
Thread: A timely reminder... Why we have network policies.

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    A timely reminder... Why we have network policies.

    As is my personal policy I email the Computer Acceptable Use Policy to all my users every three months to keep them fresh, aware of changes and just remind them that certain things are frowned upon. However, this time I decided to do things a little differently. Being fully aware that some users are more memory challenged than others I decided to request a "read" receipt from everyone to see what the level of readership actually is. (Yes, I'm aware that they can open it and delete it and still send a valid "read" receipt but I figured that getting them to open it is at least a start.... ). Having sent it I created a folder called read receipts in Outlook and waited for my first receipt. When it arrived I created a quick rule to move them to the appropriate folder and forgot about it for the day.

    Firstly I was shocked this lunchtime to find the following:-

    1. Of some 250 users I am directly responsible for over 180 had already read it in less than 24 hours... I really thought that with the nature of the users and their work response would be a lot spottier than that... Lesson: Email really is a good method of disseminating information quickly to large groups.

    2. Of the 180 or so only 5 chose to delete it without reading it.... This is where I fell off my chair.... I really thought that this statistic would be much higher... like in the 50% range.... As it is it is in the 2-3% range.

    3. Of the 5 there are two not even on our network and have to comply with the policy of the network at the location they work in, so for them to delete mine unread is perfectly reasonable. They have no computer resources on my network and no login to it anyway.

    4. One of the remaining three is an Administrator. She is also the lady I detest the most in the whole organization and have been having on and off wars with for the entire 12 years of my employment here.... Needless to say this wasn't entirely unpredictable but when you give an old soldier ammunition he feels an overwhelming urge to use it.....

    In separate emails I re-forwarded the policy to the three offenders copied to their supervisor, their administrator and my boss basically telling them to "please feel free to peruse it at your leisure and get back to me with questions about anything you don't understand".... Along with a couple of other lines for the "administrator" about how "disappointed" I was with an administrator being so "cavalier" with policy, hehe.

    This precipitated an email conversation between my boss and myself that started with her asking "What precipitated this" and me responding "the alarming level of short term memory loss amongst our employees when it comes to this kind of thing". The conversation continued as follows:-

    You should absolutely have received my receipt indicating that it was opened……..However old chap, if you have time for tracking this across staff of the entire agency, it gives me the impression that you are not busy enough. The bottom line is whether or not people comply - frankly, I don't care to have you invest time in tracking if they read it or not. They are responsible for its contents.
    The reference to her receipt was because I didn't get one but she reads this stuff through several different portals that it's quite possible I didn't receive the receipt. Forced into the position of both justifying my action and my work ethic I responded in the following "smartass", (her words after reading it, not mine), way:-

    Since we have a good number of people that seem to have incredibly short memories for the finer points of my policy I took the exceedingly time consuming, (5 seconds), of requesting a read receipt and the further, equally time consuming, action of sorting the folder they are redirected to by the little icon that says "Read/Not Read" which brings all three offenders to the top of the list. It might look like an arduous and time consuming thing but luckily you have someone so skilled and efficient when it comes to using computers that he managed to condense a task that should take many hours into one that took less than 3 minutes….. ;-)

    Having them being ignorant of the policy yet responsible for its contents doesn't stop the worm infecting the network because someone who _should_ be aware of the contents connects an infected laptop to the network as we recently experienced. I would much rather spend an hour or two making sure the policy is complied with than chasing around for a day or more cleaning up after the policy is breached. It's the proactive stance in security that pays off much more than the slap on the hand after the fact….. ;-)
    Setting aside the "smartass" in the way I deal with my boss.. ... I stopped to think about it and, while I hate to "blow my own trumpet", it's absolutely correct.

    Policies are there, in many cases, to administratively fill the holes that we cannot technologically fill. As such they are an important part of our layered defenses and, as boring and unintellectually challenging as it may be, they also have to be attended to just as much as the logs and the firewalls we use to protect our company and our user base.

    Let's make good policies for our situations, let's apply them, let's enforce them, let's update them and let's remind the users of both the policies and the importance of them regularly.... the computer doesn't forget the Group Policy, but the users do......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    <standing ovation>

    Policies do not exist *solely* to help fill the gaps in a comprehensive strategy that technology can't fill. As anyone who works in InfoSec for large corporations (5th year with various Fortune 500 companies...and I am really beginning to wonder why I keep subjecting myself to this hell-on-earth) knows, policy goes a LONG WAY towards protecting the company legally.
    Oh, mercy, the latest worm destroyed vast amounts of valuable research data? And our stock has dropped so-and-so many points in response to this loss? And the share holders want blood? Well, it isn't the CEO or President's fault...the proper controls are in place, but a user violated the Acceptable Computer & Asset Use Policy and exposed us. Oh, that user has been fired. Sorry, but we're doing everything we can to protect your investment, but these things happen, and we've fired the party and enacted process changes....blah blah blah
    And if you think that whimsical statement is not realistic, wake up and smell the lawsuit. Written signed acceptable use policies may not be fix-all panaceas, but they are valuable management tools for mitigating risk...financial liability risk, not necessarily physical (or technical) risk.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    AO's Mr Grumpy
    Join Date
    Apr 2003
    Posts
    903

    Re: A timely reminder... Why we have network policies.

    Originally posted here by Tiger Shark
    Re: A timely reminder... Why we have network policies

    ---------> Read
    Computer says no
    (Carol Beer)

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    I believe that response qualifies as a very well placed LART... good show.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    It's sad how often a person's opinions, abilities and diligence are crapped on until there's a crisis. They always want you to be proactive but only when they don't have to read, learn something new or heaven forbid change a password.
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  6. #6
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    LMAO!

    I wasn't sure what XTC meant by 'LART', and I had just installed the Dictionary Search 0.7 extension. So on a whim, I highlighted it and right-clicked Dictionary search for "LART" fully expecting to get an 'unknown term' sort of reply.

    To my great amusement, Dictionary.com not only had an entry, it appears to be the correct one! http://dictionary.reference.com/search?q=LART

    I've always preferred M-W.com (Merriam Webster, aka Webster.com) because Dictionary.com just looks kind of cheesy...but now I'm going to have to seriously consider the two, by comparing entries, for thoroughness and breadth of content!
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    policy goes a LONG WAY towards protecting the company legally.
    ...which, after all, is an administrative hole that cannot necessarily be filled by a technological solution. It's that case where you have done what you can technologically to prevent the (L)users doing bad things to the network or to prevent them from exposing the organization to liability knowing full well that some enterprising young hot dog will find a way to break your best plans. That is the point where your lawyer waves the policy at the court to show that the company has done everything it can to avoid the situation but that this (L)user wilfully circumvented the technology and blatantly disregarded the policy in order to create the situation leading to the liability.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    ...And you had to know full well that if your network had been infected by a worm, your boss would have been knocking down your door asking why the computers weren't all protected.

  9. #9
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Having them being ignorant of the policy yet responsible for its contents doesn't stop the worm infecting the network because someone who _should_ be aware of the contents connects an infected laptop to the network as we recently experienced. I would much rather spend an hour or two making sure the policy is complied with than chasing around for a day or more cleaning up after the policy is breached.
    An ounce of prevention is worth a pound of cure.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
