To enforce or not to enforce.
Once in a while a discussion comes up about enforcement—sure, we have all these policies, but how much are we expected to enforce them, and with what Louisville Slugger?
There’s a school of thought that says that in a relationship governed by a contract, whenever you find yourself having to refer to the contract, it’s a sign that the relationship is in trouble. I think that’s a pretty valid point. If you’re quoting the prenup at your spouse during the honeymoon, it’s a sign that either you or your spouse should RUN. If your employee is quoting HR rules at you, it’s a pretty good sign that they’re not going to work out. If you’re having to quote HR rules at your employee, ditto.
So yeah, we have security policies in writing, and sometimes they’re for awareness purposes (did you know you’re not supposed to install your own software? Now you know), but a lot of times they’re there as a last resort if you have to take what are known in the trade as Adverse Employment Actions. They’re Grounds For Getting Fired When There Were Plenty of Other Good Reasons For Firing You But This One Is Legally Defensible Because It’s Written Down. For the most part, they’re not enforced the way most people define the word, because you shouldn’t have to go that far.
My other favorite saying is Always Wait to Escalate. It’s better to start out slowly, and you can always kick things up a notch if the person in question chooses not to cooperate.
Sometimes a very light touch with the “enforcement” will produce the needed results. It’s often enough if I just call an employee into my office and say brightly, “Say! Can you explain to me what ‘anal violation’ means?” They turn beet red and stop downloading the pr0n to their laptop. Or I call them and say, “We’re seeing some strange traffic from your machine that looks to our IDS like P2P traffic. Could I send someone over there to have a look at it tomorrow?” They always say yes ... and if we find in the meantime that the traffic has mysteriously died down, it’s achieved the same end and it’s fine with me.
I do keep stronger measures on tap, of course, if someone really gets out of hand. We can slam the system door shut on them fast. (And I have a trigger-happy deputy who is just itching to take someone down, bodily.) But that really depends on their own behavior, and in most cases, they got all the way up to hysterical without any help from anyone else. In my experience, if you have someone who tends to blame everyone else for their problems, that’s the one who is most likely to launch an insider attack. The personality profile works pretty well as a threat indicator.
So I tend to use the blunt end of the policies as tools of awareness, and try not to use the sharp end unless I’m really going for the kill. This may be completely different from the way other security people use enforcement, but it works for me.
Posted by shrdlu on Tuesday, June 19, 2007