IT security procedures -- are they being implemented?
Tedy Djajawinata, Contributor, Jakarta, tedy.djajawinata@csindonesia.co.id
Many companies spend long hours and excessive amounts on consultancy fees in developing IT security procedures for different reasons.
Some are genuinely keen on protecting valuable information assets, while others are responding to issues raised in audit reports.
Regardless of the motivations and the energy spent in producing these procedures, are they actually being properly implemented?
It is not surprising to often hear, "Not exactly", as the answer to this question. It is indeed a very challenging job for an IT Manager to ensure that these procedures are effectively implemented by his staff.
And it is a fact that IT staff, in turn, have numerous excuses for not implementing them. However, some practical insights could help the IT manager address these issues:
"We are not aware of any procedures related to what I do"
Ensure that all procedures are published and disseminated to your staff, and your users when appropriate. If necessary, include these in their job descriptions. Have the designated champion for each procedure explain it to the rest of your staff.
Everyone should know who does what and how. Use the same opportunity to get feedback from your staff on potential issues relating to the implementation of the procedures.
"I don't really understand the procedures. They are too complicated"
Ensure that your procedures are concise and easy to understand. Use the language understood by your staff. For example, use Bahasa Indonesia if necessary. Also, develop very practical, yet effective and well-structured procedures clearly describing who does what.
Complex and wordy procedures usually discourage people from implementing them. Remember that the main audience for your procedures is your staff, not your auditors.
"There is no way we can do this here (in this organization)"
Recognize the objective of each task. If necessary, use a more practical alternative method for your organization to achieve the same objective. Ensure that your procedures are well suited to your IT environment.
Simply copying and pasting procedures from elsewhere does not help. However, bear in mind that some objectives can only be achieved by changing the way certain activities are conducted by your staff and users. Additional tools and skills may be required to achieve these.
"Users complained to us about the bureaucracy"
It is commonly understood that, from the users' point of view, it is always easier and faster to get things done without having to go through the procedures. In this case, it is important that the justification for the changes, as well as their necessity, are well communicated to your most senior management and eventually to your users to gain their full support.
"I don't do this because it's not yet on the procedure"
Ensure that you keep the procedures up to date and in line with the changes to your environment. These updates must be immediately communicated to affected staff. Ensure that your staff keep only the most current version, and only one version.
"What's in it for me?"
It may be a disturbing but nevertheless common question from the IT staff. It may not be easy to establish, but one of the most effective tools to address this is to use consistency in executing the procedures as one of the Key Performance Indicators (KPIs) of your staff.
Remember that their performance is also your KPI.
"How am I doing?"
Perform periodic audits on each procedure. If available, also ask your internal audit team to perform periodic internal audits on your team. Immediately address any issues raised in and during the audit.
And finally, congratulate your staff on having fewer IT-related issues raised in your organization's audit report.
The writer is a principal, information system services, at PT Consulting Services Indonesia