Author : Donna Johnson Edwards
"What do you mean I can't download … fill-in-the-blank?" As IT managers we are constantly berated by users because they want to do something on their company computer that we know they shouldn't. But getting users to conform to reasonable standards is a real challenge for most IT departments. We live in the information age and with the benefits of technology come the associated risks and liabilities. The same tools that allow productivity gains have the potential to diminish worker productivity and to expose the company to harmful content as well as regulatory and legal liabilities.Many business executives do not yet grasp the importance of protecting Information Technology assets from liabilities and need to focus on the legalities surrounding IT as well as the use of IT systems by employees. If you take a moment to read any newspaper you will likely find several instances in which either by ignorance or design, employees have used company IT assets in a way that puts the company at risk, or worse: gets them in serious hot water.So why aren't companies focusing on these risks? In my experience a large part of the problem lies in staff not knowing how to begin writing acceptable use policies for IT systems. Then add to that hurdle the facts of constrained budgets, limited staff and that a typical IT manager will likely assume the company legal department will advise of any need to change policies or the management of IT assets. And at the same time, management is occupied with running the business and assumes that IT and legal will manage any issues related to these assets. Unfortunately, the legal department typically understands the broader laws but does not necessarily focus on day-to-day IT operational issues.Liabilities will be reduced if the focus of IT, legal and the business side of the house are pulled together, to put into place reasonable and effective policies, procedures, disciplinary standards and company-wide educational programs. In addition, in doing so will give IT managers a defendable position against those users who berate them! Policies and procedures are a critical first step in protecting the organization's vital enterprise IT assets. These same policies, while protecting assets and assisting IT staff in managing user "problems," are also used as a defense against potential legal liabilities.A legally compliant IT department must address several areas of concern, such as software license compliance, the appropriate use of the Internet and e-mail, data protection, privacy and more.Though proper software licensing is the most frequently considered topic of IT compliance, companies face other equally important IT asset liability issues. Inappropriate use of e-mail and the Internet is as widespread a problem as copyright violations (software piracy). Bandwidth abuse and lost employee productivity are two additional areas of concern for most employers. Not only should a policy cover appropriate use but inappropriate use as well.E-mail content filtering has become a popular solution for blocking documents containing obscene, racist, offensive or explicit words and phrases as well as for virus prevention. Another benefit of e-mail content filtering is the reduction of leaks of confidential company data. Statistics reveal that most security breaches originate from within the organization, therefore an organization must also monitor what files are leaving the network.Significant case law supports the verity that e-mail and Internet monitoring is legal when a company provides the systems on which the employee uses these products. An employee does not have a "reasonable expectation of privacy" when using these tools. However, it is essential that the employee be advised of the company policies on these issues and that the policies are clear, well disseminated and supported company-wide.Privacy and other forms of data protection are another big area of concern for businesses. Fines from regulatory bodies and loss of competitive data have continued to push organizations to increase control over these assets, to reduce associated liabilities and risks.The way to efficiently educate users is to adopt, implement and enforce policies and procedures detailing the "Dos and Don'ts" of computer conduct and explaining how the organization deals with the complete lifecycle of its IT assets.Regardless of the size of your organization, start by creating a project team to administer the implementation of an IT compliance program. The size of the team will vary from one company to the next, but regardless of the size, the organization will need to commit appropriate resources, both human and financial, for the project to be a success.The project team should consist of a senior member of the IT department, to provide top-level exposure; of human resources, to ensure no policy violates existing regulations and to ensure that there are appropriate steps in place to discipline violators; of legal counsel, to ensure that policies and procedures drafted by the team are thoroughly reviewed and consecrated; and representatives from large departments, administration, security, training, IT, etc. If more than one physical location exists, be sure to include a member from each site to ensure that their specific needs and limitations are considered as well.Following is a list of the areas that should be covered. (Note: this list may not be comprehensive for every environment and some areas may not apply to every organization):Begin with an overall opening statement by the CEO (or equivalent) of the organization to not only add valuable corporate weight to the policies but also to show that these policies come from the very top and are being embraced by everyone in the organization, including the Board.Then create policies for the following essential areas:Software requisition, acquisition, delivery, installation and license compliance – Explain that software acquisition is restricted in order to ensure that the company has a complete record of all software that has been purchased for company computers and can register, support and upgrade said software.Software and Hardware Disposal – Often forgotten, this policy makes sure that software/hardware is disposed of in a controlled manner. An organization may