As an IT person, the approach you should have is compliance with company policies. Of course, it is hoped that company policy was written to comply with any relevant legal requirements like HIPAA, SEC regs, state privacy laws, etc. - if not, you may have to step into more of a compliance role than just strict IT. Not everyone can (or should) do this, but it's like anything else - you do your best to advise management and then get commitment to compliance.

After that, you ensure that you have the necessary tools (technological and/or process-based) to achieve compliance, and then you (or someone else) work on user education and perhaps some form of auditing. If there is a legal or compliance team, you had better be working with them. Find out why people are not following the processes that exist and that they have been educated on. Are the processes and tools not easy to use (something for you to fix), or are they bad workers taking risky shortcuts (something for HR and management to fix)?

I don't really think it's up to you, as IT, to handle much triage and prioritization. Obviously, IT needs to have its own house in order, so DO THAT FIRST (it's probably your job to do so), and then write a report of findings with associated risks for management to analyze and assign priorities to. The only thing I think that you can assign weight to is the risks portion; management/ownership are the people who accept the risk or assign resources to fix the problems.

On Tue, Feb 17, 2015 at 8:42 AM, Edward Ned Harvey (lopser) <[email protected]> wrote:

> I see a lot of people and businesses out there that just don't care
> about their own privacy. They email passwords to each other, W2's with
> salary and social security information, photocopies of drivers' licenses
> and passports to be used by HR to complete I-9 forms...
>
> As an IT person advising a business to be more responsible, what areas do
> you advocate securing most urgently? IT admin credentials? HR records?
> Financial records? Other stuff? Simply everything, bar none?
>
> Email is obviously a huge area of insecure information sharing. Do you
> also see a lot of people storing information that should be secured in
> other non-private services like Dropbox, Google Drive, Box, etc?
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
