User Monitoring: Sacrificing the privacy of few to protect the information of many?


Or: How far should IT managers go to protect corporate data?

By: Dominique Levin
VP Marketing & Strategy

A conflict is brewing in corporate America that rivals the ethical debate between philosophers such as Immanuel Kant (footnote a) and John Stuart Mill (footnote b). How far can companies go to protect data? Can companies play “Big Brother”, violate employee privacy and monitor employees in order to protect data? What if the act of violating employee privacy actually protects the privacy of many more? For example, what if monitoring nurses protects the privacy of patients’ healthcare records?

Immanuel Kant might have said that ethics are absolute and you cannot violate the privacy of employees, even if monitoring employees would result in a ‘greater good’. John Stuart Mill, on the other hand, might have chosen the ‘greater good’ and sacrificed the privacy of a few consenting employees (you can always go work somewhere else) to protect the privacy of many.

In an April 28, 2009 Network World article, appropriately titled “Can you no longer avoid closely monitoring employees?”, one IT manager speaks openly about the delicate balance of real-world information protection. "There's a balance," says Max Reissmueller, senior manager of IT operations and infrastructure at Pioneer Electronics USA Inc. in Long Beach, Calif. "I wouldn't want managers coming to me to keep an eye on a particular employee, wondering what they are doing every minute." At the same time, Pioneer is determined to protect its intellectual property, customer-service lists and other sensitive data. "I don't want a disgruntled employee trying to take a bunch of information," Reissmueller says.

Gartner Inc. analyst John Pescatore agrees and says the key word to think about is how "closely" to monitor employees. In other words, it’s not about watching every employee’s every move, but it is fair to protect an organization’s crown jewels, and it is perhaps even mandatory to protect the personally identifiable information entrusted to an organization by its customers.

Sarah Cortes is a former senior security executive at a financial services firm with $500 billion in assets under management and over 20,000 employees. In her blog “Database logging and privileged access control” of April 21, 2009 she recounts that each morning, she would take responsibility for reviewing lists of accounts with privileged access to high-risk data. This means reviewing the lists of people with access to “High Risk” data such as customer balances and account values.

She reminds us that ship captains have long started their days by initialing log entries.

If the task of reviewing lists of privileged users and their access patterns sounds daunting, then perhaps you have given too many people access to sensitive information. Sarah has some very simple rules of thumb:

Even at an enormous firm, the number of privileged IDs with access to high-risk data should be short enough for a busy executive to personally review.

The number of people with write access to “High Risk” data should be between zero and three, and you should know those people by name very well.

It is both feasible and reasonable for senior executives to personally review this information and record that they have done so.

There are no specific standards or frameworks telling you how to create the reports Sarah describes or what to include. Regulatory frameworks indicate only that this type of review should be defined by each organization and put into place. Whether it is daily, weekly, or monthly, and what exactly it includes, will be up to each organization, compliance officer and CISO, depending on its businesses and risks.

Here are some general considerations for specifying these reports:

1) Define “High Risk” information for your organization. Start small by defining only the most sensitive information.

2) Identify the “Data Owner” for each category of “High Risk” information. The data owner is the executive who will review the lists of privileged users and their actions.

3) Locate database tables and directories with “High Risk” data. This is more difficult than it sounds, but new technologies make it easier.

4) Audit user accounts with access rights to this data. Who should have access to “High Risk” data? You may want to reduce the list to a manageable number. Also, you probably want to generate a report specifically showing any new privileged account creations and privilege modifications to ensure these are authorized.

5) Audit access to database tables and directories with “High Risk” data. Create automated daily reports to be sent to the Data Owner. Individuals accessing the system should be aware that access is monitored and reports are reviewed. Ideally, individuals who access controlled systems should not have access to update or modify the scripts and/or software that produces the security reports.

6) Include all changes to “audit” status. Don’t forget to also generate a report that will tell you whether in the prior 24 hours audit logging was turned on or off.
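To show what steps 4 to 6 look like once automated, here is an added example (not code from this post or from any product it mentions) that builds the Data Owner's daily report from a constructed database audit trail: who currently holds write privileges on the “High Risk” tables and whether that number stays within Sarah's zero-to-three rule, which privileges were granted or revoked in the last 24 hours, every access to a high-risk table, and whether audit logging was switched off. The log format, table names and user IDs are all assumptions made for the example.

```python
from datetime import datetime, timedelta
# Constructed sample audit trail for the example (not real data); one event per line.
HIGH_RISK_TABLES = {"customer_balances", "account_values"}
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE"}
REPORT_TIME = datetime(2009, 4, 21, 18)  # when the daily report is generated
SAMPLE_LOG = """\
2009-04-20T07:00:00 GRANT user=rjones table=customer_balances priv=UPDATE by=dba1
2009-04-21T08:12:03 GRANT user=jdoe table=customer_balances priv=SELECT by=dba1
2009-04-21T09:40:11 ACCESS user=jdoe table=customer_balances op=SELECT
2009-04-21T10:05:42 GRANT user=msmith table=account_values priv=UPDATE by=dba1
2009-04-21T11:00:00 AUDIT state=off by=dba2
2009-04-21T11:02:10 ACCESS user=dba2 table=account_values op=UPDATE
2009-04-21T11:10:00 AUDIT state=on by=dba2
2009-04-21T12:00:00 ACCESS user=jdoe table=employees op=SELECT
2009-04-21T13:00:00 REVOKE user=rjones table=customer_balances priv=UPDATE by=dba1
"""

def parse(line):
    ts, kind, *fields = line.split()  # 'TIMESTAMP KIND key=value ...' -> dict
    rec = dict(f.split("=", 1) for f in fields)
    rec.update(ts=datetime.fromisoformat(ts), kind=kind)
    return rec

def daily_report(log_text, now, high_risk=HIGH_RISK_TABLES, max_writers=3):
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = [e for e in events if e["ts"] >= now - timedelta(hours=24)]
    # Step 4: current write-privilege holders, replayed from the whole history so revokes count
    writers = set()
    for e in events:
        if (e["kind"] in ("GRANT", "REVOKE") and e["table"] in high_risk
                and e["priv"] in WRITE_PRIVS):
            (writers.add if e["kind"] == "GRANT" else writers.discard)(e["user"])
    # Step 4: privilege grants/revokes on high-risk data in the last 24 hours
    priv_changes = [(e["kind"], e["user"], e["table"], e["priv"], e["by"]) for e in recent
                    if e["kind"] in ("GRANT", "REVOKE") and e["table"] in high_risk]
    # Step 5: every access to a high-risk table in the window
    accesses = [(e["user"], e["table"], e["op"]) for e in recent
                if e["kind"] == "ACCESS" and e["table"] in high_risk]
    # Step 6: audit logging switched on or off in the window
    audit_changes = [(e["ts"].isoformat(), e["state"], e["by"])
                     for e in recent if e["kind"] == "AUDIT"]
    return {
        "writers": sorted(writers),  # rule of thumb: zero to three named people
        "writers_within_limit": len(writers) <= max_writers,
        "privilege_changes": priv_changes,
        "high_risk_accesses": accesses,
        "audit_status_changes": audit_changes,
        "audit_was_disabled": any(s == "off" for _, s, _ in audit_changes),
    }
```

Running `daily_report(SAMPLE_LOG, REPORT_TIME)` on the sample shows rjones dropping out of the writer list after the revoke, the UPDATE performed by dba2 during the ten minutes audit logging was off, and the non-high-risk `employees` access filtered out of the report.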

Footnotes:

(a) Kantian Ethics. Immanuel Kant encouraged choosing the right, moral path regardless of the consequences. Even in circumstances that would render negative consequences as a result of pure intentions, Kant argues that one should adhere to pure intentions and that their maxims should always reflect those intentions.

(b) John Stuart Mill’s Utilitarianism. Stripped down to its essentials, utilitarianism is a moral principle that holds that the morally right course of action in any situation is the one that produces the greatest balance of benefits over harms for everyone affected.
