IT needs to form joint security partnership with Human Resources

Johannesburg, 20 Jul 2000

The Internet has been the source of many corporate legal and HR concerns. Inappropriate Internet and e-mail content is sparking cases of sexual and racial harassment, making it necessary for Human Resources departments to work closely with IT to develop proper Human Resources frameworks to address the issues.

Not only do the Internet and enterprise intranets serve as conduits for the exchange of inappropriate information, they also open confidential corporate information to significant risk. Threats to corporate content security include malicious computer code unintentionally set loose in the company network by an employee who has downloaded an infected program or opened an infected e-mail, and malicious code intentionally introduced by a disgruntled employee or ex-employee.

"The Internet is not the only area challenging enterprise security," says Jako Voges, Symantec marketing manager for the Middle East and Africa region. "Surprisingly, many intranet employee self-service (ESS) applications are the source of additional threats."

For example, ESS applications can grant employees access to confidential benefits sheets or insurance information. ESS applications are three-tiered: the first tier is the desktop PC, where the employee uses a Web browser; the second is the Web server or application server, where the benefits application or other ESS applications reside; the third tier is the back-end system: payroll, HR or other databases that provide data to the Web server.

"Each of these tiers provides a fertile field for enterprise security threats, ranging from data theft to virus propagation," says Voges. "Internet content filtering and management allows organisations to control and focus Internet usage for increased productivity and decreased liability. Content is scanned and filtered based on lists of sensitivities, specific addresses and context."

Creating an Internet Usage Policy

While companies are not legally required to provide an Internet usage policy, Voges maintains that such a policy can help companies maintain the integrity of their systems against malicious computer programs, and protect them against lawsuits over everything from theft of intellectual property and sexual harassment to invasion of privacy and wrongful termination.

"Internet law is still very confusing, but enterprises with Internet policies in place can protect themselves from unnecessary headaches. Since people and their abuse of technology are the cause of most network security concerns, HR and IT departments must work together to develop a comprehensive and successful Internet usage policy," he says. "As enterprises become more global, and add new systems and technology, Internet usage policies must be continuously revised to reflect greater collaboration, and changes in political, legal, or physical guidelines."

This sentiment is echoed by Piet Opperman, President of the IT Users Council, and spokesperson for the Information Security Institute of South Africa (ISIZA). "Companies with clear and sensible policies that are in line with internationally accepted standards are increasingly being differentiated from those who take a 'wait-and-see' attitude," he says. "Those companies which do not have a security policy, or do not enforce it, will eventually be labelled as being vulnerable to virus outbreaks, hacker attacks or leaks of confidential information. Eventually, their customers will start to question their security capabilities and they will begin to lose business."

"An information security plan is not the IT Manager's responsibility, but rests with top management, who must formally commit themselves to a plan that focuses more on procedure rather than a technical solution," he says.

Communicating and Enforcing Internet Usage Policy

The corporate Internet usage policy should be as clear and available to employees as possible. "Make sure they understand who has access to the Web and when," Voges stresses. "They should also understand the company policy on personal e-mail and Internet browsing. Some companies ask employees to sign a form stating that they are aware of the policy."

According to Voges, the role of 'policy enforcer' falls to HR, with IT often acting as 'hall monitor'.

"Since IT managers don't have the time to meter each and every employee's online behavior, enterprises are increasingly turning to products that aid in assessing and regulating employee usage," he adds.

Content Filtering

Policy-based Internet filtering software enables organisations to scan and filter the content to which employees have access, and restrict content to which they do not want employees to have access. "Policy-based Internet content filtering can be tailored to fit in with your corporate Internet policy, even as the policy evolves," Voges continues. "Software can be customised to meet individual requirements, monitor and automatically alert IT when an employee is outside of the parameters set for his or her group.

IT can report to HR, and HR can follow up with the employee.

"E-mail content can also be filtered. Add that to Internet filtering and good virus protection, and IT is well on its way to protecting network security," Voges concludes.

Symantec

Symantec, a world leader in Internet security technology, provides a broad range of content and network security solutions to individuals and enterprises. The company is a leading provider of virus protection, risk management, Internet content and e-mail filtering, remote management and mobile code detection technologies to customers. Headquartered in Cupertino, Calif., Symantec has worldwide operations in more than 33 countries.

Editorial contacts

Robyn
Symantec
(083) 212 0898