Start the process of implementing insider threat controls in your organization by classifying critical information by confidentiality, integrity and availability with associated impact ratings. NIST SP 800-60 provides sample information categories and impact definitions.
Now that your data has been defined and classified by CIA rating, identify system boundaries. Boundaries should include systems, data flow, networks, people and hard copy printouts.
INSIDER RISK MANAGEMENT GUIDE
Introduction: Insider risk management guide
Baseline management and control
Implementation of baseline control
Risk management audit
Risk management references
This was first published in August 2006