Lax e-mail and document retention policies, unsecured servers and inadequate backup plans can land an administrator in the unemployment line, on the witness stand or even in jail. Avoiding such a fate means knowing the basics of compliance.
Christopher Byrne, of the Assurance and Compliance Practice at The Cayuga Group LLC, gave administrators several tips for staying ahead of the game during a breakout session on the first day of Admin2005, the Notes/Domino education and training event in Boston.
Obvious compliance issues stem from regulations like the Sarbanes-Oxley Act, the Basel Capital Accord (Basel II), the Health Insurance Portability and Accountability Act (HIPAA) and privacy laws, which vary depending on the continent on which you do business.
However, Byrne said, compliance also involves internal policies governing the use of instant messaging, Web mail and music files. If an employee is fired for spending too much time in personal e-mail, even though the "no Web-based e-mail" rule is rarely enforced, there could be trouble -- especially if the admins themselves break that rule. "In this current environment, your management will not tolerate it," Byrne told a group of about 50 admins from both public and private companies. "You may think you have great policies in place, but you don't."
The first step toward achieving compliance is risk assessment. "Risk assessment is a subjective process. There's nothing objective about it. It should always be the first thing done," Byrne said. "Risk can never be totally eliminated." He divides risks into threats (financial loss, blackmail, sabotage and disclosing confidential or embarrassing information) and vulnerabilities (compromised passwords, ill-defined policies and a lack of end-user training).
An internal system audit, involving every department within an enterprise, will identify threats and vulnerabilities, Byrne said. Create a user survey on topics like e-mail use, then use the results to build or amend your policies and save them in a Notes database. Even if management knows the risks exist but opts to do nothing about them, Byrne said, that is still better than not knowing the risks exist at all.
Byrne recommended http://www.auditnet.org as a good source for risk assessment process documents. AuditNet is a Web portal for auditors.
Another important step toward achieving compliance involves control frameworks, the best of which is COBIT (Control Objectives for Information and related Technology). More information on COBIT is available at http://www.itgi.org. "[COBIT] is the only standard generally accepted by auditors across the board," Byrne said. "It gives you a reference framework for management and users [as well as the] IS audit, control and security practitioners."
Byrne said there's no shortage of examples of what happens when control frameworks are missing -- payroll data ends up on the external Internet, the wrong people get access to Social Security numbers or steamy e-mail messages between adulterous colleagues go public and embarrass the entire company.