Although there is a huge responsibility on company directors to ensure governance, risk and compliance policies are implemented, most companies do not have clarity on who manages this critical area of the business.
J2 Software managing director John Mc Loughlin says governance, risk and compliance should be a real priority for company directors, especially considering the liability they face.
"With changing laws and governance procedures, more duty is placed on directors to protect against ICT governance and security risks. Without clear direction and accountability, these companies can be left exposed to a number of risks. There is no space for any ambiguities; the drive needs to come directly from the highest executive level."
Directors have a duty to protect their company's information and the personal information of its customers. In many cases, not enough is done to guard against foreseeable risks. Through these new laws and good governance practices, company directors are required to have preventative, quantitative and corrective measures in place to protect their organisation from risk. Non-compliance can have dire consequences, including directors being held personally liable or jailed.
The challenge most companies face is to implement and enforce policies in an unobtrusive manner, covering their legal requirements without preventing staff from doing their jobs. There are precise requirements for ensuring users are aware of the organisation's various ICT-related policies, which could include acceptable use policies, information security policies, and e-mail and Internet policies.
The company will have to prove that it has taken the necessary steps to inform its users of these policies. It is not enough to have employees sign a mass of documentation when they start at the company; three distinct steps must be covered. The company must ensure that all users are aware that the policy exists, that they understand and agree with its contents, and that they have accepted its terms and conditions.
Mc Loughlin says the most effective and concrete way is to provide an automated click-through method to get the policy out to all users across the network. "The most effective method is to provide the requirements electronically to the users. The solution needs to provide the platform to explain and distribute the policy to all users and then give the user the ability to go over these terms, see it, agree to it and accept it."
This entire process also needs to be recorded and stored for future reporting. A bare OK button is not acceptable; every step must be logged for future reference. The same mechanism is also very effective and saves time when changes and policy enhancements need to be fed to users.
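The record-keeping described above, as an added example that is not code from the original article and not part of SystemSkan: each acknowledgement is bound to the SHA-256 of the exact policy text (so a revised policy is not covered by old acknowledgements), the three required steps are tracked per user, and the records are hash-chained so that later editing or deleting one is detectable. The class, field and step names are assumptions for illustration.

```python
"""Policy acknowledgement audit log.

Added example, not from the original article or from SystemSkan. Records that a
user was made aware of, understood and accepted a specific version of a policy,
in a form that can be verified later. Names and structure are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# The three distinct steps the acknowledgement process must cover.
STEPS = ("aware", "understood", "accepted")


def policy_digest(policy_text: str) -> str:
    """Bind acknowledgements to the exact wording: a revised policy gets a new digest."""
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of every field except entry_hash itself, canonically serialised."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


@dataclass
class AckLog:
    """Append-only, hash-chained list of acknowledgement records."""
    records: list = field(default_factory=list)

    def record(self, user: str, policy_name: str, policy_text: str,
               step: str, when: Optional[datetime] = None) -> dict:
        if step not in STEPS:
            raise ValueError(f"unknown step {step!r}; expected one of {STEPS}")
        prev = self.records[-1]["entry_hash"] if self.records else "0" * 64
        entry = {
            "seq": len(self.records),
            "user": user,
            "policy": policy_name,
            "policy_sha256": policy_digest(policy_text),
            "step": step,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": prev,  # links this record to the previous one
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.records.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """False if any record was edited, removed or reordered after the fact."""
        prev = "0" * 64
        for i, e in enumerate(self.records):
            if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def status(self, user: str, policy_name: str, policy_text: str) -> dict:
        """Which of the three steps the user has completed for this exact policy text."""
        digest = policy_digest(policy_text)
        done = {e["step"] for e in self.records
                if e["user"] == user and e["policy"] == policy_name
                and e["policy_sha256"] == digest}
        return {s: s in done for s in STEPS}

    def is_compliant(self, user: str, policy_name: str, policy_text: str) -> bool:
        """True only when every step has been recorded against the current policy text."""
        return all(self.status(user, policy_name, policy_text).values())


if __name__ == "__main__":
    # Constructed sample: a short acceptable use policy and one user acknowledging it.
    aup_v1 = "Acceptable Use Policy v1: company systems are for business use only."
    log = AckLog()
    for step in STEPS:
        log.record("alice", "AUP", aup_v1, step)
    print("alice compliant with v1:", log.is_compliant("alice", "AUP", aup_v1))
    aup_v2 = aup_v1 + " Removable media is read-only."
    print("alice compliant with v2:", log.is_compliant("alice", "AUP", aup_v2))
    print("log intact:", log.verify_chain())
```

The chain only proves that the stored records were not altered after the fact by someone with write access to the log file; protecting the log itself (separate write-once storage, or signing the head hash periodically) is a separate concern that this example does not cover.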
He says the next step is enforcement of the policy and governance procedures. "Of course, you cannot measure what you cannot see. This means you need to actively track, monitor and control what users do with the resources of the organisation; this gives you visibility. You also need to ensure your rules and permissions are simply and proactively enforced. So you have to be able to define and then enforce what files, folders and applications the users can access and use.
"Finally, you need to control the other areas of risk. These refer specifically to high-risk points which are responsible for data loss and will include external, unsecured Internet-based e-mail systems which allow for easy data loss and time wasting; USB devices, which can be used for data theft and are also a big threat of virus infections; SD cards and CD/DVD devices," he explains.
These devices may need to be used in specific instances, but their use must be controlled and monitored. Companies need to set appropriate policies for these devices, which could mean allowing users to read from the devices but not copy any information to them or run applications from them. This covers the organisation against internal abuse as well as external loss.
He points to SystemSkan as the ultimate solution. "SystemSkan does all of this in a simple and single application which is easy to administer and control. We have been saving our clients time, cutting costs and decreasing bandwidth usage by cutting out waste.
"One of our clients cut out social networking problems that were costing the client in excess of 68 man hours a week. This made a massive direct saving for them and amounts to 272 man hours, or an additional 34 man days of productivity, a month. Another example is an SME client in the property industry, using 25GB of Internet bandwidth a month. After installing and enforcing with SystemSkan, this came down to 6GB. It is a massive saving."
SystemSkan in a corporate or government environment:
* Secure access to files and intellectual property.
* Ensure employees are productive and focused.
* Track and control access to all information.
* Ensure network resources are utilised appropriately.
* Provide access to the Internet for employees with the confidence that access will be managed and that they will not be wasting valuable company time or using unauthorised Web-based mailing systems (e.g., Hotmail, Yahoo).
* Control end points and external devices.
* Provide managers with tools to know who is doing what on the network and when.
* Ensure employees know they are accountable for their actions.
For more information, contact J2 Software on 0861 00 J TWO (5896) or e-mail john@jtwo.co.za.
J2 Software
J2 Software is a leading South African information technology security company. While most organisations are now starting to realise the impact of data theft and abuse of IT resources by employees, J2 recognised the need to protect against this activity some time ago. J2 Software was born after the founders identified an opportunity in the information technology market in South Africa and the rest of Africa. It saw a growing need for information security solutions which were comprehensive, simple to deploy, easy to use and good value for money. After tireless searching and investigation, J2 Software was officially launched in 2006.
Shortly after inception, the customer list of J2 Software started to grow rapidly; and this continues to be the case to this day. J2 Software has provided services and solutions to numerous renowned, forward-thinking companies with sites running in South Africa, Angola, Botswana, Kenya, Malawi, Mauritius, Mozambique, Tanzania, Uganda and Zambia.
J2 Software provides solutions and services to various organisations that have a requirement to secure their sensitive information as well as implement, monitor and enforce internal security policies. In recent times, organisations are placing a far higher priority on the security, accountability and control of their most prized asset, their information.
Adding to this is the ever-growing pressure being placed on companies and their directors to maintain the security and control of the sensitive data of their clients, as well as the necessity to conform to various local and international compliance regulations.
With the continued rise of identity theft and confidential data leakage, the need for our product offering is not only an advantage, but an absolute necessity.