
SANS ISC: InfoSec Handlers Diary Blog



Advice on Violating Corporate IT Policies from the Wall Street Journal

Published: 2007-08-01
Last Updated: 2007-08-02 01:47:59 UTC
by Lenny Zeltser (Version: 2)

Several ISC readers told us about an article in the Wall Street Journal titled "Ten Things Your IT Department Won't Tell You" that seems to describe several ways of violating corporate IT policies.

The article points out that often "it's just easier to accomplish certain tasks using consumer technology than using the sometimes clunky office technology our company gives us. ... There's only one problem with what we're doing: Our employers sometimes don't like it. ... To find out whether it's possible to get around the IT departments, we asked Web experts for some advice."

I was troubled by the perspective this influential business publication is taking on IT policies. Surely, many employees know about services such as YouSendIt for transferring files to home systems, web versions of chat clients that don't require installation, web proxies for bypassing website filters and other handy tools that can often violate corporate IT policies. Unfortunately, the tone of the article almost encourages the employees to look for ways of bypassing such policies--an action that can be detrimental to their employers and their careers.

ISC reader Thomas Schmitzer told us he was "amazed at this article." He wrote, "We spend years training our users to follow good security practices and a 'trusted' source of information for executives and management writes this article. ... Yet it ultimately tries to convince our users that forwarding sensitive company information to free web based storage solutions, installing any application, surfing porn, or forwarding your email to a free third party service is perfectly acceptable."

ISC reader Jeff said he was "very surprised that this is published in such a mainstream news outlet. What's next, an article on how to help terrorists launder money and not get caught?"

The article did list the risks associated with attempting to violate the policies. "To find out the risks, we talked to three experts who make a living helping IT departments make the rules and track down the rogue employees who break them."

ISC handler Swa Frantzen mentioned that the article left out one big risk: Violating the company's policy may be a reason for dismissal. He pointed out that IT staff can use the article as a way of raising awareness for the policies that exist at the companies, and the sanctions associated with violating the policies. He also emphasized the need to develop IT practices that support the mobile nature of the modern workforce. "We will need to evolve from the medieval walled city model we all build with our current security technology to a modern grid pattern city, where the people live in the suburbs and are mobile." (Swa offers a presentation about adapting the IT paradigm to embrace mobility instead of blindly banning it.)

ISC reader P. looked at the article not as a suggestion to subvert IT policies, but rather as a checklist of common symptoms to monitor the IT policies for process improvement. He pointed out that there are "a number of really effective tools that can be implemented that truly do remove the need for the workarounds in the first place."

Was the article a good way to cultivate such a discussion? Was the Wall Street Journal's perspective out of line? Take a look at the article and judge for yourself.

-- Lenny

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com
