How far should IT managers go to protect corporate data?

The privacy/freedom debate brewing in the UK is providing IT departments with new and tough challenges. How far can they go to protect data?

Can companies play Big Brother, violate employee privacy and monitor employees in order to protect data? What if the act of violating employee privacy actually protects the privacy of many more? For example, what if monitoring nurses protects the privacy of patients' healthcare records? So writes Dominique Levin, vice-president for marketing and strategy at LogLogic.

Some may argue that ethics are absolute and you cannot violate the privacy of employees, even if monitoring staff would result in a "greater good". But others may have chosen the "greater good" and sacrificed the privacy of a few consenting employees (you can always go and work somewhere else) to protect the privacy of many.

There has to be a balance. I wouldn't want to encourage snooping on personal details, but companies must safeguard and protect intellectual property, customer service lists and other sensitive data. Gartner analyst John Pescatore agrees and says the key word to think about is how "closely" to monitor employees. In other words, it's not about watching every employee's every move, but it is fair to protect an organisation's crown jewels, and it is perhaps even mandatory to protect the personally identifiable information entrusted to an organisation by its customers.

There are no specific standards or frameworks telling you how to create reports which analyse which employees have access to high-risk data, or what other information to include. Regulatory frameworks indicate only that this type of review should be defined by each organisation and put into place. Whether it takes the form of daily, weekly or monthly reports, and what exactly they include, will be up to each organisation, compliance officer and CISO, depending on their business and risks.

To help, here are some of my considerations for specifying these reports:

  • Define "high risk" information for your organisation.
  • Identify the "data owner" for each category of "high risk" information - the executive who will review the lists of privileged users and their actions.
  • Locate database tables and directories with "high risk" data.
  • Audit user accounts with access rights to this data. Who should have access to "high risk" data? You may want to reduce the list to a manageable number. Also, you probably want to generate a report specifically showing any new privileged account creations and privilege modifications to ensure these are authorised.
  • Audit access to database tables and directories with "high risk" data. Create automated daily reports to be sent to the data owner. Individuals accessing the system should be aware that access is monitored and reports are reviewed. Ideally, individuals who access controlled systems should not have access to update or modify the scripts and/or software that produces the security reports.
  • Include all changes to "audit" status. Don't forget to also generate a report that will tell you whether in the prior 24 hours audit logging was turned on or off.
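As an added illustration, not code from the article or from LogLogic, the following Python script produces the three daily reports the list above calls for: privileged account creations and privilege changes, access to "high risk" tables grouped by data owner, and audit-logging status changes in the prior 24 hours. The JSON event format, table names, roles and owner addresses are assumptions, and the log lines are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
# Assumed inventory: "high risk" objects mapped to the executive data owner
# who receives the daily report (hypothetical names, not from the article).
HIGH_RISK = {"patients.records": "cmo@example.test", "hr.salaries": "cfo@example.test"}
PRIVILEGED_ROLES = {"dba", "hr_admin"}
REPORT_TIME = datetime(2024, 5, 1, 23, 0, tzinfo=timezone.utc)  # "now" for the sample

# Constructed sample audit events (JSON lines; invented format, not real logs).
SAMPLE_LOG = """
{"ts":"2024-05-01T08:00:00Z","actor":"alice","action":"select","target":"patients.records","detail":"id=42"}
{"ts":"2024-05-01T09:15:00Z","actor":"root","action":"grant","target":"bob","detail":"dba"}
{"ts":"2024-05-01T09:16:00Z","actor":"root","action":"create_user","target":"svc_backup","detail":"hr_admin"}
{"ts":"2024-05-01T10:00:00Z","actor":"bob","action":"update","target":"hr.salaries","detail":"emp=7"}
{"ts":"2024-05-01T11:00:00Z","actor":"bob","action":"audit_off","target":"hr.salaries","detail":""}
{"ts":"2024-04-29T11:00:00Z","actor":"alice","action":"select","target":"patients.records","detail":"id=1"}
{"ts":"2024-05-01T12:00:00Z","actor":"carol","action":"select","target":"public.news","detail":""}
"""

def parse_events(text):
    """Parse JSON-lines events and convert timestamps to timezone-aware datetimes."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events

def daily_reports(events, now):
    """Three reports over the prior 24 hours: privilege changes, high-risk access, audit status."""
    since = now - timedelta(hours=24)
    recent = [e for e in events if since <= e["ts"] <= now]
    # Report 1: new privileged accounts and grants/revocations of privileged roles.
    privilege_changes = [e for e in recent
                         if e["action"] in ("grant", "revoke", "create_user")
                         and e["detail"] in PRIVILEGED_ROLES]
    # Report 2: every read or write of a high-risk object, grouped by data owner.
    high_risk_access = {}
    for e in recent:
        if e["target"] in HIGH_RISK and e["action"] in ("select", "update"):
            high_risk_access.setdefault(HIGH_RISK[e["target"]], []).append(e)
    # Report 3: audit logging switched on or off; any entry here deserves a look.
    audit_changes = [e for e in recent if e["action"] in ("audit_on", "audit_off")]
    return {"privilege_changes": privilege_changes,
            "high_risk_access": high_risk_access,
            "audit_status_changes": audit_changes}

def run_sample():
    return daily_reports(parse_events(SAMPLE_LOG), REPORT_TIME)
```

The event two days old is dropped by the 24-hour window, and the read of a non-sensitive table never reaches a data owner's report.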

The need to monitor the digital footprint of employees in order to preserve the confidentiality and integrity of data, and to monitor privileged user activity, is becoming increasingly important. It is critical that organisations implement a workable, secure solution and that they not only act upon it, but also maintain the processes and keep their access controls up to date. Protect your assets and you protect your bottom line.
