Security Basics mailing list archives
RE: in-to-out security
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 28 Mar 2006 09:02:27 -0800
All of these various technical measures are, at heart, policy enforcement mechanisms. If he does not have a policy to guide their deployment, they cannot be considered a "solution".

So: the real question here is: Should users be told what the policy is? If users are not told what the policy is, they cannot be subject to disciplinary action for violating it. A secret policy is simply not enforceable. Which may make it kind of moot.

David Gillett
-----Original Message-----
From: Joe George [mailto:j.george () conservation org]
Sent: Tuesday, March 28, 2006 6:33 AM
To: security-basics () securityfocus com
Subject: in-to-out security

Dear all,

I hope you're all doing well. A colleague of mine does technical support for some charities on the side. One of his clients is a person who is the CTO of a 400+ person, non-profit organization. This CTO asked my colleague what was the best way (a particular application or training method) to get his 400+ staff in line and keep them from doing inappropriate things on the network, such as downloading rogue applications and inadvertently installing apps which can attack the network and other networks. He's looking for an in-to-out solution. This CTO feels he and his team would be able to secure the network from intrusion from outside rogue users by implementing the necessary firewall, IDS, etc.

I suggested to my colleague that this gentleman cannot adequately secure against external/internal intrusion and attacks without implementing an acceptable use or some kind of written policy with the assistance of his HR department. I informed him that end-users should have the right to know that their activity is being monitored by the IT staff (which is what I presumed he meant by an application/training method to keep his staff in line). This CTO fellow feels that any kind of policy is not a viable option. I told my colleague a written policy will protect the organization and the employees and allow the security team to build and design security countermeasures, not to mention get the best use of expensive security appliances. Besides rogue applications, I mentioned that other issues such as disgruntled employees, corporate espionage, and maintaining data and company integrity are just a few reasons to start off with a written policy.

My colleague mentioned that his CTO client is not uninformed, but rather too scared to bring up a very controversial solution such as a written policy to his superiors and the end-users.

My questions to you are these:

1. Was I right to suggest this rather than help my colleague look for an app/training solution?
2. How would you convince an obviously passive CTO to do the right thing?
3. If such an application/training exists, can you suggest something?
4. Is it legal to implement user-monitoring without informing the staff? This is where I think policy

Thanks in advance.

Take it easy,
Joe

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------