On Tue, 22 Feb 2005, ArkanoiD wrote:

> Ok, the bottom line is: I prefer an implemented and working security policy
> over an "ideal" one that is being constantly violated. And - accessing

If your policy is constantly being violated, you have larger problems-
changing to a more "popular" policy won't fix the underlying issue.

> an external email server with proper content inspection in place implements
> exactly the same filtering policy the local server does, so I doubt the risk
> is higher, and it brings a feature to separate corporate email from
> personal, which is often useful.

This depends on your environment- in most U.S. corporate environments, the
risk is higher, because people tend to get things in personal mail which
aren't appropriate for the workplace, and which may contribute to a
hostile workplace claim.

> Non-performance issues. Hah! You really do think someone will work more
> efficiently if you just prohibit him from spending work time on
> non-business issues? I say plain NO. Any decent book on managing IT

No, I think that being able to show that they're not spending company time
on non-work issues is significantly easier when they're not allowed to
access personal computing resources, I think that monitoring for
compliance becomes significantly less tricky in regards to privacy issues,
and I think that if you do have a problem, being able to fully investigate
the problem without having to file lawsuits to get to the information is
much, much simpler- and fraught with less murky gray areas in regards to
privacy, competition, appropriate usage, exposing employees to a hostile
environment, etc.

> projects states it works exactly the reverse.

Terminating someone for non-performance is much different than having an
employee who doesn't perform. What you can look at, under what
circumstances you can investigate, and how you measure policy compliance
all change significantly when non-company resources come into play.
There's also the open question of third-party privacy and liability
concerns- if I'm taking action against someone for non-performance based
on personal e-mails (say running a side business from their desktop- since
I've seen that one in practice)- now I'm suddenly potentially exposing the
third parties who e-mail them to investigation, while they're assuming
that the communication is between them and the individual whose account it
is- depending on the circumstances, that can be a _huge_ problem.

However, I will categorically state that the places I've been where folks
don't allow personal access and where they do monitor for compliance have
significantly less "recreational" activity going on during business hours.
But then those places don't have issues with non-compliance because they
don't change the policy if it isn't popular, they change the employee if
they can't comply.

Paul D. Robertson
paul@compuwar.net
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
firewall-wizards mailing list