IT Security and Human Resources have to work closely together. In most
corporations, IT Security, unless they work directly for the CEO, cannot
direct a manager to take disciplinary action against an individual for
abusing computer systems or productivity losses due to Internet surfing,
excessive personal use of e-mail, etc. Human Resources personnel can
either direct or strongly recommend a user's manager take action.

In our company, the IT Security Department works closely, on an almost
daily basis, with HR personnel and it seems to work. We, IT Security,
only identify the internal problems - HR takes it from there.

Johnie Wood
Manager, IS Security Services


"Ryan Reynolds" <[EMAIL PROTECTED]>
Sent by: firewalls-owner@Lists.GNAC.NET
06/23/2000 10:21 AM

To: [EMAIL PROTECTED]
cc:
Subject: Re: Absurdity Continues (Was: "Re: icq")

There are two different aspects to this ICQ debate that I think are causing
some confusion in this conversation:

1.  ICQ is a network security risk.  It is possible to have a host
compromise or a virus issue due to ICQ.  This is an infosec issue.

2. ICQ, in most cases, is not directly related to employees' work, and thus
can be considered a waste of company time.  Employees are paid to work, not
to chat with their buddies.  This is a human resources issue.

To clarify #2 above, imagine instead of ICQ, that an employee brings a deck
of cards to work and plays poker with a few of his/her friends in the
middle of the work day.  This is, quite simply, a loss of productivity.  It
is not a security issue, it is a management/HR issue.

Just because something occurs on a company's network, it is not necessarily
an infosec issue.  If you have employees that are not working when they are
supposed to be, regardless of what it is they are doing, refer it to
management/HR.

-Ryan


[EMAIL PROTECTED] wrote:

> I would say that computer security does not relate to people wasting
> their time on the Internet. You can prevent certain types of abuse of
> Internet resources, but if the fundamental problem is that people spend
> their time in something that is not productive, you will not solve that
> problem with "computer security" and you will end up in an arms race
> against people that seem to have nothing else to do and no boss looking
> over their shoulder, and you will always lose.
>
> I think you must put some obvious controls, and let people know that they
> are being logged and that the logs WILL be analyzed. A good report is
> better than a sophisticated hand-made filter that will always have an
> interesting hole.
>
> Finally, I agree, HR is no panacea, but I think that the resource being
> most abused in this case is actually the human resource - am I right? I
> think it is their job to manage it.
>
> Carlos
>
> "Albrechtas, Adam" <[EMAIL PROTECTED]> on 23/06/2000 11:37:25
>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> CC:    (bcc: Carlos Moran/LAG/LSR/LAR/CPC)
>
> Subject:   RE: Absurdity Continues
>
> I would say it has nothing to do with HR since it is strictly a
> computer security issue (or even a QoS, at a stretch).  I guess it
> all depends on who is ultimately responsible for System Security,
> Data Security, and QoS in your organization.  It is my belief that HR
> should have nothing to do with computer security since they rarely
> (if ever) have any knowledge in the area.
>
> -----Original Message-----
> From: D Clyde Williamson [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 23, 2000 10:14 AM
> To: [EMAIL PROTECTED]; '[EMAIL PROTECTED]'
> Subject: Re: Absurdity Continues
>
> "Norman R. Bottom" wrote:
> >
> > RE: "Turn It Over To Human Resources"
> >
> > In difficult matters, fathers say, "See your Mother." Some firewall
> > folks say, "Turn it over to HR.." What a joke ! Anyone who has been
> > involved with security for a year or two, knows that Human
> > Resources is not a friend to good security. Period. :->
> >
> > Blessings,
> >
> > Norman
>
> Dealing with what employees do during office hours is not a security
> matter. Unless, of course, they're stealing data or cracking servers.
> If it is against HR policy for users to look at certain types of
> material on the Internet, then it is HR's responsibility to deal with
> that policy.
>
> If your HR dept is not helping you with *security* matters, then you
> need to get that fixed.
> - -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]