Lawrence M. Walsh
Published: 01 Mar 2004
Public executions are necessary for enforcing company information security policies, says Dr. John Halamka.
"There's no second chance if you violate trust," he explains.
As CIO of both Boston's Beth Israel Deaconess Medical Center and Harvard Medical School, Halamka is charged with enforcing the policies and procedures that ensure the security of 9 million patient records and 70 terabytes of data.
Most people would think that medical professionals working in a world-class hospital and university would be above the temptations of records surfing, unauthorized downloads and abuse of computer resources. They're not. Each year, Halamka says, three or four doctors -- ranging from green residents and interns to well-weathered practitioners -- are fired for violating security and acceptable use policies.
Sometimes, doctors are looking up medical histories of their competitors to embarrass them or to gain a business advantage. Other times, they're simply curious about a famous patient and look up his lab tests. On occasion, they're caught releasing confidential records or billing information to unauthorized parties. And, of course, there are the porn surfers, online gamblers and cyberstalkers.
"You run into two kinds of folks: those who will accept the consequences and those who deny everything and must be presented with the preponderance of the evidence," says Halamka. "That's why you need public executions to reinforce good behavior and to protect resources."
Most organizations take pains to hide or downplay employee dismissals due to policy infractions. As with hacker incidents, enterprises fear that public disclosure of policy violations will damage their reputation and open them up to action.
That's changing, however. Regulations such as HIPAA and the California Security Breach Notification Act are making rigid policy enforcement an imperative. An even greater driver, though, is the maturation of security and IT in the workplace. As these groups gain more cachet, they're able to drive their agendas beyond the data center and into HR and legal groups. Enterprises are recognizing the need for strong policies and enforcement standards -- and the occasional public execution.
"It's not the name before the '@ sign' that's going to get in trouble; it's the name after [it] that will," says Michelle Drolet, president and CEO of ConQwest, a security assessment and integration firm.
Employers want to trust their employees, who have access to everything from facilities to strategic plans, coffeemakers to databases. Trust is part of what makes a business function.
But growing awareness of the risks of unchecked trust is leading to stronger, more visible security policies. Rather than allowing acceptable use policies and nondisclosure agreements to dictate consequences for inappropriate actions, companies are drafting policies that specifically list misuse of computer equipment and data as an offense that can result in punitive actions, including termination.
"There's an evolutionary development where things that were once isolated, stand-alone turfs (HR, legal and IT) are coming together to create encompassing security policies," says Rickie Banning, principal of the HR consulting firm Advanced Organizational Development Inc.
Creating a security policy is the first step in protection and enforcement. While it may seem excessive, enterprises need to define which assets users are entitled to access and under what conditions, as well as which resources and applications are prohibited. Especially important is establishing individual accountability. Beth Israel Deaconess' security policy details everything from the protection of confidential information to large file transfers, misuse of software, protection of passwords and malware prevention.
Long gone are the days when a security policy could sit in a three-ring binder on a shelf collecting dust. Policies are now found in employee orientation packets and on lunchroom bulletin boards and corporate intranet sites. Many enterprises are requiring employees to sign their security policies, acknowledging that they've read and understood them.
"That's the last thing they leave training with, and we expect employees to follow the policies," says Brad Hillebrand, manager of enterprise technologies at office accessories company Fellowes.
"If we don't want people to violate the policies, they have to know their boundaries," he adds. "How can we terminate a user if they don't know what the policies are?"
HR and security experts say employees need to be exposed to a security policy five times before they assimilate its meaning and importance into their work routine. That means making policies easily accessible and conducting periodic awareness training.
At Beth Israel Deaconess, Halamka knows policies are in front of users' eyes every time they access restricted patient records. Trust is a necessity in health care, and it's dangerous to restrict potentially life-saving data from doctors, so access control to records isn't granular. However, doctors are given a warning when they're accessing records and are required to provide justification for the requested data. For instance, auditors can see whether a doctor accessed an actress's drug abuse history out of clinical necessity or sheer curiosity. More routinely, Beth Israel Deaconess will electronically distribute portions of the security policy, such as the section on maintaining patient confidentiality, and have users provide a digital signature to acknowledge the refresher.
"It's kind of like having a Reader's Digest version that you have to sign every 90 days," Halamka explains.
Ultimately, well-established security policies serve two purposes: setting expectations and consequences, and acting as a deterrent to those who may think about doing inappropriate things.
"I do not proactively search the log files for evil-doers, but I do make it known that we are logging everything people are doing," says Gary Lee, director of global IT infrastructure at PerkinElmer, a manufacturer of medical and pharmaceutical research instruments.
ConQwest's Drolet says she discovers unauthorized applications, hacker tools and spyware on the vast majority of users' desktops she evaluates. During one security assessment, she discovered an employee was hosting a swingers club Web site on his company's network, and routinely sent out invitations with nude pictures of himself and his wife via the company's e-mail server.
Everyone has heard tales of those who violated -- intentionally or unintentionally -- security and acceptable use policies. The content filter and traffic monitoring vendors will tell stories of the CFO caught surfing porn sites half the day, or the sales rep nabbed for leaking a contact database to a competitor. These types of abuses hurt business in terms of productivity and competitiveness and open the door to legal liabilities from downstream attacks, pirated copyright materials and sexual harassment.
But not all violations warrant termination. Drolet says smart enterprises take a measured approach, using a combination of policy awareness, discreet monitoring and, as a last resort, punitive action.
"Companies are stepping up and creating policies with teeth, but the punishments vary depending on the severity of the violation," she says. "Most organizations aren't Draconian. They put the policies and enforcement technologies in place, but most want to continue the honor system and only start enforcement when they have to."
For instance, a person caught gambling online at work will receive a verbal warning for the first offense, a written reprimand for the second and termination for the third.
Enforcement doesn't have to be confrontational. Enterprises have a number of options for discreetly enforcing acceptable use policies. For example, if IT discovers someone is viewing porn sites or chatting through IM all day, they can use firewall rule sets, router blacklists and content filters to block the prohibited activity. This keeps the violation quiet and preserves the person's employment.
"What happens is the employee can't complain that the Playboy Web site is unavailable, so it quietly goes away," Drolet says. "A lot of companies are still very open. They don't want to be Big Brother, but they do want the technology to enforce policies when they have to."
Companies like PerkinElmer use content and e-mail filters and URL blockers to keep incidental policy violations to a minimum. "Our policy isn't intended to keep people from doing their jobs, but we do have technology in place to protect the innocent from the porn and hate sites," Lee says.
Likewise, enterprises should implement good security practices to prevent the theft and leakage of intellectual property, such as restricting access to sensitive resources, locking down file directories and configuring desktops and laptops to prevent the installation of unauthorized applications.
Despite all the preventive measures an enterprise can take, users will find ways to violate security policies. Beth Israel Deaconess' Halamka isn't skittish about firing an errant lab tech who can't keep from peeking at an ex-girlfriend's test results. Nor does Lee hesitate to dismiss an admin who persistently surfs XXX sites. Confidentiality, integrity and availability come first, they say.
Is there such a thing as too much enforcement? Advanced Organization's Banning says some people will be made examples of as more enterprises adopt stronger policies and enforcement postures. But most IT and security managers say people should know and understand their security policies and expect the punishments that come with violations.
"It's all a waste of time and money, but it's something we have to do," says Lee. "I have dollars in my budget I wouldn't have to use if people would just behave."
About the author:
Lawrence M. Walsh is executive editor of Information Security.