I'm all in favour of generally having a policy of "reasonableness" rather
than out-and-out prohibition, and as far as the Internet is concerned I too
often use the telephone as an analogy. Most people appreciate that an
occasional local phone call is OK, whilst a 10-minute call to an Australian
pen-pal every morning would most definitely not be. Similarly, I think a
reasonableness measure can be applied to Internet and email use.

This being so, I don't like promulgating policies which don't actually say
what the policy really is. Thus I don't advocate a policy which says "Thou
shalt not do x" when the culture is "Thou canst do x in moderation, but
we're watching you, and don't abuse it." In my experience, a mixture of
responsibility and monitoring achieves the desired result. I am aware
however of people that disagree with me, particularly from the IT Audit
fraternity!

The real issue imho, and this is just as appropriate to the subject for
which the list was established, is internal education. If folk realize what
the risks and issues are, they are rather more likely to do what we want. We
need people to understand, for example, why they should not be mooching
around in their "own" customer database, or why the marketing department
can't just "borrow" the personnel list for a mailshot, just as much as we
need them to understand why they shouldn't visit dodgy Internet sites. It's
no good just saying "Don't do it" - if the risk/issue is not appreciated,
the problem won't go away.
--
Tim Wright
IT Security Manager
Fuji Bank, London