Policy Enforcement

When computers consisted of black screens with white text, users considered them “tools,” something to be used to accomplish a particular task related to their job. Computers were often only available at work; few people had them at home. They were impersonal pieces of equipment, had limited capabilities, and it was difficult for employees to get themselves or their employers in trouble by using a computer.

But with the development of the graphical user interface, broadband connectivity to the Internet, large storage capacities and the low cost of ownership, nearly everyone has at least one computer at home, and the skill sets necessary to cause problems for their employers. In an effort to protect their interests, businesses have taken steps to try to minimize the impact of improper computer usage by establishing computer-related rules, guidelines and policies that employees are expected to follow. While many excellent policies have been created, trying to get users to comply with them is challenging at best. What are the issues surrounding the lack of adherence to these policies?

Grouping Users

When analyzing the problem it is easy to see that there are two groups of users that fail to follow policies. The first group consists of the “uneducated users.” These are computer users that have no understanding of the how their systems work or the consequences of their actions. These types of users have been lulled into complacency because their computers no longer feel like tools, but have been personally customized so that they feel like “toys.” Desktop wallpaper consists of personal pictures of family members, pets and vacation photos. Screensavers have been installed that represent their favorite hobbies. They can now play games like Solitaire and Freecell, download and play their favorite music, collect and distribute their personal photos and research topics of personal interest on the Internet. The icon that has appeared on the desktops of personal computers for years, “My Computer,” has helped foster the idea that people can do what they want with a computer. In addition, the personalization of computers has caused users to forget the true power of the systems they are using.

Twenty users ago, systems with the computing power of our desktop computers would have filled a large room. These types of users do not understand the impact of their actions when they do not comply with computer use policies. They feel that keeping systems secure and “up and running” is someone else's responsibility.

The other type of user that does not comply with policies is the “arrogant user.” This group of users feels that they are too important to comply with policies. Policies are for everyone else, they feel they are more powerful, intelligent and sophisticated than everyone else, so they can do what they want on corporate systems.

Both of these groups will open attachments to emails from unknown senders, they will succumb to phishing scams, they will download and install unauthorized software on systems, they will visit non-work related sites while in the office, they will play illegal copies of songs on corporate systems and they will attempt to bypass every rule, policy and security mechanism put in place. This behavior can be stopped with proper mechanisms and policies. It is important to remember that even the user with the best intentions will violate computer-related policies if given an opportunity.

Enforcing the Policy

The first step to employee computer policy compliance is that the policies must be enforced. And they should be enforced consistently and fairly across all levels of an organization. If policies are not enforced, they will be ignored, which is the equivalent of not having a policy in the first place. There are several steps to enforcement. The first step is that employees (or anyone that may use a computer within an organization) must know and understand the policy, and must acknowledge that they have read and understood it. This is often accomplished by having the employee sign a copy of the policy to show they have read it, understood it and will comply with it. The second step of the enforcement process is to place a signed copy of the policy into the employees personnel file. Now it becomes important to document all instances of non-compliance with the policy. This documentation should then be used during the annual review process as one of the criteria for awarding raises, bonuses or promotions.

Here is an example of an enforcement scenario from my book, Hardening Network Security :

* First offense – Verbal warning, with documentation added to the employee's personnel folder.

* Second offense – Written warning, with documentation added to the employee's personnel folder. Written warnings in a personnel folder will cause a reduction of any bonuses or raises for one year after the infraction.

* Third offense – Employee is placed on probation for a specified period. If the employee violates any company policy while on probation, they are terminated immediately. No raises or bonuses for one year after the infraction.

* Fourth offense – Immediate termination.

Some individuals reading this example might consider it harsh, and could create an unpleasant work environment. And if presented to employees in the wrong manner, it certainly could be considered harsh.

When seeking to gain compliance with any policy, employees should be told the reasoning and logic behind the policy. Violation of computer acceptable use policies can cause an organization lost productivity as systems are slowed or stopped due to virus or Trojan outbreaks. Lost productivity means lost revenue and added expense, as the IT department has to take time to remove the “infestation.” Proprietary data could be lost due to theft by hackers or unintentional distribution to a competitor. Once again, this could mean lost revenue as a competitor gains an unfair market advantage due to their new knowledge. Lost revenue means that there could be less money available for raises or bonuses. If you tell users that non-compliance directly impacts their wallets, they will be more likely to comply. They will also be more likely to report the non-compliance of other employees.

