This is, for some reason, a particularly widespread issue in the US (the whole “can’t trust anyone” approach to employee management, not just the super-idiot epidemic). I have worked in Norway, Denmark, Holland, and many other places in Europe and, as EuroCoder says, things are different. People are expected to use their best judgment and discretion in doing their jobs effectively, and in exchange for this are actually allowed to do so. Those who are not skilled enough to work in an office with functional, open PCs around without endangering the company or its assets are not expected to without more training and experience. An individual’s sense of responsibilithy for his own actions — to himself, fellow employees, the company and the community — is all the security that is needed to more or less eliminate the risk of someone jeopardizing the company’s property when they are not sure if it is safe. The integrity an employee would show by going to the IT department to ask if using an MP3 player is safe is rewarded with being allowed to (even helped to) if it actually is harmless.

In the US, anyone that went to an IT department anywhere and asked, “Is it safe to use this MP3 player?” would be told either: that it is a policy violation; that the MP3 player is not on the list of approved devices; that his manager would have to review and approve it after it was sent off and returned from 9 xray scans and a complete de-soldering; or (the worst answer possible but also the most frequent) “I’m updating our virus data…. Uhhh, I won’t be able to do anything until I fix the Exchange server that got broke in the update, and then reboot the WebSense server that got broke because the system virus scanner deleted the WebSense blacklist and then the AV scanner got shutdown and maybe broke by the firewall because it looked like it tried to access port 25 but it didn’t and now the AD server has broke because it thought the AV scanner violated domain policy and….” Genetically-modified idiot. If there is any one crop that Europe should continue to ban importing from the US, it is the GM-idiot.

Why are Americans so afraid of everything? Afraid of IT security, afraid to take a walk at night, afraid of guns, afraid of not having a gun, afraid of unbottled water, afraid of water bottles, afraid of lying, afraid of being really honest, afraid that any non-English language is just a trick to talk about us and hatch plots, afraid to leave home, afraid to stay home (with or without a gun), afraid of killer bees, afraid of anything unpasteurized, afraid that e-coli is a micro-terrorist, afraid of paying living wages to meat-handlers to help avoid e-coli epidemics, afraid of meat-handlers. If someone can answer that question, the question of IT security will be answered, also.

If anyone knows of a programmatic way to lock down USB ports, or to auto A/V scan new drives as they are mounted (preferrably before users are allowed access), I’m all ears. I am stuck with Symantec unfortunately. Currently user/group policy prevents devices from being installed without admin authentication, which works 80% of the time. However some of our users have identical devices at home PDAs etc., and policy lockdown does not differentiate between home/work devices. Once that PDA is installed, any other handset will connect without needing authentication.

You can hide behind rules and regulations all you like, but it’s behaviours and attitudes that will work in the long term.

There are ways to do PC lockdown with 3rd party tools or with Windows Group Policy or both. Any competent firewall admin is already blocking most outbound ports anyway.

One of the worst things MS ever did for corporate security was to have an icon named “My Computer”. At work, its not your computer, its the company’s computer and they can do what they want with it.

In most companies I’ve worked for, listening to music was a definite no-no. I hated it, when I was out in the general pool office, sitting there listening to 6 different MP3 tracks at the same time, all played through headphones, way too loud! It is a real concentration breaker and productivity sapper.

Most companies I’ve worked at allowed mobile ‘phones, but only if they didn’t have a camera in – company policies in place since before mobile ‘phones or digital cameras banned all photographic equipment. This was an important security precaution for most of the big companies, especially in the R&D departments, so if you were fool enough to get a mobile with a camera, you had to expect leave it in the car or hand it in at reception, when coming on site.

To be honest, I find it harder to work in the office which are more “liberal” in their attitudes to things like mobiles and music players than in a traditional office atmosphere…

where draconian policy does work – in workplaces where safety is paramount – it is self evident that it’s a good idea to use the guard when operating the industrial lathe and so on. perhaps, becuase the example set by gov’t and big business in relation to data security is so lax, people are less inclined to believe in the importance of IT security? could that be it?

They pay my salary, and in return I get the job done. The rest of the time I expect them to respect my privacy. If I can’t trust the company not to snoop my browsing, time use or email I’m one step closer to leaving and taking whatever I consider my intellectual property (experience, code, whatever) with me… The company wants employees they can trust, but also the employees need to trust the company to play fair. Every inch towards a 1984 workplace makes me seriously consider going contractor.

If a company exposes high-risk data to employees who cannot be trusted and then expects a PC/data lock-down would help, they should seriously rethink their HR hiring principles/policies.

Bottom line… spending the time and effort in properly educating employees about security issues and values in the work place is the best way to ‘tech-proof’ the IT Security policies.

I guess I should get back to my work now!

Software and hardware need to be based around real assessed confidentiality threats, not around reactive bottom-up self-management principles.

“In a world where about 50% of managers never obtained an MBA and don’t know how to take accurate performance metrics…Websense based guilt tripping has become the new metric.”

http://en.wikipedia.org/wiki/Theory_X_and_theory_Y