Chief information security officers are frequently called upon to draft information security policies. But who polices the security executives? One CISO in Santa Clara County, California, is about to find out.
CISO Peter Ekanem was put on administrative leave after an internal investigation concluded he had violated the county's IT policies. In many cases, the rules that Ekanem is accused of breaking are ones he wrote.
Among other things, Ekanem allegedly used his e-mail account to transfer copies of county contract proposals to a former employee in Ghana. Those documents contained detailed information on the county's information technology "footprint," which hackers could have used. In addition, Ekanem allegedly used his county-supplied cell phone as a contact number for tenants in property he rented, and his county-supplied computer to pursue a master's degree online during work hours.
The district attorney's office is still reviewing the facts of the Ekanem case. The district attorney determined that the 44-year-old's actions violate Section 502 of the California Penal Code, which makes it illegal to copy, use, send or disseminate internal county information outside the network. What is still up for debate is whether administrative or criminal sanctions will be imposed. "The real question is: Was the material something that should have been property of the county and not shared? And how much damage was done by disseminating it?" says Jim Sibley, head of the High Technology Crime Unit at the Santa Clara County District Attorney's Office. According to allegations, Ekanem violated many of the information security policies he drafted for the county, including one stating that all information handled by county employees, regardless of form or format, belongs to the county and should be protected as an asset.
If allegations are true, Ekanem also betrayed policies he drafted that prohibit the use of the county's Internet connection or e-mail system for personal profit, including outside business transactions.
"These policies are common sense and widely recognised as best practices in the industry," Sibley says.