TECHNOLOGY: Results of Audit Assessing Company Controls to Protect Information Systems and Data from Insider Threats

Like other organizations, Amtrak (the company) faces the inherent cybersecurity risk that employees or contractors are “insider threats”—that is, that they could maliciously or unintentionally use information systems or data in a manner that harms the company. Insider threats may cause more harm and are more difficult to detect than external cyber‐attackers because individuals within an organization already have access to systems and data. Amtrak Office of Inspector General’s (OIG) recent investigations identified company employees and contractors who misused or took advantage of their system access and exposed sensitive company information. Accordingly, our objective was to assess the effectiveness of company controls to protect its information systems and data from insider threats. Given the sensitive nature of the report’s information, we are summarizing the results in this public version of the report.

Our assessment of the company’s controls to protect information systems and data from insider threats resulted in five recommendations. In commenting on a draft of this report, company executives agreed with our recommendations and identified actions that the company plans to take to address them.