Do personal issues within a company pose a risk to the enterprise?

In this SearchSecurity.com Q&A, security management expert Mike Rothman unveils how to manage and address a potential risk within your corporation.

Does a personal bankruptcy of a member of the senior financial staff pose a significant risk to the enterprise? What policies should be in place to deal with such a scenario?

Any personal issues create potential risks in an enterprise. The employee could be distraught; he/she could be in desperate financial straits and do things to endanger your enterprise. This isn't as much of a security issue as it is an HR issue. Let's discuss the HR issues first. Consider getting the employee counseling. Of course, you don't have to, but you should. In fact, unless you are a small corporation of fewer than 25 employees, an employee assistance program should be a standard benefit. Employees are the lifeblood of a business, and the enterprise needs to support them -- especially in times of need.

From a risk management standpoint, assuming the person is stable, it would be advisable to keep a relatively close eye on what they are doing for a period of time. Again, desperate times tend to result in desperate measures. You never want to assume that people (especially senior people) are going to do the wrong thing, but you need to be cautious and have checks and balances to rule out any foul play.

What should be done exactly? Examine the Sarbanes-Oxley Act, which focuses on strong financial controls. Now, I'm not saying go and get fully SOX compliant when there may be no need to do so, but make sure you have adequate controls in place and a proper separation of duties. It's also a good idea to close the books for a period of time every month to make sure you don't have disappearing assets. Doing an off-cycle audit is another precaution that can prove to be beneficial. Maybe some of these things are overkill, but the point is to make sure you have the proper instrumentation in place to know when there's a problem.

From a policies standpoint, it's about communicating company expectations to employees. I don't see any need for action here, since your employee handbook and other policies should spell out acceptable behavior and ramifications for violations.

What can't be minimized are the softer issues of employee support. A personal bankruptcy is one of the most stressful things that can happen to a person. If you can head off any issues at the pass by proactively offering support and counsel, small costs now will pay huge dividends later, as these kinds of actions really engender a lot of loyalty in the employee base.

This was last published in June 2007
