In modern business circles, it's all too easy to develop an "us vs. them" mindset, with the network security professionals on one side and the regular users on the other. This is particularly true when it comes to establishing and enforcing network security guidelines, doubly so where remote access or telecommuting is involved. Everybody really is in the security game together, though, and IT can help do its part by explaining clearly what's off-limits and unacceptable for employees to do at work, and by enabling users to do everything else with minimum muss and fuss. Hence, our top-ten list of things IT can do to help users without compromising its own mission statement:
1. Publish a clear, readable acceptable-use policy (AUP) and let users know what, when and whether it's OK for them to use company computers for personal activities. Anything strictly forbidden should be stated as such.
2. Establish clear, readable guidelines for what employees must do to keep their notebooks and mobile devices safe and secure: install updates, keep antivirus and anti-spyware current, and so forth. Set up decontamination/quarantine areas on your networks, and make employees check through them whenever they bring a machine in from the outside (yours, theirs or somebody else's -- it doesn't matter).
3. If you're monitoring employee activity, tell them in advance, and remind them periodically that you're doing so, warning them of the possible consequences of infringement of the AUP.
4. Offer general encryption tools and encourage their use when sending attachments via email, or files through a Web transfer service or FTP.
5. Offer a list of safe or acceptable Web-based services (IM, file transfer, and so on) along with information on when and how these may be appropriately used at work. If no such services are allowed, state this clearly in the AUP, and provide frequent reminders.
6. Provide security training materials and make training part of new-employee orientation, plus an annual refresher. Warn people about the risks of using anonymizers and proxies to bypass content controls.
7. Provide clear, readable guidelines on when it's acceptable and when it's not acceptable to use file search or sharing software -- for example, search across multiple computers at Desktop.Google.com -- and what kinds of information may not be accessed using these tools. Explain relevant risks, rules and mandates that do not permit such access to occur or that levy major costs and consequences should breaches happen.
8. Provide clear guidelines for use of online-storage services for on-the-road or out-of-the-office file access, and explain when and how encryption should be used to render potentially sensitive or dangerous material unreadable. Provide security tokens or smart cards to secure such access so that losing a laptop doesn't mean losing control over important data.
9. Provide secure remote access to company email, applications and files to employees on a need-to-access basis that's approved by management, via a Web interface (Microsoft OWA, for example) or via VPN connections. Teach employees how to use these tools properly, offer online tutorials and help files, and be ready to help them make this technology work.
10. Be flexible, understanding and polite when it comes to employees dealing with home life at work. It happens, and the best way to minimize interruptions and frustration is to acknowledge the importance of both and to do your best to make sure employees can get work done when they need to do so while feeling free to work outside normal hours to make up for occasional bumps in the road of life and work.
By supporting users and helping them do what they must at home and at work, you will limit their temptation to work around, bypass or ignore AUP requirements.
About the author:
Ed Tittel is a full-time freelance writer and trainer who specializes in Windows, security and networking technologies (and likes to combine all three as often as possible). He's also the author of more than 100 computer trade books, including the forthcoming Windows 2008 Server for Dummies (Wiley Publishing, February 2008).
