> From: Elizabeth Schwartz [mailto:betsy.schwa...@gmail.com]
>
> how did this go? If you feel like writing about it, I'm wondering how
> you went about introducing the idea of IT policy and how it went down.
>
> (thinking the idea of introducing a sketched-out policy and then
> inviting some discussion was a good one)
Perhaps my situation is unique because I work at a tech company. But I don't think so. I think, whether you work at a university, a finance firm, or whatever, users care about what restrictions they have placed on them, and what they're not permitted to do. They think up situations you didn't think of, and ask, "How am I supposed to _____?"

Within the first 24 hours, 50% of the company joined the mailing list. I will guess around 80% eventually joined.

I started out with the software policy, because formerly users were trusted to simply download and install anything they want. Most companies do things like ... simply blocking all software downloads, and sometimes disallowing admin priv on your computer, and so on. I wanted to find some middle ground.

The discussion focused on the goals to accomplish: Users must comply with terms of use, and some other rules such as "must be legal" and "no malicious software" and so forth. If we could accomplish these goals, then we have no need to forcibly restrict access to downloads and so forth. We got into a lot of important details, such as, some users are contractors and use their own laptops. Some users have commercial software they licensed personally. And so forth.

In the beginning, I proposed a very lenient rule: Users must email every time they install something, with a summary of terms of use and intended use. "This product is GPL, so it is permitted for unlimited free use, but there are restrictions on modification and distribution. Our intended use is for as-is internal use, with no intent to modify or redistribute. So there is no conflict between our intended use and the permitted use."

People were willing to go along with this. But another IT guy thought we could do better. It would be really tough to look up every license for every package you install ... let's say ... yum, or macports, or fink, or CPAN, etc. Also, if you literally send an email every time you install something, you're repeating a lot of effort. It's a small effort, repeated a lot of times.

In the end, we settled on: You must read the license, and perform the above email, unless some software has IT preapproval. You can find some IT conditionally preapproved packages in the following location _____. We do not expect to have everything downloaded from the internet, so any software using the following licenses is conditionally preapproved. "Conditional preapproval.txt" accompanies each downloaded file or type of license, and says something like "This is GPL. It is preapproved by IT under the following conditions: You do not intend to modify or redistribute any part of it. If you need to modify or redistribute it, then you require explicit approval." It is also possible to say, "The following yum repository consists of software with the following licenses, all of which are preapproved under the following conditions," and then whole repositories are preapproved.

So the end result, I feel, is quite elegant. Somebody has to explain it and show it to you one time (that's what company lunch is for; use it to roll out a new policy etc.), and along with the handbook, introduce new users to it during orientation. But after it's explained once, it's really simple, minimal effort, with no significant workload for either IT or end users. Best of all, it doesn't prevent anybody from being effective at their job.

There were many issues like this. Software licenses, passwords, password sharing, locking your computer when you're away from it, encrypting data on your computer, and so on.

"No taxation without representation." I feel the end result, because users were involved in the process to create the rules, is a set of rules that are better designed, and more effective both in terms of protecting interests and enabling people to do what they need to do. People are generally willing to comply. I don't have to be a Nazi. IT in this company is not "the enemy" as they are so often in other companies. It was a very successful negotiation, on both sides. ;-) I highly recommend "Getting to Yes" to anybody and everybody.

By contrast, I work at another company too, where the IT policy is so restrictive, it's difficult for anybody to get anything done. Can't download things, can't install things, can't send large things, email boxes are too small, response time is too slow to request some new software or access to some resource... Everybody complains and circumvents policy, and does anything they can to get their job done without getting in too much trouble. IT is the enemy. And I think this is typical for enterprise IT. You take your laptop to Starbucks to download the package via SFTP which your customer sent you, because outbound SFTP is blocked by the firewall. I personally don't see the benefit of such rules.

_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/