This is the draft, of the first email that I plan to send to the list, later today, or maybe tomorrow.
Subject: [it-policy-discuss] Intro to IT Policy Discuss

Subject: Intro to IT Policy

I have accepted the task to write (the company's) official IT policy. Some parts of it seem like it should be common sense ... no porn, no piracy, no illegal stuff, etc. Some parts must be obeyed: regardless of whether you agree, your jobs may depend on compliance. Other parts can be mutable, as evidenced by the invitation to participate in these discussions. In all cases, it's possible to have judgement and/or consequence upon you, as decided upon by company leadership, human resources, and/or IT. The one common ingredient: It's all for a reason, and you're welcome to participate in forming those reasons.

In other organizations, I find IT is often a detriment. I've had IT people blocking traffic, forcing password resets, prohibiting free software, *preventing backups*, disabling USB ports, and all sorts of ridiculous interventions in my work. I recently had to wait 6 weeks for IT at another company to enable me to download a file from an external FTP server, because all traffic must pass through a proxy server which doesn't support FTP. I've worked in companies with locked-down firewalls, and no administration privileges on computers, and various other obstacles. I disagree with such strict IT policies.

Security often conflicts with Productivity. It is often difficult to find the best balance between the two. I have a strong tendency to promote productivity and freedom; much more so than most companies.

At another company where I work right now, they prevent access to the internet, block downloading EXE, ZIP, MSI, RPM, and TAR.GZ files, so you can't install viruses and stuff like that. They have crazy strong antivirus software, which slows everything down and blocks all sorts of stuff that should be allowed, and can't be uninstalled or reconfigured without the domain admin password. My strategy instead, is to allow you to download and install anything you want, use antivirus that stays quiet and out of your way, and utilize decent backups instead.

I wholeheartedly disagree with big corporation policy creation, where users feel there is no channel for feedback, change, or improvement. Corporate structure which embraces management dictatorship. Why create rules to enforce upon users, and choose not to solicit user feedback?

I started on the task of IT policy creation for (this company), by collecting the IT policies of other companies, and sifting the good from the bad. I am not joking, one company policy says "encryption software is prohibited," and another company policy says "encryption is required." Neither one explains the ideals behind the policy.

I have been witness to an employee being terminated, due to accidental discovery of everyone else's salaries, and subsequently requesting higher salary.

I have been witness to an employee being terminated, due to unauthorized entry into our neighbor's premises.

I have been hired by a company, whose very existence (all employees' jobs) hinged around a lawsuit regarding software piracy and infringement of software license terms. The disgruntled employees who reported the violations are the same ones who pirated the software, and were terminated for doing so, thus becoming disgruntled, and reporting the company for *their own* illegal actions. None of the other employees were at fault.

I have been present in a company which was going Chapter 11, where disgruntled employees began thieving laptops and equipment from the company. Some of these are top executive level employees, literally stealing laptops by tucking them under the coat while exiting. Thank you, video surveillance.

I have worked at a company, which was victim of industrial espionage. Literally our designs were leaked by some internal employee to some foreign competitor, and we found ourselves in competition against the Chinese version of our own products.

I have had the unpleasant experience, in the early days of remote helpdesk, to remote control a top executive's laptop to help him before some big important meeting, only to see him browsing porn before the meeting. I said, "Ok, are you ready to connect now?" "Yup." "Ok, I'm connecting to your screen now." "Oh, wait a minute while I close some confidential documents."

I have even seen personal intimate photos of employees' selves on their laptops.

The things that seem like they shouldn't need saying ... They need to be explicitly said. And explicitly agreed upon.

As I said, some parts of the policy you'll have no choice about. You'll be required to agree under consequence up to and including termination. Other parts we can discuss in this forum, and possibly shape as a result.

There are many forces pulling in different directions. Personal freedom often stands in direct contradiction of some other force, such as state or federal law, or values that are agreed upon by company leadership. Not everyone will always agree. And I have the difficult task of finding the compromise, which satisfies the legal and cultural requirements, without alienating too many of my friends and users.

The discussions that I want to engage you in, here in this forum, are particularly the controversial areas, which seem to require corporate change, and/or restriction of personal freedoms. If some freedom must be taken away, or some new rule imposed, I feel you deserve to know why, and you deserve to participate in the logic which reaches that conclusion.

And so on.
_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/