SecurityInfoWatch




Home » Magazine Archives » June 2007

Security Technology Executive

Updated: March 5th, 2008 02:12 PM GMT-05:00

Policy Enforcement

Getting Your Employees To Comply With IT Rules

By John Mallery
Security Technology and Design

When computers consisted of black screens with white text, users considered them “tools,” something to be used to accomplish a particular task related to their job. Computers were often only available at work; few people had them at home. They were impersonal pieces of equipment, had limited capabilities, and it was difficult for employees to get themselves or their employers in trouble by using a computer.

But with the development of the graphical user interface, broadband connectivity to the Internet, large storage capacities and the low cost of ownership, nearly everyone has at least one computer at home, and the skill sets necessary to cause problems for their employers. In an effort to protect their interests, businesses have taken steps to try to minimize the impact of improper computer usage by establishing computer-related rules, guidelines and policies that employees are expected to follow. While many excellent policies have been created, trying to get users to comply with them is challenging at best. What are the issues surrounding the lack of adherence to these policies?

Grouping Users

When analyzing the problem, it is easy to see that there are two groups of users that fail to follow policies. The first group consists of the “uneducated users.” These are computer users that have no understanding of how their systems work or the consequences of their actions. These types of users have been lulled into complacency because their computers no longer feel like tools, but have been personally customized so that they feel like “toys.” Desktop wallpaper consists of personal pictures of family members, pets and vacation photos. Screensavers have been installed that represent their favorite hobbies. They can now play games like Solitaire and Freecell, download and play their favorite music, collect and distribute their personal photos and research topics of personal interest on the Internet. The icon that has appeared on the desktops of personal computers for years, “My Computer,” has helped foster the idea that people can do what they want with a computer. In addition, the personalization of computers has caused users to forget the true power of the systems they are using.

Twenty years ago, systems with the computing power of our desktop computers would have filled a large room. These types of users do not understand the impact of their actions when they do not comply with computer use policies. They feel that keeping systems secure and “up and running” is someone else's responsibility.

The other type of user that does not comply with policies is the “arrogant user.” This group of users feels that they are too important to comply with policies. Policies are for everyone else; they feel they are more powerful, intelligent and sophisticated than everyone else, so they can do what they want on corporate systems.

Both of these groups will open attachments to emails from unknown senders, they will succumb to phishing scams, they will download and install unauthorized software on systems, they will visit non-work related sites while in the office, they will play illegal copies of songs on corporate systems and they will attempt to bypass every rule, policy and security mechanism put in place. This behavior can be stopped with proper mechanisms and policies. It is important to remember that even the user with the best intentions will violate computer-related policies if given an opportunity.

Enforcing the Policy

The first step to employee computer policy compliance is that the policies must be enforced. And they should be enforced consistently and fairly across all levels of an organization. If policies are not enforced, they will be ignored, which is the equivalent of not having a policy in the first place. There are several steps to enforcement. The first step is that employees (or anyone that may use a computer within an organization) must know and understand the policy, and must acknowledge that they have read and understood it. This is often accomplished by having the employee sign a copy of the policy to show they have read it, understood it and will comply with it. The second step of the enforcement process is to place a signed copy of the policy into the employee's personnel file. Now it becomes important to document all instances of non-compliance with the policy. This documentation should then be used during the annual review process as one of the criteria for awarding raises, bonuses or promotions.
