Termination

Information Security Officers and IT Directors don't make the call to fire other departments' staff, at least not in any organization I've seen -- it's just not part of the program. HR will have specific procedures for termination that involve reporting managers. If an organization is unusually together, there may be documented criteria for what constitutes a serious or fireable offense. Sometimes this takes the form of a zero-tolerance policy; other times it's just the historical record of things people did to get themselves escorted from the building by managers or law enforcement. But the ISO or IT role is to document events, not judge them.

Understandably, then, when the ISO shows up demanding that a person be fired for doing something, the HR response is often "Why?" If the response is technical and unintelligible, there's likely to be little or no action. Doing this repeatedly will result in a patronizing attitude from HR, if not outright derision.

First, ask HR whether they have a documented "zero-tolerance" policy or other list of actions that they think ought to result in immediate termination. Ask for a secondary list of things they want to be told about immediately -- their list of troublesome things that warrant an alert. Read both lists carefully. Whomever is responsible for security policy and compliance (usually the security officer) should then cross-reference and consolidate the list so that the IT security events can be communicated in non-technical terms to HR.

For example, "browsing web pages that were flagged by the smart filter policy and then forwarded the images via email to a distribution list" can be expressed in HR-speak as "violated the ethics policy by retrieving pornography on company time using company resources, and violated the anti-harassment policy by sending obscene material to multiple employees." The goal is more than just normalizing policies and language, but to make the consequences of misbehavior more predictable and thus fairer to employees.

Keep the door open

The point is to keep the IT-HR dialog going. Rather than trying to enumerate all of the things that one shouldn't do, IT can open up the doors of technology more fully if HR has already delineated the behaviors that are not acceptable no matter what the venue. The more communication there is, usually the simpler and easier the work of monitoring and enforcement becomes.

With any luck, this will make time for even more interesting conversations between HR and IT, such as the review of executive proxy logs, mutual difficulties with audit, IT's internal access to sensitive HR data and other things best discussed -- together -- over an after-hours beer.

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blase, cynical, jaded, content and enthusiastic again. He manages information governance reform for a major refugee aid organization, and continues to have his advice ignored by CEOs, auditors and sysadmins alike.