Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

To enforce or not to enforce.

Once in a while a discussion comes up about enforcement—sure, we have all these policies, but how much are we expected to enforce them, and with what Louisville Slugger? 

There’s a school of thought that says that in a relationship governed by a contract, whenever you find yourself having to refer to the contract, it’s a sign that the relationship is in trouble.  I think that’s a pretty valid point.  If you’re quoting the prenup at your spouse during the honeymoon, it’s a sign that either you or your spouse should RUN.  If your employee is quoting HR rules at you, it’s a pretty good sign that they’re not going to work out.  If you’re having to quote HR rules at your employee, ditto.

So yeah, we have security policies in writing, and sometimes they’re for awareness purposes (did you know you’re not supposed to install your own software?  Now you know), but a lot of times they’re there as a last resort if you have to take what are known in the trade as Adverse Employment Actions.  They’re Grounds For Getting Fired When There Were Plenty of Other Good Reasons For Firing You But This One Is Legally Defensible Because It’s Written Down.  For the most part, they’re not enforced the way most people define the word, because you shouldn’t have to go that far.

My other favorite saying is Always Wait to Escalate.  It’s better to start out slowly, and you can always kick things up a notch if the person in question chooses not to cooperate.

Sometimes a very light touch with the “enforcement” will produce the needed results.  It’s often enough if I just call an employee into my office and say brightly, “Say!  Can you explain to me what ‘anal violation’ means?”  They turn beet red and stop downloading the pr0n to their laptop.  Or I call them and say, “We’re seeing some strange traffic from your machine that looks to our IDS like P2P traffic.  Could I send someone over there to have a look at it tomorrow?”  They always say yes ... and if we find in the meantime that the traffic has mysteriously died down, it’s achieved the same end and it’s fine with me.

I do keep stronger measures on tap, of course, if someone really gets out of hand.  We can slam the system door shut on them fast.  (And I have a trigger-happy deputy who is just itching to take someone down, bodily.)  But that really depends on their own behavior, and in most cases, they got all the way up to hysterical without any help from anyone else.  In my experience, if you have someone who tends to blame everyone else for their problems, that’s the one who is most likely to launch an insider attack.  The personality profile works pretty well as a threat indicator.

So I tend to use the blunt end of the policies as tools of awareness, and try not to use the sharp end unless I’m really going for the kill.  This may be completely different from the way other security people use enforcement, but it works for me.

Posted by shrdlu on Tuesday, June 19, 2007

Comments

LonerVamp, United States, on 06/21 at 02:05 PM:

It certainly depends on where the “ethics” of the company rest. If there is a strong managerial and top-down presence, like my current job, you can get away with having IT simply be the informers, and leave all the more ethical decisions up to senior mgmt and HR. Email violations? Sure, we’ll give you (HR) the tools to see those violations and take whatever measures you deem fit. I think IT is often the “new kid” on the block in corporate rooms, and discipline/ethics enforcement is something people tend to easily and quickly hand off anytime they can. Hand it to the new kid, IT, since they obviously are the ones who can monitor most things anyway…

I like your approaches, and I prefer a bit of subterfuge myself. A denied website or connection here and there when someone is pushing the boundaries and you can do some good conditioning without getting into anyone’s face too badly.

I’m surprised you didn’t liken subtle security enforcements to be a lot like parenting. Gently herding the playing kids away from the open grill…positive conditioning…the fear of just being found out more important than the discipline afterwards…

shrdlu, United States, on 06/21 at 07:58 PM:

LonerVamp, you’re reading my mind again. wink  Well, I’ve already done the Mother’s Day Security thing, so I don’t think there’s too much more to add.  Except that yes, you do have to deal with temper tantrums, and screaming back at the users generally makes it worse ...

United States, on 06/26 at 04:49 PM:

“Walk softly and carry a big stick” is my motto.
