IT Data Governance and the Insider Job

In many years of working in IT, I've witnessed several cases of criminal activity within companies. I've seen, for example, developers escorted off the premises for sabotage, and data theft, and seen several senior managers disappear off to Open Prison. I'm always surprised when young developers express shock and surprise that database security has to reflect this, but maybe this sort of crime doesn't grab the headlines. In fact, most cyber-crime is an 'insider job'. Most studies quote figures near 80%. There is, of course, an enormous range of activities included in the total. Criminal offenses can include terrorism, fraud, bribery, espionage, sabotage, embezzlement, corruption and extortion. Of course, if you include malicious activities that can be regarded as civil offenses, that includes violations of copyright, negligence with classified data, unauthorized access to financial, or private personal information. In most cases, the companies are only too willing to resist reporting the frequency with which this happens, especially when it involves their own staff.

IT Governance bears the brunt of the battle to keep data properly locked down. Developers are generally uninterested in such work because it is so invisible and involves no heroics. It is one of the more tedious jobs in IT, and requires meticulous care. One of the most frustrating parts of the job is trying to explain to one of the more inexperienced developers why you are insisting on a whole lot of complex logs, audit-mechanisms, encryption systems, scoping, intrusion systems, alerting, access-control systems and the like. For them it is unreasonable, over-cautious, and seems to be designed to prevent them meeting their targets. You, the data governance guy, cannot explain why without seeming vague, because your information is company-confidential and you are under legal constraints that prevent you from being at all explicit in explaining the nature of the threat. It is a distasteful subject.

Good IT data governance is about crime-prevention as well as crime-detection. It delivers us from temptation to commit fraud or other civil offense, and induces those with criminal intent to find another easier victim. It also means that the organization can avoid the tedious, resource-sapping task of engaging in legal action. Legal action runs war a close second as being one of the more futile and debilitating of human activities, so prevention is always better. IT data governance should never be an afterthought.

Phil Factor

One Milly-yon IOPS - Database Weekly (Sept 1, 2008)

by Steve Jones

SQLServerCentral.com

Editorial

IBM is testing a new hardware disk array that vastly outperforms any current arrays. What does this mean for the database world?

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

You rated this post out of 5. Change rating

2008-09-01

227 reads

Discuss

Solid State Replacements - Database Weekly (August, 18, 2008)

by Steve Jones

SQLServerCentral.com

Editorial

New SSD (Solid State Device) hard drives are infiltrating enterprise servers more and more, but are they a good fit for database instances? Steve Jones comments a bit on some news from this past week.