HRD: Prime driver
Both HR and network security experts agree that even the best
safety systems can be compromised, inviting lurking intruders. Naturally, the HR
department needs to play an active role in driving the implementation of the
security policy. According to Verma, "While it is essential that an
organization’s security policy is able to address the needs of the business,
it should also follow the age-old KISS (keep it simple, stupid) principle in
order to be understood and supported by the management. A top-down approach is
the best in the case as employees tend to forget any policy that does not
directly affect them. This approach would enable the organization to make its
people realize the importance of information security and follow the drill
seriously."
A good security policy also needs to accommodate all
activities, including the organization’s non-business peculiarities and
culture. It should be implemented in a phased manner such that the manpower is
able to absorb it without actually feeling uneasy about it. "In fact, it
should be administered in small doses, like that of vaccination, but then you
also need to understand your human resource better. Security policy should not
make them feel as if their privacy is being compromised as this may spread
unrest and make the process counterproductive," suggests Verma. The human
resource factor should never be ignored while developing a security policy. In
fact, it should be the first issue considered, since employees are the ones who
would implement the policy and may also cause breaches.
Another issue that businesses need to confront is the
changing nature of working arrangements and the workers themselves. One good
thing about the old economy was that people managing and using data processing
facilities were very few and were often around for years. Hence any information
or network security breach would have had very few suspects. This in itself was
a big deterrent to network security breaches.
Points out Verma, "High employee turnaround ratio,
particularly amongst the IT professionals, also increases the danger manifold.
How do you maintain trust when the most-tenured employee has been on board for a
year? What this means is that the HR department should also look into these
issues while recruiting people, particularly in case of IT and security
employees. The issue should also be looked into while drafting the security
policy." What’s more, many companies today outsource several of their key
functions, including network management and maintenance. This also means that
there may be several temporary workers, or workers from the service providers,
working in the organization and having access to vital information. Care should
be taken while handling such workers, who may or may not be involved in a
breach.
"These gaps can, however, be plugged by providing proper
training and creating awareness amongst the users," says Verma. According
to the KPMG information security survey, however, 77% of the Indian
organizations surveyed do not have a formal program for security education and
training for employees. This also results in low security awareness amongst
users and makes the organization prone to attacks. Experts believe that
enterprises, irrespective of their size, share the same problem. "Security
is not a profit center and hence whenever there is a reason to cut cost, and
that is what modern management techniques suggest, security gets the biggest
blow," he adds.
The HR department can also utilize its rich database, which
contains information about every employee, to find a trustworthy person who
could be handed the ultimate responsibility for network and system security.
According to network security experts, it is important that there is only a
single security administrator. First, because if a crisis should occur, one
person should have the authority to act immediately without having to call a
committee together or wait for approval from someone else. Second, the person
should be ultimately responsible for clearing employees for various levels of
security. "If too many people have the right to make security clearance
decisions, the security of the entire system is definitely going to be
jeopardized," says Sohrab.
Finally, the plan should rely on the expertise and experience
of your employees for success. An organization may have hardware and software in
place to help monitor security, but it is ultimately the employees who use the
system that know where its weaknesses are. A typical HR initiative could be to
consider pay incentives for employees who help identify and fix weaknesses in
the system and for those who help catch break-in attempts. Suggests Verma,
"If you turn your employees into the system’s police force, with real
rewards for doing their jobs well, you will help transform them
from the biggest threat to your institution’s security to its greatest
protective force, turning the institution’s greatest security liability into
its greatest security asset."
SHUBHENDU PARTH
in New Delhi