We bet your firm doesn't stick to half of these 10 top IT admin tips

IT is perceived in mixed ways by users. Some look on the amazing stuff it does and think there must be witchcraft going on in there somewhere. Others think that because they configured their Wi-Fi printer and Sky box at home, they're a genius of computing. If you're to preserve order, security and governance in the use of your …

  1. small and stupid

    11. Don't be a pedantic dick.

    1. AMBxx Silver badge

      Was there a delay in your post being accepted? Everyone below this seems to have misread it as 'be a pedantic dick'

  2. Pete 2 Silver badge

    Nowhere to hide

    In some places, security (and H & S) is used as an excuse for not doing anything. "I can't send you that data ... it might not be secure" "I can't do that for you ... you're not authorised". "I can't access that ... I haven't been given permission".

    The first tenet of security is to allow the right people to have access and for everyone who needs to, to know who those people are. After that, comes the need to deny those who shouldn't be allowed.

    1. Halfmad

      Re: Nowhere to hide

      Actually, first you have to properly secure and control access to the information so you CAN give the right people access; that's normally why people become overly paranoid about data, because no thought went into where and how to secure it initially.

      For example, a manager may need to see everything on the system, but a secretary only information for one part; if the way the data is stored doesn't allow segregation of the data into parts, in other words it's "all or nothing", then that's not much bloody use.

      A lot of systems are like this, allow anything to be entered, but allow far too much to then be seen, or even worse seen and no record of it being viewed.

    2. Anonymous Coward

      Re: Nowhere to hide

      The first tenet of security is to allow the right people to have access and for everyone who needs to, to know who those people are. After that, comes the need to deny those who shouldn't be allowed.

      No, the first principle of security is to set up a policy which describes who does what, as that describes the do and do-not boundaries of activity, the risk tolerance of the organisation in the areas where this cannot be defined with precision and the authorisation process to change the policy or sidestep it and accept the risk that creates.

      That was, by the way, the original definition of a firewall as well: a device that implements a security policy.

      1. arrbee
        Headmaster

        Re: Nowhere to hide

        "That was, by the way, the original definition of a firewall as well: a device that implements a security policy."

        Hmm, I suspect the original definition had more to do with walls and, err, fire.

    3. 0laf

      Re: Nowhere to hide

      Availability is only one of the holy trinity of security and it's not got anything over the other two.

      Confidentiality, Integrity & Availability.

    4. OzBob

      Re: Nowhere to hide

      Yep I work for a government department (now as a contractor) and my favourite saying is "Security is also providing access to those who should, as well as denying it to those who shouldn't". It's both BTW, not one first then another.

      I do manage to get on well with the local security administrator, who is prepared to find a way to follow the rules but provide the access in a reasonable manner. Just lucky, I guess.

      1. I ain't Spartacus Gold badge

        Re: Nowhere to hide

        my favourite saying is "Security is also providing access to those who should, as well as denying it to those who shouldn't".

        This is really important. Actually I could even make an argument that in almost all cases, proper access is more important than data security. Unless of course your data has real life-and-death implications. For two reasons:

        Firstly - you're probably trying to do something. If you can't do that something (whatever it is), then your whole organisation is rendered pointless.

        Secondly - if you over-secure everything, so that people can't get their work done - then they'll just break the rules. And then your security is toast.

        Obviously this is all subject to sensible risk assessment. Sometimes the risk of the right thing not getting done is less than the risk of the data being leaked or damaged - in which case your security needs to be more inflexible, people need to understand why this is and know they'll get hammered if they break the rules.

        This is possible though. You can get people to agree to quite unreasonable procedures, so long as everyone agrees that the risk is high enough to justify the pain. And extra effort, and resources, are dedicated to helping the people on the ground to get their work done.

        I give an example. My Mum works with vulnerable children. But as an outside consultant for a very well known charity, seeing as she's retired. They've got their network wrapped up nice and tight. So tightly in fact, that she's been working for them since she retired ten years ago - and only got issued a mobile phone this year. So sure, they can now remote delete this data, and enforce a password on her. But before that she had all the details on her personal phone, with no password.

        She wasn't allowed to remote connect to their network (or even connect in the office) until she'd done several of those shitty online courses. But you couldn't get onto those online courses, without access to the network! Ahem. So she had to drive 60 miles to the nearest office, only for some shitty online video course thingy - that was a total bureaucratic waste of time. So because she was unable to connect to their secure (so secure you can't access it) data system, she was emailing stuff to her boss to upload, from her personal email account in the clear. And IT were no help, and just followed their procedures.

        Sadly many of these big charities seem to have swallowed all the bureaucratic crap of big corporations and government - mostly I suspect by hoovering up all the crappy middle management types that are unemployable elsewhere - because they pay too many staff.

        Chaos would be bad. This information is in some cases very sensitive. But just finding the names and addresses of families with disabled kids is easy - there'll often be stories in the media and charity press releases with names, that you can cross-reference with the phone book. I'd suggest that helping them is probably more important than hindering your frontline people - and there's an argument for keeping the sensitive notes in paper form, and never committing them to computer. But if you must, then you need to commit much more IT resources to the necessary hand-holding.

        1. Richard Jones 1

          Re: Nowhere to hide

          @I ain't Spartacus,

          It is also an argument for something pretending to be an organisation to get organised and recognise the needs it has and deal with processes the right way. Your Mum cannot possibly be the first case of her situation, so there should be a secure, agreed process sorted out to deal with such cases and avoid the run around that is apparently needed. Sending file(s) encrypted would be a start! Providing the tools for the job would also be 'useful'.

          1. I ain't Spartacus Gold badge

            Re: Nowhere to hide

            To be fair to them, the original charity got eaten - due to running short of money/competence. She was taken on as an anomaly, a consultant with considerable (and probably unique) expertise and experience. So our new heroes had no place in their multitude of procedures for a non-employee who was non-office based with a completely random level of caseload. They solved some of that by employing her, but all other procedures seem to have broken down.

            That's a problem the article fails to address. The author calls for all procedures to be rigorously enforced on everyone, and exceptions added to procedures. Unless you're a very simple organisation, that's almost bound to fail. Once you get a few cases of it failing, then people will be sharing and writing down passwords - sending emails to and from their own accounts and squirrelling data away heaven knows where.

            Your procedure needs to designate certain people who can override the rules quickly, but are capable of doing so with an understanding of the risks, consequences and IT capabilities. And deciding to do this as a one-off, update the procedures to cover this from now on, or to do something as a short-term stop-gap with better secured replacement to follow.

            No-one has the resources, or foresight, to get procedures totally correct - and keep them current with changing circumstances. Anyone who claims otherwise is delusional. And while they think they have the best systems in the world, will almost certainly find that they've been circumvented massively at lower levels in order to get stuff done.

            1. I ain't Spartacus Gold badge

              Re: Nowhere to hide

              Oh, and any IT management who enforces monthly password changes that can't re-use any major elements of the previous one should be beaten to death with their own rulebook. Their inability to understand basic human nature and abilities has rendered them unfit to manage.

              Passwords are rubbish anyway. But if that's all the budget allows for, then for God's sake at least engage your brain as to how normal users react to passwords. I know very few people who can remember more than one or two passwords (if even that). In my previous corporate life I had 4 different ones for building access, email, Oracle accounts and the AS400 stock/sales stuff. Some had to be regularly changed - and the AS400 stuff I only used every couple of months, so had no choice but to write down. It wasn't on a post-it note on the monitor though.

              1. Pedigree-Pete

                Re: Nowhere to hide

                Passwords. Wot like iThingy accounts. Bloody Apple.

        2. Anonymous Coward

          Re: Nowhere to hide

          What your Mum did is a firing offense where I work.

        3. Doctor Syntax Silver badge

          Re: Nowhere to hide

          "and there's an argument for keeping the sensitive notes in paper form, and never committing them to computer."

          It must be a bad argument! The consequence would be anybody who feels they really must have access to them will photocopy them and then there'll be uncontrolled copies around the place. Uncontrolled because there'll be a ban on copying them so all the copies will be sub rosa.

        4. JimC

          Re: So She had to drive 60 miles

          Yep. This isn't fundamentally security, it's a simple cost/benefit thing.

          Given an exception like this you can either put in the systems, processes, monitoring, staffing and everything else required so that every now and then people don't have to drive 60 miles, or else you accept that every now and then people do.

          Guess which one tends to work out cheaper for a small organisation? It's just the money. If you're a small organisation on a tight budget then gonzo-level sophisticated systems just don't pay for themselves, and of course the more complicated the security the higher the risk, so the more attention it needs and so it snowballs.

          Given efficient admin, business processes etc. a really well managed organisation would work it out so that when the need comes to drive the 60 miles there are a whole raft of useful things they do to make the trip worthwhile, not just a single damn video, but again that's nothing to do with security.

    5. KA1AXY

      Re: Nowhere to hide

      Thanks to HIPAA, I now get content-free emails from my doctor and pharmacy, reminding me of an appointment (withholding the date and time), or prescription renewal reminders (withholding the name of the medicine).

      I ask you, what purpose do these emails serve? Mind you, I have expressly opted in and agreed to a lengthy pile of legalese in order to get them. Yet, apparently, "email is not secure", so names of medications and time of appointments must be withheld, even if I have requested them to be sent to me.

      Idiots. And expensive as well.

      1. P. Lee

        Re: Nowhere to hide - re: content free emails

        > "email is not secure"

        It could be that HIPAA has something other than your convenience in mind. For example, what if email processing is outsourced to an organisation which has a financial interest in collating what drugs you are taking, or Google starts selling information about your medical history or medicinal usage?

        HIPAA is going to look at all data under an organisation's control and if it is going to be controlled, it is controlled, no excuses.

        Encrypted email would seem to be the obvious answer, but that's too hard to roll out universally - emailing links to hosted encrypted appointment web pages is probably the best way to go, but far more trouble than sending a vague prompt.

        1. Doctor Syntax Silver badge

          Re: Nowhere to hide - re: content free emails

          " what if email processing is outsourced to an organisation which has a financial interest in collating what drugs you are taking"

          There's a simple answer to that. DON'T DO IT.

          Apart from any immediate security issues there's the longer term one. If email purports to come from one organisation but actually comes from another you're training recipients to blindly trust that what it purports to be. In short, you're training them to be phished.

          We really need to have signing as a required part of the email protocols. No wonder email isn't secure.

      2. kain preacher

        Re: Nowhere to hide

        That's not HIPAA, that's just a piss-poor Dr./hospital. When I had Kaiser I got emails reminding me of the day, time, Dr and location of my appointments via text and email.

    6. NoneSuch Silver badge

      Re: Nowhere to hide

      Unfortunately, policies are great until you try to apply them to the senior execs. I've only worked for one company where word came down from the President's office that the policies were to be followed by everyone, or else.

      In the other businesses, 90% of the infractions were caused by senior staff who were not held accountable for the porn browsing, music / movie storage / download, darkweb crap I had to deal with. Some was ignorance, other would plead ignorance then do it again later on the same day they were cautioned.

  3. nijam Silver badge

    > 3. You're responsible for your equipment

    I will take no more care of equipment provided than do my employers themselves. E.g., since they've signed up for a "no claims" insurance policy (i.e. cover only for items costing over £2000 each) I wouldn't dream of putting it on my household insurance either.

    1. graeme leggett Silver badge

      Companies, especially the larger ones, self-insure on small value stuff (your definition of small may be different to theirs) as the cost/risk is lower than the hassle of paying the premium and making the claim when required.

      You don't, and shouldn't, have to insure the company's kit, but you shouldn't be careless either.

  4. Ralph B

    There is one who keeps to all these rules.

    There is only one who keeps to all these rules.

  5. TeeCee Gold badge
    Facepalm

    .... laptop nicked from the back seat of their car....

    Depends how senior the owner is. I know of one who went one better and got his fleet car nicked with the laptop in it. Within a week a new laptop was his and a new Merc on order.

    Which was a shame really as a few days later the cops called to say they'd found his car. It was still locked, with the laptop in it, parked about 200 yards from where he thought he'd parked it before getting wankered that evening.....

    1. Rich 11

      At least his own drunkenness stopped him from driving while drunk.

    2. P. Lee

      >It was still locked, with the laptop in it, parked about 200 yards from where he thought he'd parked it

      Thieves will often move a car and leave it there to see if it is lo-jacked before trying to sell it on.

      Or he may have forgotten where he put it.

  6. Doctor Syntax Silver badge

    And, in my opinion, if it's humorous enough (a user once reported the loss of his expensive pager to my team as “We think my three-year-old put it either in the bin or down the bog”) then that's fair game.

    No it isn't. Any parent should be aware of keeping important stuff out of a three-year-old's reach.

    1. Mayhem

      Children are like idiot savants. The moment you think something is child or idiot proof, it isn't.

      My friend's standard technique for getting stuck CDs out of the factory car stereo system is to leave the four-year-old near it for 15 min or so, and he frequently succeeds by hitting the right secret random combination of buttons. It's depressingly reliable.

    2. Anonymous Coward

      I think the guy was let off for perceived honesty; responding positively to honesty is better than the next guy who loses his kit dreaming up some scam that is hard to disprove but leaves us all ethically poorer and in a world of pedantic distrust.

    3. KA1AXY

      New parents usually learn that AFTER the pager has been flushed.

    4. Phil O'Sophical Silver badge

      Any parent should be aware of keeping important stuff out of a three-year-old's reach.

      Any parent should know that a three-year-old's reach is much bigger than you'd think...

      1. MonkeyCee

        Mischief is often gravity based, and is thus faster than light.

      2. Doctor Syntax Silver badge

        "Any parent should know that a three-year-old's reach is much bigger than you'd think..."

        It might be much bigger than you'd think. I think bigger.

    5. TomPhan
      Trollface

      Are pagers important stuff? Has the 1990's made a comeback?

  7. Anonymous Coward

    11. If you use an unattended install or image don't leave the local administrator password in plain text on the hard drive and allow users to access it.

    Some may think the above doesn't happen that often, but I can assure you there are some big multinationals and some big I.T. suppliers that still do this. One only recently upgraded an office to thin clients that all have the same admin password and, what is worse, without giving it away, it's on the top ten list of most common passwords.
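    One check that follows from this tip, as an added example that is not code from the thread or from any vendor: a Python script that audits a Windows unattended-install answer file (unattend.xml) for credential values still embedded in it. The element names are the real Windows Setup ones; the sample answer file and its passwords are constructed for illustration.

```python
"""Audit a Windows unattended-install answer file (unattend.xml) for
credentials left embedded in it. Added example for this thread, not code
from the original page; the sample answer file below is constructed."""
import xml.etree.ElementTree as ET

# Windows Setup scrubs its cached copies of the answer file by replacing
# password values with this marker; such a value is not a live credential.
SCRUBBED = "*SENSITIVE*DATA*DELETED*"

# Constructed sample: a plaintext local administrator password plus an
# auto-logon password marked PlainText=false (base64 only, not encrypted).
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>Example-Admin-Pass-1</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
        <Password>
          <Value>RXhhbXBsZS1BdXRvTG9nb24=</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""


def _local(tag):
    """Strip the XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def find_embedded_passwords(xml_text):
    """Return one finding per password-bearing element that still holds a
    value: {"element", "plaintext", "value_length"}. PlainText=false is
    still reported, because that value is merely base64-encoded."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in ("AdministratorPassword", "Password"):
            continue
        value = _child_text(elem, "Value")
        if not value or value == SCRUBBED:
            continue
        flag = _child_text(elem, "PlainText")
        findings.append({
            "element": _local(elem.tag),
            "plaintext": (flag or "absent").lower(),
            "value_length": len(value),
        })
    return findings


def audit_is_clean(xml_text):
    """True only when no credential value remains in the answer file."""
    return not find_embedded_passwords(xml_text)


if __name__ == "__main__":
    for f in find_embedded_passwords(SAMPLE_UNATTEND):
        print(f"{f['element']}: PlainText={f['plaintext']}, "
              f"{f['value_length']} chars still on disk")
```

    Run it against the cached answer files left on a deployed machine (for example under the Windows Panther directory) as well as the master image; a clean result means every password value was either removed or already scrubbed by Setup.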

  8. Warm Braw

    You can never be 100 per cent sure that someone is meant to be there

    In most offices, someone you know without a badge is more likely meant to be there than someone you don't who has one. Blindly trusting badges is rather like letting in the nice man with the peaked cap who claims he wants to read the meter.

  9. Efros

    On point 3

    My work issues us with a MacBook Air. After much probing, and eventually a f2f meeting with the tech director, it came to light that they held us financially responsible for anything, absolutely anything, that happened to said piece of kit. When pushed on this I was told that they have a very reasonable insurance scheme to cover for any such damage/loss. I asked if the laptop was necessary for me for my job; they assured me it was. I then suggested that if it was that necessary then they should pay the insurance; they refused, and so my MBA currently resides in the bottom drawer of my locked filing cabinet in my office. I use my own laptop.

    1. Anonymous Coward

      Re: On point 3

      And where is your office?

      :)

      1. Efros

        Re: On point 3

        Office is at work!

    2. Michael H.F. Wilkinson Silver badge
      Happy

      Re: On point 3

      No! No! No!

      The standard procedure is to stick the locked filing cabinet inside a disused lavatory with a sign on the door saying "Beware of the Leopard".

      Said lavatory should be in the basement.

      Be sure to remove the lights ...

      ... and the stairs

    3. allthecoolshortnamesweretaken

      Re: On point 3

      Do I need a badge to enter the building?

      1. Darryl

        Re: On point 3

        Nah, just wait for someone else to go in and follow them.

    4. Eltonga
      Headmaster

      Re: On point 3

      Well, for one, we lack context information.

      It might well be that the rest of the office is working with beaten-up six-year-old Dells while your department "won" an internal ego contest and got those shiny new MBAs, and the price to pay for that Pyrrhic victory was that insurance fell on your department's head...

      Or of course it can be that the company's heads are full of it.

  10. ukgnome

    tailgate - oh the joys

    When I worked for EDS I once prevented someone from tailgating. They were very persuasive in their argument as to why they should be allowed through the back door. I explained that as they didn't have their pass I couldn't verify that they should be in the building. I was extremely polite, to the point of sickly, as I explained that they should visit reception and have them allow them entry to the building. I thought nothing of this until I was asked to report to the UK manager's office.

    Yep, I had prevented the manager from entering her own building. This had made her late for the EMEA meeting as the big directors had visited. They were delighted that I had stopped her, and weirdly I ended up with a gold day for my ruthless door barring.

    1. Aqua Marina

      Re: tailgate - oh the joys

      An anecdote I was told several times over the past year justifying this position. The CEO of a large company, I think it was Target but couldn't be sure, deliberately used to visit the office, and enter the building through the warehouse. If ever he didn't get challenged by the time he made his way into the offices at the other side, he sacked the floor manager.

      1. PatientOne

        Re: tailgate - oh the joys

        Had something similar here: Chief Exec wouldn't wear his ID to see who would challenge him. He was pleasantly surprised by the number who did.

        He didn't sack anyone for not challenging him, but he did write to their manager to express his concern over security...

    2. I ain't Spartacus Gold badge

      Re: tailgate - oh the joys

      An SAS commander in the Malaya emergency supposedly reprimanded the guards at a training camp for not firing on a returning patrol who hadn't properly approached or identified themselves.

      He then apparently screwed up in some way himself, and got fired at for his pains. So he reprimanded the guards for missing him...

      I've seen this from two different sources, but being a forces story, that has no bearing on whether it's actually true or not...

      1. Anonymous Coward

        Re: tailgate - oh the joys

        While on gate guard duty, the RSM took pains to tell us to detain (lock up) anyone who returned to camp in a state of inebriation. They were to be kept detained until the RSM arrived to review the logs and order their release.

        Second person to turn up (staggeringly) drunk was... the RSM.

        Come morning, he really wasn't happy, but those were his orders...

    3. allthecoolshortnamesweretaken

      Re: tailgate - oh the joys

      The trick is to make it look like the guy who has the proper badge is tailgating you.

      Also, there are a lot of places where a hi-vis vest and a clipboard with some official-looking forms will do just nicely.
