Ryan Pugatch wrote:
> So, here's what I propose to you as a solution:
>
> Rather than writing out a long list of rules, regulations, etc that your
> employees will ignore, focus instead on education.
>
> Example:
>
> Policy: Your password must be at least 8 characters long and include
> letters, numbers, and a minimum of one punctuation (!...@# etc).
>
> -versus-
>
> Education: It's important to have secure passwords to prevent
> unauthorized access to protected data. Secure passwords are at least 8
> characters long and have a mix of letters, numbers, and punctuation.
>
> With policy you are just barking out orders. However, with education
> you are informing the people of best practices and (more importantly) WHY
> it is a good idea they follow these practices. You're communicating the
> same information but in a more useful way.

Education only goes so far. You still need the policy. In fact the two go hand in hand. There should be a policy, with the education on why the policy exists and how to follow the policy.

In the end, you will need something to enforce. You always end up with chronic abusers. Having a policy will allow something to be done about it. Unless the business owners do not care about the business or its Intellectual Property, you need enforceable security.

This is not just IT, this also goes with physical security. Must always have badge. Must not allow people to tailgate into building. (Company I used to work at has had a big issue with that. People walk onto campus, tailgate in the door and walk out with notebooks. Big policy plus education steps being taken.)

-- END OF LINE --MCP

_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/