The employee's role in protecting information assets


Computers & Security, 8 (1989) 487-492

The Employee’s Role in Protecting Information Assets

Belden Menkus

Individuals with computer security responsibilities appear to share one problem in common. They report very consistently that employees are reluctant to treat the organization’s information holdings as assets that should be protected. This attitude is reflected in incidents of reported employee indifference to the damage created by some computer viruses and by the apparent resurgence of business espionage. The latter problem is highly likely to result from employee willingness to share, and even to sell, sensitive information that actually belongs to the organization for which this person works.

Apparent employee unwillingness to protect an organization’s computerized information assets seems to be heightened by an idea propounded by some microcomputer networking enthusiasts. These people contend that everyone who works for an organization should have unlimited access to all the information that it possesses. This practice is supposed to improve job performance. However, it is more likely to lead to increased friction between individual employees, as well as between some employees and the organization’s management. And the unauthorized exposure of sensitive information can lead to greater problems with both Government regulatory agencies and competitors engaged in the collection of business intelligence. There may be some information about individual job performance or a person’s exposure to certain hazards in connection with being an employee that an individual may have a relatively unqualified right to have access to. But unlimited employee access to all of an organization’s information assets is not considered a basic condition of employment. An organization’s management does not appear to be obligated to provide any or all of its employees with such access.

© 1989, Belden Menkus

The employee’s protection of an organization’s information assets is a critical issue in computer security. It is pointless to attempt to secure an asset when those who ordinarily would use it are unwilling to protect it.

The Employee’s Obligation

It is generally agreed that one of the basic responsibilities of an organization’s management is to take prudent and reasonable measures to protect all of its assets. That responsibility extends to its information assets. In many instances, including government, insurance, and banking, the organization’s information holdings have become its largest and most valuable asset. Employees commonly are held to share in this asset protection responsibility. This stems from the classic legal concept that a servant (employee) was obligated to safeguard a master’s (employer’s) possessions. Specifically, he or she was not to give or sell any of them to others, or to convert them to his or her own use. This general asset protection obligation has been supported in the United States in numerous court cases and labor arbitration proceedings.

0167-4048/89/$3.50 © 1989, Elsevier Science Publishers Ltd.

B. Menkus / Protecting Information Assets

Unfortunately, in most organizations this obligation to protect its critical information assets has not been established as part of the standard conditions of employment. Thus, for example, where that has not been done in a structured fashion, an organization’s professional and technical employees feel they are free to share unlimited amounts of its sensitive, and even proprietary, information with others in their particular profession. This information transfer increasingly is occurring by sharing database contents on diskette copies or through microcomputer-to-microcomputer transfers. The unauthorized transfer of information assets also occurs when one of these employees moves to a position in another organization and retains personal copies of database content in which a personal interest is asserted. This latter practice is justified, it seems, by a belief that the future of the individual’s work must rest upon the artifacts of that person’s prior work. This data is considered to be an important part of those artifacts, even when it actually belongs to the former employer.

Information is an Asset

The concept of treating information as an asset is still relatively new. Neither the law nor the corporate culture has significant experience in dealing with this idea. The exposure to compromise and loss through the accumulation of massive amounts of information in an erasable and easily transportable form is complicated by several other factors.

(1) Information assets are intangible. Most people continue to find it difficult to envision bits and bytes. They can understand, however, marks on pieces of paper that can be touched and read. This explains why so many people continue to insist on working with paper copies of files and reports, even when the same information is readily available in electronic form.

(2) Information assets do not appear as identifiable items on the organization’s profit and loss statement. Unfortunately, it continues to be assumed that what cannot be seen has no value. It appears to be assumed further that since the investment made in accumulating information does not appear on this statement, there is no residual value in these holdings. This idea explains, for example, why casualty insurance underwriters and organizational risk managers typically limit the value of computer files to the relatively modest blank-stock replacement cost of the magnetic media on which they reside.

Where information assets are not valued properly it may prove difficult, for example, to secure sufficient funding for post-disaster data processing recovery provisions. It may even be impossible in such an environment to apply conventional cost justification standards to needed computer security measures, because the value of the asset to be protected has been set at an unreasonably low figure.

(3) An inadequate distinction is made between conventional employees and contract “outsiders”. This situation is an outgrowth of the rapidly increasing use of specialized consultants, particularly in marketing and engineering, as well as in the organization’s data processing activity. In particular, contract programmers, computer and telecommunications hardware servicers, and the representatives of both hardware and software vendors are often given almost unlimited access to all sorts of highly sensitive information assets.

Often these outsiders develop long-term relations with an organization and begin to be treated by all concerned as though they were among its regular employees, particularly in terms of having access to the organization’s information assets. Unfortunately, they are not employees and they have no clearly defined obligation to protect those assets, unless they are obligated as part of this ongoing relationship to protect them. Usually this is done by incorporating into the contract or agreement governing this relationship an obligation to comply with the organization’s policy statements on data security maintenance and non-disclosure of confidential information.


Computers and Security, Vol. 8, No. 6

Two conclusions may be reached about this situation. First, management’s failure to define policies such as these can lead to an open season for the theft of the organization’s secret data. Secondly, it is unrealistic to expect to discipline effectively, to discharge, or to take legal action against either a regular employee or a person engaged under contract if the action appears to be arbitrary or is not backed up by evidence that the offender understood management’s policy.

Establishing Formal Protection Policies

The three policy documents to be discussed are models. Their contents should be modified to meet both local legal requirements and the organization’s own operating needs. The final versions of these documents should be reviewed by the organization’s legal counsel before they are issued.

Each policy should be supported by some sort of document in which the individual involved acknowledges that the contents of its statement are understood and that their application to his or her work is recognized. This acknowledgement might be developed as a standard form with at least four copies. In addition to the copy retained by the person signing the acknowledgement, other copies might go to the organization’s personnel department or contract administrator, to the data security administrator as the basis for adding this individual to the registered user ID file, and, when appropriate, to the employer of a contract programmer, consultant, or other outsider involved in this process.

Contract programmers, consultants, equipment service representatives, and others in a similar relationship to the organization should be required to sign individual acknowledgements, rather than to have a blanket version of the document signed by their employer. It may be necessary to amend standard contract forms to require that this acknowledgement be signed as an integral part of establishing a relationship with the organization. The existence of such an acknowledgement provides a basis for enforcement of that particular policy.

Management’s response to a violation of one of these policies will be determined by the perceived severity of the compromise of the information in question. This reaction may be nothing more than a simple administrative reprimand, involving, for example, retraining or reassignment of the individual in question to other duties. However, in the case of repeated policy violations or an extremely significant compromise of sensitive information, immediate dismissal may be called for without payment of severance or termination monies. The organization may even decide to initiate legal action against this person.

Data Security Maintenance Policy

This policy relates generally to the duties of an employee and should be applied only to those information assets that can be demonstrated clearly to be critical to the organization’s economic survival or competitive well-being. It is neither realistic nor legally feasible to attempt to protect every piece of information that an organization may hold. When challenged, the way in which this policy is implemented should be able to meet the legal test of reasonableness. Generally, the information assets to which this policy will be applied will fall into two categories. The first covers that information which clearly is sensitive or proprietary in nature and whose unauthorized disclosure, loss, or compromise would adversely affect the continuity of the organization’s business activities. The second category relates to those unique bodies of information whose creation or accumulation reflects a major investment of organizational funds, and whose re-creation would require an equal, or most likely even greater, investment.

Policy Content

The policy itself should have at least these provisions.

(1) The policy applies to every location at which the organization’s data are stored and processed. It covers all of the data terminals, microcomputers, network servers, and associated equipment at these locations. It includes, but is not limited to, system and application software, and its associated documentation; user IDs, passwords, and similar access codes and devices; data files, magnetic and optical data storage media, and paper output from any of these.

(2) The policy applies to any regular or contract employee, consultant, or service-provider representative who has regular authorized access to the organization’s information assets. The provisions of this policy must be acknowledged in writing before someone to whom it applies will be allowed to have access to those assets. This acknowledgement must be reaffirmed in writing on the anniversary of the day on which this person was employed or engaged.

(3) The organization accumulates and uses certain information that it considers to be significant assets with an identifiable value. Some of this information it may hold and use under license from the firm that creates or accumulates it. The organization intends to protect this information to the extent, and with the vigor, that it protects all of its other significant assets.

(4) All regular and contract employees are expected to participate actively in safeguarding these information assets. As an integral part of this participation, they will not deliberately do the following.

• Modify or delete any part of this information, if doing so will misrepresent their own actions, the actions of others, or events or conditions associated with those actions.

• Disclose any part of this information to anyone not authorized specifically to have access to or knowledge of it. Regular and contract employee access to the organization’s data processing facilities, including the program and documentation libraries, databases, microcomputers, terminals, and documents associated with them, will be on a strict need-to-know basis.

• Compromise or circumvent controls and procedures designed to protect this information. This will call for such things as not revealing to, or sharing with, others passwords or other access codes; abiding by the physical circulation controls applied to data processing and telecommunications sites; and ensuring that vendor representatives and other authorized visitors to these sites are escorted during the entire time that they are within these premises. In particular, this will call for avoiding efforts to prevent the routine identification and recording of access to, and use of, the information assets covered by this policy.

Employee Non-disclosure of Sensitive Information Policy

This policy provides that a regular or contract employee will do the following.

(1) Create, modify, install, maintain, or delete certain sensitive, confidential, or proprietary programs or database content only under the direct supervision of an authorized representative of the organization’s management. And this material will not be copied or modified without the specific authorization of that representative.

(2) Keep the content of these programs and databases strictly confidential throughout, and for at least 24 months after the end of, the individual’s service with the organization. Most proprietary, sensitive, or confidential information loss occurs within such a period. In those instances where the useful life of such information may extend for a longer period of time, this exception should be specified in the employee’s acknowledgement of this policy.

(3) Safeguard all workpapers and reference materials, whether in paper, magnetic, or optical media form, associated with the use of these information assets against disclosure to persons or organizations without a clear need to know their contents. And transfer the custody of these workpapers and reference materials to an authorized representative of the organization immediately upon the end of active work on, or responsibility for, a particular program or database.

(4) Decline to assert any copyright, trade or service mark, or trade secret or patent interest in, or right to, any of the materials created, modified, installed, or maintained in the course of using this information asset.

Dataset Owner Security Responsibilities Policy

This policy complements the two earlier ones. It relates specifically to the duties of an employee, service provider, and vendor representative who owns or uses a particular one of the organization’s information assets. The policy should define and distinguish between the three categories of person that it applies to. They are:

• Information asset owner: an employee designated as being directly responsible for the control of access to, and the authorized or legitimate use of, an information asset. This person is also responsible for ensuring that this asset is protected against inadvertent or deliberate compromise, manipulation, or loss.

• Information asset custodian: an employee or other individual who has been granted authorized access to, and effective control over, an information asset. In addition to the outsiders mentioned earlier, this can also include a commercial data processing or telecommunication service, or a non-data processing supplier or vendor operating under an electronic document interchange relationship. The custodian may be authorized in some instances to add to, delete from, or otherwise modify this asset. The custodian assumes the information asset protection responsibilities of the owner. But the owner is not thereby relieved of the ultimate responsibility for protecting the information asset in question.

• Information asset user: an employee who has been granted authorized access to, but not control over, an information asset by its owner. Normally, this access will be granted to enable the user to discharge some job task.

Policy Content

(1) The information asset owner is responsible for, at least:

(a) Identifying the asset’s value and importance in the continuation of the organization’s critical activities.

(b) Defining the scope and nature of the controls to be imposed upon access to, or modification of, asset content.

(c) Communicating the nature of, and the need for, these controls to systems developers and to the custodians and users of the asset.

(d) Reviewing periodically the adequacy and effectiveness of these controls.

(e) Reporting promptly to the organization’s data security administrator and its information systems auditors any evidence of attempts to compromise or misuse the asset.

(2) The information asset user is responsible for complying with the already defined employee information asset protection duties and for reporting promptly to the information asset owner, the organization’s data security administrator and its information systems auditors any evidence of attempts to compromise or misuse the asset.
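The owner, custodian and user distinction, the need-to-know rule in the data security maintenance policy, the annual re-acknowledgement that gates access, and the requirement that every access be routinely identified and recorded can be expressed together as a small reference monitor. The block below is an added illustration in Python, not code from the article or from any system it describes. The principal names (alice, bob, carol, dave), the asset name customer_db, the dates, the one-year acknowledgement validity (modelled on the anniversary rule in provision (2)) and the audit line format are all assumptions constructed for the example.

```python
"""Need-to-know access control with owner / custodian / user roles.
Added illustration, not code from Menkus's article or from any system it describes;
every principal, asset name, date and log line below is constructed for the example."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Role(Enum):
    CUSTODIAN = "custodian"  # may read and modify the asset on the owner's behalf
    USER = "user"            # may read only, to discharge a job task


@dataclass
class Principal:
    name: str
    acknowledged_on: Optional[date] = None  # date the policy acknowledgement was signed


@dataclass
class Asset:
    name: str
    owner: str                                  # the designated information asset owner
    grants: dict = field(default_factory=dict)  # principal name -> Role


class AccessDenied(Exception):
    """Raised when the monitor refuses an action."""


class ReferenceMonitor:
    """Mediates every grant and access and records each outcome in an audit trail."""
    ACK_VALIDITY = timedelta(days=365)  # assumed: acknowledgement reaffirmed yearly
    ALLOWED = {"read": {Role.CUSTODIAN, Role.USER}, "modify": {Role.CUSTODIAN}}

    def __init__(self, today: date):
        self.today = today
        self.principals = {}  # name -> Principal (the "registered user ID file")
        self.assets = {}      # name -> Asset
        self.audit = []       # routine identification and recording of access

    def _log(self, who: str, action: str, asset: str, outcome: str) -> None:
        self.audit.append(f"{self.today.isoformat()} {who} {action} {asset} {outcome}")

    def _ack_current(self, p: Principal) -> bool:
        # No acknowledgement on file, or one older than a year, means no access at all.
        return p.acknowledged_on is not None and self.today - p.acknowledged_on < self.ACK_VALIDITY

    def grant(self, owner: str, asset_name: str, grantee: str, role: Role) -> None:
        # Only the asset owner grants, and only to someone whose acknowledgement is current.
        asset = self.assets[asset_name]
        if owner != asset.owner:
            self._log(owner, "grant", asset_name, f"DENIED not-owner -> {grantee}")
            raise AccessDenied(f"{owner} does not own {asset_name}")
        if not self._ack_current(self.principals[grantee]):
            self._log(owner, "grant", asset_name, f"DENIED stale-acknowledgement -> {grantee}")
            raise AccessDenied(f"{grantee} has no current policy acknowledgement")
        asset.grants[grantee] = role
        self._log(owner, "grant", asset_name, f"OK {grantee}={role.value}")

    def access(self, who: str, asset_name: str, action: str) -> str:
        asset = self.assets[asset_name]
        # A lapsed acknowledgement revokes access even where a grant still exists.
        if not self._ack_current(self.principals[who]):
            self._log(who, action, asset_name, "DENIED stale-acknowledgement")
            raise AccessDenied(f"{who}: acknowledgement not current")
        role = asset.grants.get(who)
        # The owner always has access; everyone else needs a grant that permits the action.
        if who != asset.owner and role not in self.ALLOWED[action]:
            self._log(who, action, asset_name, f"DENIED role={role.value if role else 'none'}")
            raise AccessDenied(f"{who} may not {action} {asset_name}")
        self._log(who, action, asset_name, "OK")
        return f"<{action} of {asset_name} by {who}>"

    def offboard(self, who: str) -> list:
        # End of service: every grant is withdrawn, so custody returns to the owner.
        revoked = [a.name for a in self.assets.values() if a.grants.pop(who, None) is not None]
        for name in revoked:
            self._log(who, "revoke", name, "OK offboarding")
        return revoked


def attempt(action, *args) -> str:
    """Run one mediated action and report 'OK' or 'DENIED'."""
    try:
        action(*args)
    except AccessDenied:
        return "DENIED"
    return "OK"


def demo() -> ReferenceMonitor:
    """Constructed scenario: alice owns customer_db; carol (a contractor who signed her own
    acknowledgement) is custodian; dave is a user; bob's acknowledgement lapsed 400 days ago."""
    today = date(1989, 9, 1)
    rm = ReferenceMonitor(today)
    for name, days_ago in (("alice", 10), ("bob", 400), ("carol", 30), ("dave", 1)):
        rm.principals[name] = Principal(name, acknowledged_on=today - timedelta(days=days_ago))
    rm.assets["customer_db"] = Asset("customer_db", owner="alice")
    rm.grant("alice", "customer_db", "carol", Role.CUSTODIAN)
    rm.grant("alice", "customer_db", "dave", Role.USER)
    return rm
```

Two design points carry the article's argument. A grant is never sufficient on its own: the acknowledgement is re-checked at every access, so an employee whose annual reaffirmation has lapsed loses access without anyone having to find and revoke each grant. And the audit list records denials as well as successes, which is the evidence a manager needs before the disciplinary step the article describes; call `demo()` and then `attempt(rm.access, "dave", "customer_db", "modify")` to see a user refused a modification and the refusal logged.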

Making These Policies Work

In most organizations it will be easiest to implement these policies with newly hired individuals or with persons entering into new contract relationships with the organization. These individuals can be introduced to the provisions of these policies as a part of the normal process of beginning their involvement with the organization. However, it may prove to be more difficult to bring those already on the payroll into compliance. An education effort undertaken as a part of the normal employee training process may ease this situation. It should review the provisions of these policies and how they will be applied to the ordinary work environment. This education effort should also point out that, in effect, these three policies involve a clarification of some already existing aspects of an individual’s continued involvement with the organization.

However, in the final analysis, the key to both types of education efforts, as well as to the ongoing implementation of these policies, will be a clear demonstration of management’s commitment to enforcing them. Employees should be reminded periodically of that commitment. Exceptional efforts to comply with these policies should be commended and persistent refusal to conform to their requirements should be dealt with decisively. The first time that a middle manager is permitted to refuse to discipline an employee for violating an information asset protection requirement, the effectiveness of the organization’s effort to safeguard those assets will be in serious jeopardy.

Belden Menkus has been a full-time consultant to management since 1968. He is accredited by the Society of Professional Management Consultants (SPMC) and is a Certified Information Systems Auditor, a Certified Records Manager and a Certified Systems Professional. He writes and lectures extensively on various aspects of business management. He is executive editor of Journal of Systems Management and a regular contributor to Software News, Administrative Management, EDP Auditor and Business Insurance. In addition, he is a member of the editorial board of Corporate Crime and Security, and the editor of Data Processing Auditing Report. He is a Fellow of both the British Institute of Administrative Management and the American Association of Criminology. He is a member of the Board of the EDP Quality Assurance Institute, and the Panel of Arbitrators of the American Arbitration Association, the Association for Systems Management, the New York Crime Prevention Council, and the Business Forms Management Association. He has twice been awarded the silver medallion of the American Management Association and has received the distinguished service citations of both the National Micrographics Association and the Association of Records Executives and Administrators. He has been named a life honorary member of the Federal Emergency Management Administration Staff College faculty.