Insiders pose a real threat to any digital environment due to their knowledge of and access to internal systems and information.
Stripe's Insider Threat Common Controls Framework (ITCCF) is a crucial component of insider risk management. It serves as a roadmap to identify gaps and areas for improvement, and to prioritize investments and plan future work effectively.
This framework is benchmarked against industry standards and best practices (for example, NIST, ISO, NITTF, CISA) and tailored to a given environment.
The ultimate goal of the ITCCF is to identify areas of significant exposure and prioritize investments that will strengthen the collective ability to prevent, detect, respond to, and mitigate the impact of an insider threat. The aim is to move foundational areas to more established or advanced maturity.
Within the ITCCF, each control is evaluated against five defined maturity levels:
- Level 1: The capability may be entirely non-existent or applied so inconsistently that its effectiveness cannot be relied upon. Where it does exist, it is unpredictable and reactive, with no formally defined process or consistent application.
- Level 2: The control capability is managed at a basic level, but it often operates in a silo and may not be consistently applied across the entire organization. Implementation is mostly reactive.
- Level 3: The control capability is proactive and standardized, with formalized processes, policies, and tools. The control is understood and applied more widely across the organization, though there are still opportunities for optimization and broader adoption.
- Level 4: The control capability is measured and data-driven. The organization uses statistical and other quantitative methods to measure the performance and effectiveness of the control. Performance is predictable and controlled within defined limits, and data is used to drive objective decision-making and performance improvement.
- Level 5: The control capability is stable, flexible, and focused on continuous improvement and innovation. The organization uses the stable foundation from Level 4 to proactively identify, evaluate, and deploy improvements that incrementally and continuously raise performance. The focus is on preventing future problems, adapting to change, and pushing the boundaries of what is possible.
The framework is broken out into three pillars: Prevention, Detection, and Response.
Each pillar contains the following elements:
Control #: A unique identifier for each high-level control (for example, P-1, R-5, D-2). This is the main security practice being assessed within the pillar. Some controls are similar across pillars; however, each should be assessed with respect to the pillar it belongs to.
- Below each control name row in the Evidence tabs, the current and target control maturity are recorded. The current level is set by the least mature piece of control evidence, aggregated across the control's sub-controls.
Sub-controls:
- More granular items under a main Control # (for example, P-1.1, P-1.2). These break the broader control down into specific pieces. The overall control maturity assessment is an aggregate of the sub-control assessments and their evidence mapping. Sub-controls are accessible via the nested dropdowns on the left-hand side in combined views.
Evidence artifacts (to be added by the assessor):
- Under each sub-control, add evidence artifacts that support the maturity assessment of that sub-control. List each artifact against the maturity level it matches.
- Using the maturity definitions, assign a maturity level (1–5) to each sub-control based on the evidence, and list the evidence artifacts under the sub-control as the rationale for that rating. If multiple pieces of evidence vary in maturity, document why the chosen level was selected (the parent control uses the "least mature evidence" approach).
- Aggregate the sub-control ratings to determine the overall Control # maturity. By default, use the least-mature sub-control (the conservative approach) and document any deviations or weighting decisions.
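The following is an added worked example of the rating and aggregation rules above; it is not Stripe's own assessment tooling. It applies the least-mature rule at both levels (evidence to sub-control, sub-control to control), refuses any deviation that lacks a documented rationale, and orders controls by their gap to target so the output reads as a prioritization list. The control identifiers, evidence descriptions, maturity levels and targets are constructed sample data, and the assumption that a target is set per control (rather than per sub-control) is mine.

```python
"""Worked example of the ITCCF maturity aggregation rules.

Added illustration, not Stripe's own tooling. All identifiers, evidence
descriptions, levels and targets below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

MIN_LEVEL, MAX_LEVEL = 1, 5


@dataclass
class Evidence:
    description: str
    level: int                          # maturity level this artifact supports (1-5)


@dataclass
class SubControl:
    sub_id: str                         # e.g. "P-1.1"
    evidence: list[Evidence]
    override_level: int | None = None   # assessor deviation from least-mature evidence
    override_rationale: str = ""        # required whenever override_level is set


@dataclass
class Control:
    control_id: str                     # e.g. "P-1"
    target: int                         # assumed here to be set per control
    sub_controls: list[SubControl]
    override_level: int | None = None   # documented weighting decision at control level
    override_rationale: str = ""


def _check_level(level: int, where: str) -> None:
    if not MIN_LEVEL <= level <= MAX_LEVEL:
        raise ValueError(f"{where}: level {level} outside {MIN_LEVEL}-{MAX_LEVEL}")


def _apply_override(least: int, level: int | None, rationale: str, where: str) -> int:
    """Default is the least-mature rating; any deviation must carry a rationale."""
    if level is None:
        return least
    _check_level(level, f"{where} override")
    if not rationale.strip():
        raise ValueError(f"{where}: deviation from least-mature rating needs a documented rationale")
    return level


def rate_sub_control(sc: SubControl) -> int:
    """Rate a sub-control from its evidence artifacts."""
    if not sc.evidence:
        raise ValueError(f"{sc.sub_id}: no evidence artifacts, cannot assign a maturity level")
    for ev in sc.evidence:
        _check_level(ev.level, f"{sc.sub_id} evidence {ev.description!r}")
    least = min(ev.level for ev in sc.evidence)
    return _apply_override(least, sc.override_level, sc.override_rationale, sc.sub_id)


def rate_control(ctl: Control) -> dict:
    """Aggregate sub-control ratings conservatively and report the gap to target."""
    _check_level(ctl.target, f"{ctl.control_id} target")
    ratings = {sc.sub_id: rate_sub_control(sc) for sc in ctl.sub_controls}
    least = min(ratings.values())
    current = _apply_override(least, ctl.override_level, ctl.override_rationale, ctl.control_id)
    return {
        "control_id": ctl.control_id,
        "current": current,
        "target": ctl.target,
        "gap": max(ctl.target - current, 0),
        "sub_controls": ratings,
        # sub-controls holding the parent below target: where to invest first
        "below_target": sorted(s for s, r in ratings.items() if r < ctl.target),
    }


def prioritize(controls: list[Control]) -> list[dict]:
    """Largest gap first, so the most exposed controls head the roadmap."""
    return sorted((rate_control(c) for c in controls), key=lambda r: (-r["gap"], r["control_id"]))


# Constructed sample assessment (hypothetical data, not a real ITCCF result).
SAMPLE = [
    Control("P-1", target=4, sub_controls=[
        SubControl("P-1.1", [
            Evidence("Access review policy published", 3),
            Evidence("Quarterly reviews executed and tracked in ticketing", 3),
        ]),
        SubControl("P-1.2", [
            Evidence("Manual offboarding checklist", 2),
            Evidence("Automated deprovisioning for all in-scope systems", 3),
        ], override_level=3,
           override_rationale="Checklist retired last quarter; automation covers every in-scope system"),
        SubControl("P-1.3", [Evidence("Ad hoc spreadsheet of contractor access", 1)]),
    ]),
    Control("D-2", target=3, sub_controls=[
        SubControl("D-2.1", [Evidence("DLP alerts tuned; metrics dashboard reviewed monthly", 4)]),
        SubControl("D-2.2", [
            Evidence("Behavioral baselines established", 3),
            Evidence("Alert triage SLA measured weekly", 4),
        ]),
    ]),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(f"{row['control_id']}: current {row['current']} / target {row['target']} "
              f"(gap {row['gap']}); below target: {', '.join(row['below_target']) or 'none'}")
```

In the sample, P-1.2 illustrates a documented deviation (the lower-rated artifact is superseded, so the assessor rates the sub-control at 3 rather than 2), while P-1.3's single level-1 artifact pulls the whole of P-1 down to 1 under the conservative rule. D-2 sits at its target because its least-mature sub-control already meets it.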