Yesterday I ended a post about new GRC technology with a reminder that people are part of the GRC equation as well. Sometimes it doesn't matter what kind of technology is in place. Some employees just have a natural bent toward risky behavior.
On the other hand, sometimes it seems even the least sophisticated technology could have helped organizations avoid a lot of trouble. Take, for instance, the mess the National Science Foundation is cleaning up these days. In September, The Washington Times reported that the number of employee misconduct cases investigated at the National Science Foundation in 2008 rose to six times the number of investigations opened in 2007. Many of those investigations involved NSF employees viewing pornography on government-issued computers during work hours.
Washington Times writer Jim McElhatton shared the circumstances of one of the misconduct cases this way:
Another employee... was caught with hundreds of pictures, videos and even PowerPoint slide shows containing pornography. Asked by an investigator whether he had completed any government work on a day when a significant amount was downloaded, the employee responded, "Um, I can't remember," according to records.
Investigative records also revealed that one "senior executive" spent an estimated 331 days looking at inappropriate sites, McElhatton said.
Are they kidding? This is the kind of stuff that makes my stomach turn. Yes, NSF representatives quoted in the story do say the foundation has taken the necessary steps to correct the problem, both in terms of technology and in employee training on appropriate behavior. That's good. But I don't understand how the problem became so pervasive in the first place. If some employers block their employees' access to Facebook and other social sites because it hurts productivity, it should be a given that Internet filters and blocks are also in place to prevent employee access to illegal and inappropriate sites.
And even if they weren't already in place, how did they not go up as soon as the first case was discovered? How did it go unnoticed or ignored for two days, let alone 331? There must have been significant holes in the foundation's risk management strategy. It's a prime example of what not to do.