One of the aspects of enforcement that is often overlooked, is the concept of “positive reinforcement.” This means that employees that consistently comply with policies, rules and guidelines should be rewarded to reinforce this positive behavior. This can be as simple as a gift certificate or it can include a higher-than-normal raise or bonus during the annual evaluation process.

Layering for Compliance

As with other security implementations, there needs to be more “layers” to gain compliance with policies. Users often do not comply with policies because they may not like or respect the IT staff that has drafted it. Unfortunately, the IT industry does not have a good reputation. IT professionals are often seen as arrogant, poor communicators and a little odd. Whether this is true or not, in this case, perception is reality. IT professionals should take steps to change their image. If IT professionals work on developing a more professional image, it can be easier to gain employee support for new policies.

Another layer to add is to remove as many temptations as possible. Filtering mechanisms can be implemented to prevent employees from going to inappropriate or non-work related Web sites. Blocking access to racial hate sites, gambling sites, peer-to-peer networking sites, social networking sites, pornographic sites, etc. can reduce the risk of virus, Trojan and rootkit installation, and can remove the possibility of an HR-related claim should someone see offensive material appear on co-worker's computer. However, it is important to recognize that filtering is not enough. Filters that rely on lists of inappropriate sites will never be complete. New sites are created on a daily basis, and no one can keep up with them all.

Annual Training

Because of the constantly changing environment, it is important to include annual training for computer users. Many organizations provide training during the orientation process for new hires and consider that enough; however, new hires are usually inundated with information during the orientation process and are not likely to remember all of the details of a computer policy.

As time passes, new threats and new technologies can be developed to compromise a computer system or network. Annual training can address these new threats and can provide reinforcement of the details of a policy. This training should be informative, educational and if at all possible, fun. It should never have a tone of, “These are our policies, you must comply with them, or else.”

Demonstrate some of the risks of inappropriate computer use. Show how easily a virus can be installed, generate some code or a program that produces interesting results when the “click here” button is depressed. If you are going to provide training with the help of a PowerPoint presentation, be sure that you do not put your audience to sleep with a collection of slides with nothing more than “bullet points.” To learn some tips to liven up your presentation, download and read “PowerPersuasion,” by Craig Ball, at http://www.craigball.com/PowerPersuasion_April%202006.pdf . Craig creates some of the most interesting and entertaining presentations I have ever seen.

In addition to outlining various policies, rules and guidelines, the training can include topics such as: identifying virus or Trojan indicators, phishing scams and social engineering attacks; identifying “safe” file types – executable files vs. “user created files” such as Word, Excel, PowerPoint and Adobe Acrobat files; and the risks associated with peer-to-peer networking tools.

Bringing it Home

While training is helpful in protecting an organization's computers and infrastructure, it is also information that is helpful to employees when they use a computer at home for personal reasons. Recognizing that employees use computers at home can generate some goodwill with users, if the training includes some computer-related training that is not work-related. An example would be to provide some insight into Internet safety for children. Numerous resources exist such as “The Top 20 Internet Acronyms Every Parent Should Know” (http://www.netlingo.com/top20teens.cfm) and the FBI's “A Parent's Guide to Internet Safety” (http://www.fbi.gov/publications/pguide/pguidee.htm). If the IT department is seen as a resource instead of an “enforcement agency,” they are more likely to gain support and compliance with policies.

Take Away Their Options

Even with great training and well written policies, if users are given a choice regarding policy compliance, users will not choose wisely. To avoid problems and confusion on the part of the user, take away as many choices as possible. As an example, if a user can choose between creating a complex and secure password as opposed to a short and easily guessed password, they will choose to create a short password. If the computer policy requires complex passwords, configure the server to allow users to only create passwords that comply with the policy. If users are not allowed to install software, restrict this capability using the technical mechanisms at your disposal. If user intervention is required to install virus signature updates or security patches and they can choose to “update later,” they will always choose to “update later.” Force patches and updates to be installed automatically.

John Mallery is a managing consultant for BKD, LLP, one of the ten largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of Hardening Network Security, which was recently published by McGraw-Hill. He can be reached at jmallery@bkd.com.