The Government's new bill regulating the interception of communications means IT departments should clean up their security policies as soon as possible.
The Institute for the Management of Information Systems (IMIS) said IT directors should consult its guidelines regarding disciplinary offences over any data held on staff PCs to ensure that when the Regulation of Investigatory Powers Bill becomes law later this summer, they are in compliance.
The Bill incorporates the old part III of the Electronic Communications Bill, which regulates the measures that police and security agencies in the UK are legally entitled to use to eavesdrop on the general public.
The most controversial aspect of the Bill is the provision giving law enforcers legal power to demand the keys required to decrypt encrypted communications.
IMIS also urged users to push the Government to ensure that a system is in place to guarantee that criminal organisations do not use forged warrants. Such measures would prevent criminals from gaining access to encryption keys to carry out industrial espionage. IMIS wants to see an online scheme whereby authorised personnel could validate any document presented at any time by law enforcement officials wanting access.
Philip Virgo, strategic adviser to IMIS, said IT directors should ensure there is no data on their systems for which they would be unable to produce plain text when required to under the terms of the Bill.
A failure by specific users that leaves the company unable to provide plain text from their systems should be an explicit disciplinary, even sackable, offence, he said.
Any encrypted material held by users without satisfactory explanation and explicit approval should also be an offence, Virgo said.
IMIS security guidelines:
- Review which members of staff need access to the Internet. Make it an explicit disciplinary offence to use corporate facilities to access, produce or disseminate unauthorised material.
- Introduce strict rules against the introduction of unauthorised software to protect against fraud, virus attacks, prosecution for copyright theft and other risks.
Rules to monitor security might include:
- The installation or use of any unauthorised (encryption) software by employees on systems owned by the employer or used for corporate work should be an explicit disciplinary offence.
- Unauthorised Internet access and the transmission or receipt of messages on systems owned by the employer, or used for corporate purposes, should also be an explicit disciplinary offence.