Businesses Don't Get It What's particularly alarming is that the desire for security compliance doesn't sync with the effort businesses put toward training and education, both within the IT department and throughout the workforce. Monitoring user compliance ranked as the No. 1 security priority in a survey of 966 U.S. companies polled by InformationWeek Research and Accenture. Security policies typically define who has access to data, how it can be used, where customer data can and can't be stored, any potential legislation the company is subject to if the data is breached, and whether data must be encrypted. Still, more than half of U.S. companies surveyed say security technology and policy training would have no impact on alleviating employee-based breaches, a sentiment shared by more than half of the companies surveyed in Europe and China as part of the InformationWeek 2006 Global Security Survey. In fact, most companies surveyed worldwide admit they don't train their employees on information security policies and procedures on a regular basis, preferring instead to deliver ad hoc training. In the United States, the CIO typically works with IT directors, managers, and department heads to set security policies, according to InformationWeek Research. That's different from Europe, where the president or CEO is typically involved in setting security policies along with IT management and security administrators. But while a range of input can benefit security policies, it also results in a long development process, which is why policies don't always materialize ahead of problems. At Brown University, IT security director Connie Sadler is working with the general counsel, internal auditors, faculty, staff, and others to hammer out a policy to manage the downloading and storing of confidential information on laptops and other devices. But since this proposed policy will have a major impact on how people throughout the university work, it exists only as unenforceable guidelines. "Part of the reason we wrote this was to protect our technical staff," Sadler says, adding that she hopes to see these guidelines become policy within a year. "We ask the technical staff to make decisions about protecting data and decide who should access this data, but it's not their job. That's up to senior management." Given the increase in the number of data breaches, businesses can't allow security polices to become hampered by ambivalence and red tape. Next time, it could be your job on the line.
The Next Data Breach Could Mean Your IT Job
Does everyone at your company know what data shouldn't be stored on laptops or removable storage devices? Do they know where they can and can't take these devices? Is there a clear company policy on data that needs to be encrypted?
Having good answers to these questions about security policy doesn't just help safeguard data. For an IT or security pro, it could mean the difference between keeping his or her job and having to explain to the boss--or worse, law enforcement officers and government officials--the reasons for an embarrassing data breach that could cost big bucks to fix. IT professionals involved in enforcing security at places where data breaches have occurred, including the Veterans Affairs Department and Ohio University in Athens, have learned the hard way how alleged lack of policy enforcement can negatively affect a career.
The theft in May of a laptop containing the names, birth dates, and Social Security numbers of millions of current and former military personnel put a spotlight on the VA's poor security track record and stirred debate over whether there was any policy in place that would have stopped an employee from taking more than 26.5 million unencrypted data records home to work on a project. The laptop was stolen during a burglary of the employee's home. By the time it was turned in to the FBI in late June, Pedro Cadenas Jr., the VA official in charge of information security, had announced his resignation from the department, and Michael McLendon, deputy assistant secretary for policy, had resigned.
Rep. Bob Filner, D-Calif., has said that three VA documents indicate that the employee--a data analyst--was authorized to take a laptop and data home, contradicting an earlier statement by VA Secretary James Nicholson. Filner also criticized the lack of any VA security policy to violate and said in a statement, "That's the real negligence--that there were no policies."
Businesses Don't Get It What's particularly alarming is that the desire for security compliance doesn't sync with the effort businesses put toward training and education, both within the IT department and throughout the workforce. Monitoring user compliance ranked as the No. 1 security priority in a survey of 966 U.S. companies polled by InformationWeek Research and Accenture. Security policies typically define who has access to data, how it can be used, where customer data can and can't be stored, any potential legislation the company is subject to if the data is breached, and whether data must be encrypted. Still, more than half of U.S. companies surveyed say security technology and policy training would have no impact on alleviating employee-based breaches, a sentiment shared by more than half of the companies surveyed in Europe and China as part of the InformationWeek 2006 Global Security Survey. In fact, most companies surveyed worldwide admit they don't train their employees on information security policies and procedures on a regular basis, preferring instead to deliver ad hoc training. In the United States, the CIO typically works with IT directors, managers, and department heads to set security policies, according to InformationWeek Research. That's different from Europe, where the president or CEO is typically involved in setting security policies along with IT management and security administrators. But while a range of input can benefit security policies, it also results in a long development process, which is why policies don't always materialize ahead of problems. At Brown University, IT security director Connie Sadler is working with the general counsel, internal auditors, faculty, staff, and others to hammer out a policy to manage the downloading and storing of confidential information on laptops and other devices. But since this proposed policy will have a major impact on how people throughout the university work, it exists only as unenforceable guidelines. "Part of the reason we wrote this was to protect our technical staff," Sadler says, adding that she hopes to see these guidelines become policy within a year. "We ask the technical staff to make decisions about protecting data and decide who should access this data, but it's not their job. That's up to senior management." Given the increase in the number of data breaches, businesses can't allow security polices to become hampered by ambivalence and red tape. Next time, it could be your job on the line.
Businesses Don't Get It What's particularly alarming is that the desire for security compliance doesn't sync with the effort businesses put toward training and education, both within the IT department and throughout the workforce. Monitoring user compliance ranked as the No. 1 security priority in a survey of 966 U.S. companies polled by InformationWeek Research and Accenture. Security policies typically define who has access to data, how it can be used, where customer data can and can't be stored, any potential legislation the company is subject to if the data is breached, and whether data must be encrypted. Still, more than half of U.S. companies surveyed say security technology and policy training would have no impact on alleviating employee-based breaches, a sentiment shared by more than half of the companies surveyed in Europe and China as part of the InformationWeek 2006 Global Security Survey. In fact, most companies surveyed worldwide admit they don't train their employees on information security policies and procedures on a regular basis, preferring instead to deliver ad hoc training. In the United States, the CIO typically works with IT directors, managers, and department heads to set security policies, according to InformationWeek Research. That's different from Europe, where the president or CEO is typically involved in setting security policies along with IT management and security administrators. But while a range of input can benefit security policies, it also results in a long development process, which is why policies don't always materialize ahead of problems. At Brown University, IT security director Connie Sadler is working with the general counsel, internal auditors, faculty, staff, and others to hammer out a policy to manage the downloading and storing of confidential information on laptops and other devices. But since this proposed policy will have a major impact on how people throughout the university work, it exists only as unenforceable guidelines. "Part of the reason we wrote this was to protect our technical staff," Sadler says, adding that she hopes to see these guidelines become policy within a year. "We ask the technical staff to make decisions about protecting data and decide who should access this data, but it's not their job. That's up to senior management." Given the increase in the number of data breaches, businesses can't allow security polices to become hampered by ambivalence and red tape. Next time, it could be your job on the line.
Become a member to take advantage of more features, like commenting and voting.
Register or sign in today!