Cyber Security vs. IT Police/Harassment where's the balance?

This is an interesting and sensitive topic and I will readily admit there probably isn't a "one size fits all" answer. With that in mind, I wanted to relate my thoughts based on experiences with both balanced and unbalanced cyber security programs with respect to playing big brother instead of defending their enterprise.

A good cyber security program must be able to respond in a timely fashion when personnel incidents occur. The logging and tracking of data is essential in order to prevent scenarios where verbal opinions are pitted against each other (he said/she said). These situations are quite unreliable since emotion can be injected into the scene. As an example, let's say you have two employees, employee 1 and employee 2. If employee 2 approaches the designated representative with allegations of wrongdoing by employee 1, the designated representative should be able to use a clearly defined process to obtain the evidence required to investigate the incident. This process should have adequate separation of duties, accountability checks, and safeguards that prevent any one individual (or single group within an organization) from misusing or abusing this ability. This speaks to "who is watching the watchers" within your organization. I once sat in a meeting where a group member stated "Once a month I run a script on instant message chat logs looking for dirty words." While I agree that I am not to use company resources for things like that, my response to that statement was "why?" Unless someone is complaining about productivity or harassment, that evolution seems like a waste of time and an attempt to impose your moral stance on others. I later learned that many others had nicknamed this person "the hall monitor" and the comment made much more sense.
In a perfect world, this monitoring would not be possible without initiating an investigation into alleged behavior, and no one individual should have access to "police" the IM logs. So, how does this work with social media? Your employer absolutely reserves the right to observe what you post in a public forum in order to assess how your thoughts and actions can potentially impact their business. Additionally, a clear policy (from HR, not IT) should be in place defining what is acceptable and what is not. Now we get into the HR side of things. Your HR department exists to make your organization better by finding the right personnel for your organization. Additionally, they may define certain policies concerning the interaction of personnel within your organization. In some cases, HR departments have become an overarching group responsible for any type of internal governance or policy. I believe this is a mistake and that the governance of a resource should be under the purview of the resource owner. For example, IT resources should be governed by the CIO, financial resources by the CFO, etc. This governance is compromised and ineffective if the C-level personnel are not reporting to the heads of the enterprise or the governing body of the enterprise. I point this out having observed a few instances of IT security personnel handing over volumes of data to HR personnel in the past. Handing over web proxy data when there is NOT an active investigation would fall under my big brother/waste of money category. I categorize it this way for two reasons. One, if the supervisor or another employee has not complained then this is not necessary and you are simply satisfying your curiosity about whether some individuals are on Facebook as much as you are at work (they are). Two, HR personnel are unlikely to be aware that the HTTP protocol is stateless, so those statistics are somewhat meaningless: a proxy log records individual requests, not how long anyone was actually looking at a page.
I know the company that sold you that proxy software or device told you differently, but that was probably the sales dude while the technical guy sat silent. Without completely observing netflows, keystrokes, clicks, and the registry key "TypedURLs", you are doing a bit of guessing. An HR person is possibly doing a lot of guessing if the proxy stats alone are handed over. The job of IT/cyber security should be to defend an enterprise against threats (internal/external) in cooperation with other groups (IT, HR, ???). This defense can include the analysis of evidence collected from various sources, some of which are not under the purview of your security personnel. This separation of duties allows for a balance of power within your organization. The security team should NOT be responsible for "spying" or observing behavior on an individual basis when there is not an active investigation. While this is a delicate balance, I believe you can sum up your role with the following statements: "How does make safer from internal and external threats?" followed by "Are there loopholes negating causing to actually be less secure?" I will follow with my tried and true removable media example, observed in multiple environments:

" does not allow external (privately owned) removable media to be used in conjunction with company-owned assets." This is a good policy yet is just an exercise in writing if there is not some technical control to enforce it. Now this becomes further moot if you have the following:
" users may connect personal assets via the virtual private network (VPN) when working remotely." You have just allowed that removable media access to the assets needed by the user. I can already hear "but we have via the VPN to prevent the badness." Outstanding: did you test that? Does the user need that capability? Why isn't that same mechanism used with your own equipment, so that the whole policy isn't needed?

How do you restore the balance if your organization is not functioning correctly? Start at the top, someone allowed this to happen and possibly encouraged it. Draw out what the program should look like and the processes that should accompany it. Demonstrate how the technical controls will enforce your policies and make your program better internally and less of a target externally. Ensure your personnel are up to date in their training and skillset. If YOU are not up to date and cannot recommend the correct technical control, GET TRAINING. This stuff isn't rocket science and you are not benefiting anyone by not understanding the full scope and impact of your position. Cyber security is a constant learning process; that's why the best conferences are training where the individuals give and take from each other in open forums trying to understand the gaps in what they have tried. Best of luck finding the right balance for your organization.
