Policy Enforcement

Getting Your Employees To Comply With IT Rules

As time passes, new threats and new technologies can be developed to compromise a computer system or network. Annual training can address these new threats and can provide reinforcement of the details of a policy. This training should be informative, educational and if at all possible, fun. It should never have a tone of, “These are our policies, you must comply with them, or else.”

Demonstrate some of the risks of inappropriate computer use. Show how easily a virus can be installed; generate some code or a program that produces interesting results when the “click here” button is depressed. If you are going to provide training with the help of a PowerPoint presentation, be sure that you do not put your audience to sleep with a collection of slides with nothing more than “bullet points.” To learn some tips to liven up your presentation, download and read “PowerPersuasion,” by Craig Ball, at http://www.craigball.com/PowerPersuasion_April%202006.pdf. Craig creates some of the most interesting and entertaining presentations I have ever seen.

In addition to outlining various policies, rules and guidelines, the training can include topics such as: identifying virus or Trojan indicators, phishing scams and social engineering attacks; identifying “safe” file types – executable files vs. “user created files” such as Word, Excel, PowerPoint and Adobe Acrobat files; and the risks associated with peer-to-peer networking tools.

Bringing it Home

While training is helpful in protecting an organization's computers and infrastructure, it is also information that is helpful to employees when they use a computer at home for personal reasons. Recognizing that employees use computers at home can generate some goodwill with users if the training includes some computer-related material that is not work-related. An example would be to provide some insight into Internet safety for children. Numerous resources exist, such as “The Top 20 Internet Acronyms Every Parent Should Know” (http://www.netlingo.com/top20teens.cfm) and the FBI's “A Parent's Guide to Internet Safety” (http://www.fbi.gov/publications/pguide/pguidee.htm). If the IT department is seen as a resource instead of an “enforcement agency,” it is more likely to gain support for and compliance with its policies.

Take Away Their Options

Even with great training and well-written policies, if users are given a choice regarding policy compliance, they will not choose wisely. To avoid problems and confusion on the part of the user, take away as many choices as possible. As an example, if a user can choose between creating a complex, secure password and a short, easily guessed one, they will choose the short password. If the computer policy requires complex passwords, configure the server so that users can only create passwords that comply with the policy. If users are not allowed to install software, restrict this capability using the technical mechanisms at your disposal. If user intervention is required to install virus signature updates or security patches and users can choose to “update later,” they will always choose to “update later.” Force patches and updates to be installed automatically.
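The three controls described above, written out as an added example that is not part of the column: a PowerShell script for a Windows domain that makes the server reject non-compliant passwords, blocks user-initiated software installs, and schedules updates to install without asking. It assumes the ActiveDirectory module, Domain Admin rights on the host where it runs, and that the specific values (12-character minimum, 24-password history, 03:00 install time) are adjusted to match your own written policy; the registry values are the documented Windows Installer and Windows Update policy keys, which a Group Policy Object writes to enforce the same settings across every machine.

```powershell
#Requires -RunAsAdministrator
# Added example, not the column's own code. Values below are assumptions chosen to
# illustrate a policy; replace them with the numbers in your written policy.
$ErrorActionPreference = 'Stop'

# 1. Complex passwords: the policy says "complex", so the domain controller rejects
#    anything else and the user never gets to pick a short one.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24

# 2. No user software installs: Windows Installer policy key.
#    DisableMSI = 1 lets only administrator-managed (assigned/published) installs run.
$installer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
New-Item -Path $installer -Force | Out-Null
Set-ItemProperty -Path $installer -Name 'DisableMSI' -Value 1 -Type DWord

# 3. Updates install automatically: Windows Update Automatic Updates policy key.
#    NoAutoUpdate = 0 keeps automatic updating on; AUOptions = 4 means auto download
#    and install on the schedule below, so there is no "update later" button.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $au -Name 'NoAutoUpdate'         -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name 'AUOptions'            -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name 'ScheduledInstallDay'  -Value 0 -Type DWord  # 0 = every day
Set-ItemProperty -Path $au -Name 'ScheduledInstallTime' -Value 3 -Type DWord  # 03:00 local

# Verify: read back what the systems will actually enforce, not what we intended.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount
Get-ItemProperty -Path $installer | Select-Object DisableMSI
Get-ItemProperty -Path $au |
    Select-Object NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime
```

The read-back at the end is the part worth keeping in an audit script: it shows the setting the machine enforces, which is what a user actually runs into when they try to "choose" otherwise.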

John Mallery is a managing consultant for BKD, LLP, one of the ten largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of Hardening Network Security, which was recently published by McGraw-Hill. He can be reached at jmallery@bkd.com.