This series looks at monitoring programs across industries, including privacy consulting, healthcare, IT, finance, government and telecom.
JC Cannon, CIPP/US, CIPT, is a leader in privacy and IT. He is the founder of Assertive Privacy, a Washington, DC-based consulting agency and recently retired from a 16-year career at Microsoft, where he spent 12 of those years focused on privacy. He is the author of Privacy in Technology: Standards and Practices for Engineers and Security and IT Professionals and Privacy: What Developers and IT Professionals Should Know, and he contributed to the books Writing Secure Code and Windows Security Resource Kit. In this installment of the series, focused on IT, I spoke with him about how to decide what to monitor, key points to hit and pitfalls to avoid.
The Privacy Advisor: Why is developing a monitoring program important?
Cannon: Monitoring is important to help ensure ongoing compliance and validate past compliance with corporate rules, legislation and self-regulatory commitments. Monitoring also helps to mitigate the risk of employee misbehavior, inappropriate use and sharing of information, breaches of sensitive data and attacks from hackers.
Having comprehensive rules, training and procedures in place is not as important during an audit as being able to prove that they are working. Many of the IT incidents occurring in the news were the results of processes that weren’t working or rules that weren’t being followed. Proving that appropriate rules are in place will mitigate the risk of a breach and the fallout if a breach were to occur.
The Privacy Advisor: How should people determine what to monitor?
Cannon: The first impulse will be to want to monitor everything. However, the resources to deploy monitoring across a global company for every scenario as well as reviewing logs and events from monitoring systems can be overwhelming. A regular risk assessment should be performed to prioritize IT risks and determine which ones will be monitored and how.
The Privacy Advisor: How should they document their monitoring program and the results of any monitoring that they are performing?
Cannon: Documenting monitoring programs is important to validate to auditors and regulators that a company is working to mitigate risks. It also works to educate employees about the program and the proper way to administer it. Compliance and IT departments should have a consolidated view of monitoring programs along with details of individual programs, which should include a step-by-step procedure of how each monitoring program is deployed and administered.
The results of monitoring programs should be documented in a way that provides a simple and effective status of the program. This can be done using Harvey balls, charts and graphs. There should also be a detailed description of each area explaining why certain areas are out of compliance and the plan to bring them into compliance.
The Privacy Advisor: What are three key tips that you would give to someone developing a monitoring program?
Cannon: First, perform a risk assessment before deploying a monitoring program to make sure the most important areas are being addressed. Second, make sure all employees are aware of the risk areas so they can assist with monitoring. And third, go over monitoring results on a regular basis and create a plan for addressing areas that are out of compliance.
The Privacy Advisor: What are pitfalls to watch out for and how should those be addressed?
Cannon: Organizations should be committed to compliance and monitoring. They are often reluctant to invest in preventative measures. However, it’s similar to investing in car insurance. While people don’t expect an accident to happen and have faith in their driving abilities, it is rare that they would operate their vehicles without insurance. A data breach or attack on systems could cost an organization millions of dollars, loss of customers and a damaged reputation.
Organizations will do a good job of monitoring for inappropriate access to data and systems but forget to focus on the employees who have legitimate access to data. Frequent audits should be done to validate that accesses are appropriate.
In addition, organizations often underestimate the importance of training. Having great procedures and monitoring in place is a waste of time if employees aren’t aware of them and how to execute on them. Training should be repeated on a regular basis to catch new employees and update veteran employees on changes to the training.
Start with Staff and Then Track Progress
Cannon offers fantastic advice that translates across industries. When developing or implementing your monitoring program, start by ensuring that staff are trained on the proper procedures. Perform a risk assessment to identify what to monitor, document the outcomes of your monitoring processes, and identify corrective actions for anything found to be out of compliance. Finally, it's essential to track results and keep leadership informed on status by using simple tools such as Harvey balls, charts and graphs.