The Clinton e-mail Scandal as a Failure of IT Governance
This isn’t about partisan politics or law. It is about good, common sense IT Governance. The ongoing revelations of the Clinton e-mail scandal demonstrate a total failure of IT Governance at the highest levels of the US Government. Not only is no IT Governance in evidence, the situation has displayed astonishing hubris, casual disregard for information security, and a massive sense of entitlement of all the parties involved. Common sense, good judgement and even a basic understanding of handling sensitive information seem to be completely absent. Where were all of the tens of thousands of security professionals employed by the federal government? Who was keeping an eye on the ball while all this was going on?
Having served for four years in Army intelligence, I can assure you that had this situation been perpetrated by minions and peons in the military, the culprits would already have been behind bars facing long sentences in military prison. Were similar revelations made about highly regulated corporations required to comply with regulations such as GLBA and SOX, we would have already seen dozens of executives and managers doing perp walks and making plea deals to stay out of prison.
We can’t easily fix what goes on in Washington, but you can take steps to ensure that your organization does not suffer this kind of embarrassment. I hope you are using this as a lesson and an opportunity to review your Acceptable Use, e-mail and information security policies and procedures. Make sure that all your policies, processes, and procedures comply with best practices, applicable regulations, and common sense. And make sure your staff receives annual training on these policies and procedures.
In general, large corporate entities tend to have strict policies because of the enormous quantity of regulatory compliance issues they face. However, many municipal and county organizations have elected or appointed officials who use personal e-mail addresses for conducting official business. There is absolutely no reason for this. E-mail is a dirt-cheap commodity, and a strict e-mail policy is likely to prevent embarrassment, civil litigation, or criminal indictments down the road.
Here are some tips for e-mail usage and your policies:
- Never, never send confidential information in an unencrypted e-mail. E-mail is not a secure method of transmission.
- Never put anything in an unencrypted e-mail that you wouldn’t want the entire world to see. Even if it is encrypted, the recipient may decrypt it and accidentally (or purposely) forward it to EVERYONE. This happens all the time. Moreover, if your e-mail is FOIL’ed or subpoenaed you may find yourself in an embarrassing situation.
- Everyone on your staff should be using business e-mail for business purposes, and personal e-mail for personal purposes. Don’t cooperate with bad actors by communicating about a business issue to a personal e-mail account.
- Consider an e-mail archiving solution and have it configured to comply with all applicable regulations affecting your operation.
- Consider whether a DLP (Data Loss Prevention) solution would make sense for your organization.
If you require assistance determining appropriate e-mail and acceptable use policies, send me an e-mail at firstname.lastname@example.org.
Read more about IT Governance issues at http://blog.e-volvellc.com. If you are snowed in and want to read about hubris and entitlement with a real sleaze factor, pick up a copy of Tom Wolfe’s Bonfire of the Vanities.
Copyright © Jeffrey Morgan 2016