How to improve data security and privacy.
A Pennsylvania school district made headlines recently with accusations that two of the district's IT employees were spying on students and took "thousands" of pictures of students in their homes without their knowledge, using the cameras in their school-supplied laptops. The school district contends that the ability to remotely take pictures was a security feature used solely to help locate lost or missing laptops. The situation came to light when the school district accused a student of selling drugs based on pictures taken remotely via the laptop that was assigned to the student, although it had not been reported lost or stolen.
The incident should make everyone think harder about information technology's role in protecting data and privacy. It raises the old question: Who watches the watchers?
IT holds the keys to all the sensitive data in your company. That includes not only payroll and personnel records, but also financial records, trade secrets and intellectual property, and data about pending acquisitions, product launches and other strategic decisions. It is a rather scary thought if you don't trust your IT staff.
Fortunately there are a number of things IT leaders can and should do to show they take this role seriously and are handling it properly.
The first and most obvious is that not everyone in IT needs to be able to access all of the data. Limit access to sensitive data to only those who need it to perform their duties, and deny everything else by default. People with the ability to see payroll data shouldn't typically also have access to financial records; the two should be separate duties held by separate people.
IT leaders need to recognize that this also applies to them. Just because you're the chief information officer and your people need access to sensitive data doesn't mean you do. Resist the urge to be the "mighty and all-powerful Oz" with access to everything as a way to boost your importance. Set the right example and make sure you limit your own access.
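The two points above, least privilege and separating duties, can be checked mechanically rather than left to good intentions. The following is an added example written for this post, not code from the original article or from any product: a deny-by-default role table, an access check that records every decision (allowed or not) together with the requester's stated reason, and a separation-of-duties audit that flags anyone, the CIO included, whose combined roles would let them read payroll and financial records together. All role names, datasets and user names are hypothetical and constructed for the illustration.

```python
"""Deny-by-default role-based access with a separation-of-duties audit.

Added example, not code from the original article. Roles, datasets and
users below are hypothetical and constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Datasets each role may read. A role that is not listed, or a dataset not
# granted to any of a user's roles, is denied by default.
ROLE_PERMISSIONS = {
    "payroll_admin": {"payroll"},
    "finance_analyst": {"financial_records"},
    "hr_admin": {"personnel_records"},
    "dba": {"db_metadata"},  # operates the database, does not read business data
    "cio": set(),            # leadership gets no standing data access
}

# Pairs of datasets no single person should be able to read together.
CONFLICTING_PAIRS = {frozenset({"payroll", "financial_records"})}


@dataclass
class AccessLog:
    """Append-only record of every access decision, so IT's own reads can be reviewed."""
    entries: list = field(default_factory=list)

    def record(self, user, dataset, allowed, justification):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "dataset": dataset,
            "allowed": allowed,
            "justification": justification,
        })


def permitted_datasets(roles):
    """Union of datasets granted by the given roles; unknown roles grant nothing."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_PERMISSIONS.get(role, set())
    return allowed


def check_access(user, roles, dataset, justification, log):
    """Return True only if a role grants the dataset AND a reason is given.

    Every decision is logged, including denials, so 'idle curiosity' reads
    show up in review even when they were refused.
    """
    allowed = bool(justification.strip()) and dataset in permitted_datasets(roles)
    log.record(user, dataset, allowed, justification)
    return allowed


def sod_violations(assignments):
    """Return (user, conflicting datasets) for each user whose roles breach a conflicting pair."""
    violations = []
    for user, roles in assignments.items():
        datasets = permitted_datasets(roles)
        for pair in CONFLICTING_PAIRS:
            if pair <= datasets:
                violations.append((user, set(pair)))
    return violations


def denied_users(log):
    """Users with at least one denied attempt; the list a reviewer looks at first."""
    return sorted({e["user"] for e in log.entries if not e["allowed"]})


# Constructed role assignments; carol's two roles are a separation-of-duties breach.
ASSIGNMENTS = {
    "alice": ["payroll_admin"],
    "bob": ["finance_analyst"],
    "carol": ["payroll_admin", "finance_analyst"],
    "dave": ["cio"],
}

if __name__ == "__main__":
    log = AccessLog()
    print(check_access("alice", ASSIGNMENTS["alice"], "payroll", "monthly payroll run", log))
    print(check_access("dave", ASSIGNMENTS["dave"], "payroll", "just curious", log))
    print(sod_violations(ASSIGNMENTS))
    print(denied_users(log))
```

Run the audit whenever role assignments change, not just once a year; an empty result from sod_violations and a short denied_users list are the evidence that the access model actually matches the policy.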
If possible, add a formal security role. This job isn't just about limiting access and changing passwords. It involves looking at all of the processes from the user side as well as within IT. It is important that this role audit compliance and educate users and IT alike about security issues.
Remind employees that they work in the IT department, not the police department. Unless they've been given specific security duties, IT people should not be independently looking for wrongdoing or trying to catch people at something. If in the course of their duties they discover something suspicious, they should alert the appropriate supervisor and not try to investigate it themselves. Going off on your own to check someone's Internet usage is more likely to get you fired than the person who wasted too much time surfing the Internet.
All information technology employees should know the importance of security and privacy and that their actions can significantly affect the effectiveness and reputation of the department. Company-wide, employees need to know that they can trust IT to protect their data and to not snoop out of idle curiosity.
One way to do this is to formalize all of these concepts in a data privacy policy that spells out how IT employees are to handle data and privacy concerns. Rather than writing a policy that gets filed away, have your IT employees sign a statement annually that they have read the policy, understand it and agree to comply with it. The annual signature keeps the policy fresh in their minds and reinforces the importance of the issue.
We have to not only secure users’ data and privacy but ensure that they know it is secured and they can trust us to keep it that way.
"Laptop Looking" photo by Trouthout.org / CC BY 2.0
This article is also posted on Forbes.com. Feel free to join in the discussion either on this site or at Forbes.com
If this topic was of interest, you might also like these:
- The IT Security Balancing Act
- Identity Protection Goes Beyond Technology
- Security In The Cloud
- Or the posts in the Security category