Ensuring Employee Compliance in IT: A New Direction

Rizwan Mahmood, Director Projects, e-Safe Systems Australia

Rizwan Mahmood, Director Projects, e-Safe Systems Australia

Is trusting your employees enough? I’ve told my staff what they are allowed to do and I trust them! Trust but Verify! A phrase famously used by Ronald Regan to describe the new relationship developing in the disarmament talks with Mikhail Gorbachev. The whole point being that companies make and publish rules, but have no way of telling when the rules are broken or an audit trail to support case if they have been. People say they trust their staff, but implementing blockers is the antithesis of trust. But if you say your staff “I am going to give you complete freedom, but within a clear set of rules, and I will know if you break those rules and have an audit trail as proof” you will effectively deter them from straying outside the boundaries. Trust but Verify!

What’s the problem?

Every organisation is now reliant on IT for its very existence. It is the basis on which we communicate with each other and with the outside world. Without the power of information and communication that IT offers, the organisation would quickly become uncompetitive. However, we learned long ago that there is a dark side to technology. The risks with legal implications are associated – you become RESPONSIBLE for:

Storage and distribution of pornographic material;
breach of confidentiality: violation of PDPA (see the new Personal Data Protection Act)
The use of unlicensed software
downloading of unlicensed music
Risk of employment tribunals for allowing an atmosphere of sexual harassment or
Data storage facilities clogged up with personal jpeg, mp3 music, video, games etc.
The misuse of increasingly expensive energy. Do people “sleep”, “hibernate” or “shut down” their PCs when not in use for prolonged periods or are they routinely left on?

The risk is to SECURITY.

Do you know what staff are saying about the organisation when they are on Facebook, or chat lines? Do you know if unauthorised staff are searching for sensitive documents? What control do you have over what people bring into or take out of the organisation on USB connected devices?What is your current defence against these risks?

To date, it has been normal for all companies to do three things in response to these threats.

Firstly, they publish an “Acceptable Use Policy” (AUP) that all

staff are required to sign in order to use the company network – if you don’t already have one we recommend you rectify this situation immediately. But, the AUP is ‘legislation’ as to what you should do; how do you ensure “compliance”? Are you alerted to violations of the AUP with details of who did what, when and where? Without the ability to police it, an AUP is just a paper tiger and staff generally know it.

Secondly, companies install “firewalls”, “blockers” and “filters” on their network gateway. Again, with the assumption of external threats – via the internet. USBs, CDs/DVDs and other storage and distribution media are now a source of threat. The gateway never sees these. Some organisations have gone as far as physically blocking the USB connection ports with resin. This is certainly effective for that particular threat, but clearlyemasculates an otherwise effective productivity tool for the organisation. Now organisations are choosing to give laptops to their staff to allow for better mobility and flexibility, this gives rise to new challenges as all blockers, filters and other server-based monitoring solutions fail when the laptop leaves the corporate network.

More and more internet traffic is encrypted, therefore the gateway cannot analyse the content because it is only decrypted whenit reaches the end user. Blockers are easily circumvented by going to “anonymisers” or “proxy sites”. The only place to monitor and capture all violations is at the point of use.

Thirdly,organisations often do audit for compliance with the AUP on a regular basis. However, people usually know ahead of time about it and tend to do some ‘house-keeping’ upfront. Plus, audits only offer a snapshot of what is today’s behaviour with no guarantee that everyone will be good tomorrow. So, they cannot ensure compliance to the AUP on an on-going basis.

Steps to be taken:

1. Review your AUP - make sure that it properly reflects the social, productivity and security needs of your organisation; if necessary involve a lawyer

2. Improve the auditing practices by using automated tools. These tools allow for auditing of all resources and maintain compliance on an on-going basis contrary to the traditional audits.The way these tools work is to have an agent installed on each machine that monitors it all the time even off the network, checks any infringement to the company’s AUP and reports it back to the server.

" Every organisation is now reliant on IT for its very existence. It is the basis on which we communicate with each other and with the outside world."

The way - 3-stage process:

Verify the existing audit process and monitoring applications.

Achieved by a roll out of the automated auditing tool in silent monitoring mode in order to generally obtain an idea of the level of effectiveness of the existing practices. By doing this in silent mode ensures a snapshot of the actual environment since the moment people know they are being monitored, they stop doing anything that infringes company policy.

Inform users of the newmonitoring method

Where infringements are detected, it is imperative to inform the users that a new auditing and monitoring solution will be rolled out on a specific date and that they should ‘clean their house’ before then.

Roll out of the new application

Once everyone has been informed the software can then be rolled out. Some software also allows the company to displayits IT Acceptable Use policy when the user logs on. This further informs the user that they will be monitored against any infringement and will be held liable in the event they are reported.