Personal Concerns


As a system manager, security manager, or a corporate officer, you face issues of personal risk. More and more corporate officers are being held liable for the failure of their organizations to adequately protect the integrity, confidentiality, and availability of automated information systems. If you are not actively taking steps to protect your data, you are not protecting yourself from lawsuits.

These suits generally come from three sources: violations of the law (criminal charges), violations of due care (stockholder suits), and violations of privacy (employee suits). The risk of all of these can be reduced by appropriate policies and procedures. These policies must cover software piracy, appropriate use of licensed software, disaster plans that include security-based disasters (the greatest cause of data unavailability), and personnel policies concerning appropriate use of corporate computer resources, specifically addressing e-mail and usage monitoring. The corporation must adhere to these policies on a consistent and continual basis.

Violations of the Law

In addition to simply using the computer as a tool for committing a crime, violations of the law also include very specific computer crimes. The most common of these is software piracy. Many companies, both large and small, are guilty of software piracy. This generally means possessing and using unlicensed software and making illegal copies of software. Most software licenses allow for only one backup copy of the software. If you are doing automated backups with appropriate backup retention, it is likely that you have more than one backup copy of the software. You need to have a current, and preferably automated, software inventory for all your systems, PCs in particular.

Violations of Due Care

How much security is required for due care? Ultimately, that is for a court of law to decide. However, there are some things that are certain. Any of the following would be considered a lack of due care: not installing a security patch, not heeding suggestions put forth in general security advisories, or not having a security policy in place.

As in all business matters, business decisions determine how much to spend to ensure that you have taken due care with the assets of the company to reduce the risk of stockholder suits. A company should implement what are considered standards of diligence for its industry.

Violations of Privacy

There are two areas of privacy that are a concern to the information technology organization. The first is the privacy of customer information and the second is the privacy of employee information.

Customer privacy is an issue whenever a company holds confidential information about its customers. It may have this information because of the type of business it conducts, such as doctors holding patients' medical records, financial institutions holding their customers' financial records, or companies whose relationships with their customers reach the point that they share confidential information. This often involves a nondisclosure agreement stating that any information considered confidential will not be disclosed to any third party. This requires that the company do all that is prudent to keep the information confidential.

Employee privacy is a sticky situation because it is an employee relations issue. When a person becomes an employee, he or she gives up some rights to the company. However, he or she does retain certain rights. It is best that these rights be spelled out when the employee is hired.

The best defense is a good offense; that is, an ongoing employee awareness program is important. Your employees must know what privacy they have, what privacy they do not have, and what the benefits are of giving up this privacy. The two biggest areas of concern are the privacy of personal files and e-mail, and electronic employee monitoring. The amount of privacy will vary depending on years of service with the company; it is expected that new employees will be monitored more than experienced employees. This is an area where policies and procedures are most important.

Appropriate behavior, ethics, and employee privacy should be covered under current personnel policies. Just because a computer is involved does not mean there should be a difference in the employees' rights and responsibilities. If employees' paper mail is not read, their e-mail should not be any less private.

It is also likely that you have a wealth of information about your employees on your computer systems. The company has a responsibility to its employees to maintain the privacy of this information. Depending on the type of information, the company may have a legal responsibility to keep the information private.

Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
