Showing posts with label Risk Management. Show all posts

Wikipedia & Reputational Risk

A while ago I came across an interesting story on The Register where Wikipedia banned an IP address for posting racist comments. The catch? The IP address belongs to Volvo's IT division.

Wikipedia is a site that I imagine is not blocked or banned in many companies, as it's used as a major source of information by people throughout business (the merits or accuracy of which is a discussion for another time).

Volvo aren't the first organization to be caught wikifiddling. When WikiScanner was released a few years ago, a range of organizations were found to be questionably editing information, including the then Australian Prime Minister's department and the CIA.

As far as I know, the organizations previously 'outed' were mainly revealed to be engaging in pointless vandalism, such as changing Wolf Blitzer's name or adding 'jerk' multiple times to George W. Bush's profile.

A charge of racism is, however, a whole different situation, and one that can certainly bring extremely damaging attention to an organization.

But what to do? Blocking access completely is too draconian for most companies. Policies on blogging and editing online web 2.0 type sites (such as Wikipedia) are a start. Educating the workforce on the type of damage they can do, and ensuring they know their access is monitored, can act as a proactive deterrent. Combining this with monitoring and auditing of web access allows for quick follow-up on offenders in the event of an incident.
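To make the "monitoring and auditing of web access" part concrete, here is an added example (not from the original post or from any vendor tool) that scans outbound proxy logs for Wikipedia edit submissions and attributes them to an internal client IP and proxy username. It assumes a Squid native-format access log, that a classic edit is saved as a POST to /w/index.php with action=submit, and that an API edit is a POST to /w/api.php with action=edit carried in the query string (API clients that put the action in the POST body would need request-body inspection instead). The log lines are constructed for the example; note that a GET of the edit form is deliberately not counted, since only the POST actually changes the article.

```python
"""Audit a Squid-style proxy log for Wikipedia edit submissions.

Added example for this post, not code from the original page.
Assumptions (not from the post): Squid native log format, and that
edits are saved via POST to /w/index.php?action=submit (classic form)
or /w/api.php?action=edit (API). Sample log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Squid native format:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1262304000.123    45 10.1.2.3 TCP_MISS/200 5120 GET http://en.wikipedia.org/wiki/Volvo - DIRECT/91.198.174.2 text/html
1262304061.456   120 10.1.2.3 TCP_MISS/200 2048 POST http://en.wikipedia.org/w/index.php?title=Volvo&action=submit jsmith DIRECT/91.198.174.2 text/html
1262304120.789    30 10.1.2.4 TCP_MISS/200 900 GET http://en.wikipedia.org/w/index.php?title=Volvo&action=edit - DIRECT/91.198.174.2 text/html
1262304180.012    80 10.1.2.4 TCP_MISS/200 400 POST http://en.wikipedia.org/w/api.php?action=edit&format=json - DIRECT/91.198.174.2 application/json
1262304240.345    20 10.1.2.5 TCP_MISS/200 3000 POST http://www.example.com/login - DIRECT/93.184.216.34 text/html
"""

# Assumed endpoints: path -> action values that mean an edit is being saved.
EDIT_ENDPOINTS = {
    "/w/index.php": {"submit"},  # classic edit form submission
    "/w/api.php": {"edit"},      # API edit (assumes action is in the query string)
}


def parse_squid_line(line):
    """Split one Squid native-format line into the fields we need; None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    ts, _elapsed, client, _status, _size, method, url, user, _hier, _ctype = parts[:10]
    return {"ts": float(ts), "client": client, "method": method, "url": url, "user": user}


def is_wikipedia_edit(method, url):
    """True only for a POST that saves an edit; opening the edit form (GET) is not an edit."""
    if method.upper() != "POST":
        return False
    u = urlsplit(url)
    host = u.hostname or ""
    if not (host == "wikipedia.org" or host.endswith(".wikipedia.org")):
        return False
    allowed = EDIT_ENDPOINTS.get(u.path)
    if not allowed:
        return False
    action = parse_qs(u.query).get("action", [""])[0]
    return action in allowed


def find_edits(log_text):
    """Return an audit record (time, client, user, host, title) for each detected edit."""
    records = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None or not is_wikipedia_edit(rec["method"], rec["url"]):
            continue
        u = urlsplit(rec["url"])
        query = parse_qs(u.query)
        records.append({
            "time": datetime.fromtimestamp(rec["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "client": rec["client"],
            "user": None if rec["user"] == "-" else rec["user"],  # "-" means no proxy auth
            "host": u.hostname,
            "title": query.get("title", [None])[0],  # API edits carry the title in the body
        })
    return records


def edits_by_client(records):
    """Count detected edits per internal client IP, for follow-up with the desktop team."""
    counts = defaultdict(int)
    for r in records:
        counts[r["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_edits(SAMPLE_LOG)
    for r in found:
        print(r)
    print(edits_by_client(found))
```

Run against the sample, this flags the two POSTs (one classic form submission attributed to proxy user jsmith, one API edit with no proxy authentication) and ignores both the plain page view and the GET of the edit form. In a real deployment the proxy username is what turns an IP address into a person, so enforcing proxy authentication matters as much as the log parsing.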

It often seems that even 'IT-savvy' staff can completely forget that their actions on the internet can be tracked, traced and may well leave a permanent imprint, especially when it comes to social networking. Adding some general awareness to Information Security education programs along with the usual 'don't click on attachments' may pay off in the long run.

APRA IT Security Risk Guidelines

APRA have released a discussion paper and draft best practice guide on the management of IT security risks.

APRA (the Australian Prudential Regulation Authority) is the Australian financial services industry regulator. They oversee banks, credit unions, building societies, insurance and superannuation companies.

While light on specific detail, it serves as a quick guide to what is expected of organizations under APRA's jurisdiction. It's a neat, concise set of guidelines that's not too jargon-heavy, i.e. good for giving management an overview of what is considered best practice (or 'prudential practice', as APRA call it).

I quite like the recommendation that organizations need to have "an overarching IT security risk management framework, addressing matters including an IT security strategy and a hierarchy of policies, standards, guidelines & procedures; and clearly-defined security principles for this strategy, addressing issues such as defence-in-depth, control diversity, breach detection and denial of unnecessary permissions/protocols."

It's good to see a body such as APRA publishing a document like this; I think it really helps raise awareness about some of these issues, which may be lagging here in Australia compared to other parts of the world. My only criticism is that it's only a 'prudential guide' and non-enforceable, but that hopefully may change in the future.

The papers are available here.
