Posted by: David Scott
It’s being reported that state budgets, increasingly in the red, are impacting cybersecurity – and not in a good way, as you may have suspected.
A NASCIO/Deloitte survey finds that many Chief Information Security Officers are reporting increased reliance on outsourced services, with a resulting difficulty in securing state data environments and their associated content, including personal information.
However, the problem is not funding alone. Some of this risk is being engendered by an associated lack of control experienced by these CISOs: a lack of “visibility and authority to effectively drive security down to the individual agency level,” according to Deloitte.
There is something that CISOs can do even where they lack the direct authority to enforce security – we’ll get to that. But first, in my own fact-finding and consulting, I’ve discovered something rather interesting: most organizations’ Acceptable Use policies have a security hole (you may wish to visit, or revisit, “Check Your Acceptable Use Policy: Is this missing?”). They make no mention of social networking liabilities; after all, many people avail themselves of social networking from organizational resources (workstations, connectivity, company time, etc.). It is definitely inappropriate and counter to any AU policy to make damaging remarks on company time, but personnel should understand that doing so at any time is counter to their good standing – work problems and conflicts have sanctioned channels for disposition: the supervisor, the supervisory chain, and Human Resources. ALSO: ensure personnel understand not to post egregious material elsewhere: comments on blogs and news articles, professional sites such as LinkedIn and Monster, entertainment areas such as YouTube, and so on. It’s a Wild (Cyber) World out there – move abreast of and ahead of the potentials.
Further, there is no “Watch what you do in the name of our domain” type of warning in any of the policies I’ve looked at. In other words: don’t post internal proprietary information, inflammatory opinions, rants, etc., under the aegis of JohnQPublic@OurCompanyName.com. (Check “Social Networking and the Blended Environment: What is Being Done in the Name of Your Domain?”.)
An alarming number of policies don’t even address data portability, with the associated best practices for securing that data against loss: portable drives, flash drives, CDs, laptops – even the carrying of official data on personal phones, etc.!
Perhaps the biggest liability: the absence of a User Agreement form at the end of these policies. The form should indicate that personnel a) understand the policy, b) agree to adhere to the policy, and c) are willing to sign their name, indicating understanding and the intention to comply. As importantly, this forces an opportunity to ask questions, so that the signer is fully informed and qualified to at least know how to adhere to the policy: expectations and requirements are fully understood by a fully educated and informed employee, contractor, outside solutions partner, value-added remarketer, etc.
Back to those CISOs who are feeling vulnerable, and what they can do: they should get the ear of their governance. Establish a protocol: everyone should read and sign an AU policy, and any other cautionary or controlling policies as appropriate, to ensure a united security front. A regularized schedule of training should also be considered, to deliver necessary updates to security awareness and practices.
One area that many organizations may wish to check today: call your insurer. Data breaches are estimated to cost many organizations between $100 and $180 per record. Ask about protections should your organization suffer a data breach, with resultant lawsuits and loss to the business. Make sure you understand your organization’s obligations under the relevant policies, so that you qualify for reimbursement should you ever file a claim. Recognize, too, that money you consider spending on an insurance plan might be better directed toward security itself. Today’s organizations must qualify themselves for evolving practices and discussions.
But the first priority, as stated before: most organizations enjoy security as a matter of luck; everyone must be a mini security officer these days. Evaluate every action and activity through security’s prism.
September 30th: On this day in 1960, The Flintstones premieres. It is the first prime-time animated show.