IT Manager's Handbook: Getting Your New Job Done (57 page)

PIPEDA
is a Canadian law that regulates the collection, use, and disclosure of personally identifiable information.

Under PIPEDA, information has to be collected with the individual's consent (and only for reasonable purposes), used only for the purpose for which it was collected, properly safeguarded, and available for inspection and correction. Organizations, including corporations, individuals, and associations, are generally subject to the privacy requirements of PIPEDA if they collect, use, or disclose personal information in the course of a commercial activity.

Privacy and Electronic Communications Directive
(European Union)

The European Union's Directive 2002/58 covers many aspects of electronic communications. Some of the significant provisions that focus on the security of data and networks and guaranteeing the privacy of communications cover:

•
Security of networks and services

•
Confidentiality of communications

•
Spyware and cookies

•
Traffic data (information about a person's electronic activities, such as websites visited)

•
Location data (data that identify individuals’ whereabouts)

•
Public directories

•
Unsolicited commercial communication (i.e., spam)

•
Caller ID

•
Nuisance calls

•
Emergency calls

•
Automatic call forwarding

This directive was amended by Directive 2009/136, sometimes called the “Cookie Directive,” since it included a number of changes, particularly regarding prior consent to allow for cookies to be placed on workstations when navigation the Web.

Data Protection Directive
(European Union)

The European Union's Directive 95/46/EC is a component of the EU's human rights and privacy laws and for the protecting of individuals’ personal data. The directive has three major principles:

•
Transparency.
The individual has the right to be informed when his personal data are being processed, by who, the intended purpose, and the recipients of data. The transparency principle ensures that data may not be processed without the individual's consent.

•
Legitimate purpose.
Personal data can only be processed for specified explicit and legitimate purposes.

•
Proportionality.
The processing of data must be in proportion and related to which it is needed. This essentially defines issues of accuracy, retention, etc.

8.7 How to Comply with the Rules

The previous pages only touched the surface of some of the rules and regulations that exist for corporations in general, and IT in particular. There are many more, and if you're in a heavily regulated industry (e.g., health care, pharmaceuticals, financials) there are yet other layers to deal with.

Obviously, it's beyond the scope of this book to provide step-by-step guidance for ensuring compliance. In fact, even among the experts there is considerable debate as to what are the best ways to address the requirements. When regulations are replete with words such as “adequate,” “sufficient,” and “reasonable,” they're clearly open to some interpretation.

However, there are some common practices that can help get you where you need to be:

•
Document the policies

•
Identify control mechanisms

•
Educate your employees

•
Maintain evidence

Each practice is discussed in more detail in the sections in this chapter.

It can also be difficult to know when “enough is enough.” When it comes to security and controls, there's always more that can be done. Also, sometimes it's easy to lose sight of the fact that the regulations are usually focused on specific areas. For example, Sarbanes–Oxley is focused on the integrity of financial reporting. Yet, in many organizations it's often used as the impetus for change in things that have only the remotest relationship to financial reporting.

Document the Policies

Unfortunately for all those ITers who hate writing, documentation is becoming more and more a fact-of-life requirement in IT. Happily, many of the IT policies required for compliance are often rather short. As the heading to this section implies, your focus should be on stating the policies, not writing how-to-manuals.

For example, a backup policy could address items such as:

•
How often backup is run

•
What types of backup are executed (e.g., full, incremental, differential)

•
What is being backed up (e.g., servers, databases, e-mail, workstations, remote sites)

•
What process is employed to ensure that the backup tapes were created successfully

•
What tools are used (e.g., backup software, tape library, tape-drive format)

•
What happens to the tapes after backup is complete (e.g., sent to off-site storage facility)

•
Any encryption that is used

•
How long the backup tapes are retained before being recycled or destroyed

•
What records are kept (e.g., logs from the backup software)

A document like this might just be a few pages long but it can turn out to be very valuable. Before publishing the document, get as much input and comment as possible. Often that input and comment will only be from other ITers. In other cases, you may want to review with Legal or HR.

There are some key items that every policy document should have:

•
Date it was published

•
Name(s) of the author(s) and approver(s)

•
Some sort of revision and review history

As a general rule, it's a good idea to review all policies at least once a year. Even if there aren't any changes, you're at least showing your auditors that it's checked and updated periodically as needed.

Finally, the policy should be publicly available to everyone who needs to know. An intranet site is an ideal location for this document to be stored.

Identify Control Mechanisms

Too often, policies are created and then universally ignored. With compliance, you want to have processes to confirm that the defined policies and procedures are actually used. A control mechanism provides the appropriate checks and balances.

For example:

•
If your policy defines that only duly authorized individuals are allowed to have access to the data center, you could review the access-card logs to the data center periodically to see if any unauthorized individuals have entered.

