Subscribe
About

Regulating human behaviour

Therese van Wyk
By Therese van Wyk
Johannesburg, 17 Oct 2011

A thief planning to remove a physical asset from a company's premises has to factor in alarm systems, guards and fences. Hackers and competitors may find it much easier to whisk away critical information assets.

Company information is also at risk from insiders. Employees insist on access to company systems from their personal mobile devices. USB sticks sprout everywhere in the IT landscape. Less visibly, most database administrators can pull any information they desire out of the systems they look after.

For corporates, implementing an enterprise policy management tool for better compliance is expensive. But it can help create a truce between the CFO and CIO. A good thing too, since the first offenders against information policy enforcement often come from the C-suite and intimidate lowly IT support staff into making all kinds of exceptions.

Ultimately, company policy should regulate employee and contractor behaviour towards information in an enforceable manner. If sensitive data does go walkabout, and the company decides to sue the alleged thieves, court-ready information security policies can save a great deal in legal costs.

No pain, no policy

Walk into any boardroom, and chances are overwhelming the Ethernet cable in there gives easy access to the financial controller's notebook computer on the same network, though the file servers will be secure. Walk into the data centre hosting your company's servers, and you may find it equally easy to patch a cable from another cabinet to your own, despite fancy-looking locks on the computer room.

"I walked into the head office of a company listed on the JSE the other day, and they have none of the standard procedures in place," says Louis Helmbold, business development manager at solution distributor

Axiz Workgroup.

"Companies need to go back to basics. Get the hard-wired infrastructure policy and procedure in place and then look at information policy."

According to Rica, all monitoring is illegal unless the company complies with one of the exceptions.

Lance Michalson, Michalsons

But little gets done about information security policy in most companies - until a competitor launches an uncannily similar product a few months before your company planned to trumpet its new offering. Or the auditors find money going to strange accounts and recommend certain IT steps to make sure it doesn't happen again.

Then panic ensues and the company wants to know who did it - and how to nab them. But nabbing requires proof; legal, detailed proof that a company policy prohibiting certain behaviour existed, that the employee was aware of it and understood it, and that although the company took active steps to enforce it, the employee went ahead and misbehaved anyway.

The available proof may be illegal. Monitoring the heck out of everything an employee or contractor does may well contravene sections five and six of the Regulation of Interception of Communications and Provision of Communication-Related Information Act (Rica).

"According to Rica, all monitoring is illegal unless the company complies with one of the exceptions, such as written consent from the employee to monitor," says Lance Michalson, partner at Michalsons, a practice specialising in information security law.

A one-liner in an employment contract may not be good enough either. "The constitution says everyone has a right to privacy, but that right is not unlimited. Rica lawfully restricts the right to privacy," continues Michalson.

"If an employee gives a company consent to monitor them, the person needs to do so while being aware that they have a right to privacy with certain exceptions."

Executive bonding software

Large listed companies sometimes bite the bullet and implement very expensive enterprise-level information security policy management systems.

The few that do so usually regard the combined risks around governance, risk and compliance and getting sued for breach of compliance high enough. For example, disgruntled ex-employees may insist that safety procedures or warnings about imminent factory disasters were ignored.

These days, the executive committees of large companies get frustrated with the IT department's speaking technical gobbledygook. When IT starts moving towards compliance, the board wants easy answers without having to dirty their hands on technical stuff, says Julian Liebenberg, general manager of services at BCX, a managed services and solution provider.

Making matters even more interesting, accountability for compliance has shifted at board level. IT directors used to be responsible for compliance, and reported directly to their boards. Nowadays, most IT departments report to the CFO instead. The CFO looks after compliance, but needs IT's help to implement.

"Now when the board and the CFO need to be compliant in an environment they don't understand, they put pressure on IT," explains Liebenberg.

"But IT is not excited about reading the King III manual and seeks a quick answer, which is a management tool with policies built in. It is actually a fantastic answer to that impasse between CFO and CIO. Somehow the tool takes care of the different languages the two parties speak. So the tools are becoming quite popular where this kind of pressure exists."

The tools do make life easier, as long as the company uses mainstream applications and avoids open source on the desktop. Now no one has to read up on King III or ISO 27001. Sarbanes-Oxley, ITIL and COBIT compliance is also built in. The better tools provide the option of reporting only, or keeping the company compliant by enforcing policy, for example, by locking accounts with non-compliant passwords.

Escaping from the database

While employees show off their latest mobile gadgets and IT departments sweat over end-point security for these devices (with good reason), another information risk has been lurking for years. A recent development is amplifying this risk.

Some companies are having to deal with an explosion of Internet-driven transactions, which may involve credit cards. The minute credit cards are involved, the company storing card details has to conform to the stringent global PCI information requirements.

Credit card information will most likely be stored in a database along with the customer's other details. In fact, most structured enterprise information is stored in databases.

But database security innovation has generally lagged badly behind development for end-point security, and information breaches are increasing. "Database security is stuck where it was 20 years ago," says Warren Larkin, IBM product manager at Axiz Workgroup.

"Generally, applications control who has access to a database. But there is an anomaly. Administrators can do direct queries against databases they manage, outside of applications, using command line queries. For example, last names and credit card details can be dumped into a file."

Most database information breaches occur this way. IBM's Guardium product won't prevent the query, but will send a notification that it has happened.

"We need separation of duties between the database administrators (DBA) and governance, risk and compliance," says Larkin. "Auditors no longer accept an implementation, where PCI and Sarbanes-Oxley compliance is required, where a DBA is responsible for the setting up of audit trails."

Getting information dues

If an information breach does end up in court, a company may find its case floundering, despite having in place implementable, enforceable, legal information security policies. The company may even be able to prove that all employees were aware of policies and changes, and that everyone understood it all.

Unless the policies are structured in a court-ready manner, the company will find itself paying expensive legal specialists to do tedious, time-consuming fixes while the case is in progress. "When we draft policies, we separate out policies from guidelines from procedures, from standards," says Michalson.

Policies are mandatory, but guidelines are optional. "However, a lot of organisational policies are a combination of these, which makes it very difficult to follow when you try to enforce them in court. Then the lawyers have to work out what is mandatory and what is optional.

"It is difficult to prove someone breached a rule in the first place, which can later turn out to be optional. The opposing lawyers will pick these kind of holes in company policy. For example, the court regards e-mail etiquette as optional."

Implementing information security policy is a classical grudge activity, unlikely to attract volunteers. But the Protection of Personal Information bill adds another reason to start implementing information security policies. It is the first piece of legislation in SA to make information security a legal requirement, says Michalson.

Most companies regard the risk of getting sued as low enough to ignore. In the meantime, though, much company information, including intellectual property and Bills of Material, is valuable enough to steal.

Is it worth locking a door, and then enforcing a locking policy among key holders and others who pass through it? It depends on what's on the other side. The family information jewels may be precious enough to warrant security policy after all.

Share