
Corporate Internet Policy 6

Status
Not open for further replies.

schase

Technical User
Sep 7, 2001
US
Hi folks,

We are a relatively small company computer wise - 20 odd workstations, which will in a span of a few months, grow to about 35 workstations.

Up to this point, it has been mostly managers who have been utilizing the computers - non-managers have an installed security software that prohibits browsing to any website other than the ones on an allowed list - but this is on a pc by pc basis.

With this new growth comes the availability for virtually any employee to utilize a computer. And going the pc by pc basis mentioned above lends to very heavy administrative tasks.

We are leaning towards acquiring an appliance content filter which will filter out most - but I am very much aware we need to install a corporate internet policy.

While on one hand, I have no desire to be *big brother is watching*, I also recognize the need for the company to protect itself, in case an employee instigates a lawsuit by using a company email address, etc.

Does anybody have experience in implementing one of these from the ground up and can give me pointers?

Thank you


"Never underestimate the power of determination"

Stuart
 
If you're just talking about a policy, it's really not complicated. If your company already has some type of phone usage policy, you can start with that and modify it to say what you want.

1. State what is allowed. (e.g. for conducting the business of the company)
2. State what is not allowed. (e.g., Surfing to nonbusiness sites, personal emails, downloading pictures, games, etc.)
3. State the consequences for having broken the policy.
4. Have each employee confirm that they have read, understand and will comply with the policy by getting their signature.
5. File each acknowledgment in the individual personnel files.

The policy won't necessarily stop people from using the net, but it's ammunition for the company if you choose to use the policy in a disciplinary matter.
 
Stuart,
I went through the same process a few years ago with my company.
First, with the blessing of the owners, I developed the computer and internet usage policy. Then as the company grew, we installed 'Webblocker' for content filtering. I made it very clear that we were going to start monitoring and blocking and why. No surprises.
Everyone is required to read the computer / internet policy, and we verbally restate that 'these are company computers and everything you do is the property of the company and therefore subject to monitoring. There is NO implied right to privacy on the company computer network.'

I didn't want to be the 'Computer Cop' but as IS Manager it's become a small part of the job.

Michael Chase
Senior IS Manager


 
Sorry to break off on a tangent but I find companies' attitudes on this interesting.
In my last job I had no internet access and wouldn't dream of asking for it. I was lucky just to have email!

In my current job (in a different country) things are different. We have a hundred PCs with net access and there doesn't appear to be any kind of strict filters in place, although certain ports are blocked, and it's likely they are monitoring use.
Actually they even have a workstation set up with internet access for workers who have no need of a PC or net access, it's just so they can surf the web during their break time!

One other limitation is that all PCs have an installation block so you can't install any software.

The difference in attitude between companies is interesting, perhaps a more flexible attitude creates a better working environment for all. Having a big brother watching over you is not nice, you can still set-up operations to protect your systems while allowing some degree of freedom.
People are generally sensible enough, a little bit of trust (+freedom) doesn't hurt.





- É -
 
It's an interesting viewpoint - one that I haven't really considered. Unfortunately I have my own personal policy which states that you can't trust anyone but yourself.

There have been many people in our workplace who look at Ebay for hours and hours of the day, forward 10mb movies to 50 people and generally use work facilities for personal use.
You wouldn't expect to make a phone call to your wife for 3 hours from a work phone during office hours.
 
Stevehewitt
Attitudes vary in different countries.
You're from the UK, I'm Irish and I think we have similar working systems. It's one reason why I left Ireland because I got totally sick of the systems there. It seems to be a trait of every company and every department of those companies. For example, it's like getting hit on for being 2 minutes late for work even though you work 3 hours overtime for no extra pay! That regularly happened to me!

Where I am now I can stroll in at lunch time as long as I don't work up too many "minus hours" and I get the work done.
I have easy net access which shouldn't be used for personal use although if they do monitor it they certainly don't act on it.
I repay that freedom and trust by working hard and not over-abusing those freedoms!

Different countries, different cultures...




