Search in ISMS Guides


Wednesday, August 29, 2007

Security Policy and Responsibility

By David Lineman

Last month we discussed the security policy problems revealed within the department of Veteran's Affairs (VA) in the wake of the highly public data breach, including the firing of two employees responsible for information security. Over the last month, employees at both AOL and Ohio University were terminated or resigned in the aftermath of data privacy breaches. All of these cases point to some interesting security policy questions for all organizations to consider.

Security Scapegoats?

While termination seems to be an obvious step to attempt to restore customer confidence, in both cases serious questions were raised about the overall security and privacy practices of the entire organization. In the wake of very damaging or embarrassing data breaches, some organizations seem to focus the blame on individuals, rather than on weaknesses of internal policies and procedures.

In the past, similar incidents have resulted in lawsuits for improper termination, since many organizations failed to clearly communicate their data security and privacy policies to all employees. In the case of Ohio University, lawyers have already made statements for the fired employees indicating that they were improperly targeted. Similar statements were made by ex-employees of the VA.

Security Policy Lessons

These incidents and their public fall-out raise some important questions for organizations concerned with policy creation, education and enforcement:

Question: Do your information security policies cover sanctions against employees? Is the language in the policies specific to violation of existing corporate policies?

In neither of these cases did the public statements mention that employees were violating any specific policy, but instead seemed to indicate that the employees should have "known better." AOL CEO Jon Miller in an internal memo stated that "This incident took place because some employees did not exercise good judgment or review their proposal with our privacy team. We are taking appropriate action with the employees who were responsible."

The fundamental question here is whether or not an employee should be fired for making mistakes, especially in areas where there is very little official guidance on how employees can operate safely with sensitive data. While we are not attempting to judge the legality of such actions, evidence suggests that terminating employees without proper cause or documentation will create problems.

During a risk-assessment or policy update phase, organizations would do well to consider what would happen in their own organization if an individual makes a mistake that causes an information security and privacy breach. What should be done if the organizational policies only address violation of stated policy?

Question: Does your organization clearly communicate information security and privacy policies to users based on their role in the organization?

Organizations that wish to terminate employees for violation for company policy should take great care to have their information security and privacy policies clearly documented and communicated.

In the case of AOL, it is not clear if there was a corporate privacy policy that prohibited researchers from using data without consulting the privacy group. But other data casts some doubt. Public statements by AOL suggest that they are now taking a serious look at their internal policies. Public response to the AOL incident included allegations that sensitive search data should be destroyed as part of a regular data destruction policy.

In a separate statement, Ohio University announced a 20-point plan to improve information security at the school, which has about 16,640 undergraduate students and 862 full-time faculty members on its Athens campus.

Question: Are information security and privacy responsibilities clearly documented in job responsibilities?

In the case of the VA and Ohio University, the terminated employees had direct responsibility for information security. Even so, statements from the attorneys of fired employees seem to raise some questions as to which systems the individuals were responsible for.

In the case of AOL, the employees were doing research on web searches. Company statements indicate that there were no official procedures in place for protecting customer privacy, but that the employees "were to consult the privacy team" before posting their research.

While we can only extrapolate from these public statements, the common thread is all of these cases is a poor documentation of information security responsibilities. While have information security policies is critical, they are much more effective when they are tied to specific responsibilities of various job roles. Organizations that take this more structured approach will not only have better security, but will be better prepared for any sanctions.


Information Security Policies Made Easy, Version 10 - A complete library of information security policies, including policies for personnel security.

Information Security Roles & Responsibilities Made Easy, Version 2 - An extensive library of documented information security requirements for various organizational roles.

Privacy Management Toolkit, Version 1 - A complete resource for managing customer and employee privacy based on OECD Fair Information Principles.

No comments: