wenwilder
07-31-2004, 12:36 PM
By Michael Osterman
When it comes to e-mail and instant-messaging security policies,
IT departments often face the worst of both worlds: they bear
most of the responsibility for creating and enforcing basic
security policies, while most of the need for these policies
involves information that is unrelated to IT, such as the
protection of confidential financial or personnel information.
For example, in a recent survey we conducted on messaging
security, we found that IT management is "involved" or "heavily
involved" with the creation of basic e-mail and IM security
policies in about 90% of organizations, while in fewer than 30%
of organizations is HR this involved and in fewer than 20% of
organizations are line-of-business managers this involved with
the creation of these policies.
However, our survey found that IT departments would really like
a lot more involvement from other parts of the organization in
creating and managing policies. For example, as part of the
study we asked IT people the extent to which they agreed with
the following statements:
* "Our IT function would like technology that could help them
engage other parts of the organization in policy creation and
enforcement activities."
* "Our IT organization would like a way to enable other parts of
our organization to manage the enforcement of policies for
acceptable use and regulatory compliance."
More than 50% of the IT people we surveyed either agreed or
strongly agreed with both statements. What this means is that IT
departments have been charged with the primary responsibility
for not only creating, but also managing and enforcing policies
that really should be the primary responsibility of the
functions within the enterprise that own the protected data. In
other words, while IT should be charged with the implementation
of technologies that help create and manage policies, other
functions need to have a greater role in creating and managing
the policies that protect their own information and practices.
I'd like to get your views on this issue from both sides - IT
and business management. Please drop me a line at
<mailto:michael@ostermanresearch.com>