A surprise from Communications of the ACM

In the usual case I look at the monthly Communications of the ACM fairly quickly because most of the content is so disconnected from reality that it only takes a few seconds per article to classify it as purely tenure seeking and move on. This month's issue, however, is very different.

There's a six piece special section on music information retrieval that doesn't exactly break new ground but does present the field in an organized way. More surprisingly, four of the five opinion columns were interesting and one of the six articles is a real winner.

I'll mention two of the opinion pieces, starting with the most obvious and indirectly most revolutionary one: Mikko Siponen's Technical Opinion column under the title Information Security Standards Focus on the Existence of Process, Not its Content.

What this is about is the nakedness of the process emperors in audit. Since nearly all audit activity is based on process reviews and thus suffers from the kind of reality disconnect that allows a company like Nortel to more or less completely destroy its internal financials and controls during a ten year rolling IT failure while meeting every possible auditor concern, this is revolutionary stuff. It's not new, of course, with lots of people muttering about this all the time, but to see the concern expressed in the specific context of IT security policies and standards in a profesional journal is a bit of a breakthrough and one signal among many that reality based audits will become a market driver some time real soon now - i.e. right about the time the big four firms figure out how to do it.

Number two is the piece I wish I'd written: Disk Wiping By Any Other Name by Hal Berghel and David Hoelzer. What these guys did was wipe an NTFS disk using various tools to see what remained accessible to simple software tools afterwards - and the answer? "It is clear that most disk wipers leave behind a lot of telltale information that may have proprietary or security implications."

Bottom line: if you're watching porn or copying client information using NTFS, don't count on disk wiping to cover your tracks.

The article by G. Daryl Nord, Tipton F. McCubbins, Jeretta Horn Nord: E-monitoring in the workplace: privacy, legislation, and surveillance software is vaguely related to this because it combines an apparent commitment to the idea that employee electronic messaging should be accorded some degree of confidentiality with a legal review showing just how naive this is. Contrast, for example, the last two sentences in this bit with the rest of it:

In a case in which the California Appellant Court ruled in favor of the employer strictly on the basis of a signed electronic communications policy, the court stated that at a minimum the policy should contain a statement that:

 

1. Electronic communication facilities provided by the company are owned by the company and should be used solely for company business.
2. The company will monitor all employee Internet and email usage. It should state who may review the information, the purposes for which the information may be used, and that the information may be stored on a separate computer
3. The company will keep copies of the Internet and email passwords.
4. The existence of a separate password is not an assurance of the confidentiality of the communication or other "protected" material.
5. The sending of any discriminatory, offensive, or unprofessional message or content is strictly prohibited.
6. The accessing of any Internet site that contains offensive of discriminatory content is prohibited.
7. The posting of personal opinions on the Internet using the company's access is strictly prohibited. This is particularly true of, but not limited to, opinions that are political or discriminatory in nature.
8. Although not included in the court's list, the policy should clearly state potential repercussions to the employee for violating the policy.

Legally, these requirements are considered minimum standards that a sound policy should meet. They should be clear and unequivocal, and they should be read and signed by each employee. However, the employer should also remain aware of the employee's normal human desire for reasonable amounts of privacy. Therefore the employer should try to minimize unnecessary intrusion into this privacy expectation in order to reduce the negative impact on employee morale.

Bottom line? Employers should generally respect employee expectations of privacy, but employees should recognize that such expectations will not be honored in court.

Enlightening stuff, and not at all what I've come to expect from Communications over the last few years, so here's hoping they keep it up - that this wasn't a guest editor wreaking havoc but a genuine change in focus.