CIOZone.com - Professional Network for CIOs and IT Professionals

CONTROLS REQUIRED

The consensus seems to be that in today's environment, where corporate networks are increasingly exposed to insider and outside threats, companies must protect their data by putting controls, policies, and systems in place to monitor activity.

But if you accept it as a necessary evil, how do you go about putting systems and policies in place, and making sure employees, partners and suppliers abide by those policies?

"When we hear people tell horror stories, so often the breakdown is in the area of communication," says Robin Ruefle, a member of the technical staff at the Carnegie Mellon Software Engineering Institute Computer Emergency Response Team (CERT).

"The right people didn't get told in the right time frame, the information didn't get to the right people who could effect change, people didn't know what the right policies or procedures were . . . there's a breakdown in process." Ruefle's team is involved in developing security best practices for organizations, including creating Computer Security Incident Response Teams (CSIRTs) to respond to security incidents as they happen.

"A lot of people think it's just about technology, but really, developing and having the right processes in place is critical," says Ruefle. "It's about being prepared. What's your plan? Who's involved? Do they know what to do when something's happened? Do they know what the policies and procedures are? Do they know how to escalate?

"Having those processes in place, along with the right education, is key."

Zweig, the associate professor of organizational behavior with the Rotman School of Management at the University of Toronto, says while monitoring may be a necessary evil, companies should resist the temptation of putting in systems that go beyond what is necessary.

He says there is a line that can be drawn between benign monitoring and intrusive, and Wal-Mart has crossed that line. "If you have to use a stick, make sure the stick is in relation to the behavior you're trying to stop," says Zweig. "People are going to rebel against the constant monitoring, and you know, Wal-Mart is going to reap what they sow."

CIOZONE SERIES TO CONTINUE. REGISTER NOW!

—THURSDAY: Creating a security organization. Who's in charge and what is the CIO's role?

Comments (1)

	1. 14-01-2008 17:48
	It looks like Wal-Mart is upping the level and sophistication of  its internal spy racket, according to this  article on CIOZone. And plenty of other companies are doing it,  too.    From the story: "It is not unusual for Fortune 500 companies to  hire law enforcement or intelligence experts for their security  departments, but Wal-Mart actively recruits those with military or  intelligence backgrounds. Last March it posted ads on its Web site and  on sites for security professionals for "global threat analysts" with  backgrounds in government or military intelligence.    "Like most major corporations, it is our corporate responsibility  to have systems in place, including software systems, to monitor  threats to our network, intellectual property and our people,"  Wal-Mart spokeswoman Sarah Clark said in a statement in April.  Following the Gabbard firing, Wal-Mart said it conducted a review of  its monitoring activities. "There have been changes in leadership, and  we have strengthened our practices and protocols in this area," Clark  said. Registered

Mike Beeferman

Write Comment

Please keep the topic of messages relevant to the subject of the article.
Name:
E-mail
Comment:
Code:*
	I wish to be contacted by email regarding additional comments