February 26, 2006 at 9:46 am
Bruce Schneier, a respected security researcher, especially by me :), posted something very interesting on his blog. It was a stunt in London and I'm happy to report that Integration Services guru, Jamie Thomson, didn't get caught in it.
However it's an interesting point that Schneier makes: "Employees care about security; they just don't understand it."
I tend to agree. Too often people see rules and regulations as a hassle and unnecessary, but they don't understand or think about the implications of their decisions. It's easy to install every service or scheduled task as administrator. It works and things get done quicker, but it also means that you are increasing your risk of problems.
This is kind of funny, coming right before this debate on switching a college from desktops to laptops. Much of the debate is nonsense, but there are quite a few interesting posts about the security risks and issues associated with allowing people to control their laptops and many more from the die-hards that want to run their own OS, their own way, on their laptop.
I hate draconian IT groups as much as the next person. But I also understand the reasoning and benefits of having that control. You have to develop a balance that controls the environment to ensure standards are upheld and risks are lowered with allowing users to get their work done at their pace.
I'm not sure I completely agree with Schneier's analogy of the heating system. After all, do you want your business waiting around on a two hour window for a serviceman who often doesn't come?
Steve Jones
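As an added illustration of the point above about services and scheduled tasks installed as administrator (this is not part of the original post), the following PowerShell script lists which services and tasks on a Windows host run as SYSTEM or an administrator account, so that unnecessary privilege can be spotted and reduced. It assumes PowerShell 3.0 or later and, for the scheduled-task part, the ScheduledTasks module shipped with Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original post): audit which Windows services
# and scheduled tasks run under highly privileged accounts.
# Assumes PowerShell 3.0+ (Get-CimInstance, -in) and the ScheduledTasks
# module (Windows 8 / Server 2012 or later) for Get-ScheduledTask.

$privileged = @('LocalSystem', 'NT AUTHORITY\SYSTEM', 'SYSTEM')

# Services: StartName is the logon account the service runs as.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -in $privileged -or
        $_.StartName -match 'Administrator'
    } |
    Select-Object Name, StartName, State, PathName

# Scheduled tasks: Principal.UserId is the account the task runs as, and
# RunLevel 'Highest' means it requests full administrative privileges.
# Tasks under \Microsoft\ are the OS's own and are skipped so that locally
# added tasks stand out.
$tasks = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Where-Object {
        $_.Principal.UserId -in $privileged -or
        $_.Principal.UserId -match 'Administrator' -or
        $_.Principal.RunLevel -eq 'Highest'
    } |
    Select-Object TaskName, TaskPath,
        @{Name = 'UserId';   Expression = { $_.Principal.UserId }},
        @{Name = 'RunLevel'; Expression = { $_.Principal.RunLevel }}

"Services running as SYSTEM or an administrator account: $($services.Count)"
$services | Format-Table -AutoSize
"Locally added scheduled tasks running with elevated rights: $($tasks.Count)"
$tasks | Format-Table -AutoSize
```

Any entry in either list that does not need those rights is a candidate for a dedicated low-privilege service account or a managed service account.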
February 27, 2006 at 6:18 am
You could just remove local drive access to the machine and then have everyone store everything on one of the DCs. Make everyone store their files on a few network drives. A friend of mine hacked a medical transcription company; they forgot you can start run commands from within the local copy of Word on the client PCs. They fixed the issues in a later release. But thorough testing of GPO and tight rights on a domain will solve most problems... Then the rest can be solved by auditing incoming and outgoing traffic. Might be just an after-the-fact sort of situation.
These types of situations make a strong argument for virtual desktops, Citrix and the like.
As with most places, you are there to do work, not screw around, and you shouldn't be surprised when you catch sh!t for it.
Good HR always helps as well. And treating your employees probably never hurt either.
Advanced thought, like putting a few 'open' but off-the-same-subnet PCs for people to use at lunch time for personal correspondence, would probably go a long way.
Cheers