following?
a. Make accurate, clear, and precise judgments based on available information with acknowledgment of information gaps, timing, and the nature of the outcome or development. c. Properly address uncertainties associated with major analytic judgments. d. Describe the quality and credibility of underlying sources, data, and methodologies.
What types of data sources are available to DoD Insider Threat Programs?
a. Open source data b. Federal records c. The DoD Insider Threat Management and Analysis Center (DITMAC) d. The organization's records
Insider Threat Programs must avoid infringing on an individual's rights and liberties as well as the perception of profiling or targeting individuals based what?
a. Other protected status b. Ethnicity c. Religious conviction
Which Insider Threat team member(s) is/are responsible for protecting Personally Identifiable Information from unauthorized release?
a. Program Analyst b. Program Managers c. Hub team members
How can Insider Threat Programs corroborate information and determine the validity of discrepant information located during records checks?
a. Rely on primary sources whenever possible b. Use multiple data sources
Which type of source is a news article?
a. Secondary source
During a records check, you find that Marco's employment application from three years ago reflects a college degree that Marco did not list on the SF-86, Questionnaire for National Security Positions that he completed a year ago. What should you do with this information?
a. Share the information with your Insider Threat Program
How can Insider Threat Programs protect classified information?
a. Transmit classified information via secure channels c. Contact the entity to receive the referral for requirements d. Mark classified information properly
Cyber Vulnerabilities to DoD Systems may include:
a. Viruses b. Weak passwords c. Illegal downloads d. Disgruntled or Co-opted employee
What is the catalyst for Insider Threat Program mitigation responses?
b. A detected potential risk indicator (PRI)
Analytic products should implement and exhibit which of the following?
b. Accurate judgements and assessments
Which best practice ensures that any best practices incorporated in your program are within your authority and do not impinge on privacy or civil liberties?
b. Consult with legal counsel
This tool can undermine and show weakness of the primary view.
b. Devil's advocacy
A brainstorming technique that lets ideas build upon another, without judgment so that they can be clustered and winnowed to select promising ideas.
b. Divergent/Convergent Thinking
Which describes how configuration management controls enable continuous monitoring?
b. Ensures information security c. Supports organizational risk management d. Ensures protection features are implemented and maintained
Thomas must establish an insider threat program for his organization. Where can he find the standards his program must meet?
b. Executive Order 13587
Analysts should produce analytic products that accomplish which of the following?
b. Express judgments as clearly and precisely as possible.
What rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing?
b. HIPAA Privacy Rule
When analysts ensure their analytic assessments are not distorted or shaped by advocacy of a particular audience, they are applying which analytic standard?
b. Independent of Political Consideration
An internal referral to human resources or security is an example of which type of response?
b. Individual response
To meet the Minimum Standards, what kind of insider threat training must Allen's organization provide?
b. It must provide specific training for insider threat program personnel and awareness and reporting for cleared personnel.
What organization activities may increase the risk of an insider threat incident?
b. New computer software/systems c. Deployments d. Hiring waves / Layoffs
When requesting records outside of your organization, which of the following must you do?
b. Provide a Privacy Act advisement to the records custodian
Which are benefits of integrated risk management?
b. Provides operational integration and interoperability c. Supports organization-wide risk awareness and operational resilience d. Ensures traceability and transparency
Which term matches the definition? The facts and circumstances are such that a reasonable person would hold the belief.
b. Reasonable belief
Which are considered benefits of creating and maintaining auditable records of your program's actions?
b. They identify trends and other patterns useful for evaluating risk c. They help justify funding for your program d. They are required by policy for internal audits
You have observed suspicious behavior and need to report the incident. To whom do you report the information?
b. Your supervisor and your Office of Security
Which statement best reflects how analysts can avoid common analytic mistakes?
c. Apply structured analysis before considering potential solutions or coming to conclusions.
When analysts address critical information gaps before providing a judgment, they are applying which analytic standard?
c. Based on Available Sources of Intelligence Information
What are rules of Divergent Thinking
c. Build one idea upon another. All ideas are accepted Don't evaluate the ideas
How do Insider Threat Programs ensure their actions are not based on legally protected behaviors or activities?
c. By adhering to accepted potential risk indicators
Which type of record may contain information about bankruptcies, divorces, and probate?
c. Civil court records
Which statements describe critical thinking?
c. Critical thinking analyzes and evaluates various sources of information to make a holistic judgment.
The national policy in Executive Order 13587 defines insider threat programs to include what?
c. Deterring cleared employees from becoming insider threats
Which is a legal principle that excludes from introduction at trial any evidence developed as a result of an illegal search or seizure?
c. Fruit of the poisonous tree doctrine
What must Insider Threat Program actions be based on in order to maintain an even-handed approach?
c. Insider Threat Policy
Which allows the Insider Threat Program time to plan a response, ensures the privacy of the individual, and preserves potential evidence?
c. Keeping the individual unaware that they have been identified as a potential insider threat
Which organization's reports may offer some insight into the types of recommendations they make to protect civil liberties in pending policy and law?
c. Privacy and Civil Liberties Oversight Board
What should you do if you are having trouble obtaining information because employees, supervisors and/or managers are afraid of getting in trouble for sharing information or that the person they are reporting on will have their rights violated?
c. Remind them that Insider Threat Program personnel may lawfully access information by virtue of their position
In the critical pathway model of insider threat, personal predispositions and stressors often emerge as:
c. potential risk indicators (PRIs)
Who is responsible for working with an organization's senior leadership to determine a hub's resource and staffing needs?
d. ) Insider Threat Program Senior Leader
Who sets the potential risk indicators (PRIs) used by DoD Insider Threat Programs?
d. DoD Insider Threat Management and Analysis Center (DITMAC)
Necessary privacy and security safeguards, including role-based access to data and oversight of program personnel and system administrators, falls under which tenet of the Principle of Confidentiality?
d. Fair information practices
Which Insider Threat team role is very familiar with employee assistance programs and the protection of Personally Identifiable Information?
d. Human Resource Specialist
Which discipline may be able to offer criminal threat briefings?
d. Law Enforcement Correct
Insider Threat hub operations include activities to deter risks associated with the insider threat. Which deterrence activity are you conducting when you disseminate insider threat vigilance materials?
d. Train and exercise the workforce