Some vendors already offer products that automate the provisioning of new employees so that they have access only to the right directories. For instance, information on new hires flows automatically from PeopleSoft's HR system into the corporate directory by way of LDAP, the industry-standard directory access protocol. In general, technology has taken over many of the routine tasks involved in getting new employees quickly to work. "Instead of the recruiter hiring someone and checking the policy manual, the systems have automated intelligence built into them," says PeopleSoft's Averbook.
Yet it's not enough to make sure that employees have access only to the right directories. Since corporate data often resides in databases, access policy also has to be enforced inside the database, record by record, so that two users running the same query see only the rows each is entitled to.
Using Oracle's database technology, a regular employee looking at the employee database "might get access to only one record in that table, his own employee record," says Mary Ann Davidson, chief security officer, Oracle Corporation (Redwood City, Calif.), "whereas a human resources person accessing the exact same data using the exact same tool or application, or even using a different one, would see more records based on the fact that this person's an HR user."
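The mechanism Davidson describes, a policy attached to the table rather than to any one application, can be shown in a few lines. The block below is an added illustration written for this page, not Oracle's code: it reproduces the idea (a policy function that returns a predicate, which is then appended to every query against the protected table) using sqlite3, so that the same query returns one row to a regular employee and every row to an HR user. The table, column and user names are assumptions.

```python
"""Row-level access control enforced in the data layer, in the style of the
Oracle example above.  Added illustration for this page, not Oracle's code:
a policy function returns a predicate that is AND-ed onto every query against
the protected table.  Table, column and user names are assumptions."""
import sqlite3

# Constructed sample data: emp_id, database account, name, department,
# salary, and whether the account holds the HR role.
EMPLOYEES = [
    (1, "alice", "Alice Adams", "Retail Banking", 61000, 0),
    (2, "bob",   "Bob Baker",   "Retail Banking", 58000, 0),
    (3, "carol", "Carol Chen",  "Human Resources", 72000, 1),
    (4, "dave",  "Dave Diaz",   "Treasury",        90000, 0),
]


def build_db():
    """In-memory database holding the protected table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees ("
        "emp_id INTEGER PRIMARY KEY, db_user TEXT NOT NULL UNIQUE, "
        "full_name TEXT, department TEXT, salary INTEGER, "
        "is_hr INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?, ?)", EMPLOYEES)
    return conn


def policy_predicate(conn, session_user):
    """Policy function.  HR accounts get a predicate that matches every row;
    any other account is restricted to the row whose db_user is the session
    user.  The predicate is returned as SQL text plus bound parameters, never
    built by formatting the user name into the string.  (The role flag is
    read from the table itself for brevity; a real deployment would take it
    from the session or role context.)"""
    row = conn.execute(
        "SELECT is_hr FROM employees WHERE db_user = ?", (session_user,)
    ).fetchone()
    if row and row[0]:
        return "1 = 1", ()
    return "db_user = ?", (session_user,)


def query_employees(conn, session_user, where="1 = 1", params=()):
    """The only path to the protected table.  Whatever filter the caller
    supplies is AND-ed with the policy predicate, so a different tool, a
    different application, or a filter that asks for more rows still gets
    only what the policy allows.  `where` is developer-written SQL with bound
    parameters, not user input; in a real database the rewrite happens in
    the SQL engine after parsing, so it cannot be escaped textually."""
    pred, pred_params = policy_predicate(conn, session_user)
    sql = (
        "SELECT emp_id, full_name, department, salary FROM employees "
        "WHERE (" + pred + ") AND (" + where + ") ORDER BY emp_id"
    )
    return conn.execute(sql, tuple(pred_params) + tuple(params)).fetchall()


def visible_ids(conn, session_user, where="1 = 1", params=()):
    """Convenience: just the emp_ids a given session can see."""
    return [r[0] for r in query_employees(conn, session_user, where, params)]


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "carol", "mallory"):
        print(user, "sees", query_employees(db, user))
    # A caller-supplied filter that tries to widen the result still returns
    # only alice's own row.
    print("alice with widened filter sees",
          visible_ids(db, "alice", "1 = 1 OR emp_id = ?", (4,)))
```

The check a practitioner adds on top of this: in Oracle, accounts granted the EXEMPT ACCESS POLICY privilege (and, by default, SYS) bypass such policies entirely, so that privilege deserves the same scrutiny as DBA rights, and the policy function itself must be owned by a schema that ordinary users cannot modify.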
Several new technology solutions have been designed to prevent the theft or unwitting disclosure of proprietary information. One approach is to scan the information that an organization wants to protect, and then watch for anything bearing the same "signature" leaving the organization. "We take the original data that they want to protect, and we create a 'secure data profile,'" says Joseph Ansanelli, CEO of Vontu (San Francisco). "That allows us to very accurately detect, in real-time, when any of that data's going out the door."
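One common way to build such a profile and match outbound traffic against it is content fingerprinting: hash every short window of words in the protected documents, keep only the hashes, and score outbound messages by how many of their windows appear in that set. The block below is an added example written for this page, not Vontu's code, and hashed word shingles are one technique for the job rather than necessarily the vendor's. The protected documents and outbound messages are constructed sample text.

```python
"""Content fingerprinting for data-loss detection, along the lines of the
'secure data profile' described above.  Added example for this page, not
Vontu's code: hashed word shingles are one common matching technique and are
not necessarily the vendor's method.  All documents and messages below are
constructed sample text."""
import hashlib
import re

SHINGLE_WORDS = 5   # words per shingle; longer shingles mean fewer chance matches

# Constructed: the documents the organization wants to protect.
PROTECTED_DOCUMENTS = {
    "loan_pricing_memo": (
        "Effective next quarter the internal rate floor for jumbo mortgage "
        "products moves to 5.25 percent and branch managers may not approve "
        "exceptions without regional sign off."
    ),
    "customer_list": (
        "Account holders flagged for the private banking outreach: Margaret "
        "Ellison, Thomas Okafor, Priya Raman, Luis Herrera."
    ),
}

# Constructed outbound messages: a reformatted leak, a benign note, and a
# message that shares one phrase with the memo by coincidence.
LEAK_MESSAGE = ("FYI - effective NEXT quarter, the internal rate floor for jumbo "
                "mortgage products moves to 5.25%! Branch managers may not "
                "approve exceptions without regional sign-off.")
BENIGN_MESSAGE = ("Reminder: the branch picnic is Saturday at noon, bring a dish "
                  "to share and let me know if you need a ride.")
INCIDENTAL_MESSAGE = "Branch managers may not approve anything today, the system is down."


def normalize(text):
    """Lower-case and drop punctuation so reformatting or re-typing the text
    does not defeat the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, n=SHINGLE_WORDS):
    """Set of SHA-256 hashes of every n-word window in the text."""
    words = normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()
        for i in range(len(words) - n + 1)
    }


def build_profile(documents):
    """Secure data profile: maps each shingle hash to the documents it came
    from.  Only hashes leave the protected store, so the detector can run at
    an egress point without holding the originals."""
    profile = {}
    for name, text in documents.items():
        for h in shingles(text):
            profile.setdefault(h, set()).add(name)
    return profile


def inspect_outbound(message, profile):
    """Score an outbound message: how many of its shingles are in the profile,
    what fraction of the message that represents, and which documents hit."""
    msg = shingles(message)
    hits = [h for h in msg if h in profile]
    docs = set()
    for h in hits:
        docs |= profile[h]
    return {
        "shingles": len(msg),
        "hits": len(hits),
        "fraction": len(hits) / len(msg) if msg else 0.0,
        "documents": sorted(docs),
    }


def should_block(message, profile, min_hits=3, threshold=0.25):
    """Block only on substantial overlap: several matching shingles AND a
    meaningful share of the message, so one shared phrase does not alert."""
    r = inspect_outbound(message, profile)
    return r["hits"] >= min_hits and r["fraction"] >= threshold


if __name__ == "__main__":
    prof = build_profile(PROTECTED_DOCUMENTS)
    for label, m in (("leak", LEAK_MESSAGE), ("benign", BENIGN_MESSAGE),
                     ("incidental", INCIDENTAL_MESSAGE)):
        print(label, inspect_outbound(m, prof),
              "block" if should_block(m, prof) else "allow")
```

The two thresholds are where the tuning happens: `min_hits` suppresses alerts on a single phrase that happens to be shared, while `threshold` keeps a long, mostly innocent message from being blocked for quoting one sentence. The caveat is that shingle matching catches verbatim and lightly reformatted copies only; paraphrased text, or structured data such as account numbers pulled into a different layout, needs separate detectors, and the inspection point must see the traffic in the clear.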
Liquid Machines (Lexington, Mass.) takes that concept to the desktop level, with data security software resident in the operating system that scans information being transferred either between or within individual applications, such as Microsoft Word, Microsoft Excel and Adobe Acrobat. "We actually become the security layer between those applications," says Ed Gaudet, vice president of Liquid Machines.
Microsoft Office 2003 builds security into the documents themselves through its Information Rights Management (IRM) feature, a form of digital rights management. "You can put rights on that file, so that [the recipients] have only 'read' permission," says Mark Horvath, director of security, commercial sector, Microsoft (Redmond, Wash.). "They can't forward the mail, they can't copy the mail and put it into another document, and they can't print the mail." (Horvath offers more insights into Microsoft's approach to security for financial services in this issue's Executive Q&A on page 20.)
Taking a slightly different tack, Sun Microsystems advocates elimination of the desktop computer wherever possible, such as at the bank branch. "Those desktops can be replaced with a simple appliance device in an environment that's easy to maintain, secure, low-cost, and free of troublesome bugs, viruses, worms and those illegal operations flags that flash up from time to time," says David Moore, global retail banking manager, Sun Microsystems (Palo Alto, Calif.). "It's a technology that can, in fact, be applied to retail branch environments."
With SunRay terminals, users need a smart card to gain access, and get only the applications and data required for their tasks. Applications and information are stored centrally; the user's desk holds only the bare essentials, namely the screen, mouse and keyboard, all of which are activated by the smart card. Everything else is locked away in a server closet or at a central server off-site. Furthermore, since the devices have no external device ports, no internal hard drive and no other means of physical access to data, stealing proprietary information would require somewhat more creativity.
It hasn't been all headaches for banks' HR departments, however. The Sarbanes-Oxley Act has given HR a golden opportunity: since organizations must now demonstrate stronger policy enforcement for regulatory reasons, it has become relatively simple to layer HR's own requirements on top of that enforcement.
"As soon as you have the ability to produce what we call a policy compliance report, you see a list of every single end-user machine that's out-of-compliance with the policy," says Payne of Preventsys. "If someone has to go over and physically de-install [AOL] Instant Messenger from a machine, you can darn well bet there are repercussions for the employee."
In the past, companies kept sending people e-mails telling them to do this, but now they have the ability to go out and audit each machine, adds Payne. "Now you have the SVP who's being treated the same way [as a junior staffer] for a policy violation that he bullied his way into getting."
Indeed, some of the more popular Internet applications pose a real threat. "People are often unaware when they join these peer-to-peer networks to download music, that their system becomes available for the rest of the world to access and participate in this file-sharing activity," says Marc Willebeek-LeMair, CTO of TippingPoint (Austin, Tex.), a provider of intrusion prevention systems.
Also threatening are laptops that may have been infected outside the bank with harmful code such as viruses or keystroke-logging software. The response is containment: segmenting the network so that an infected machine can be sealed off from the rest. "Think of it like a submarine," says Willebeek-LeMair. "If there's a leak in one of the chambers, you can seal the rest of the vessel so the leak doesn't go through the entire ship."
In many instances, HR adjudicates the policy violations that are turned up by either compliance officers or people within the operating units themselves. "The business owners that own the applications unique to their operating units would be in the strongest position to recognize 'appropriate' from 'inappropriate' activity," says Bill Rudolfsky, chief information security officer at Blue Lance (Houston), which supplies software installed on all computers in a network to enforce policy compliance. "A centralized monitoring team would be at a disadvantage, because they wouldn't necessarily know the value of the information."
Once something does raise a red flag, then it's time for the HR department to step in. "Human resources departments typically are involved to make sure that the investigation is progressing in a fair manner and that the data is being properly interpreted," says Rudolfsky.
But not every violation should raise the red flag. "Organizations have to avoid a zero-tolerance approach," Rudolfsky says. "Most companies have a mature view that there is some level of acceptable use."
Since there are negative repercussions resulting from security failures, how might a bank's HR department set up incentives for users who practice good security? "You don't," replies Microsoft's Horvath. "You have to make it unavoidable. Security which is optional is a failure."
CHANGING THE CULTURE
Aside from the technological fixes, HR managers have plenty of approaches that can work on the human side. "The best security organizations are those that have figured out how to change the culture of the company so that everybody's job is part of security," says Vontu's Ansanelli. "You have to make it part of the review and management process."
For instance, "social engineering" still claims its unwitting dupes. "People are subject to things that they think are legitimate. People still click on attachments. People still fall for phone calls," says Bill Wall, chief security engineer at Harris Corporation (Melbourne, Fla.), a provider of security threat avoidance technology and vulnerability reports.
But information security can't just be a memo from HR. "The message has to come from the top-that security is serious," says Frazzini from iDefense. "An HR department needs to evangelize a comprehensive, user-friendly security awareness policy and program, whereby security is made a part of the educational cycle."