Cyber Security Awareness Month - Day 28 - Role of the employee

Published: 2010-10-28
Last Updated: 2010-10-29 16:08:01 UTC
by Tony Carothers (Version: 1)
4 comment(s)

Today’s topic for the CyberSecurity Awareness Month is the Role of the Employee. Almost everyone reading this today will create some form of stored data which is significant to them. That is the role of the user, and basically every employee with an IT system is a user of some form or other. Recently I had the opportunity to discuss a very similar topic with some friends at  . The discussion centered on personal responsibility in regards to security. This was a very productive discussion that yielded many of the same questions and conclusions I will discuss today. The role of the employee is essentially the role of the user, which always leads to 3 questions:

“What data have I produced?”

“How do I get this data back, so I may continue, when all else fails?”

Once you have addressed these questions for the data you have created, whether 2 presentations or 200 emails, you will find the long road ahead much easier. The third question is a bit more difficult, and is a topic for another day:

“What data, other than my own, am I ultimately responsible for today??”

I would like to talk about the first 2 here a bit more. Of course discussions or comments are always welcome and encouraged.

“What data have I produced today?” This question hopefully leads everyone to ask a number of questions about backup, restoration, and possibly even continuity of operations in regards to their jobs and data. One common question is “how do I keep going after a (insert disaster here, e.g. fire, flood, etc.)?” If you are reading this, then most likely you, in both your professional and personal life, create some form of data each day. In the workplace this may be several proposals or presentations. In the home, it may have been a weekend of pictures downloaded to the home computer. So what happens when the workplace is flooded? God forbid, a fire in the home? Is the data created on a computer any less priceless than the letters from 2 years ago? No. You would hopefully plan for and protect these electronic artifacts the same as you would the physical artifacts.

“How do I get this data back, so I may continue, when all else fails?” To answer this question completely, question number 1 has to be answered first. Essentially, once you have identified who is responsible for the backup and restoration, then ask the question “where is my data, so I can get it back when everything else fails?” Sometimes this is a question we have to ask of ourselves about personal data we’ve created, in the form of contact lists, email archives, and personal data. In the data realm we are producers, providers, consumers, and sometimes all three. Anyone in the role of the first two needs to understand completely the role they play in today’s CyberSecurity world.

tony d0t carothers at isc d0t sans d0t org



Too narrow a focus if only looking at availability and only data created or directly used. To me the topic title begs for defining the employee's role so that the employee has a clearer idea of their responsibilities in cyber security. I think awareness is lacking in the confidentiality aspect more than availability. The scope of data responsibility extends to all data the employee can access, not just that which they generate or use. The employee should feel they share responsibility for protecting all data within this scope. There should be a presumption of confidentiality because once the cat is out of the bag it is awfully tough to get it back in. Availability also is a responsibility, particularly for new or modified data of the employee. It is the employee's responsibility to ensure such data is included in a protected backup scope.
Another question should be "Where did I take this data, and what would happen if I lost it there?" We certainly let a lot of data roam free on laptops and smart phones without the least bit of protection, and without properly educating employees on the risks of transporting that data. I'd guess few employees and execs really consider how much insider/confidential/business critical information they have in their pocket every day. Even fewer consider how the 'inconvenience' of a device password or FDE could really save their bacon (and the company) when they lose that data....
I have found that when approaching this topic with the average user in a company, if I use the word "data" I get glazed-over looks, and they stop listening. I guess that "data" is considered a computer/IT guy word. When I use the word "information" it has a broader appeal and I lose fewer people to the this-is-boring-get-me-out-of-this-mandatory-meeting haze.
IMO, the only questions employees should have to ask are... "What did I do? What security policies pertain to what I do? What am I doing to make sure I comply with all these security policies?"

I'm not so sure employees should be the ones worrying about "get the data back" or asking these questions. Company policies should tell the employees where to save their data; and company security policies need to tell the sysadmins how to backup the data.

The average employee cannot be expected to anticipate all possible risks on how they might come up with their own availability strategies.

"What data have I produced?"
Hm.. someone's answer might be something like "a spreadsheet of customer orders, with their credit card numbers, SSNs, and other personal details"

"How do I get this data back, so I may continue, when all else fails?"
hm... "I'll save a copy to the shared drive, FTP a copy up to an offsite server, and e-mail myself a copy to a hotmail account, just to be sure."

Those are examples of bad answers that might seem OK to the average person.

Instead, the answers ought to be "Company policy says I should save this information directly into the ordering system, so I do that. The system operators are responsible for getting that back if information is lost in the system."