- É -
 
I completely agree. Unfortunately not every employee has that attitude - which is why some of these systems need to be in place (IMHO). I couldn't agree more with the example of working hours, and although I have a policy against non-business use of Internet access - I realise that people do use it for personal stuff, but people still get their work done, it's doing no harm; so why bother clamping down on people and making them unhappy and me a hate figure! :)

I would recommend having it in a policy which people agree to just on the basis that if they do go too far then you have some ammunition for that "Just in case" scenario.

Steve.
 
Oh yeah, a system or policy definitely needs to be in place, unfortunately there's wasters in every company :)

Do you think the aim of these policies is to control the amount of time users spend online or is it more of a network security thing?


Apologies Stuart for straying from your question a tad...




- É -
 
Well if you ask management it's nearly always the first. If you ask IT pros then it's the latter.

I have to allow access to web based email. I hate it. I have no idea if there is an attachment being downloaded from them (as the company is too tight to pay for the software) and I can't see if people are sending out data they shouldn't.
People get a joke email, go to the site only to get 100 cookies installed on company property.
And of course - the killer: Web pages with embedded viruses. I get told off if I disable Javascript and ActiveX controls as users don't get the "most" out of the Internet. Don't worry about the little IT guy who has to spend the next 3 days without food or sleep to remove the ActiveX virus that came with your hilarious joke webpage.

(Um, sorry! Rant over! :))

Steve.
 
Thank you everyone for your responses - and like I said, I do not wish to be big brother here, and allow a good portion of freedom in what they wish to do.

Not having internet is not an option as we are transitioning to a web-based system for our main programs.
This is what caused the concern. There has to be internet access in addition to email. And it's really not just lost productivity if someone plays a game of cards. I do believe in allowing someone to configure their computer in a manner they are comfortable with - minus the obvious ones (like a nude desktop picture).

Here are some of the concerns that pop to mind when you think of easy access.

-What if an employee was sharing music files over the internet and it got caught, we as the provider would be also targeted.
-Say an employee gets mad at his girlfriend and uploads a nude photo while at work. - he's still using the company internet access.
-Say an employee sends a threatening letter to a federal politician - we really wouldn't want that type of examination.
-Say an employee downloaded child porn - again we would be liable.

All of the above are of course hypothetical situations, but all are possible and all put the company at great liability.


"Never underestimate the power of determination"

Stuart
 
You need a content filter. Child Porn will damage the company big time.
Again, never, ever allow P2P software on it. Allow freedom for your employees if you wish, but ensure that they cannot install their own software.
Regarding email - I have a disclaimer as such:

"This e-mail is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not represent those of insert company name here. In no way is insert company name here liable for the content of this message. If you are not the intended recipient, be advised that you have received this mail in error and that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited."

This gets put onto all mails by our ISP automatically. Although I am sure fellow members can point out holes in it, the disclaimer covers most of the main points.

If you don't want to control users too much, but want to stay on the safe side then the only thing to do is get them to sign an agreement which states in black and white what they can and can't do - and log everything. This way you give them plenty of access so they feel that you trust them but as soon as you think they are abusing it you can prove it by logs and take the appropriate steps.

Steve.
 
Believe it or not you already have policies that cover the incidents you mentioned.

-What if an employee was sharing music files over the internet and it got caught, we as the provider would be also targeted.
-Say an employee gets mad at his girlfriend and uploads a nude photo while at work. - he's still using the company internet access.
-Say an employee sends a threatening letter to a federal politician - we really wouldn't want that type of examination.
-Say an employee downloaded child porn - again we would be liable. (The porn could be a book in his/her desk instead of the computer)

I'm willing to bet all these are covered under some other policy you already have. The Computer just happens to be the tool for the violation.


You can have a strict policy but be lenient in the enforcement. Our policy here is strict, but it has only been enforced in the case of a couple employees who were not doing their work. That's where your managers come in.

Managers should know the output of their employees. If an employee isn't producing anything, and the manager doesn't see in output, the manager should be able to call the employee on his WORK. Most often, if people are wasting time, be it computer, phone usage, etc., it shows up in the quality of their work. It's here it falls into the manager's lap, but it seems to be easier to slap a filter on.

