Security Basics mailing list archives

RE: in-to-out security


From: "Jordan.Dallas" <Dallas.Jordan () SunTrust com>
Date: Tue, 28 Mar 2006 10:50:43 -0500

Joe, 
  I do believe you were definitely right to suggest drafting a security
policy to begin with. It is very important to inform ALL employees of
the possibilities of their online actions being monitored.  There can be
certain legal consequences if they are not informed up front.  I believe
there have been instances when there was no policy in place to inform
users of monitoring going on and when someone was caught doing
inappropriate things, it came back to screw the company.  If it is not
stated up front that ALL employees are subject to monitoring, then the
one you catch can claim you singled them out for "such and such" reasons
or you were out to get them in particular.  I also think that drafting
up the policy and getting upper-level management buy-in is critical to
the effectiveness of the policy.  If upper management doesn't buy in and
support these efforts, how can any consequences for inappropriate
behavior really be enforced?

-----Original Message-----
From: Joe George [mailto:j.george () conservation org] 
Sent: Tuesday, March 28, 2006 9:33 AM
To: security-basics () securityfocus com
Subject: in-to-out security

Dear all,
 
I hope you're all doing well.  A colleague of mine does technical
support for some charities on the side.  One of his clients is a person
who is the CTO of a 400+ person non-profit organization.  This CTO
asked my colleague what the best way was (a particular application or
training method) to get his 400+ staff in line and keep them from doing
inappropriate things on the network, such as downloading rogue
applications and inadvertently installing apps which can attack the
network and other networks.  He's looking for an in-to-out solution.
This CTO feels he and his team would be able to secure the network from
intrusion by outside rogue users by implementing the necessary firewall,
IDS, etc.  I suggested to my colleague that this gentleman cannot
adequately secure against external/internal intrusion and attacks without
implementing an acceptable use policy or some kind of written policy with the
assistance of his HR department.  I informed him that end-users should
have the right to know that their activity is being monitored by the IT
staff (which is what I presumed he meant by an application/training
method to keep his staff in line).  This CTO fellow feels that any kind
of policy is not a viable option.  I told my colleague a written policy
will protect the organization and the employees and allow the security
team to build and design security countermeasures, not to mention get
the best use of expensive security appliances.  Besides rogue
applications, I mentioned that other issues such as disgruntled
employees, corporate espionage, and maintaining data and company integrity
are just a few reasons to start off with a written policy.  My colleague
mentioned that his CTO client is not uninformed, but rather too scared
to bring up a solution as controversial as a written policy to his
superiors and the end-users. My questions to you are these:
 
1.      Was I right to suggest this rather than help my colleague look
for an app/training solution?
2.      How would you convince an obviously passive CTO to do the right
thing?
3.      If such an application/training exists, can you suggest
something?
4.      Is it legal to implement user-monitoring without informing the
staff?  This is where I think policy
 
Thanks in advance.
 
Take it easy,
 
Joe 

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

LEGAL DISCLAIMER
The information transmitted is intended solely for the individual or entity to which it is addressed and may contain
confidential and/or privileged material. Any review, retransmission, dissemination or other use of or taking action in
reliance upon this information by persons or entities other than the intended recipient is prohibited. If you have
received this email in error please contact the sender and delete the material from any computer.

Seeing Beyond Money is a service mark of SunTrust Banks, Inc.
