Convergence Q&A

IT Policy Compliance


This month’s column is prompted by feedback from collaborations between physical/corporate security departments and IT departments regarding compliance (or lack thereof) with corporate IT policies that apply to the handling of secure data. The IT departments in most medium and large organizations (and even some small ones) have three critically important policies that directly impact security departments:
• Computer and network use policy — What is and is not acceptable use of the organization’s computers and networks;
• Information systems security policy — Typically requiring anti-virus and other computer and network security be applied to computers and networks; and
• Data classification policy — How data is categorized based on criticality and sensitivity (such as confidential, private and trade secret), to facilitate its protection.
The names for these policies can vary. Some examples are: “Acceptable Computer Use Policy” or “Electronic Media Use Policy”; “Data Security Policy,” “Information Security Policy” or “Network Security Policy”; and “Data Classification Security Policy” or “Data Classification Standard.”
There are many reasons why it is important for security directors and managers to study and understand these policies, as they apply to all computers and networks owned by the organization. Many policies forbid copying organizational non-public data (that would include video stills and clips) to USB memory sticks and other media. The policies also make the manager of a department responsible for policy enforcement.
Data classification and information systems security policies usually establish the concept of “data owner,” “data steward” or “business owner of data” — meaning the data owner is responsible for identifying all of the data that is generated and/or used, and collaborating with a designated person in IT security to correctly classify the data and establish appropriate protective measures. For example, some security investigations material falls into the category of private employee information. Many policies mandate that such information is handled in very specific ways, for both electronic and paper information.
Here are some of the stories from security managers:

Q:

Have any unexpected outcomes resulted from your physical security and IT department collaboration?

A:

According to IT policy, the data generated by our security systems is classified as “Sensitive Information and Critical.” Critical information, by policy, is required to have high-assurance storage (such as RAID hard drives) and specific data backup procedures. Here we had been trying to sell management on the need for upgrading our access control and video front-end systems, and all along there was corporate policy mandating that we upgrade them!
— Security manager, Global high-tech company

A:

We have been sharing video clips with production area managers to support their safety and quality investigations. We recently learned that, according to company IT security policy, the CDs are supposed to be labeled with our company name and the words “Sensitive Information.” We are supposed to have a log of the CDs we issue, and we are also supposed to have written procedures established for destroying the CDs after a certain amount of time. Had any of the information been misused (for example, posted on YouTube), I — the security manager — would have been culpable for non-compliance. Our DVRs store about 30 days of video, and old video is overwritten, so although we didn’t have a written policy covering data destruction, we did in effect have a general 30-day policy.
— Security manager, Global manufacturing company
