Rules and knowing them

Thread: Rules and knowing them

  1. #1
    Member
    Join Date
    Oct 2002
    Posts
    30

    Rules and knowing them

    Ok, so you have written a nice set of rules (and what can happen with an employee that doesn't follow them) to further improve the security at your company and the CEO has approved them. Quite satisfied with yourself you attach the document to an E-mail and send it to every employee at the company. How many do you think will read it and, most important of all, remember them? 5-10 % at the most?
    The idea of this post is for everyone to share their best trick for getting people to remember and hence having a better chance of following all the fancy rules people like me and you set up.
    I'll go first:
    In addition to sending them via mail you can, if there aren't too many rules, print them on the mouse pad so people see them every day. That way they also know where to look for them if they forget some rule.
    Another one, which I quite like myself, is to put them up in every toilet. Just think about it, can you honestly say that you wouldn't read the only paper with text on it while you're sitting there?

    I'm sure some of you guys have a lot of good ideas on this subject so come on, let's all share.

    PS. Please disregard any mistakes in my spelling, English is not my native language
    Nobody's perfect, but I'm damn close...

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Posts
    111
    I would say that it really varies in what type of environment this company is in. I know with the company I work for, we force the rules upon people. Which is almost what you have to do, in order to get everyone on the same page. Things such as:
    -file sharing over email
    -password lengths
    -downloading files
    -installation of applications/games
    -playing games
    -access to certain files
    -access to internet sites

    Are all controlled by myself and the other net admins (this is a large company). We've found that the best way to communicate them however, is through our corporate intranet site. Everybody's browser is set to go to the website on startup, we've set rules so that the user cannot change this setting, therefore, anything new as far as policies or company news are viewed everyday by the users as soon as they open up the internet browser.

    But even before that happens, we have meetings with some of the corporate bigwigs, to see if these are acceptable to each respective department, and then our own internal meetings for brain-storming the best way to deploy and manage these policies.

    In my opinion, the best way to make a user obey the rules, is to take away the choice of breaking them. (although they still try) But we all do sometimes....

    Cheers
    Creating further mindless stupidity....through mindless automation.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    A lot depends on your local law, but a pretty universal rule is that they have to SIGN the document in front of a responsible official of the Company (responsible = ability to contractually commit)

    The rules must also be incorporated in terms and conditions of employment, and agreed by trade unions/labour representatives where applicable.


    just my £0.02

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    AlKazaa: In concert with Discord's

    the best way to make a user obey the rules, is to take away the choice of breaking them
    .... there is nothing that grabs the attention of the users like a quick "public" firing for breach of computer policies and a regular letter to everyone making it quite clear that you monitor and log their every move......

    Another little tactic I really love.... is seeing someone doing something just a little out of line like getting blocked trying to get to their AOLMail and doing a little net send saying:-

    I should probably tell your supervisor that you have nothing to do but your personal mail. What do you think?
    Word gets around when you do little sh1t like that.......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Do a presentation..

    I am currently doing a lot of migrating of resources to one server..
    Adding features (CVS etc) so I am already working on the presentation I'll be doing the day of the switch..

    I think the presentation will do a nice cut in the "Stupid questions" department !!
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  6. #6
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    Make a bitmap image of the rules and make it everyone's wallpaper...then "I didn't know" is out of the question as an excuse.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  7. #7
    Member
    Join Date
    Oct 2002
    Posts
    30
    Ok, I'm back for some more tips and comments. You have all suggested some good ways of getting employees to follow your rules, however, a lot of them seem to be about threats and firing people. This isn't something I'm very fond of. I don't know about where you guys come from but here in Sweden it's hard to fire people and the union always gets involved.
    Some other ways I fancy to get people to follow your rules are;
    Rewards and contests.
    1. Rewards - Say for example that you've got a rule saying that all people should wear an ID-badge all the time. You, as a security geek, stand in the entrance in the morning to check how many actually do this. If someone doesn't wear their badge you ask them why and tell them to be so kind to do this tomorrow. To the people that wear their badges you give some praise and a little something for being good employees, say for example a snickers bar, a fancy badge holder. Just some trinket to make them feel that they have done something good.
    2. Contests - Announce that you will have a contest for the most secure password of the company sometime during the following month where you will use a password cracker and see whose password takes the most time to crack. The winner gets a bottle of wine, a dinner for two at a nice restaurant or something else. The good thing about this is that many people will change their password to something harder and thus increasing the security. Even if they write down the password they will eventually learn it by heart and you have increased your security at a small cost and without too much work.

    Any comments on these ideas?
    Nobody's perfect, but I'm damn close...

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I've actually heard recent reports (I think it was in one of the security journals) that positive rewards work far better at getting people to comply than negative reactions. Certainly you need some type of consequence on behalf of the company if things become serious but to encourage positive activity, positive rewards work.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Alkazaa: IMO, this is a reflection of society and its slide downhill........ Rewarding people for doing what is expected of them is sometimes a nice little gesture but to make it the norm ends up being self defeating and costly.

    Couple that with having no consequences for people who do not follow policy is ludicrous. There are rules to life and if one is not prepared to follow those rules then one should probably go and find their life elsewhere. Policies are put in place for the protection of _both_ the employer and the employee and if the employee decides that the policies do not apply to them then they place one, the other or both at risk. By bringing risk into the equation you don't necessarily threaten yourself, you may be threatening others which is unacceptable.

    As far as the union is concerned - if the policy is written, if everyone signs as having read it, if the consequences of failing to abide by the policy are laid out in the policy document and the employee clearly breaches the policy then the union doesn't have a leg to stand on and can be told to mind their own business.

    Sorry, but this constant, "bleeding heart", "you can't punish" attitude is becoming quite tiring.

    "Rules are for the guidance of wise men and the obedience of fools"...... Unfortunately, our species is breeding the fools at an exponential rate and almost seems to have ceased breeding the former........ Time to throw some more bleach into the gene pool!!!!!
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi AlkAzAA

    You will notice that I am from England. I saw your flag and made a point of mentioning unions and labour representatives. Our American colleagues have far less protection than we do, for example it is not uncommon to start with an American company and only get one or two weeks vacation............here you get 4 weeks plus public holidays minimum..........when you get to be an old fart like me you get 6 weeks (I need the rest)

    OK, joking apart, you really have an education task on your hands. The workers have to "buy into it", and the best way for this to happen is for them to UNDERSTAND what the rules are there for.

    "Our Company is under attack.................your job is under attack"

    Get an old Pentium with a 56.6 dial-up and load ZoneAlarm (or something pretty easy to understand). Hook it up to a data projector in the staff canteen so they can see the alerts. Post a message every morning of the number of viruses caught in your mail server? That kind of thing.............make them a part of it (or, at least feel a part).

    You should make them change passwords frequently. Once a month would be the minimum, I would have thought, and you need to educate them as to what constitutes a "secure" password. It would do no harm to have a little presentation and actually show them a password cracker at work.......I do not know your business, but I would bet that 90% of your colleagues don't even know that such things exist?

    You should set up an "IT co-ordination group" with each department/section providing a representative. Meet once a month, the Company should provide the food and drink. If you make someone feel responsible you will need "fewer eyes in the back of your head".

    Just a few thoughts
