Subscribe to
Computerworld Opinion: Four good reasons for Security to talk to HR
Dogs and cats living together? Yes, but necessarily so
More In Security
- Not where you think they are
- When disaster recovery's down to you
- At the airport, an ID theft takes flight
- Goodbye to the Year of the Fire Pig
- Mixing open- and closed-source, managing risk
- Privacy and piracy: What are we telling the kids?
- Security and the One Laptop Per Child sensibility
- Ghosts in the machine, spooks on the wire
- Find them and fire them: 5 steps
- Hard times on the HIPAA front
- You don't want to hear it: 10 pieces of lousy security advice
- Oh, don't tell me: 10 claims that scare security pros
 The Security Zone
With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones
|
March 18, 2008 (Computerworld) Neither IT nor security managers fire people in most organizations. That plain reality seems to escape some in the industry, where offended security administrators declare that disabling the antivirus program is grounds for demotion or an IT manager finding unlicensed media makes arrangements for someone to make the cardboard box commute.
Too often, security folk are surprised and disappointed when the perpetrator is just slapped on the wrist, or the incident is quietly tabled without reprimand. Why the disjoint? Because they didn't coordinate with human resources, and because there's no clarity about the severity or risk from the behavior, even incidents that ought to garner serious attention don't.
The solution is to get right with Human Resources long before the incident. I know -- like dogs and cats living together, the notion of touchy-feely HR personnel working together with hard and graceless IT security geeks may portend the coming of the End Times. But there are a handful of topics that require collaboration. By addressing them before there's an incident, a lot of pain and frustration can be avoided.
Identity and authentication
The initial establishment of identity for a new hire -- involving driver's licenses and W-2 documents -- is a management task specific to HR. When identity is established, and the person who showed up is sufficiently authenticated as that person, we say that initial identification and authentication or "initial I&A" is complete.
This is never an automated task. This is also never an IT task. If someone shows up at the IT help desk asking for an account and there's no HR record of initial I&A, all sorts of alarm bells ought to go off. Unless there's a specific exception -- perhaps the granting of temporary IDs to vendors when a business unit's contract serves as initial I&A -- IT should never, ever be in the business of determining if a person exists or not.
It's one of the most common errors I see, but initial I&A ought not be confused with the implementation of roles and rights. Only after the management decision to hire someone is processed by HR can a person's online persona be connected to a set of tasks, a specific role, a salary and the other trappings of a job. Confusing these different steps means stepping on HR's toes, after which conflict, confusion and weakened security are inevitable.
Acceptable behavior
IT may be a gatekeeper, but it is not the arbiter of all things ethical. Again, that's HR's job, even if an IT director or security officer authored an "acceptable use" policy under the umbrella of IT policy. IT frequently falls down the rabbit hole of trying to define ethical behavior for an organization in the context of its computer systems and resources.
Today's Top Stories
Resource Alerts
Webcasts
Web Threats Don't Discriminate
The Secure Web Gateway. Mission Critical For Business
Dynamic Data Center and Virtualization Drives Operational Excellence at Emory Healthcare
Editor's Picks
Clues point to Jan. 13 release of Windows 7 beta
Microsoft releases Vista SP2 beta
Obama's DHS pick may find support for raising H-1B cap at confirmation hearing
IBM wants info from Apple execs in Papermaster case
License server glitch exposes SonicWall users to e-mail security threats
Report: Former AOL chief exec tries to raise funds to buy Yahoo
 Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day.New baits 
|
|
 |
|
Patrick Thibodeau: Satellite images of U.S military bases Which is more important? Helping terrorists or protecting military bases? Answer: protecting Web 2.0 ... [more] |
| White Papers  Read up on the latest ideas and technologies from companies that sell hardware, software and services. | ||||||
|
