Tom Considine & Associates
"Information Privacy Professionals"
SERVICES

Our Information Protection Managers (IPMs) are well-versed in many specialized areas. We bring a diverse background to the table, allowing us to quickly assess risks to your organization and instill confidence in your clients and customers. This gives Tom Considine & Associates an edge when dealing with complex federal and state compliance matters, where more than one area of expertise is usually required. Whether you're a Fortune 500 company or a small or mid-sized business, you must comply with the same information protection laws and Payment Card Industry (PCI) mandates. There is no longer a need to hire a full-time privacy/protection officer: we can provide you with ongoing, comprehensive and affordable support, or train your current staff to develop and maintain your own compliance program.

Tom Considine & Associates offers free initial consultations.

Our services include:

  • EMERGENCY SERVICES - Visit our Crisis Management page
  • Development of Written Information Security Programs (WISP)
  • Development of FTC Red Flags guidelines, policies and audits
  • Data flow analysis to identify risks, permissions and covered accounts
  • Information Assurance (IA) assessments and audits
  • Payment Card Industry Data Security Standard (PCI-DSS) program development, internal assessments and audits
  • Internal and external risk assessments
  • Online interactive employee security training programs and progress reports
  • Third-party risk assessments for business mergers and for current and prospective service providers/vendors
  • Information Protection Manager Training Program (new service)

Information security programs and policies are needed to:

  • Inform staff of their information protection duties and responsibilities, and provide guidance on the approved safeguarding, handling, release and destruction of sensitive information.
  • Define how staff are permitted to represent the organization, what they may disclose publicly, and how they may use organizational resources for personal purposes.
  • Demonstrate, in a court of law or an administrative action, that the organization took a proactive stance to protect sensitive information; the existence of a written security program may be a decisive factor.
  • Define both acceptable and unacceptable staff behavior while reducing nonproductive work hours. For example, staff spending hours during the workday surfing the internet, playing fantasy football or downloading pornography is generally unacceptable workplace behavior. However, written policies are necessary to establish what constitutes unacceptable behavior and to provide the basis for disciplinary action, up to and including lawful termination.

Real World Problems Caused by Missing Information Security Policies:

The following cases illustrate how adopting specific security policies can help organizations in various industries avoid problems:

At a Government Agency...
A clerk spent a great deal of time surfing the internet while on the job. Because there was no policy specifying what constituted excessive personal use, management could not discipline this employee. Management later discovered the clerk had downloaded a great deal of pornography. Using this as a reason, management fired him. The clerk chose to appeal the termination with the Civil Service Board, claiming that he couldn't be fired because he had never been told that he couldn't download pornography. After a Civil Service hearing, the Board ordered him to be reinstated with back pay.

At a Law Firm...
The manager of data processing took a job with a competing law firm. Because his former employer had nobody who could do the job that he did, they kept him on as a contractor. On a part-time basis, he would perform systems management tasks. In order to do these tasks he needed full privileges on the former employer's network. One day the former employer learned that the manager's new employer was opposing them in a high-visibility lawsuit. Could the former data processing manager gain access to the shared legal strategy files for this case on the network? The answer was yes, but nobody knew whether the manager had exploited these capabilities because no data access logs were being kept. This situation could have been avoided if the former employer had policies about conflicts of interest, system access privileges, and keeping logs.

At an Oil Company...
An oil company computer technician compiled a list of jokes about sex. Proud of his list, he broadcast this list on the internet, appending his company electronic mail address to the end, just in case the recipients happened to have heard any new ones. Management was able to have the posting deleted from several discussion groups, but was not able to control copies that had been made. Around the same time the same technician had printed a copy of his list, and when distracted by something else, had left it in the hopper of a departmental printer. Women in the department objected that they had been subjected to sexual jokes via email that they didn't want to read. They pointed to the internet postings and the printer output as examples. The pending sexual harassment lawsuit was settled for an undisclosed sum. A policy about permissible use of the internet, as well as a policy about representations made using the company name on the internet were noticeably lacking.

At a Local Newspaper...
A local newspaper had no policy requiring the termination of user-ID and password privileges after an employee left. A senior reporter left the newspaper, and shortly thereafter the newspaper had trouble because the competition consistently picked up on its exclusive stories (scoops). An investigation of the logs revealed that the former employee had been consistently accessing the newspaper's systems to get ideas for stories at his new employer.

At a Midwest Manufacturing Company...
A virus hoax sent by email through the internet indicated that if people receive a message with the heading "Join the Crew" they should not read it. The hoax went on to state that this email would erase a hard drive if ever it should be displayed. Thinking that they were doing others a favor, 10% of the staff at a large manufacturing company broadcast the hoax to all the people they knew. Because no policy defined how they should handle these warnings, they flooded the company's internal networks with email and caused a great deal of unnecessary technical staff time to be wasted.

At a West Coast Manufacturing Company...
Because it had no policy requiring employee private data to be encrypted when held in storage, a large manufacturing company found itself facing a public relations problem. A thief made off with a computer disk containing personal details and bank account information on more than 20,000 current and former employees. The press speculated that this could be used to facilitate identity theft, including applications for credit cards in the names of other people. The event precipitated a massive notification process, including recommendations on changes to bank account numbers. The notification process and identity theft protection services for employees cost the company over $2,000,000 for the loss of one unencrypted disk.

At a Major Online Service Company...
A Navy enlisted man registered with an internet online service company and filled out a profile form indicating that he was gay. An employee at the service company, after an inquiry from the Navy, shared this profile information with the Navy's "top brass." Based on this information, the enlisted man was given a dishonorable discharge. The enlisted man sued the Navy for violating its own "don't ask, don't tell" policy, and won an honorable discharge with retirement benefits as a result. The online service company publicly stated that its employee had violated "the privacy policy," but this policy had been violated on multiple occasions before, including top management's publicly stated intention to sell customer home telephone numbers to telephone marketers. At least the service firm now admits that it has a policy.

Ph: (702) 722-3492