Management | Russell Mickler

5 Tech Policies You Should Be Reviewing Right Now

Admittedly, we all have a little extra time on our hands this year. Hey, so now's the time to take care of those important management details that help govern the operation of your business!
Technology-related policies reflect management's intent to control its information system. The absence of policies usually reflects poorly in a court of law and in public opinion: if management never communicated a position on technology governance to employees, customers, or vendors, then its "Due Care" obligations could be considered ignored. Management could then be seen as negligent in its handling of an issue, which extends liability and makes it difficult to prove that "reasonable" precautions were taken in preserving customer data, securing network resources, or terminating an employee for cause.
1. Write or revisit your Technology Plan (TP). The TP is a complementary document to your overall business plan and would traditionally be prepared by the executive responsible for technology strategy. It is usually 24 months in scope and identifies how tech spend complements your business strategy. It is an evolving document that lays down principles in how technology will be used and managed within your firm, and how tech relates to your success. This document should help guide your purchasing, management, and deployment of tech indefinitely, and should evolve over time as technology issues continue to shape the macro economy.
2. Write or revisit your Disaster Recovery and Business Continuity Plan (DR/BCP). Think about how critical software and hardware are to the execution of your business strategy. Think about how important years of electronic data are to your ability to do your job. Now think about this stuff being wiped out in a flood, burned in a fire, or just the victim of bad luck - a hard drive failure. After Hurricane Katrina, more than 20,000 small businesses folded on the Gulf Coast because they didn't have a way to recover their electronic data and resume business operations. Now is precisely the time to revisit how data is stored, how it is backed up, how it is moved off-site, and how services would be restored in the event of an emergency.
3. Write or revisit your Acceptable Use Policy (AUP). The AUP is the most critical policy in your Administrative arsenal. It outlines to employees and others who use your electronic resources what rights and obligations they have in using those resources. It is usually the principal document signed at hire that spells out good and bad behavior in using your resources, and it is the governing document that allows an employer to terminate for cause. If an AUP doesn't exist, it's difficult to show that expectations of behavior were ever communicated to employees, and a wrongful termination claim could be mounted. An AUP should be an evolving document, as the threats in IT change roughly every 24 months. Now's the time to really take a look at this again.
4. Write or revisit your privacy policy and your legal liability for protecting personal private information (PPI). Your firm may be subject to federal or state regulations governing the security and privacy of electronic information - of patients, consumers, job applicants, or financial records. Fines are usually assessed on a "per incident" basis, and if you have thousands of records outside of compliance, the liability is enormous. Further, it's best practice these days to communicate to stakeholders up front how you manage PPI and secure it. If you don't have a privacy policy, "Due Care" concerns could be raised that management was negligent in managing the private information of a party, which could result in a civil tort claim for damages. Over 31 states have individual laws governing PPI; that, in addition to the federal laws governing protected classes of information, demands a thorough investigation of your compliance obligations.
5. Write or revisit your procedures governing employee terminations and access audits. Finally, keep in mind the number one security risk for you during these economic times. It's not hackers, viruses, or malware. It's employees, and specifically terminated employees who still have access to your confidential intellectual property. If there was ever a time to revisit those procedures, it's now: verify that employee access restrictions are performed, documented, and reviewed.
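One way to actually verify the fifth point, rather than take it on faith, is to reconcile the HR termination list against an export of directory accounts and flag anything still enabled, or used, after the termination date. The script below is an added illustration, not part of the original post or of any particular product; the HR feed, the account export and its column layout are all constructed for the example.

```python
"""Reconcile an HR termination list against a directory account export.

Added example with constructed data (not from the original post): a feed of
terminated employees and an account export of the kind a directory or IAM
system can produce. Any account that is still enabled after the termination
date, or that shows a logon after it, is an access restriction that was not
performed on time and belongs in the review record.
"""
from datetime import date, datetime

# Constructed HR feed: (employee id, termination date as ISO date).
TERMINATIONS = [
    ("e1001", "2009-03-02"),
    ("e1002", "2009-03-06"),
    ("e1003", "2009-03-09"),
]

# Constructed directory export: (employee id, account name, enabled flag,
# last logon as ISO timestamp or None if the account never logged on).
ACCOUNTS = [
    ("e1001", "jsmith", False, "2009-03-01T17:02:00"),  # disabled on time
    ("e1002", "bjones", True,  "2009-03-11T08:45:00"),  # still enabled, used after termination
    ("e1003", "kchen",  False, "2009-03-10T09:15:00"),  # disabled, but used the day after termination
    ("e1004", "mlopez", True,  "2009-03-12T12:00:00"),  # current employee, not in the HR feed
]


def find_termination_gaps(terminations, accounts, as_of):
    """Return (account, finding, evidence) tuples for terminated staff whose access was not cut off.

    as_of is the ISO date the review is run; an enabled account is reported only once
    its owner's termination date has passed.
    """
    review_date = date.fromisoformat(as_of)
    term_by_id = {emp: date.fromisoformat(d) for emp, d in terminations}
    findings = []
    for emp, account, enabled, last_logon in accounts:
        if emp not in term_by_id:
            continue  # current employee, out of scope for this check
        term_date = term_by_id[emp]
        if enabled and term_date <= review_date:
            findings.append((account, "still enabled", term_date.isoformat()))
        if last_logon is not None:
            logon_date = datetime.fromisoformat(last_logon).date()
            if logon_date > term_date:
                findings.append((account, "logon after termination", last_logon))
    return findings


def terminated_without_account_record(terminations, accounts):
    """Terminated employees the directory export does not mention at all.

    These need a manual check: either the account was deleted (fine, but record it)
    or the HR and directory identifiers do not line up, which hides gaps from the check above.
    """
    seen = {emp for emp, *_ in accounts}
    return [emp for emp, _ in terminations if emp not in seen]


if __name__ == "__main__":
    for finding in find_termination_gaps(TERMINATIONS, ACCOUNTS, "2009-03-13"):
        print(finding)
    print("no directory record:", terminated_without_account_record(TERMINATIONS, ACCOUNTS))
```

Run against a real export, the findings list is the evidence that the procedure was (or was not) performed, and keeping each run's output is the "documented and reviewed" part of the point above. The identifier mismatch check matters in practice: a terminated employee who simply does not appear in the export is not proof of a clean offboarding.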
Policies, procedures, work instructions, and plans are Administrative Controls that reflect management's _intent_. If management's intent isn't communicated, and technology is governed by assumption and intuition, then management isn't "managing" technology - it is hoping for the best without taking on the responsibility to govern it effectively. Now is your chance to reflect on how your intent shows up in the workplace, and how well you've addressed technology "Best Practices" and regulatory compliance as a management team.
R
Info System Security | Russell Mickler

2007 CSI Computer Crime Survey

The 2007 CSI Computer Crime Survey is available for public consumption. Further, an Oct 9, 2007 webcast is available for viewing.
Interesting about this year's survey:
1. The gradual decline of reported incidents (page 14). All of the usual threat metrics are either trending downward or are stable (virus attacks, phishing, IM abuse, telecom fraud, etc.). What is up this year, and quite dramatically, is insider (employee) abuse of Internet access.
2. The fact that 74 percent of respondents spent only 0% to 5% of their annual IT budgets on IT security this last year (page 8). This number is surprising to me. It suggests that the security problem has either become a non-issue or lacks any priority. If the metrics are any indicator, technical vulnerabilities are being contained in corporate America better than ever before, in terms of reported incidents, and that places less emphasis on the security function. Good news for consumers and businesses; bad news for information security consultants and technology professionals. Automation and better-designed products and services are fixing the glaring problems.
3. The effects of SOX on IT security (page 26). This was actually spotted by one of my students - credit where credit is due. The survey suggests that many respondents do not feel that increased IT governance has improved the IT security problem, nor do they feel that the emphasis has moved away from security to governance. The transparency offered by SOX and better IT governance isn't making a difference in information security for the bulk of respondents? Eh? That seems contradictory to the academic view, but maybe techheads in the field feel that the frontline battles are still fought tooth and nail and have nothing to do with better oversight or management. This one is a little hard to read and is counter-intuitive, but it is interesting nonetheless.
R
Info System Security, Systems | Russell Mickler

26 Million Records for Veterans Lost

Extraordinary: http://msnbc.msn.com/id/12916803/

A Veterans Affairs analyst had a disk holding more than 26 million veterans' PPI (Personal Private Information) records stolen from their own home. This kind of problem demonstrates the lack of attention paid to the basic Administrative, Technical, and Physical (ATP) controls that technology strategists use to protect the confidentiality, integrity, and availability of an information system. Above all, it reflects a lack of Administrative control over the movement of data: the records should never have left the agency's premises in the first place.

Yet, almost certainly, no negligence case will be brought against either the government agency or the individual who took the information home without authorization.

Simply extraordinary. A slap on the wrist and an "abundance of caution" warning to veterans. Amazing this isn't being prosecuted under HIPAA given the data came from medical records.

R
www.micklerandassociates.com
