RE: in-to-out security
All of these various technical measures are, at heart, policy
enforcement mechanisms. If he does not have a policy to guide
their deployment, they cannot be considered a "solution".
So: the real question here is: Should users be told what the
policy is?

If users are not told what the policy is, they cannot be subject
to disciplinary action for violating it. A secret policy is
simply not enforceable. Which may make it kind of moot.

David Gillett


-----Original Message-----
From: Joe George [mailto:j.george@xxxxxxxxxxxxxxxx]
Sent: Tuesday, March 28, 2006 6:33 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: in-to-out security

Dear all,

I hope you're all doing well. A colleague of mine does
technical support for some charities on the side. One of his
clients is a person who is the CTO of a 400+ person,
non-profit organization. This CTO asked my colleague what
was the best way to (a particular application or training
method) to get his 400+ staff in-line and keep them from
doing inappropriate things on the network such as downloading
rogue applications, and inadvertently installing apps which
can attack the network and other networks. He's looking for
an in-to-out solution.
This CTO feels he and his team would be able to secure the
network from intrusion from outside rogue users by
implementing necessary firewall, IDS, etc. I suggested to my
colleague that this gentleman cannot adequately secure
external/internal intrusion and attacks without implementing
an acceptable use or some kind of written policy with the
assistance of his HR department. I informed him that
end-users should have the right to know that their activity
is being monitored by the IT staff (which is what I presumed
he meant by an application/training method to keep his staff
in-line). This CTO fellow feels that any kind of policy is
not a viable option. I told my colleague a written policy
will protect the organization and the employees and allow the
security team to build and design security countermeasures,
not to mention get the best use of expensive security
appliances. Besides rogue applications, I mentioned that
other issues such as disgruntled employees, corporate
espionage, maintaining data and company integrity are just a
few reasons to start off with written policy. My colleague
mentioned that his CTO client is not uninformed, but rather
too scared to bring up a very controversial solution as
written policy to his superiors and the end-users. My
questions to you are these:

1. Was I right to suggest this rather than help my colleague look
for an app/training solution?
2. How would you convince an obviously passive CTO to do the right
thing?
3. If such an application/training exists, can you suggest
something?
4. Is it legal to implement user-monitoring without informing the
staff? This is where I think policy

Thanks in advance.

Take it easy,

Joe

--------------------------------------------------------------
-------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec
management education and the case study affords you unmatched
consulting experience.
Tailor your education to your own professional goals with
degree customizations including Emergency Management,
Business Continuity Planning, Computer Emergency Response
Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
--------------------------------------------------------------
-------------
