CONTROLS REQUIRED
The consensus seems to be that in today's environment, where corporate networks are increasingly exposed to insider and outside threats, companies must protect their data by putting controls, policies, and systems in place to monitor activity.
But if you accept monitoring as a necessary evil, how do you go about putting systems and policies in place, and making sure employees, partners and suppliers abide by those policies?
"When we hear people tell horror stories, so often the breakdown is in the area of communication," says Robin Ruefle, a member of the technical staff at the Carnegie Mellon Software Engineering Institute Computer Emergency Response Team (CERT).
"The right people didn't get told in the right time frame, the information didn't get to the right people who could effect change, people didn't know what the right policies or procedures were . . . there's a breakdown in process." Ruefle's team is involved in developing security best practices for organizations, including creating Computer Security Incident Response Teams (CSIRTs) to respond to security incidents as they happen.
"A lot of people think it's just about technology, but really, developing and having the right processes in place is critical," says Ruefle. "It's about being prepared. What's your plan? Who's involved? Do they know what to do when something's happened? Do they know what the policies and procedures are? Do they know how to escalate?
"Having those processes in place, along with the right education, is key."
Zweig, the associate professor of organizational behavior with the Rotman School of Management at the University of Toronto, says while monitoring may be a necessary evil, companies should resist the temptation of putting in systems that go beyond what is necessary.
He says there is a line that can be drawn between benign and intrusive monitoring, and Wal-Mart has crossed that line. "If you have to use a stick, make sure the stick is in relation to the behavior you're trying to stop," says Zweig. "People are going to rebel against the constant monitoring, and you know, Wal-Mart is going to reap what they sow."