Sending a Dunn-ing Reminder

Opinion: The ouster of HP's board chair illuminates enterprise infosec issues.

The impending demotion of Hewlett-Packard board chair Patricia Dunn, wholl step down from that post in January (although shell remain on the board), ought to trigger at least three separate conversations about the roles and mechanisms of information security in the enterprise and in any other organization that handles sensitive data.

First, Dunn got in trouble because she didnt know (giving benefit of the doubt) about things that were being done on her behalf. Dunn is not the first senior executive whose fate has turned on the question, "What did she know and when did she know it?"

Many enterprises might be dismayed to realize how hard it would be to answer such questions conclusively. Media traffic such as e-mail and phone conversations, and matters such as who attended which meetings on which dates, have become the raw material of governance: subject to rapidly expanding requirements for disclosure to the public or discovery during litigation. Any forward-looking IT plan should include a top-to-bottom examination of internal information systems, with an eye toward the audit-ready documentation of key decision-making processes and information flows.

This autumn of Dunns discontent also stems in part from Hewlett-Packards having too much personal information about directors and other corporate stakeholders. HP is merely typical of this problem: Any company that pays its employees, provides their medical insurance and administers their retirement accounts is going to have a critical mass of personal information thats just waiting for the right trigger to make it blow up in the companys face. Rigorous and granular management of access privileges should be a high-priority goal. Governable enterprise systems cannot afford the luxurious convenience of having a simple hierarchy of administrative powers.

Finally, companies should avoid the kind of embarrassment now being suffered by phone companies that were too easily "pretexted" into disclosing customer calling records. The growing sophistication of supply chain partnerships demands a matching growth of knowledge and care about the protection of data held in trust for third parties. Technical management needs a seat at the head table as these issues are addressed.

Technology Editor Peter Coffee can be reached at


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.