Opinion: Four good reasons for Security to talk to HR

Computerworld - Neither IT nor security managers fire people in most organizations. That plain reality seems to escape some in the industry, where offended security administrators declare that disabling the antivirus program is grounds for demotion or an IT manager finding unlicensed media makes arrangements for someone to make the cardboard box commute.

Too often, security folk are surprised and disappointed when the perpetrator is just slapped on the wrist, or the incident is quietly tabled without reprimand. Why the disjoint? Because they didn't coordinate with human resources, and because there's no clarity about the severity or risk from the behavior, even incidents that ought to garner serious attention don't.

The solution is to get right with Human Resources long before the incident. I know -- like dogs and cats living together, the notion of touchy-feely HR personnel working together with hard and graceless IT security geeks may portend the coming of the End Times. But there are a handful of topics that require collaboration. By addressing them before there's an incident, a lot of pain and frustration can be avoided.

Identity and authentication

The initial establishment of identity for a new hire -- involving driver's licenses and W-2 documents -- is a management task specific to HR. When identity is established, and the person who showed up is sufficiently authenticated as that person, we say that initial identification and authentication or "initial I&A" is complete.

This is never an automated task. This is also never an IT task. If someone shows up at the IT help desk asking for an account and there's no HR record of initial I&A, all sorts of alarm bells ought to go off. Unless there's a specific exception -- perhaps the granting of temporary IDs to vendors when a business unit's contract serves as initial I&A -- IT should never, ever be in the business of determining if a person exists or not.

It's one of the most common errors I see, but initial I&A ought not be confused with the implementation of roles and rights. Only after the management decision to hire someone is processed by HR can a person's online persona be connected to a set of tasks, a specific role, a salary and the other trappings of a job. Confusing these different steps means stepping on HR's toes, after which conflict, confusion and weakened security are inevitable.

Acceptable behavior

IT may be a gatekeeper, but it is not the arbiter of all things ethical. Again, that's HR's job, even if an IT director or security officer authored an "acceptable use" policy under the umbrella of IT policy. IT frequently falls down the rabbit hole of trying to define ethical behavior for an organization in the context of its computer systems and resources.