Chief information security officers are frequently called upon to draft information security policies. But who polices the security executives? One CISO in Santa Clara County, Calif., is about to find out.

CISO Peter Ekanem was put on administrative leave after an internal investigation concluded he had violated the county’s IT policies. In many cases, the rules that Ekanem is accused of breaking are ones he wrote.

Among other things, Ekanem allegedly used his e-mail account to transfer copies of county contract proposals to a former employee in Ghana. Those documents contained detailed information on the county’s information technology “footprint,” which hackers could have used. In addition, Ekanem allegedly used his county-supplied cell phone as a contact number for tenants in property he rented, and his county-supplied computer to pursue a master’s degree online during work hours.

The district attorney’s office is still reviewing the facts of the Ekanem case. The district attorney determined that the 44-year-old’s actions violate Section 502 of the California Penal Code, which makes it illegal to copy, use, send or disseminate internal county information outside the network. What is still up for debate is whether administrative or criminal sanctions will be imposed. “The real question is: Was the material something that should have been property of the county and not shared? And how much damage was done by disseminating it?” says Jim Sibley, head of the High Technology Crime Unit at the Santa Clara County District Attorney’s Office. According to allegations, Ekanem violated many of the information security policies he drafted for the county, including one stating that all information handled by county employees, regardless of form or format, belongs to the county and should be protected as an asset.
If allegations are true, Ekanem also betrayed policies he drafted that prohibit the use of the county’s Internet connection or e-mail system for personal profit, including outside business transactions.

“These policies are common sense and widely recognized as best practices in the industry,” Sibley says.