Applied Frameworks

Insider Risk Standards Hub

Insider risk programs operate across several overlapping bodies of guidance—from cybersecurity controls and GRC frameworks to privacy regulations and industry mandates. The Insider Risk Capability Framework™ (IRCF™) is ITMG’s structured capability model for organizing, assessing, and improving insider-risk programs. It draws from relevant public standards, control frameworks, and insider-threat guidance and translates them into a practical operating model for program capability, maturity, ownership, and measurable improvement. This hub organizes those source standards and maps them directly to corresponding IRCF™ capabilities.

Standard Families
4 Core Domains
Detailed Frameworks
24 Industry Standards
Cross Comparisons
3 Side-by-Sides
Alignment
100% IRCF™ Capability

Framework Coverage Matrix

Expand to search and explore which cybersecurity, GRC, and compliance frameworks cover specific insider risk outcomes.

Cross-Framework Comparison Guides

Compare the specific capability structure of the Insider Risk Capability Framework™ (IRCF™) directly against general standards such as NIST CSF 2.0, CISA guidelines, and the CERT Common Sense Guide.

Standard & Framework Reference Library

Select a standard family to browse and explore detailed insider risk reference mappings.

Cybersecurity & Control Catalogs

NIST Cybersecurity Framework 2.0 and Insider Risk

NIST CSF 2.0 provides a common language for governing, identifying, protecting, detecting, responding to, and recovering from cybersecurity risk. For insider risk, it helps connect trusted-access exposure to enterprise risk management and executive communication.

Primary: GovernanceReviewed 2026
Cybersecurity & Control Catalogs

NIST SP 800-53 Rev. 5 and Insider Risk

NIST SP 800-53 Rev. 5 provides a broad catalog of security and privacy controls. Insider risk programs can use it to identify control families that reduce exposure across access, audit, personnel, incident response, privacy, and data protection.

Primary: Oversight and ComplianceReviewed 2026
Insider-Risk-Specific Guidance

CISA Insider Threat Mitigation Guide and Insider Risk

The CISA Insider Threat Mitigation Guide provides comprehensive, scalable guidance for establishing or enhancing insider threat prevention and mitigation programs across public and private organizations.

Primary: GovernanceReviewed 2026
Cybersecurity & Control Catalogs

CISA Insider Risk Mitigation Program Evaluation and Insider Risk

CISA IRMPE is a self-assessment resource for evaluating insider risk program maturity and identifying program improvement opportunities.

Primary: Risk Management and ReportingReviewed 2026
Cybersecurity & Control Catalogs

CERT Common Sense Guide and Insider Risk

The CERT Common Sense Guide provides insider threat mitigation best practices informed by CERT research and insider case analysis. It is useful for program design, monitoring governance, privacy-aware practices, and organizational resilience.

Primary: Personnel AssuranceReviewed 2026
Cybersecurity & Control Catalogs

NISPOM / 32 CFR Part 117 and Insider Risk

NISPOM / 32 CFR Part 117 establishes requirements for organizations participating in the National Industrial Security Program, including cleared contractor insider threat program obligations.

Primary: Oversight and ComplianceReviewed 2026
Cybersecurity & Control Catalogs

ISO/IEC 27001 and ISO/IEC 27002 and Insider Risk

ISO/IEC 27001 defines requirements for an information security management system, while ISO/IEC 27002 provides guidance for information security controls. Together they help structure insider risk governance, risk treatment, controls, and continual improvement.

Primary: GovernanceReviewed 2026
Cybersecurity & Control Catalogs

SOC 2 Trust Services Criteria and Insider Risk

SOC 2 evaluates the design and operating effectiveness of controls relevant to security, availability, processing integrity, confidentiality, and privacy. Insider risk is especially relevant to service organizations that handle customer data, privileged access, or sensitive systems.

Primary: Oversight and ComplianceReviewed 2026
Cybersecurity & Control Catalogs

CIS Controls v8.1 and Insider Risk

CIS Controls v8.1 provides prioritized safeguards for cyber hygiene. Insider risk programs can use CIS Controls to strengthen asset visibility, identity control, data protection, logging, monitoring, vulnerability management, and incident response.

Primary: Data ProtectionReviewed 2026
Cybersecurity & Control Catalogs

MITRE ATT&CK and Insider Risk

MITRE ATT&CK describes adversary tactics and techniques based on observed behavior. For insider risk, it helps detection engineering and investigations describe cyber-enabled misuse, credential abuse, persistence, discovery, collection, exfiltration, and impact.

