It is my firm belief that someone must be watching the security chief who has been tasked and empowered with monitoring employee computer activities because this person may have access to some of the most intrusive security software for collecting and reading every employee email conversation, internet chat, and other activities which we will cover shortly. Some information security groups are more powerful than others because of their staff size, quality of staff, budgets, tools, and the trust placed in the person running the group to protect the company. Although, I believe that all elements described above must exist to have an effective information security group, I do not agree with blindly trusting a security individual or group to have full access to employee activities without watching the security team who can abuse the granted privileges. After all, they are also humans and if they happen to be smart with a big ego, they can cause some serious damage some of which may not become known for many years.
It is expected that the information security folks must have needed access to various systems to do their job which may include granting access to employees, removing users, running system vulnerability scans, etc. But, what took me many years to realize is that the security folks in some companies are extremely powerful for many reasons. First, they may have a huge budget to spend on all kinds of security monitoring tools, and most importantly, there may be no one to watch them because of the trust and credibility placed on them to protect the company. This practice is even more probable in large organizations because everyone is too busy to think about, let alone watch the security chief. In my opinion, the risk of misuse by the top security person increases the longer he or she retains the position. Companies must be watching the security chief even more as he stays longer in that position.
What each employee and executive must realize is that their every move on the computer may be recorded and viewed by the security folks or those who have illegally installed security software which is less likely. It is more likely that an information security employee will install and use security monitoring tools than someone outside of the information security team because of the software installation restrictions and detection systems. Once these security monitoring tools are installed which by the way are not transparent to the computer user or illegal with proper employee notification, employees must realize that all their online activities including business emails, files viewed on the computers including budgets and salaries, personal emails, bank accounts, passwords, tax information if prepared with company computers, sites visited, time spent on websites, documents sent to others, and anything else they do on their computer may be recorded and viewed. Although most information security experts are ethical, nothing stops them from abusing the collected information inside or outside of the company while employed or after their employment ends unless they know they are also being watched. Some security folks may even collude with others inside or outside the company to achieve a specific joint objective or they may pursue personal gains by selectively using and sharing information. Often, the collected computer information and even voicemails are not misused until an opportunity and justification arise due to circumstances which may entice the information security folks to contemplate misusing the powerful information they have in their possession. Although, the head of information security likely watches the information security staff, no one is usually watching the security chief who can pretty much focus in on some specific targets within the company to collect enough information for curiosity satisfaction or other personal gains. Most employees, management members, board members and executives are not aware of the possibility that someone in the company may have the means to snoop on them as long as their computer is facing a wall, but the truth is that fully loaded spyware installed on any employee computer is like having an invisible person standing behind a computer user and seeing everything the person sees on the computer or types on the computer keyboard. Even the passwords which are masked on the computer screens with stars can be revealed by the monitoring capability of these security tools which log the computer keyboard activities.
To understand and address the risks in this area, management and auditors must question all the information security staff including the security chief regarding the tools installed as well as computer data collection, storage and security practices. If using spyware is part of the approved information security program, then auditors or anyone assigned with the task of guarding the guardian must ensure the software is being used in accordance with the prescribed procedures. And if using spyware is not part of an information security program, then continuous monitoring procedures must be in place to detect and remove any unauthorized installation of spyware until such practice is approved. Auditors may typically audit the information security group once or twice a year, but this may not be sufficient to fully understand and validate the security tools used by the group. Purchase order reviews, whistle blower hot line, and other techniques to detect the installation and use of purchased software or freeware must be implemented to assess the risk on a continuous basis.