Doing more with less in information security.

At RSA 2009 this year you heard vendors say over and over that automation is now a necessity.  No kidding.  IT budgets are shrinking or non-existent.  Staff cuts.  Yet regulation, compliance and governance requirements increase constantly.  Auditors seem surprised and act as if IT and security people are stupid or incompetent when things are not done fully.  Maybe they can fund the necessary resources.

Still, we have to deal with the reality of the situation.  My tactic is to bake doing the right thing into how IT staff work.  I strive to present things in a way that makes it easy for them to do it right the first time.  That may mean making a screencast on how to perform certain activities.  It might mean checklists with a self-calculating dashboard.

I tell them I take this point of view.  Shaggy and Scooby Doo are my heroes.  They get the bad guy every time, and they do it in the laziest, easiest way possible.  Once I told this to one of my Twitter friends, @illumikate.  She loved the strategy, but coined a great phrase to describe it.

She said I was just striving to be “efficiently effective,” not lazy.  Bake in doing the right thing as best you can.  Provide scripts, tools, etc., anything to automate or make it easy for IT to comply.  This is what I really consider “doing more with less.”

Employee Privacy

I previously posted about having to make sure we have something in place to protect employees from misuse of the new surf control deployment. Here is a sample of what I went with.

Employee records and data, which include, but are not limited to, telephone use,
cell phone use, computing resource use, video surveillance and Internet use, are
to be handled with extreme sensitivity and confidentiality. Management,
or others requesting access to this type of information, must submit their
request to the Human Resources Department at the location where the employee in
question is based. All HR-approved requests must then also be approved
by the Corporate Security Officer. The appropriate local IT Department must
provide all requested data to the local Human Resources Department, which in
turn will provide this data to those initiating the information request.
In reviewing all data and record requests, the HR department must assess the
appropriateness of the individual requesting the data, as well as the
relevance of the data being requested.

There are occasions where employees are unavailable (e.g. vacation) and a
manager assigns a stand-in. In these instances, where no investigation is
involved, the manager must submit a notification stating the duration of access
required to the Human Resources Department at the location where the employee in
question is based. Human Resources will review the appropriateness of the
temporary access. HR-approved requests will be sent to the local IT
Department. The IT Department will send notification of the access change to HR
and the requesting manager. Access must be removed at the end of the
assigned duration and confirmation of the removal sent. If the requesting
department is HR, then it must obtain approval from the Company Site Manager.
If any information is discovered that relates to policy or legal violations,
it must be immediately brought to the attention of Human Resources, and the
Corporate Security Officer must be notified.

There are occasions where managers may request site entry and exit logs of
their employees for use in time and attendance tasks. This is accepted by
Company as a standard tool to ensure employees receive proper compensation.
Each site may determine its own policies concerning requesting and receiving
this information.

Awareness Posters

I am a firm believer that you have to set clear expectations before you can enforce a policy. As I told a store manager once, if the employee is going to be surprised that you are firing them (not necessarily surprised that they are in trouble), then you should not fire them. You did not properly manage the expectations.

I made an Email Policy and a Media Device Policy awareness poster. They are in Apple Pages format, in both English and Spanish. On the top right you can place your own company logo; replace the word "company" with your employer’s name, and modify the policy number/reference in the middle to match your documentation. Lastly, on the English poster, since we have a mechanism for reporting spam, I had a screenshot of dragging an email into a new email to send to the Spam Abuse address. I took it out due to some visible internal names. Feel free to put your own shot in that blank space.

You can download the zipped Pages files here: Policy Awareness