When I was an admin asst to a General Counsel, she didn't care what I did (that's how I learned computers), but everything I needed to do for her was done in an effective and timely manner.

It would make no difference concerning the computer, it's only a TOOL to waste time. The same time could be wasted on the phone or reading the newspaper. Perceived monitoring can be just as effective as "real" monitoring. If they think they are being monitored it could curb behaviors.

I tell people all the time, "I can see everything you do, and know everywhere you go on the web." I DON'T, but they think so and it scares some of them.... LOL.

 
schase,
I'd just add one thing: it helps to explain to staff clearly, and in a friendly way, why there are limitations in place. In my past I've been quite upset by heavy-handed, unpleasant documents dumped from on high, designed to protect the employer from a misdemeanour I wouldn't have considered committing anyway. It's quite offensive to have implications cast around that, were I not carefully controlled, I'd spend half my working hours cruising porn sites!
Most of us users would actually prefer not to be showered in unwanted pop-ups, adverts for viagra, and don't want to be allowed to blunder into a porn site any more than we want to fall in a hole in the street. We happily tolerate barriers round dangerous holes, because they're good for us. We also like to be able to get on with our work without having to wait an hour to download an important work document because someone else has decided it's more cool to listen to the cricket on internet-radio than turn on their real radio. A simple explanation of Why downloading 100Mb files for personal fun is not such a great idea makes everyone a lot more cooperative.

Please, in addition to implementing all the security measures you need to protect yourself and your company, spend some valuable time telling the rest of the staff how it actually protects them, too.
 
We've covered ourselves by making users sign the forms. It seems to work out well. The other thing is taking the time to tell people that if they have a program that connects them to the internet at all times, like to get the current weather, and the weather server gets infected, the USER gets infected. Most people don't realize this. I think this was mentioned earlier. (Embedded viruses)

Glen A. Johnson
Johnson Computer Consulting
"I only know that I know nothing."
Socrates (47-399 BC); Greek philosopher

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
 
Just wanted to thank everyone for their inputs and different points of view.

I already knew what I had to do- just how to start it was where I was lacking. Thank you all.

"Never underestimate the power of determination"

Stuart
 
EVERY company with ANY computer resource should have a computer policy but this should just be targeted at net access / email etc. You should also have that you do monitor (monitoring is only illegal in the UK if they don't know about it!),
acceptable / prohibited use (Encryption SW, Games, Spamming, Illegal Copying, download),
Software / Hardware acquisitions (IT only),
liability for conformance with copyright law is on user (all those lovely pictures on the net? mostly copyright infringement ask FHM, Maxim etc)
System Security (Duty of care, level of expected competence, No expectation of privacy despite passwords, not to share passwords, just because you can see other files doesn't mean you have the authority to read them, hacking / using others' passwords)

Don't forget a section on procedures, like how to contact helpdesk and when.

Spell out what email is, people often write how they talk in an informal way BUT email is a legally binding document. Spell out that a user connects to the net / has incoming email at THEIR OWN RISK and anything seen is not controlled by the Company nor does the company accept any responsibility for what they see.

Best tip I can give: make it readable (not too much legal talk Snore ZZZZZzzzzzzzzzzzzzzzz) and get senior execs to agree and make everyone sign and agree to it.

This is the second most boring thing I have ever done, second only to blue bar watching :)

enjoy,

Iain
 
It's worth pointing out that, whilst everybody and his dog seems to be adding disclaimers to their email, "[t]he value of disclaimers is limited, since the courts normally attach more weight to the substantive content of the communication and the circumstances in which it is made than to any disclaimers." Or, at least, that is the position in the UK; other countries may differ.
 
We use a system called Websense, check it out at , but be prepared for the price tag. They do the categorizing and you can block different categories or allow them at different times. We pretty much block all access during the hours from 10AM to 3 PM. The organization realizes that a certain amount of surfing is needed but they try to block it during the "productive" times of the day. Their thought process was most of the work gets done in the morning and by that time the internet block comes on for the most part of the day and then any of those "I gotta check on this site before I go home" is still available.

SF18C
CCNA, MCSE, A+, N+ & HPCC

"Tis better to die on your feet than live on your knees!"
 