Subject: Re: tweaking PC setups
Date: 03 February 1995 08:23
This is something of a bureaucratic question for the policy wonks out there.
>> You could use [Restrictions] in PROGMAN.INI and not allow the users to
>> change their icons or positions, to install new ones, take the File menu
>> (Program Manager) away, no MS-DOS prompt, no File Manager, and get
>> them directly into Windows without a break. I am using it that way with
>> Trumpet Winsock etc.
>And any knowledgeable user/student will know how to take those limitations
>out of their PROGMAN.INI.
If one of my corporate users went to such lengths, intentionally removing
the protections placed on their configurations, I'd be making a formal
request for an administrative reprimand. When their actions have the
potential to toast the entire net, the network manager's word should be law.
Which, of course, brings me to my question:
Do your responsibilities as 'the network guy' or 'the security
guy' extend this far? Do you have the authority to deliver an
administrative (read: personnel file) reprimand to users who
ignore your policies/procedures?
Should such authority be part of a developing firewall policy? It's
often been said, in this forum, that the technology is only half the
battle; the *people* are the other half. Frankly, I should want some
sort of recourse for the person who insists on a clandestine modem,
mucking with his config, et cetera...
Given that our responsibilities as 'network folks' span the bureaucratic
maze, affecting virtually every department of our organizations, it would
seem that we need some authority that crosses those borders.
Of course, we could always just cut off that segment of the network until
the recalcitrant user sees the light (or has it shown to him). 8)
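For readers who have not seen the [Restrictions] section the first poster refers to, the following is an added illustration, not text from either poster. The key names are the ones Windows 3.1 Program Manager reads from PROGMAN.INI; the two sections contrast an unrestricted setup with one locked down along the lines described above (no File menu, no Run, settings cannot be saved). It is a file in the user's own Windows directory, which is exactly why the second poster's objection stands: anyone who can edit the file can remove the lines again.

```ini
; Added example of a PROGMAN.INI [Restrictions] section (not from the thread).
; An unrestricted setup is simply the absence of the section, or all keys = 0:
[Restrictions]
NoRun=0
NoClose=0
NoSaveSettings=0
NoFileMenu=0
EditLevel=0

; The locked-down variant described in the quoted post:
;   NoRun=1          removes File/Run, so no MS-DOS prompt or arbitrary EXE
;   NoClose=1        user cannot exit Program Manager (and thus Windows)
;   NoSaveSettings=1 icon/window positions are not written back on exit
;   NoFileMenu=1     removes the File menu entirely
;   EditLevel=4      no creating, deleting or editing of groups or items
[Restrictions]
NoRun=1
NoClose=1
NoSaveSettings=1
NoFileMenu=1
EditLevel=4
```

Only one [Restrictions] section is honoured in a real PROGMAN.INI; the two are shown together here purely to put the weak and the hardened settings side by side. Note that none of this is access control in any meaningful sense: the restrictions are read from a plain text file the user can write to, so they deter the casual user and nothing more, which is the point the reply above is making.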
Wes has covered some of the key fundamental issues of risk management.
Unfortunately, most enterprises ignore them completely.
Risk management is just like information management. If an enterprise has a
number of people working in individual pockets with no one having clear
executive control, the (well intentioned) actions of one person can screw things
up for everyone else. Very often, the actions are entirely selfish.
There are some clear steps to solution which we all claim to be familiar
with. First we identify the issues and develop an approach to a solution.
Then we produce a specification vendors can bid against. Having procured a
system we implement (including training the users), then we maintain it. At
least that's the theory, and some folk are better at it than others.
Many people may fail at each step to some degree because they are working
with inadequate budgets or don't know how to measure cost and price. They may
also have inadequate authority.
The most common failing is in maintaining a system after it has been installed.
There are many possible reasons for this, but the most common one is that
the person charged with the nominal responsibility does not have the time to
monitor or the power to ENFORCE. In many cases that lack of personal power
is made more dangerous because there is no clear reporting route to someone
who does have the power.