
The privacy/freedom debate brewing in the UK is providing IT
departments with new and tough challenges. How far can they go to
protect data? Can companies play Big Brother, violate employee
privacy and monitor employees in order to protect data? What if the
act of violating employee privacy actually protects the privacy of
many more? For example, what if monitoring nurses protects the
privacy of patients' healthcare records? writes Dominique
Levin, vice-president for marketing and strategy at LogLogic.
Some may argue that ethics are absolute and that you cannot violate
the privacy of employees, even if monitoring staff would serve the
"greater good". Others may choose the "greater good" and sacrifice
the privacy of a few consenting employees (you can always go and
work somewhere else) to protect the privacy of many.
There has to be a balance. I wouldn't want to encourage snooping
on personal details, but companies must safeguard and protect
intellectual property, customer service lists and other sensitive
data. Gartner analyst John Pescatore agrees and says the key word
to think about is how "closely" to monitor employees. In other
words, it's not about watching every employee's every move, but it
is fair to protect an organisation's crown jewels, and it is
perhaps even mandatory to protect the personally identifiable
information entrusted to an organisation by its customers.
There are no specific standards or frameworks telling you how to
create reports which analyse which employees have access to
high-risk data or what other information to include. Regulatory
frameworks indicate only that this type of review in general should
be defined by each organisation and put into place. Whether the
reports are daily, weekly or monthly, and exactly what they include,
is up to each organisation, compliance officer and CISO, depending
on the business and its risks.
To help, here are some of my considerations for specifying these
reports:
- Define "high risk" information for your organisation.
- Identify the "data owner" for each category of "high risk"
information - the executive who will review the lists of privileged
users and their actions.
- Locate database tables and directories with "high risk"
data.
- Audit user accounts with access rights to this data. Who should
have access to "high risk" data? You may want to reduce the list to
a manageable number. Also, you probably want to generate a report
specifically showing any new privileged account creations and
privilege modifications to ensure these are authorised.
- Audit access to database tables and directories with "high
risk" data. Create automated daily reports to be sent to the data
owner. Individuals accessing the system should be aware that access
is monitored and that the reports are reviewed. Ideally, individuals
who access controlled systems should not be able to modify the
scripts or software that produce the security reports.
- Include all changes to "audit" status. Also generate a report that
tells you whether, in the prior 24 hours, audit logging was turned
off or on, and by whom.
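To show what the steps above look like as a single report, here is an added example (not from the article or from LogLogic) that reads constructed audit-log lines and produces the daily report for a data owner: accesses to "high risk" tables, accessors who are not on the reviewed access list, privileged account creations and grants, and any window in which audit logging was switched off. The table names, user names, access list, roles and the "timestamp key=value" log format are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed definitions for a fictional organisation (not from the article).
HIGH_RISK_OBJECTS = {"patients", "payroll"}     # tables holding "high risk" data
ALLOWED_ACCESSORS = {                           # the reviewed access list per table
    "patients": {"nurse_ann", "dba_bob"},
    "payroll": {"hr_cho"},
}
PRIVILEGED_ROLES = {"dba", "admin"}             # grants of these must be authorised
DATA_ACTIONS = {"select", "insert", "update", "delete"}
REPORT_TIME = datetime(2024, 5, 2, 8, 0, tzinfo=timezone.utc)  # "now" for the sample

# Constructed sample audit lines in a simple "timestamp key=value ..." format.
# The first line is older than 24 hours and must fall outside the report.
SAMPLE_LOG = """\
2024-04-30T23:00:00Z user=dba_bob action=select object=patients rows=9
2024-05-02T01:10:03Z user=nurse_ann action=select object=patients rows=3
2024-05-02T02:45:17Z user=dba_bob action=audit_off object=db
2024-05-02T02:59:40Z user=dba_bob action=audit_on object=db
2024-05-02T03:05:02Z user=dba_bob action=update object=patients rows=120
2024-05-02T04:12:55Z user=hr_cho action=select object=payroll rows=1
2024-05-02T05:00:00Z user=root action=create_user object=svc_report role=dba
2024-05-02T05:01:12Z user=root action=grant object=svc_report role=dba
2024-05-02T06:30:00Z user=dev_dan action=select object=tickets rows=50
2024-05-02T07:15:30Z user=dev_dan action=select object=patients rows=2
"""

def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes an aware UTC datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def daily_report(events, now, window=timedelta(hours=24)):
    """Summarise the last `window` of events for the data owner's review.
    Note: this script must live where the audited users cannot edit it."""
    since = now - window
    recent = sorted((e for e in events if since <= e["ts"] <= now), key=lambda e: e["ts"])
    access = defaultdict(lambda: defaultdict(int))   # object -> user -> count
    unexpected, privilege_changes, audit_toggles = [], [], []
    for e in recent:
        action, obj, user = e["action"], e.get("object"), e["user"]
        if action in DATA_ACTIONS and obj in HIGH_RISK_OBJECTS:
            access[obj][user] += 1
            if user not in ALLOWED_ACCESSORS.get(obj, set()):
                unexpected.append((e["ts"], user, action, obj))
        elif action in ("create_user", "grant", "revoke") and e.get("role") in PRIVILEGED_ROLES:
            privilege_changes.append((e["ts"], user, action, obj, e["role"]))
        elif action in ("audit_on", "audit_off"):
            audit_toggles.append((e["ts"], user, action))
    # Reconstruct the windows in which audit logging was off.  Nothing that
    # happened inside them was recorded, so each gap is reported as a finding.
    gaps, off_since = [], None
    for ts, user, action in audit_toggles:
        if action == "audit_off" and off_since is None:
            off_since = (ts, user)
        elif action == "audit_on" and off_since is not None:
            gaps.append({"start": off_since[0], "end": ts, "turned_off_by": off_since[1],
                         "seconds": int((ts - off_since[0]).total_seconds())})
            off_since = None
    if off_since is not None:   # still off at report time: open-ended gap
        gaps.append({"start": off_since[0], "end": None, "turned_off_by": off_since[1],
                     "seconds": int((now - off_since[0]).total_seconds())})
    return {
        "window": (since, now),
        "high_risk_access": {obj: dict(users) for obj, users in access.items()},
        "unexpected_access": unexpected,
        "privilege_changes": privilege_changes,
        "audit_toggles": audit_toggles,
        "audit_gaps": gaps,
    }

def render(report):
    """Plain-text report as it would be mailed to the data owner."""
    since, now = report["window"]
    lines = [f"Privileged access report {since:%Y-%m-%d %H:%M} to {now:%Y-%m-%d %H:%M} UTC"]
    for obj, users in sorted(report["high_risk_access"].items()):
        lines.append(f"  {obj}: " + ", ".join(f"{u}={n}" for u, n in sorted(users.items())))
    for ts, user, action, obj in report["unexpected_access"]:
        lines.append(f"  UNEXPECTED {ts:%H:%M:%S} {user} {action} {obj} (not on access list)")
    for ts, user, action, obj, role in report["privilege_changes"]:
        lines.append(f"  PRIVILEGE {ts:%H:%M:%S} {user} {action} {obj} role={role} (verify authorised)")
    for gap in report["audit_gaps"]:
        end = f"{gap['end']:%H:%M:%S}" if gap["end"] else "still off"
        lines.append(f"  AUDIT GAP {gap['start']:%H:%M:%S} to {end} ({gap['seconds']}s) by {gap['turned_off_by']}")
    return "\n".join(lines)

def sample_report():
    return daily_report(parse_log(SAMPLE_LOG), REPORT_TIME)

if __name__ == "__main__":
    print(render(sample_report()))
```

Run as a script it prints the report for the constructed log: one access to "patients" by dev_dan is flagged because he is not on the access list, the two role=dba changes are listed for authorisation checks, and the 14-minute window in which dba_bob turned audit logging off appears as a gap. In a real deployment the log source, the access list and the recipient list would be supplied by the data owner, and the output mailed on a schedule.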
The need to monitor the digital footprint of employees, in order
to preserve the confidentiality and integrity of data and to monitor
privileged user activity, is becoming increasingly important. It is
critical that organisations implement a workable, secure solution,
and that they not only act upon it but also maintain the processes
and keep access controls up to date. Protect your assets and you
protect your bottom line.