Re: Security Policy
From: Mark Gordon (spamtrap@flash-gordon.me.uk)
Date: 02/06/03
Date: Thu, 6 Feb 2003 16:29:28 +0000 From: Mark Gordon <spamtrap@flash-gordon.me.uk>
On Thu, 6 Feb 2003 10:38:40 -0500
"Jim" <jim@nospam.net> wrote:
> Hi Ron, thanks very much for taking the time to reply. I have posted
> some further comments below.
>
>
> "Ron Ruble" <raffles2@att.net> wrote in message
> news:v43660slh97gfe@corp.supernews.com...
> >
> > "Jim" <jim@nospam.net> wrote in message
> news:fqc0a.3635$io.138047@iad-read.news.verio.net...
> > > We are in the process of implementing a new network access and
> > > security policy for the company. One of the things on the new
> > > policy states that all new software installations must be approved
> > > before installation can take place. I am getting resistance from the
> > > Engineering department because they feel they should be able to
> > > install anything they want to without authorization. Now this mainly
> > > pertains to the software developers that develop software for our
> > > end products.
> >
> > There is some validity in the developer's point of view.
> >
> > It is trivially simple, and disturbingly common, for a
> > company to _cripple_ their development efforts
> > with a policy such as you describe.
> >
> > By the way, I do _not_ favor developers operating
> > without restrictions; I am simply aware of the fact
> > that incompletely thought out restrictions are
> > a source of more trouble than they solve.
> >
> > > They constantly receive MSDN updates
> > > and need to run an XP environment for testing. The rest of the
> > > network is 2000. My feeling on this is that if they want to do it
> > > this way, then they should be in a development environment that is
> > > not physically connected to the network and then they can do what
> > > they want.
> >
> > Is it actually possible for them to run in a detached
> > network, or do their duties require network access
> > to complete the software?
>
> Since the development is for a stand-alone product, then yes it is
> possible for them to do that on a separate network.
Do they also need access to standard network services, such as email? If
so, development will need more PCs than people and the desk space to use
them. Your company has to consider the cost implications of this.
> > > What do other companies out
> > > there do? We are a fairly small company but growing. I would be
> > > interested in the opinions of others on this topic as well as if
> > > there are any particular resources on this subject that I can look
> > > at to determine if this is the best way to handle this.
> >
> > First question: _why_ was the policy instituted?
>
> > Is it due to a concern for network security wholly, or
> > based on a combination of security and support concerns?
> >
> > Is it based on incidents, or general fear?
>
> It's probably a combination of everything you stated. There have been
> incidents of software installs that have caused me to reformat and
> re-install an OS. There is concern because most of our developers are
> contractors and network security might not be important to them
> because they are only here temporarily.
If you can't trust them with your network, how much can you (or rather
your company) trust them with your application?
> Installing unlicensed software
> is another issue which has already happened and you know the
> ramifications of that. This policy addresses other things as well to
> protect the company. You can't have someone viewing objectionable
> material on their computer then someone walks by and takes offense to
> it, next thing you have is a lawsuit. We currently have a policy in
> place that states to notify IT that you installed something, but that
> is being ignored. So a committee was formed and a more strict policy
> is being presented.
<snip>
If people are ignoring the existing policy, they will ignore a more
strict policy as well. Isolating the development network won't help with
lawsuits for inappropriate material or use of unlicensed software.
Technological solutions can help (locking down PCs, auditing software
etc), but the policy needs to include disciplinary measures and for
these to be used where appropriate. It is very difficult to stop
developers from being able to do dodgy things without preventing them
from doing their jobs.
--
Mark Gordon
Paid to be a Geek & a Senior Software Developer
Currently looking for a new job commutable from Slough, Berks, U.K.
Although my email address says spamtrap, it is real and I read it.