Primary: AnalysisReviewed 2026
Cybersecurity & Control Catalogs

Insider Threat Matrix and Insider Risk

The Insider Threat Matrix(TM) is an open framework maintained by Forscie Limited for computer-enabled insider threat investigations. It provides investigation language across motive, means, preparation, infringement, and anti-forensics.

Primary: InvestigationReviewed 2026
Cybersecurity & Control Catalogs

NIST Privacy Framework and Insider Risk

The NIST Privacy Framework helps organizations identify and manage privacy risk. It is relevant to insider risk where monitoring, analytics, case management, workforce data, and personal information are used to detect or investigate risk.

Primary: Oversight and ComplianceReviewed 2026
Cybersecurity & Control Catalogs

NIST AI Risk Management Framework and Insider Risk

NIST AI RMF helps organizations manage risks from AI systems. Insider risk programs can use it to govern employee AI use, AI-assisted workflows, model access, sensitive prompt data, AI copilots, and AI-enabled data leakage.

Primary: GovernanceReviewed 2026
Cybersecurity & Control Catalogs

NIST SP 800-61 Rev. 3 and Insider Risk

NIST SP 800-61 Rev. 3 provides incident response recommendations aligned with CSF 2.0. Insider risk programs can use it to integrate insider events into preparation, detection, analysis, containment, recovery, and improvement.

Primary: InvestigationReviewed 2026
Cybersecurity & Control Catalogs

CMMC / NIST SP 800-171 and Insider Risk

CMMC and NIST SP 800-171 are central to protecting controlled unclassified information in defense supply chains. Insider risk is relevant wherever users, contractors, developers, administrators, or suppliers can access CUI.

Primary: Data ProtectionReviewed 2026
Cybersecurity & Control Catalogs

ISO 31000 and ISO/IEC 27005 and Insider Risk

ISO 31000 and ISO/IEC 27005 help organizations structure risk management and information security risk analysis. Insider risk programs can use them to connect scenario analysis, treatment, risk acceptance, monitoring, and executive decision-making.

Primary: Risk Management and ReportingReviewed 2026
Cybersecurity & Control Catalogs

COBIT and Insider Risk

COBIT provides governance and management objectives for enterprise IT. Insider risk programs can use COBIT to align board oversight, management accountability, controls, metrics, assurance, and IT governance processes.

Primary: GovernanceReviewed 2026
Cybersecurity & Control Catalogs

FAIR and Insider Risk

FAIR provides a model for quantifying information and operational risk in financial terms. Insider risk programs can use FAIR concepts to frame risk scenarios, loss event frequency, loss magnitude, and executive decision tradeoffs.

Primary: Risk Management and ReportingReviewed 2026
Cybersecurity & Control Catalogs

CSA Cloud Controls Matrix and Insider Risk

The Cloud Security Alliance Cloud Controls Matrix provides cloud security control domains. Insider risk programs can use it to address SaaS, cloud administrators, managed service providers, cloud data exposure, and shared-responsibility controls.

Primary: Data ProtectionReviewed 2026
Privacy, AI & Regulated Data

PCI DSS and Insider Risk

PCI DSS applies to environments that store, process, or transmit payment card data. Insider risk programs can use PCI concepts to reduce access, logging, monitoring, and data-handling exposure in cardholder data environments.

Primary: Data ProtectionReviewed 2026
Cybersecurity & Control Catalogs

HIPAA Security Rule and Insider Risk

The HIPAA Security Rule establishes safeguards for electronic protected health information. Healthcare insider risk programs can use it to address snooping, unauthorized disclosure, access misuse, and workforce security.

Primary: Oversight and ComplianceReviewed 2026
Cybersecurity & Control Catalogs

GLBA Safeguards Rule and Insider Risk

The GLBA Safeguards Rule requires financial institutions to protect customer information through a written information security program. Insider risk programs can use it to address access, encryption, monitoring, vendor, and incident response controls.

Primary: Oversight and ComplianceReviewed 2026
Cybersecurity & Control Catalogs

SEC Regulation S-P and Insider Risk

SEC Regulation S-P addresses privacy notices and safeguards for customer records and information for covered financial entities. Insider risk is relevant to unauthorized access, misuse, and disclosure of customer information.

Primary: Oversight and ComplianceReviewed 2026

Frequently Asked Questions

Review common executive and practitioner questions regarding how industry standards, cybersecurity guides, and compliance protocols align to insider risk capabilities.

Strategic Exposure Analysis

Translate Static Standards into Prioritized Action

Use RiskTKO® or an ITMG® Guided Exposure Assessment to translate applicable standards into an insider risk exposure view, maturity priorities, and executive-ready evidence.