
Security Gone Awry

A very good friend of mine over the years just lost his job. He was a deputy program manager with a very large corporation that has a well-advertised computer usage policy that does not allow files that are not business-related to be on any of this corporation’s computers. My friend was on vacation for a while, and during this period he transferred several attachments sent to him by a family member to his USB storage device. When he went back to work several weeks later, forgetting the contents of this device, he used it to make a “sneakernet” file transfer from his computer to another. This corporation has implemented a mechanism such that starting the instant a computer connects to its network, all files in that computer’s file system are immediately backed up. Unfortunately for my friend, the USB storage device had the files that his family member had sent him, and so these files were also backed up. Soon thereafter someone identified these files as non-business-related, triggering a swift termination procedure for my friend.

If what happened to my friend were the only story of this kind, I would not have taken the time to write a blog entry on this subject. Unfortunately, however, I have become aware of numerous incidents involving unduly harsh punishments meted out to unfortunate employees who did not intend to violate an organization’s information security policy. In one case, an employee got into a lot of trouble because this person’s organization forbade the use of corporate email for personal reasons. Using his best judgment, while on the job this employee responded to a message that was borderline in its content—in some ways it appeared to be business-related, but in other ways, it did not. A technical staff member whose responsibility was to monitor the content of email traffic flagged the message as non-business-related. At an ensuing hearing, management backed the technical staff member’s judgment and subsequently issued a formal reprimand that went into the employee’s personnel folder, thereby limiting that employee’s career growth potential from that point on.

In yet another ugly episode that occurred nearly ten years ago, a system administrator launched a set of vulnerability scans within the portion of the network for which he was responsible. Unfortunately for him, the scans were not configured 100 percent correctly. A few hosts within the purview of another system administrator were thus also scanned, something that triggered an alarm. My suspicion is that very little would have resulted from this mistake if not for the fact that one of the machines that was accidentally scanned was the computer owned by a high-level manager. This machine was vulnerability-riddled and so badly misconfigured that it constituted a major security hazard, something that was apparent to all who inspected the scan results. The manager threw the book, so to speak, at the system administrator, charging him with unauthorized access to his computer as well as other security-related misdeeds. After a dreadfully long and painful process, the system administrator was for the most part, but not completely, vindicated.

The point of these depressing accounts of employees being nailed for marginal infractions of information security policies is that security does not exist for the sake of security. Blindly applying the provisions of such a policy (and especially the punishments prescribed in it) leads to incredible injustice. Information security must be reasonable. Creating an information security policy, something that I have discussed in previous blog entries, is very important, but enforcing the provisions of a policy in a reasonable manner is just as important.
