Showing posts with label Data ownership. Show all posts

Thursday, 31 May 2007

Maybe some progress at last.....

Well, well.... Maybe we’re getting somewhere. If you’ve read my previous posts you’ll know that there isn’t much support at my company for InfoSec in general, let alone any specific requirements, and I’ve been trying to find alternative ways of educating people. It looks like some of it has struck home.

The HR bod in charge of the company’s weekly newsletter has asked me to write a piece on “that InfoSec stuff you keep going on about” for the newsletter. I’ve agreed (obviously) and have said I’ll do a personal profile as well. Most of the directors have written profiles in the last few weeks so I’m jumping on that bandwagon!!!

Next, the company recently employed a Service Delivery Manager (SDM) to work within the IT department. This was a major step in the right direction as far as I was concerned as, under the previous IT Director, there was no understanding of “service” at all. In the past, the IT department appeared to have an attitude of “we’re allowing you to work” rather than “we’re enabling you to work”. The SDM has been making quite a number of good changes, not least of which was the identification (after a little prompting from me) that our corporate data had no owners. Network directories and folders were used and abused by anyone and everyone. People were added to email distribution lists and given access to “restricted” folders etc. etc. without any sort of authorisation process.

So, the SDM has kicked off a process to review the way access permissions are requested, authorised and granted and has invited me and the Support Manager to a meeting to discuss it.

This is progress. Hurrahh!!

I just wonder why people have accepted his statements that such measures are necessary but rejected my previous statements along the same lines. I’m not going to complain about it, it just interests me why the difference in response.

I suspect it’s a question of him being on the “inside” of IT and me being on the “outside”. If that’s the case, I just have to find other “insiders” to educate with a view to them raising issues for me, without them realising it, of course.

Thursday, 10 May 2007

Data ownership

I read Rob Newby's post about "data classification" with interest as the implementation of such a process has been on my "to do" list for a while. To paraphrase my comment to him, "I think Data Classification is one of the fundamental first steps in a good InfoSec programme". The point is, until you know how important the data is, how long it needs protecting for and who should have access to it, it is impossible to get the data security environment set up correctly.

And therefore, protect your data adequately.

So, on to my particular issue. I have discussed data classification schemes in the past within The Company and not had much interest. Despite using the obvious scaremongering tactics and some pretty high profile internal snafus, no one really gave a proverbial.

So, how do I make people take notice?

Well, a while ago, I found out that our directory access control settings were all over the place. People had access to stuff they didn't need and in some cases, didn't even know about. After investigation, it appears that to be given access permissions to a certain directory, you just had to "fill in a form". The process of authorisation didn't really exist.

Although strictly speaking this isn't "data classification", it is linked.

It sparked a debate in which I suggested that the IT department should review the process of assigning access permissions and improve it. They misunderstood and said it was not their responsibility to decide who has access to what. Of course it isn't, but they have a responsibility to ensure that the requests are properly authorised and that the environment is maintained correctly.

So, where are we now? Well, The Service Delivery Manager is involved and we have agreed to raise it at the next IT User Group Meeting with a view to getting buy-in from the business.

Here lies the core issue. In previous discussions, it's been a case of "it's not my responsibility" from both IT and the business units. The process of breaking that down is one of enlightenment. Once both "sides" understand where they fit into the whole picture, they "should" agree to take ownership a lot more easily.

Now to the link between "data classification" and "access control". Once the business units have accepted responsibility for specifying who can access what directories / folders, it should be a far easier "sell" to get them to accept responsibility for determining who should see what specific data. That being true, the subject of "data classification" springs up, as if by magic!!!!