Intranets have grown to be thousands and even millions of pages of content. Given their size and scope, they present challenges that are similar to those common in external sites. There has also been a tendency for intranets to become dumping grounds for obsolete and irrelevant content. The result can be unforeseen privacy and security risks, wasted employee productivity and unnecessary cost burdens. Although media and management attention is focused on protecting external-facing sites from security threats, identity theft and other online vulnerabilities, intranets should not be overlooked. These sites can easily be compromised, and government IT executives are now realizing the need to expand security and privacy practices to agency intranets.
Government intranets are growing in size as agencies seek to provide better services to the public. Only by understanding the intranet environment — the domains, Web sites, directories, content, Web servers, technologies in use, and the policies and standards in place — can agencies ensure that they have adequate control of this information and its delivery. The first step is to conduct an agency widewide to evaluate the size and complexity of the intranets. By conducting a thorough assessment agencies can effectively evaluate risks. Managers can then make informed decisions about risk mitigation as well as server and application consolidation.
Infrastructure inventory is imperative for a thorough security assessment. By identifying systems and servers that are not up to date or otherwise not conforming to IT standards, agencies can update or remove material that may pose security risks. Content inventory will also identify orphaned files and allow agencies to clear out unused pages and clutter, improve efficiency and lower infrastructure costs.
Agencies should also evaluate precisely what sensitive and insecure content is available on their intranets. Intranets host many applications that house confidential information on employees, agencies and citizens. These sites need to be monitored regularly for vulnerabilities. It is also essential that agencies evaluate their intranet operations for regulatory compliance with relevant federal regulations.
What steps can leaders take today? Consider the following to effectively manage the compliance risks and costs of managing agency intranets:
- Conduct an inventory of internal Web properties to better understand the Web environment. Knowing how many sites and servers you have, the technologies in use, and the technology policies and standards your agency employs will create a more secure and productive intranet environment.
- Scan your intranet with an automated solution to identify vulnerable areas, including forms that may be inconsistent with internal privacy policies or may lead to information leaks.
- Understand what employee and citizen information is being collected and published on the Internet and intranet. The intranet is used to publish sensitive information, including human resources forms and employee health care information. Full knowledge of all online data-collection methods is critical to effectively managing Web privacy.
- Understand exactly who has access to this sensitive information. Proper technology and security controls will allow employees to see only the information required to do their jobs. Often, contractors are granted access without careful consideration for all the information they may have access to.
- Consider applicable security, privacy and accessibility legislation such as the 2002 Federal Information Security Management Act, the 2002 E-Government Act and the 1998 Rehabilitation Act amendments.
Agency intranets continue to grow rapidly, and because intranets in general tend to be content dumping grounds rather than efficient resources, the risks are increasing. But an agency’s intranet can be one of its most valuable and efficient information tools. Understanding and proactively assessing intranet risk is an important way to preserve the value for employees and the public.
Autor: Peter McKay
Quelle: Federal Times, 09.09.2005
