On 10/14/12, Karl Auer <kauer@biplane.com.au> wrote:
No-one has said this yet, so I will - why are people working around your normal network policies? This is often a sign of something lacking that people need in their daily work. You can often reduce this sort of

While that's no reason to stop looking for rogues... It's a good point that policy and planning there is a crucial element; more important than managing all network devices, or even having antivirus or firewalls.
Because humans are a weak point -- every enterprise has them: there are ways the humans can be exploited unwittingly, humans might sometimes follow an improper procedure, and the eventual occurrence of an incident related to human weakness may be inevitable. "Lacking something they need" is not likely. If it's really true that a forbidden thing is needed for their work, they should be able to persuade their org's leadership to create a variance from the policy, or implement a solution. It's more likely the network user introduces rogue devices because (1) The rule wasn't written down, e.g. it was actually an unwritten policy never carefully formulated into writing that nobody may just plug in whatever network device (wireless AP, 5 port switch, or Linksys router), even with a "good reason" to; the network users had no document to follow explaining the mandatory steps required to introduce a new device. (2) The people don't know what the policy, standard, or directive actually is: they haven't been administered adequate training and been quizzed appropriately on the relevant policies, standards, and guidelines; their role with regard to the policy is not understood properly. (3) The organization hadn't made its commitment to the pertinent IT policy clear. For example: the network user does not have high certainty that the audit controls and procedures in place will detect their infraction and remove unauth'd equipment. If they are made certain a violation will be detected and receive investigation, the rate of non-compliance could be expected to decrease.
Sometimes it's cheaper to give people what they want than to prevent them taking it. Maybe at least consider that as an option.
That depends on what 'they want', and what regulations apply to the organization. The feds may force various organizations into saying no, even if network users want it and the org. would prefer to allow it. If what the network users want is an unmanaged personal device on a corporate intranet, there are security considerations, which have a non-zero level of risk, that might be judged too high. Bandwidth and potentially firewall user licenses for i-devices to have continuous Facebook and YouTube access are not free. The possibility of required incident management for potential abuse cases. Possible SOX requirements to archive Twitter/Facebook "status update" message traffic.... etc. etc.
-JH