Give the IT department a helping hand


July 29 2004


When it comes to e-mail and instant-messaging security policies, IT departments often face the worst of both worlds: they bear most of the responsibility for creating and enforcing basic security policies, while most of the need for these policies involves information that is unrelated to IT, such as the protection of confidential financial or personnel information.

For example, in a recent survey we conducted on messaging security, we found that IT management is “involved” or “heavily involved” with the creation of basic e-mail and IM security policies in about 90% of organizations, while in fewer than 30% of organizations is HR this involved and in fewer than 20% of organizations are line-of-business managers this involved with the creation of these policies.

However, our survey found that IT departments would really like a lot more involvement from other parts of the organization in creating and managing policies. For example, as part of the study we asked IT people the extent to which they agreed with the following statements:

- “Our IT function would like technology that could help them engage other parts of the organization in policy creation and enforcement activities.”
- “Our IT organization would like a way to enable other parts of our organization to manage the enforcement of policies for acceptable use and regulatory compliance.”

More than 50% of the IT people we surveyed either agreed or strongly agreed with both statements.

What this means is that IT departments have been charged with the primary responsibility for not only creating, but also managing and enforcing policies that really should be the primary responsibility of the functions within the enterprise that own the protected data. In other words, while IT should be charged with the implementation of technologies that help create and manage policies, other functions need to have a greater role in creating and managing the policies that protect their own information and practices.


 

Reproduced from an article published by NetworkWorld Fusion
© NetworkWorld Fusion

The original article can be viewed here:
http://www.nwfusion.com/newsletters/gwm/2004/0726msg2.html
