Computer and Internet Policy in the Workplace
Posted by PC in Security, tags: Information technology, policy, Security, Websense
I have some first-hand knowledge of several different ways of handling policy in the workplace. This article is the first in a series that will discuss those, some theoretical ideals, implementation and awareness techniques, and pitfalls to implementation. Policy usually seeks to protect proprietary company data, employee privacy, public relations/image, and employee efficiency. Failure to create or implement policy effectively has all the opposite effects.
First case study: The overprotective company.
Most technology people have probably at one time or another worked at such a company. Typically, but not always, these tend to be smaller companies with inadequate computer and/or legal staff. To compensate they enforce excessively restrictive policy. This usually has no direct correlation with government-classified or high-value proprietary data. The business can be as simple as a computer store or one where you might expect it, such as a bank.
Employees like to browse the web during lunch break. The spike in web traffic during the lunch hour is noticeable. There is a danger here that employees will browse sites that are either inappropriate or dangerous to the computer they are browsing from. Employees use times other than lunch breaks to browse personal sites as well. Policy can be implemented to restrict web browsing to keep employees focused on their job. This may reduce or eliminate malware on company PCs, but unless other measures are taken not much is gained. Believe it or not, employees found ways to waste time before they had a computer. Watercooler talk, for example. If the reason for the policy is to focus employees, then eliminating web browsing will not accomplish that in and of itself. If the purpose is to eliminate malware, then eliminating web browsing will only temporarily fix this. I’ve seen instances where users will bring in game software for restricted computers just so they can have their diversion. The users do not want to purchase a separate license for work, so they find a cracked version or keygen in order to get it working. Since they do not know what they are doing in those areas, they end up putting malware on the PC.
These overprotective policies can also cause a company to weaken its security stance. The thought process here is that since there is no threat of malware, why protect against it? The company fails to keep antivirus software up to date or ignores spyware solutions altogether. Employees are also more creative than you might think about finding ways around the system. Have a user with a personal BlackBerry or phone with Internet access? They can tether that phone to your desktop for unrestricted access to the Internet. And they will.
It can be argued that it is better to give the employees the ability to do something wrong where you can see it than to make them find ways that you will not be able to immediately detect. The counter-argument is that you may be spending so much time cracking down on the violations you can see that you cannot detect those users who are looking for holes in your system.
Second case study: The timid policy.
The timid policy is different from the irresponsible policy. Here a decent policy is in place, but implementation or enforcement is lacking. As with the overprotective company, this company tends to have inadequate IT staff and inadequate backing from HR, executive leadership, and/or Security.
Policy is only good if it is enforced, but all policy is an inconvenience to some of the users. If you are forced to sit behind a Websense proxy as an IT person, you know the pain of this. Search for information on solving a security problem and suddenly links are returned as blocked for Hacking/Cracking. Results from sites classified as personal or blogs turn up as Social or Blog sites and you get no information from those either. As an IT person you have a few options: make an exception in Websense (which may be a time-consuming process if you don’t personally control Websense), go around the proxy, or find an alternative source of information. My solution is usually to go around the proxy since I don’t have time to get an exception made – usually I need the information I am searching for right then, not in a day or two at best. I’d be better off waiting until I got home than trying to get an exception.
Now, I’m nobody, but say this happens to one of the executive leaders of the company, or a highly paid engineer or program manager? Can they complain to someone and immediately get a permanent exemption from Websense? You can substitute any policy for Websense, be it personal email at work, personal PDAs/laptops, you name it. The first failing of the timid policy is the number of exceptions that are made. The list of exceptions in place may be longer than the policy itself. The second problem is the reversal of policy implementation when it disagrees with someone. IT spends time developing, testing, vetting, and implementing a policy only to have it squashed after it is implemented.
Let us say you want to force a screensaver to appear after 10 minutes and force the user to re-enter their password to regain access to the system after it activates. It is a common policy and a smart idea – if someone does not touch their desktop computer for 10 minutes, the system should assume that the user is no longer there and lock down; otherwise anyone walking up can assume the identity of the user who left it unlocked. Say this policy was written but not enforced. Upon enforcement there was immediately a “large number” of complaints (or just a few from “important” people), the enforcement was immediately reversed, and the idea was completely abandoned.
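One way to check whether the screen-lock policy described above is actually in effect on a workstation, as an added example that is not from the original post: the script reads the registry values that the Windows screen-saver group policy writes (assumed value names ScreenSaveActive, ScreenSaveTimeOut and ScreenSaverIsSecure) and distinguishes a policy-enforced setting from one the user can change themselves, which is the “written but not enforced” case.

```powershell
# Audit the current user's screen-lock settings against the post's policy:
# lock after at most 10 minutes idle and require a password to resume.
# Values under the Policies key are written by Group Policy and take precedence
# over the user's own Control Panel settings, so Policies is checked first.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'
$MaxIdleSeconds = 600   # 10 minutes, the threshold used in the post

function Get-ScreenLockSetting {
    param([string]$Name)
    # Returns the effective value and its source ('Policy' or 'User'), or $null if unset.
    foreach ($key in @($PolicyKey, $UserKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) {
            $source = if ($key -eq $PolicyKey) { 'Policy' } else { 'User' }
            return [pscustomobject]@{ Value = [string]$item.$Name; Source = $source }
        }
    }
    return $null
}

function Test-ScreenLockPolicy {
    $active  = Get-ScreenLockSetting -Name 'ScreenSaveActive'
    $timeout = Get-ScreenLockSetting -Name 'ScreenSaveTimeOut'
    $secure  = Get-ScreenLockSetting -Name 'ScreenSaverIsSecure'

    $findings = @()
    if (-not $active -or $active.Value -ne '1') {
        $findings += 'screen saver is not enabled'
    }
    if (-not $timeout -or [int]$timeout.Value -le 0 -or [int]$timeout.Value -gt $MaxIdleSeconds) {
        $findings += "idle timeout is not within $MaxIdleSeconds seconds"
    }
    if (-not $secure -or $secure.Value -ne '1') {
        $findings += 'password is not required on resume'
    }
    # A setting that only exists under the user's own key is not enforced:
    # the user (or any software they run) can simply turn it back off.
    foreach ($s in @($active, $timeout, $secure)) {
        if ($s -and $s.Source -ne 'Policy') {
            $findings += 'one or more values are user-settable rather than policy-enforced'
            break
        }
    }
    [pscustomobject]@{ Enforced = ($findings.Count -eq 0); Findings = $findings }
}

Test-ScreenLockPolicy | Format-List
```

Run it as the user being audited; a result of Enforced = True with no findings means the lock is both configured and set by policy rather than by the user.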
Part two of this series will deal with the ideal policy. Part three, implementation techniques. Stay tuned. When these articles are ready they will be linked to from this post.
I use Windows 2003 server group policies to comply with workplace regulations. And there’s always been that issue with employees surfing the internet during break time.
Most people abuse the internet at the workplace to be honest.
Try getting your customers to actually implement policies. Very difficult in many cases.
Nice breakdown
Without proper policies in place there can be too much to be lost, from downtime to lost employee productivity. Some policy must be adhered to in order to avoid company loss.
Being an IT guy, I can with experience give you my take on this article. I want to say that I am for enforcing internet policies. Let me give you one reason. There was an employee who went to their Facebook page and they had a friend that recommended a site to look at. Well, without thinking, they went to that website and an hour later their computer monitor was showing a message that the computer hard drive was damaged. Sure enough, a worm got past the firewall and virus programs and affected part of our server. Can I say more? So guys, trust me on this one. Enforce this policy for your protection (and your job) and “Never Trust Employees”. This is in the IT computer handbook.
Really interesting. Most people abuse the internet at the workplace indeed. But how can’t you?
I do a lot of shady stuff at work lol!
Well, I run a hospital with over 500 computers, and you not only need to have a policy, you need to block certain sites, because they will download, visit and just give you headaches all the time. I just cover my butt by implementing new regulations and presenting them to the board, so when they ask why things happen, I can say I gave you the new policy and you did not approve it! Really, I believe it’s a waste of time, because my time could be more productive instead of playing dad to all these users.
Regards
Steve