Page 57 - CISSO_Prep_ Guide
divulging sensitive information to unauthorized personnel. In
some cases, the IT staff was not even aware that this was a
violation of the law, company policy, or ethics. The IT staff
erroneously thought that because they had access to and managed
the email system (for example), they were entitled to read
emails as part of maintaining the system. Having the technical
ability to read data is not the same as having the authority to.
This is an important distinction - the gap between ownership and
custody. The business owns the data and the systems; IT is the
custodian, maintaining them on behalf of the owners, and no
changes should be made without the knowledge and consent of the
owners. Even vendor patches to an application should go through
a formal approval process before being implemented. A practical
illustration of who really owns the systems is the current
movement to put IT services in the "cloud." The business can
decide to outsource its IT services and functions and disband
its entire IT department. This shows, in a very real sense, how
little ownership IT actually has over the systems and technology
of the organization.
Users
Users are the reason that we have IT systems! As much as users
can be a problem, a risk, and the source of many issues, the
systems are built for the users to accomplish their tasks and get
their jobs done. Users need to understand and follow the rules,
policies, and procedures of the organization. Users must know
whom to call or report to in case they encounter any system
issues or problems, including suspected security incidents. Users
need regular training and awareness sessions to ensure that they
are aware of corporate policies and procedures, and that they
know how to use the systems correctly.