Posted by: David Scott
acceptable use, business policy, business risk, business security, data breach, data exposure, data security, data theft, IT policy, IT security, IT Wars, malware, the business-technology weave
[As necessary, please see the first article and Part II in this series]
Perhaps the most egregious problem facing the agency is network performance and security. Workstations frequently lose their wireless connection to the server, and internet access drops with it. Work is frequently lost, sometimes a lot of it: clients can lose most of an online application; they can lose a resume they are creating; they can lose letters; they can lose search windows holding important job leads. The list goes on.
The wireless network is unsecured: anyone can join it from inside or outside the building. Yet clients are advised that no personal hardware, such as laptops or thumb drives, is allowed in the room. Are there violations? Yes. Is there any policy or other formal means, perhaps periodic announcements, establishing acceptable use for the room and its resources? No. There is no Acceptable Use Policy. Thumb drives are frequently found sticking out of the front of PCs, forgotten by clients. That is a ready path for malware onto the workstations, and from there onto the network.
There are no regular trainings or staff meetings. Nothing keeps staff current with the present business-technology environment, let alone prepares them for challenges that are coming, and coming faster.
Worse: IT governance, from the titular authority at the agency down through the various department heads and managers, has an almost adversarial relationship with best practices, and even with common practices. Disciplines and methods that have been around for decades, well established and vetted, and critical to the weave of business and technology, are either poorly understood or set aside through ignorance. And that, happily, is where I come in: I am in a position to advise, negotiate, and institute some best-practice disciplines that are long overdue and sorely needed.
But there is nothing new here: I have seen similar environments. We all know they are out there, and many of you labor in them. I would be very interested in hearing your story. A note of caution: I DO NOT want to know the name of your company or agency, and please do not share details that might put your job security at risk. My entire thrust here is to make jobs safer, to make environments more secure, and to bring efficiency and accountability to security.
At the agency I presently counsel, I present assessments with proposed solutions, weighing the risk against both the cost of securing an area or issue and the cost of a potential bad outcome (such as a breach, an outage, or an exposure). If Business, that is, IT governance, turns down a proposed solution, or minimizes an assessment of genuine risk, they sign a statement acknowledging that they have been advised of the particular situation and recording their view of it. This is a sound way of protecting yourself while documenting known conditions, and documenting the business's decision either to make a change or to dismiss it as unnecessary or inadvisable.
If you would like, please comment in the Comments section; perhaps I can advise and help. I am always interested in the course of challenges within IT's support to Business.