Trust, But Verify
Technology is a powerful tool. So is integrity.
Technology combined with integrity is powerful, helping government organizations to fulfill their missions and civil servants to create, collaborate and explore.
Unfortunately, technology in the absence of integrity also is powerful. And its misuse at the hands of information technology and non-IT professionals alike captures an ongoing bevy of press attention: databases compromised for financial gain, privacy rules ignored and IT needs overstated to dupe wide-eyed buyers.
IT ethics — rightfully so — are then going to be called into question.
That’s where you come in. How well your organization combines technology and integrity is up to you. You set the standard for how IT power gets wielded among your employees, your internal customers and ultimately their customers — the taxpayers.
Many security experts believe that it won’t be long before IT professionals with access to systems containing sensitive, private or confidential information are required to verify the security of their systems and data. This would complement, not supplant, signing legally binding organizational policies that do the same.
Think about the fallout of the accounting scandals of a few years ago. The results: federal regulations requiring executive officers to verify the veracity of financial results coupled with severe financial and criminal penalties for misrepresentations.
CISO, Step Forward
Certifications and regulations may help separate the ethical wheat from the unethical chaff because numerous organizations teach IT ethics as part of the certification process. But oftentimes, this isn’t enough. Enter the emerging prominence of the chief information security officer.
A CISO not only looks at perimeter defense and long-term IT security strategy but, increasingly, also is tasked with operational work (meaning tactical execution) and enterprise policy development.
Yet, as Kansas CISO Larry Kettlewell cautions, policy development needs to go hand-in-hand with technical development of the network and what’s happening in the organization on a daily basis. (See story on Page 24.) In working terms, that means knowing who touches sensitive data, why and when. You also must determine each user’s ethical responsibilities regarding data access and combine employee education with technology tools that can monitor and control access to each agency’s systems.
Get In The Know
Knowing who has access to a system, and who has actually accessed it, is critical to determining your risk exposure level. This step, followed by regularly occurring independent audits, is key for any organization serious about IT.
When your staff members have access to nonpublic personal information (NPPI) about customers — basically any information beyond what’s available in a phone book — this step is essential. Call it IT insurance. It’s a step that IT organizations can’t afford not to take.
“It removes the monkey off your back,” says William Cook, a partner and security expert at Chicago law firm Wildman Harrold. “It shows that as an IT professional, ‘I am exercising due diligence and being honest and meeting security standards. Check me out.’ ”
But what piece is most important: the policy, the technology or the audits? All of them help. None, however, replaces communicating to your employees the high ethical standards that you expect of them.
The onus is still on government to address essential security and privacy concerns with thoughtful insight as well as an enforceable mandate — and not just to look for a place to lay blame. When it comes to privacy and security, people hold the ultimate responsibility. Indeed, IT is too powerful and important to do otherwise.