have additional disposal requirements and/or options.Shareware, Freeware, Public Domain, Games, Fonts, Screensavers and Wallpaper – This policy is important, since users often think that because software is "free" or on evaluation, it falls outside the boundaries of the organization's software policies, and they are unaware of the licensing issues surrounding these types of software. In many cases, these are copyrighted materials and may be used only in accordance with the license agreement of the publisher.Passwords, Security, Viruses – This policy must detail the importance of passwords, how they are administered, how often they are changed and of what characters they should consist. Stress the importance of user's keeping their passwords safe. Detail how the organization protects itself against virus attack. The omnipresence of the Internet and web-based applications can open backdoors to the corporate IT infrastructure. Employees can either willfully or by neglect expose the organization to rapidly spreading viruses or other malicious and harmful code by accessing or downloading files of unknown origin.Data Protection – Detail the importance of your organization's data. Also, cover how employees must treat specific types of data, such as customer information, research material, legal documents and records, etc. Because each organization will guard particular information based upon the type of business, explore each topic in detail within the organization.Internet, Instant Messaging, P2P Software – Most organizations in today's business climate will have some type of Internet policy likely covering areas such as pornography, picture and media files (GIF, BMP, PCX, JPEG, MP3, etc.), personal use and more. Companies must also be concerned with the ease of obtaining software of all types from the Internet.E-mail – As with the Internet, there are many liabilities surrounding e-mail use. Companies should be aware of the pitfalls of improper data protection, defamatory comments, inappropriate bandwidth usage, viruses, etc. Increasingly, subject matter considered inappropriate for consumption or distribution within an organization is received, forwarded, mishandled, etc. The type of website content that is inappropriate within an organization is also unsuitable content for an e-mail.Auditing and Monitoring – This policy alerts users to the fact that regular monitoring of and audits on company IT assets are conducted. The policy must contain a statement that indicates that the user should have "no reasonable expectation of privacy" for any file, message, or content on all company systems.Mobile, Laptop and PDA Users – Mobile devices are a difficult group of assets to control because of the device portability and the fact that they may rarely connect to the corporate network. Because of this, laptop users often believe that they fall outside the boundaries of the software policies. It is essential that appropriate policies as well as unique procedures are created to address this elusive group of users.Backup and Maintenance of IT Systems – Be sure to define who is responsible for system backup and how these tasks are completed. This policy is important, because organizations rarely look at licensing, retention and destruction, e-discovery and privacy issues when creating backup procedures. It is essential to address these issues before having to retrieve from backup because of an unforeseen problem or because of litigation.Disciplinary Procedures – Policy statements can be a waste of time if they are not reinforced with disciplinary procedures for those that breach them. Your organization may already have procedures in place and these must be included in any set of technology policies.Policy Review – It is important to review and update policies and procedures when needed. The team or a subset of the initial compliance team will need to review the policies and procedures on an annual basis (or more frequently, if needed) to respond to changes in the business environment and the larger legal environment. Users must be told how new policies will be communicated.Furthermore, additional policies not included in this list will likely be required in some organizations. For example, financial institutions and hospitals are regulated by outside bodies that require specific situations be handled in the manner specified. Ensure that the company's legal representatives ascertain the requirements made by other regulatory agencies and incorporate those demands into the policies and procedures.Policy statements should be short and to the point. Procedures can be long and detailed. Use a standard format for all of the policies, including the policy area to be covered, the reasons for the policy and a procedure specifically adapted for your organization.Lastly, but of great importance — make sure your users are trained on the policies. I can't tell you how many organizations miss this essential step! The policies will not be defendable or, frankly, enforceable unless users are made aware of them. For the best results, have your internal training department (or other suitable group) develop a system to train users as well as track the training and to collect a written agreement to follow the policies from every employee.Make sure all new employees receive training and sign an agreement. At least once per year conduct follow-up training which need not be as comprehensive, but should serve to remind users of the company's commitment to compliance.I promise you, the effort you put forth developing company-wide IT policies and procedures will pay off multifold — this isn't an IT problem; this is a company problem and the solution needs to be addressed company-wide.Donna Johnson Edwards has more than 20 years' experience implementing and managing IT projects for companies including the Federal Judiciary, IBM/Lotus and Hamilton Beach Proctor-Silex, where she was the senior member of the New Enterprise Technology Team.Her clients include Fortune 100, 500 and 1,000 companies as well as not-for-profit entities. Her background includes both the technical and the business aspects of IT projects.
Keyword : it compliance,it asset management,it compliance policy,software asset management
สมัครสมาชิก:
ส่งความคิดเห็น (Atom)
ไม่มีความคิดเห็น:
แสดงความคิดเห็น