- Security personnel
- An interdisciplinary information-security committee, which is responsible for the coordination of the entire IS program.
The information-security committee comprises representatives from HR, security, and select managers and staff from each area in the firm from which proprietary information emanates. It should also include representatives from the legal department, records management, MIS and audit.
Among its many duties, the information-security committee should have primary responsibility for both developing and administering the various information-security components of the training and development programs, and other key HR functions. This is crucial over the long term because it enables HR to maximize its contributions to the information-security effort without the burden of an extra layer of administrative work.
At Cupertino, California-based Tandem Computers Inc., this is exactly the kind of support the information-security committee provides. Called the Information Security Council, it's responsible for designing and administering information-security policies and education programs companywide. It also directs the necessary resources to areas in which the security risks are greatest.
Working from a program that truly has been designed from the bottom up, the Information Security Council relies heavily on the efforts of its foot soldiers, the information-protection coordinators (IPCs), groups of employees from each of the major business functions selected by the company to serve as information-security representatives in their respective departments.
The IPCs begin their service by attending special workshops conducted by Michael John, Tandem's manager of corporate security, and his security staff. They learn about the difficulties of protecting information. War stories illustrate the magnitude of the potential problems they face. Coordinators receive a set of security guidelines as a means of tailoring information-protection procedures to the unique needs of their own departments. They receive training in the methods by which both they and their co-workers identify and classify the various types of confidential information in their departments.
The other roles of Tandem's Information Security Council include:
- Companywide communication:
The council communicates security-related information throughout the organization through company newsletters, the Tandem TV network and an online bulletin board devoted exclusively to security-related issues. The bulletin board in particular is a centerpiece of the Tandem security program. It provides employees with:
- A comprehensive listing of answers for virtually any security-related question
- A full rundown of company security policies, such as ongoing responsibilities under nondisclosure agreements, document classification procedures, proper document disposal methods, and so on
- A set of specific guidelines for giving information to suppliers, contractors, distributors and all other outside sources, and for handling sensitive materials entrusted to the company by outside sources.
The council sends fliers to employees outlining timely security news, posts displays in prominent locations and passes out assorted novelty items, such as posters and rubber stamps, emblazoned with security slogans.
The council addresses security-related issues and problems as they arise and is quickly accessible through a special security hot line.
The council is responsible for ensuring that employees discard confidential information properly. Its job also involves monitoring and equipping each security area with special confidential-information disposal bins. Once the materials in these bins are collected, employees should shred and recycle them.
In conjunction with organization auditors, the council helps maintain oversight on all outside organizations with which the firm does business. It ensures that vendors adhere to the company's security requirements.
Information security is by no means only a big-corporation issue. If anything, the need often is greatest in smaller businesses, for which a single information leak can be extremely harmful, if not deadly. Nor is information security something that only the larger company can afford.
The steps described above show that a company, large or small, can institute an effective information-security program. An organization can perform this process inexpensively, especially in comparison with the more elaborate physical-security apparatus that may be in place, which still doesn't keep most competitive-intelligence operatives out of the company.
Personnel Journal, May 1993, Vol. 72, No. 5, p. 47.