•
Similarly, in the backup policy example given earlier, a process of reviewing the backup logs regularly to ensure that that they were executed and completed without errors can serve as a control mechanism.

•
If you have a policy that unused network accounts should be disabled after a defined period, you could regularly run reports to identify when accounts were last used and whether or not they are disabled.

Not only do the control mechanism(s) help you make sure that policies are being adhered to but they are also convenient for your auditors.

Educate Employees

With your policies and control mechanisms defined, you want to make sure that everyone is aware of them. Your department intranet is an ideal place for centralizing the storage of these documents. For simpler policies it may be sufficient to simply e-mail a link to the documents, not only when they are first published, but when they are changed, updated, or when reviewed annually.

For more complex policies, it may be warranted to hold meetings or small classes so that the policy can be discussed, demos conducted, and questions answered. (For a more detailed discussion of this issue, see the sections
“Training Users”
on
page 213.
)

Maintain Evidence

Perhaps the most critical item in your compliance regimen is to make sure that you're keeping evidence of your activities:

•
In the example in this section about access to the computer room, a simple e-mail indicating that the access logs have been reviewed.

•
In the example of notifying employees about a new policy, a copy of the e-mail would serve this need. In the case of the class for more complex policies, a record of who attended the class and the class outline shows that the class was held.

•
In the example about disabling unused accounts, e-mails indicating that the report was run and reviewed and directing which accounts to disable, and evidence that those accounts were indeed disabled.

When the auditors come knocking, they'll be looking to see that you have policies that comply with the various rules and regulations and that you're actually following those policies. The steps defined earlier will put you on the right track.

8.8 Hidden Benefits of Compliance

In terms of effort, compliance is at best a burden and at worst an enormous use of time and resources. You have employees to manage, a department to run, service levels to meet, systems to keep operating, and a company to help keep profitable. All these rules can be seen as just more obstacles to be overcome to accomplish your goal.

Nonetheless, similar to the hidden benefits of disaster recovery in the section
“Hidden Benefits of Good Disaster Recovery Planning”
in
Chapter 9, Disaster Recovery
on
page 261,
compliance activities provide a major hidden benefit:
You can do important, but potentially overlooked, portions of your job at the same time
. You can comply with regulations while simultaneously getting your “real work” done. The following sections explain how you can pull this off.

The Hidden Benefit of Documentation

The first step of compliance, “document the policies,” is a perfect example. Sure, some policies you need to document are obscure, but most are policies that you want a record of in order to do your job better. You should have a clearly documented backup policy—not only for compliance reasons and not only for disaster recovery reasons, but for backup plan efficiency reasons. Also, with documented policies, it increases the likelihood that everyone is following the same policy.

If you (or one of your employees) have the entire backup plan in your head (or, just as bad, have the “real” plan as opposed to the written, outdated plan or the plan no one can understand stored in that manner), the future of your entire company's data depends on the reliability of one person. Becoming compliant may wake you up to that scary fact and cause you to do something about it.

The Hidden Benefit of Control Mechanisms

The benefit to the second method of compliance, “identify control mechanisms,” is similar to the first. Your policies shouldn't be abstract documents in a file somewhere, but living items that positively affect and reflect your department's behavior. Your security policies are an excellent example. Regardless of the legal requirements, you should be monitoring your security procedures aggressively. Control mechanisms will give you (as well as the auditors) the confidence that the policies you worked so hard to define are indeed being applied.

Depending on the level of security and size of your company, that monitoring can be a daily affair. There are many companies where even access to other departments is carefully restricted. If your company isn't one of these, do you need to become one? And how did you answer that question? Off the top of your head or by understanding the latest version (not the one put together last year) of your company's security policy?

The Hidden Benefit of Educating Your Employees

Keeping your employees informed isn't only a required component of some regulations, but it's simply good business practice. It's much easier for employees to comply with the policies if they know what they are.

Many employees were hurt by the global accounting and financial scandals. Employees—and that includes you—as well as investors now want to know much more about what their company is doing. Also, it's your responsibility, as well as the responsibility of your superiors and colleagues, to provide that information proactively. Like many problems, if you approach the issue aggressively before it becomes a problem, you can turn it into an opportunity.

A timely example of keeping employees informed is to let them know the exact financial health of their company. This information, if you work for a publicly held corporation, is clearly available in many locations. As a proactive, concerned manager you can provide that data to your employees and you can provide it in an abbreviated form. Few people want to read the entire 10-K and 10-Q forms, but most want to read a paragraph or two about the financial health of the company and where to get more information if they want to do further research. Your Finance department can either provide you with that data or, more likely, point you to where that data already exist.

If the financial news for your company isn't good that quarter, you'll have happier and more confident employees if you tell them instead of them first hearing it from CNN.

Hidden Benefits of Maintaining Evidence