IT security procedures -- are they being implemented?
Tedy Djajawinata, Contributor, Jakarta, tedy.djajawinata@csindonesia.co.id
Many companies spend long hours and excessive amounts on consultancy fees in developing IT security procedures, for different reasons.
Some are genuinely keen on protecting valuable information assets, while others are responding to issues raised in audit reports.
Regardless of the motivations and the energy spent in producing these procedures, are they actually being properly implemented?
It is not surprising to often hear "Not exactly" as the answer to this question. It is indeed a very challenging job for an IT manager to ensure that these procedures are effectively implemented by his staff.
And it is a fact that IT staff, in turn, have numerous excuses for not implementing them. However, some practical insights could help the IT manager address these issues:
"We are not aware of any procedures related to what I do"
Ensure that all procedures are published and disseminated to your staff, and to your users when appropriate. If necessary, include these in their job descriptions. Have the designated champion for each procedure explain it to the rest of your staff. Everyone should know who does what and how. Use the same opportunity to get feedback from your staff on potential issues relating to the implementation of the procedures.
"I don't really understand the procedures. They are too complicated"
Ensure that your procedures are concise and easy to understand. Use the language understood by your staff; for example, use Bahasa Indonesia if necessary. Also, develop very practical, yet effective and well-structured procedures that clearly describe who does what.
Complex and wordy procedures usually discourage people from implementing them. Remember that the main audience for your procedures is your staff, not your auditors.
"There is no way we can do this here (in this organization)"
Recognize the objective of each task. If necessary, use a more practical alternative method for your organization to achieve the same objective. Ensure that your procedures are well suited to your IT environment.
Simply copying and pasting procedures from elsewhere does not help. However, bear in mind that some objectives can only be achieved by changing the way certain activities are conducted by your staff and users. Additional tools and skills may be required to achieve these.
"Users complained to us about the bureaucracy"
It is commonly understood that, from the users' point of view, it is always easier and faster to get things done without having to go through the procedures. In this case, it is important that the validation of, as well as the necessity for, the changes is well communicated to your most senior management and eventually to your users, in order to gain their full support.
"I don't do this because it's not yet on the procedure"
Ensure that you keep the procedures up to date and in line with the changes to your environment. These updates must be immediately communicated to affected staff. Ensure that your staff keep only the most current version, and only one version.
"What's in it for me?"
It may be a disturbing but nevertheless common question from the IT staff. It may not be easy to establish, but one of the most effective tools to address this is to make consistency in executing the procedures one of the Key Performance Indicators (KPIs) of your staff. Remember that their performance is also your KPI.
"How am I doing?"
Perform periodic audits on each procedure. If available, also ask your internal audit team to perform periodic internal audits on your team. Immediately address any issues raised during the audit.
And finally, congratulate your staff on having fewer IT-related issues raised in your organization's audit report.
The writer is a principal, information system services, at PT Consulting Services Indonesia.