Firewall Wizards mailing list archives

RE: Killing Napster and beyond...


From: "Andy Wigglesworth" <jawiggy () rcn com>
Date: Wed, 25 Oct 2000 21:02:43 -0400

Policy...Policy...Policy.

The place to start all of this is with the development of corporate policies
for Internet, computer and e-mail usage. The plain and simple fact of the
matter is this... You can throw all the technology you want to at the
problems but all you are doing, without policies in place, is being reactive
to the problem and not proactive.

Most of your end users truly believe that the computers sitting on their
desks belong to them. And since it belongs to them they can load, play, and
do anything they want to do on them. Of course the fact is that that PC
belongs to the company and everything they do with and/or on that computer
reflects, good or bad, on the company.

With that said, how many of you can tell me when the last time you saw your
policy on Internet usage....how about e-mail usage?...computer usage? How
many of you have set policies on your firewall that aren't put onto a written
policy anywhere. In most companies, if there is indeed any type of policy at
all, it is hidden away in the back of the employee handbook, sort of as an
afterthought. It is then signed by the employee, given to HR, and thrown
into the employee's file, never to be seen again. Do you think that the
employee even read it? I doubt it, in most cases anyway. Sort of like a
licensing agreement for software...it's a click through.  They are not
paying it much mind....just let me sign it and get on with it.

Where most companies fail in policy development is with educating the end
users in regards to the policies. Let's build a little scenario for you.  Joe
in accounting has been going to web sites that the company has decided to be
inappropriate for Joe to go to.  Joe has been warned (talked to) to stop yet he
has not. Joe is fired. Joe turns around and sues the company for wrongful
termination. The reason, Joe says, is that he was unaware of the company
policies in regard to this. What the courts are going to look for are the
following:

Were there policies in place to begin with....Yes, there were
Were there tools put in place to enforce the policies....Yes, there were
Was there any form of education for the end users in regards to the
policies besides the company handbook that Joe was given when he was hired.
No, there wasn't

Development of these policies is your first line of defense. Then making sure
your end users are educated in regards to the policies is of equal
importance. Policy education is the missing part of most companies' security
outline. I truly believe that if your users know and understand the policies
that 70% of them will do the right thing and follow them. Then it is the
other 30% that you are going to have to take out to the wood shed.

If you want to make your CEO happy...remember this. That in the end, when
the day is done, he is responsible for the actions of his employees. It is
not the name BEFORE the @ sign that will get sued but the name AFTER.

Best,

AW


-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of David Hassilev
Sent: Thursday, October 19, 2000 2:01 PM
To: todd () stipples com; dufresne () sysinfo com
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Killing Napster and beyond...


 I keep seeing these posts regarding Napster and its ilk. These are NOT
network problems IMHO! Nor does their control need to be pushed out at the
perimeter of the network. Rather, they should be controlled where you CAN
control them, on the desktop!

 This is what change control is all about, standard desktop image
deployments, regular audits etc. If you have a Firewall and you are serious
about managing it, then you MUST have a security policy! Surely the security
policy prohibits users from installing the likes of Napster on their
desktop. That said, get the tools to monitor or control the desktops, or
simply enforce by policy.

 That should keep the poor firewall slob from beating his/her head against
the proverbial wall every time an application pops up that circumvents the
firewall from the inside out.

 David


