Recent claims that staff productivity is the responsibility of line managers and not security have been assessed.
At the February (ISC)2 conference, Ray Stanton, global head of business continuity, security and governance at BT Global Services, claimed that if companies are blocking access to social networking for productivity rather than security reasons, then the responsibility for managing staff lies with line managers.
A recent discussion on the SC Magazine LinkedIn group asked: if social networking is not deemed to be a security risk and most companies are blocking it on the point of productivity, whose job is it to monitor and manage that?
Jeremy Orritt, corporate accounts executive at Redstone, said that organisations are increasingly under pressure from their users to allow access to social networking sites due largely to the flexible hours a lot of us now seem to work, so this is a very complex question.
He said: “Of course there is a large security risk by allowing users access to these sites as the asset owners tend to favour openness of communication and do not have the resources to police them. There are however a number of organisations out there who are proactively securing these sites.
“Personally I am in favour of relaxing policies around social networking as these vectors are being used increasingly for business purposes. There is now a large overlap between personal and business usage of these sites, Twitter being a very good example. There are ways of managing productivity with these types of sites by putting blocks in place during core business hours or applying daily usage limits on individuals.”
He concluded by saying that if there is no security risk, it really should sit firmly with line management and not IT security, and he strongly agreed with Stanton's comments.
Alex Clayton CISSP, security and continuity service manager at 3i, believed that there were two sides to the story – that there is definitely a security issue for using online services for personal reasons that have no business benefit.
He said: “Security is based upon the three tenets of confidentiality, integrity and availability. The potential unauthorised leaking of information out of the corporate boundary on to services such as Facebook is a confidentiality risk. It is up to each organisation to understand this risk and mitigate it appropriately.
“Some organisations have a very closed policy, e.g. no or very limited internet access and this is how they manage the risk. Other organisations have quite an open policy on social networking sites and their mitigation is to invest in their people to engender a culture of mutual trust. With the advent of solutions such as data loss prevention it is possible to introduce further controls to monitor and block data leaving the corporate boundary.”
He also commented that HR may determine policies for using online services for personal reasons and ensure compliance.
He said: “In this instance, it will be up to HR to monitor and discipline according to their policy. So, the responsibility for managing end users rests with the department that sets the policy. I would suggest that it is possible for an organisation to agree that it is both a security and productivity problem and the HR and security functions work together to agree policy, implement it and track people's compliance to it.”