Comments on: Practical Data Loss Prevention http://blog.securstar.com/2009/09/19/practical-data-loss-prevention-3/ SecurStar - Security at it's highest level Wed, 23 Sep 2009 15:01:02 -0300 http://wordpress.org/?v=2.8.4 hourly 1 By: Michel Curti Rozatti http://blog.securstar.com/2009/09/19/practical-data-loss-prevention-3/comment-page-1/#comment-13 Michel Curti Rozatti Wed, 23 Sep 2009 15:01:02 +0000 http://blog.securstar.com/?p=98#comment-13 There is no way to enforce any kind of security police using only authority and rules. It's all about education and marketing. You have to create a security awareness throught the company. There is no way to enforce any kind of security police using only authority and rules. It’s all about education and marketing. You have to create a security awareness throught the company.

]]> By: Alex G. http://blog.securstar.com/2009/09/19/practical-data-loss-prevention-3/comment-page-1/#comment-12 Alex G. Wed, 23 Sep 2009 14:45:45 +0000 http://blog.securstar.com/?p=98#comment-12 I see both sides of the soft policies. As a user I find it good. Because I'm an intelligent user I think that I can decide for myself which Content I am able to see and which not. At my company we have a strict policy for the internet. Everything with marked content is blocked and logged. It's okay but a few websites contain useful information for me but through the advertisements on the website they are the victim of the proxy and I only get "Access Denied" with the reason why I'm not allowed to see the content. The soft policy or reminders would help me to decide whether it's okay or not. Same for the worktime. If I would be reminded with such information I would think twice whether I browse a bit or do some work. But on the other hand I see the administrative horror. You want to make the best choice between administration, security and freedom. The problem is that you can't do all. Either you give the employees freedom and risk that the systems got abused or infected / damaged from something or you are administrative and don't allow the users to risk to damage something. If you give them the freedom with soft reminders the problem is that you simply can't control the system. I can't share any experiences about a soft policy system but I can say that I'm a normal employee and I see the administrative difficulty to handle that thing correct. Maybe it's because I learn the job as a network administrator and see the things different. For the part of the personal devices I can simply say: No they shouldn't have access or control of them. It's 'just' Work. They don't control my life so they shouldn't control my personal devices. Of course the usage of mobile phones and other stuff like pda's or netbooks is in some cases extreme and not okay but I think that a simple policy should restrict it and that the administrative heads of the company's should act when they see a massive usage of these devices at the worktime. At my company it's allowed to use a mobile phone or the internet for personal use but it is recommended to don't do this and use this only if you have to and can't prevent it. This is okay because everybody is just human and can't work from 8 up to 10 hours (or longer) a day like a machine. In cases of extreme work and litle time you can't cut off the work and use a mobile for a talk to your wife about your marriage. It's simply not okay. If you have work, you have to do it and that's it. Usage of private devices at work should only be okay when you have the time and have done your work. German saying: "Erst die Arbeit, dann das Vergnügen." translated: 'First you have to work work, then you can have freetime / fun.' You want to know how I would enforce such a policy? Well ... I don't really know how to enforce such a thing. Alex G. I see both sides of the soft policies.
As a user I find it good.
Because I’m an intelligent user I think that I can decide for myself which Content I am able to see and which not.
At my company we have a strict policy for the internet.
Everything with marked content is blocked and logged.
It’s okay but a few websites contain useful information for me but through the advertisements on the website they are the victim of the proxy and I only get “Access Denied” with the reason why I’m not allowed to see the content.

The soft policy or reminders would help me to decide whether it’s okay or not.
Same for the worktime. If I would be reminded with such information I would think twice whether I browse a bit or do some work.

But on the other hand I see the administrative horror.
You want to make the best choice between administration, security and freedom.

The problem is that you can’t do all.
Either you give the employees freedom and risk that the systems got abused or infected / damaged from something or you are administrative and don’t allow the users to risk to damage something.
If you give them the freedom with soft reminders the problem is that you simply can’t control the system.

I can’t share any experiences about a soft policy system but I can say that I’m a normal employee and I see the administrative difficulty to handle that thing correct. Maybe it’s because I learn the job as a network administrator and see the things different.

For the part of the personal devices I can simply say:
No they shouldn’t have access or control of them.
It’s ‘just’ Work.
They don’t control my life so they shouldn’t control my personal devices.
Of course the usage of mobile phones and other stuff like pda’s or netbooks is in some cases extreme and not okay but I think that a simple policy should restrict it and that the administrative heads of the company’s should act when they see a massive usage of these devices at the worktime.
At my company it’s allowed to use a mobile phone or the internet for personal use but it is recommended to don’t do this and use this only if you have to and can’t prevent it.
This is okay because everybody is just human and can’t work from 8 up to 10 hours (or longer) a day like a machine. In cases of extreme work and litle time you can’t cut off the work and use a mobile for a talk to your wife about your marriage.
It’s simply not okay. If you have work, you have to do it and that’s it.
Usage of private devices at work should only be okay when you have the time and have done your work.

German saying:
“Erst die Arbeit, dann das Vergnügen.”
translated:
‘First you have to work work, then you can have freetime / fun.’

You want to know how I would enforce such a policy?
Well … I don’t really know how to enforce such a thing.

Alex G.

]]>