Thanks for nothing PineRidge.....LOL

   / Thanks for nothing PineRidge.....LOL #21  
Inspector,
May I ask if you are a unionized employee or management?
 
   / Thanks for nothing PineRidge.....LOL #22  
( I find this statement to be unacceptable, to say the least. )

( You will be advised of Technology's response to your request. )

I have been down this road before. That is why I suggested to you the undeniable proof it was you at your computer.
Without knowing your IT policies and procedures these are assumptions on my part.
1. Without biometrics and programs/procedures/policies to enforce them "properly" there is NO way they can prove you're driving the machine at some time.
2. Time itself can be altered
3. Machines can be remote controlled
4. Your entire IT infrastructure could be compromised and they don't know it
5. Your IT staff is following some trail program, but has not the knowledge or research available to see the bigger picture
6. Are the policies and procedures defined as monitoring/corrective action available to see as you are using your computer?

Please feel free to send me a PM and I can give you some personal accounting of a similar situation.

People are presumed innocent until charged guilty.

-Good luck.
-Mike Z.
 
   / Thanks for nothing PineRidge.....LOL #23  
( I have been down this road before. That is why I suggested to you the undeniable proof it was you at your computer. )
Mike.. That is what I was saying in my post above. In all of my policies that I write, it doesn't matter. Most companies with a good IT/IS staff and fully fleshed out security policies are the same way. To put it bluntly... if person A is able to do something and make themselves look like person B, then person B is still at fault (possible firing offense if passwords were freely given to another person, but still requiring disciplinary action even if the user legitimately lost a password due to writing it down or something).

( 1. Without biometrics and programs/procedures/policies to enforce them "properly" there is NO way they can prove you're driving the machine at some time. )
Whether it was or wasn't shouldn't be the issue... see above response. What was done and how it was done are the only two issues.
( 2. Time itself can be altered )
Not with properly configured domain security. Take for instance, our users are standard users only. They cannot install software, change settings or do much of anything other than what the defined use for that PC is. In our entire organisation, there are only 3 computers that regularly run with anything higher than standard user privileges. When good security practices are followed, there is a defined use for a computer. The computer should be configured so that it will function ONLY for the defined use. This single item is the biggest saving grace for a company with tight security. In most cases a computer cannot be infected with a virus even if there were no antivirus software installed. The virus tries to gain hold and write itself all over the PC but can't because it has to get a foothold with the same authority as the user (who basically has none). There is only a VERY small subset of viruses that use Operating system flaws as the entry point, probably less than .5%. Those still require traditional anti-virus software and diligent patching of OS and applications to protect the PC. In a typical corporate environment with tight security, spyware also is a non-issue. It cannot install itself because of the tight security configuration.
( 3. Machines can be remote controlled )
Only by administrators, and all allowed remote control programs installed in a domain should create logs.
( 4. Your entire IT infrastructure could be compromised and they don't know it )
Only if it is run by a ragtag band of wannabes or people with no real world experience (paper education only).
( 5. Your IT staff is following some trail program, but has not the knowledge or research available to see the bigger picture )
This one is entirely possible.
( 6. Are the policies and procedures defined as monitoring/corrective action available to see as you are using your computer? )
I can't comment on that one because I'm not quite sure what you are talking about.

Don't get me wrong with any of the above. From everything Inspector has told us, it sounds like he has nothing at all to worry about if the IT staff is any good. But with the above, I'm just saying that the arguments you are presenting won't really matter (due to the points I mentioned) if there is a really strong and fleshed out IT security policy in place.
 
   / Thanks for nothing PineRidge.....LOL #24  
( Don't get me wrong with any of the above. From everything Inspector has told us, it sounds like he has nothing at all to worry about if the IT staff is any good. But with the above, I'm just saying that the arguments you are presenting won't really matter (due to the points I mentioned) if there is a really strong and fleshed out IT security policy in place. )

I might have read Inspector's post wrong, but to me it sounded like they were collecting data on his person and presenting it to authoritative sources for possible action.

I was offering comment to attack this possible action head on by raising issues related to policy and procedures that most likely would put the onus back on IT. (I.E. you accused me, well let me see, where do we start, bring a bigger club to the conversation)

A person's reputation is at stake because of a computer log? Give me a break.

( To put it bluntly... if person A is able to do something and make themselves look like person B, then person B is still at fault )

You're kidding right? Did you see that court case against some teenager against a port authority, DOS attack? I think THAT is reality.

-Mike Z.
 
   / Thanks for nothing PineRidge.....LOL #25  
You are talking about home users. Completely different scenario. In a corporate environment, things are and should be different.

Absolutely... if person A is able to use person B's credentials in a corporate environment, then the person B is at just as much fault as person A. For that to happen, person B will have had to violate a well written security policy in some way, shape or form. Either they wrote their password down and someone picked it up (disciplinary offense), they walked off from their PC without either logging off or locking the console (disciplinary offense), or they typed their password in with someone watching, in which case if they immediately go somewhere in private and change their password, they are OK. If they do not change it and someone uses their credentials, they are still at fault.

Now I'm not saying that the above is the way it should be "out of the blue". But in a corporate setting where users are trained on a security policy BEFOREHAND (as they are in my shop), then absolutely... both user A AND user B will be receiving disciplinary action.

All that above is statements purely dealing with the scenario "someone got my credentials". Now assuming that person A listed in the logs truly is person A, then the IT department absolutely must use the log to determine usage patterns... not JUST the links that show as hits. A user cannot and should not be held accountable for linked items that are out of his control. As I said in a previous posting, even if he did willingly browse to a bad site, the log should show how long he stayed and what he did while there. If there is obviously just enough time for the user to see the site and realize he shouldn't be browsing there on company time, then he has done good and should not be put through this stress.
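
An added example, not part of any post in this thread: one way a log reviewer could separate raw hits from pages the user actually visited and measure how long he stayed. The log layout, host names and the rule "a text/html response is a page visit, anything else is an item the page pulled in" are assumptions made for the illustration (embedded frames would need extra handling).

```python
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the thread):
# time, user, URL, response content type, referer ("-" = none)
SAMPLE_LOG = """\
2005-03-14T10:02:11 jdoe http://news.example/ text/html -
2005-03-14T10:02:12 jdoe http://ads.example/banner.gif image/gif http://news.example/
2005-03-14T10:02:12 jdoe http://tracker.example/t.js application/javascript http://news.example/
2005-03-14T10:05:40 jdoe http://flagged.example/ text/html http://news.example/
2005-03-14T10:05:41 jdoe http://flagged.example/logo.png image/png http://flagged.example/
2005-03-14T10:05:48 jdoe http://intranet.example/home text/html -
"""


def summarize(log_text):
    """Per (user, host): hit count, whether the user navigated there, dwell seconds."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, url, ctype, _referer = line.split()
        rows.append((datetime.fromisoformat(ts), user, urlsplit(url).hostname, ctype))
    rows.sort()

    report = {}
    viewing = {}  # user -> (host, time the user arrived on it)
    for ts, user, host, ctype in rows:
        entry = report.setdefault(
            (user, host), {"hits": 0, "navigated": False, "dwell_s": 0.0})
        entry["hits"] += 1
        if ctype != "text/html":
            continue  # image/script pulled in by a page: a hit, not a visit
        entry["navigated"] = True
        prev = viewing.get(user)
        if prev is None or prev[0] != host:
            if prev is not None:  # leaving the previous site closes its dwell time
                report[(user, prev[0])]["dwell_s"] += (ts - prev[1]).total_seconds()
            viewing[user] = (host, ts)
    return report  # the last site viewed keeps dwell_s 0.0: its end is unknown


if __name__ == "__main__":
    for (user, host), info in summarize(SAMPLE_LOG).items():
        print(user, host, info)
```

On the sample, the ad and tracker hosts show up as hits the user never navigated to, and the flagged site shows a visit of a few seconds before the user moved on.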
 
   / Thanks for nothing PineRidge.....LOL #26  
( A person's reputation is at stake because of a computer log? Give me a break. )

ABSOLUTELY!!!! A corporate environment is NOT EVEN CLOSE to a home user scenario. Send child **** from a corporate computer? It will make your head spin how fast the police/feds are in there gathering logs. The information in those logs will be used to do a lot more than just tarnish a person's reputation. If they show the accusations are true, the person would be lucky if those logs don't wind up making them someone's sweet thang in prison.

I'm not even going to start trying to explain logging as it relates to complying with the Sarbanes Oxley act.

Or mandatory email logs. A corporate entity MUST maintain email logs basically forever. If a corporate entity is ever subpoena'd and cannot produce logs and/or the actual email, then they are in deep "you know what".

You better bet, in a corporate environment, logs are LAW.

Welcome to the world I live in every day.
 
   / Thanks for nothing PineRidge.....LOL #28  
( Ordered Pizza lately? )

Yep. That about sums it up.

-Mike Z.
 
   / Thanks for nothing PineRidge.....LOL #29  
Public education is a good thing. The National ID system if it ever takes flight, just like the DRM that I mentioned above puts too much power/knowledge in the hands of the corporations and government. They both can have some very very good and helpful uses, the sad fact is that it is far too easy to abuse the power that those technologies provide to the corporation or government.

Even though I touch on DRM above, it was to show the flip side of the coin. i.e. National ID system/DRM/Tracking = too much power in the hands of corps/government. People should be able to use a computer as they see fit in their own home... and do it in complete and utter privacy. In a corporate network, those aren't valid issues... it is the company's computer. It is their data and their programs on that computer. The corporation, not the person sitting in front of the computer, has 100% right to say how the computer is used and 100% right to anything stored on that computer.... in many cases they have 100% right to anything created on that computer.

Even though they are similar in concept, the national ID example and the main topic of this thread are 100% opposite sides of the coin.
 
   / Thanks for nothing PineRidge.....LOL #30  
Riptides and Shoppingtractors... here is the main point of the issue.

The computer ***OWNER*** has complete control over his own computer and should have the "right" to do anything he pleases with it (of course as long as that doesn't involve breaking some other law) and also should have complete say in how that computer is used. It doesn't matter whether that owner is a person or a business.

It is hypocritical to say that you think you should be able to do as you please with your home computer, and then to think that the company can't do the same with theirs... up to and including logs and monitoring software that verify that the systems are being used in a way that conforms to their policy. This really is a black and white issue.

If logs and monitoring software ARE used though, it is imperative that they are used fairly.. and that is what this thread is about.