Acceptable Use Policies for Web 2.0
Sat, 2008-12-20 22:34
What are you doing about Web 2.0 and formal acceptable use policies? As a blogger from a state known to be a leader in the use of technology in government, I get that question a lot. The answer: quite a bit right now.

In Michigan, we are in the process of updating our current statewide acceptable use policy, which you can read at: www.michigan.gov/pcpolicy. We hope to have a new policy in place by this Spring (2009).

Meanwhile, Federal Computer Week (FCW) just ran a few good articles on this topic. The first one was called: A new take on personal-use rules. Here's an excerpt:

"...But the proliferation of Web 2.0 technologies and the evolving regulatory compliance landscape have compelled many agencies to re-examine their acceptable-use policies. Security executives point out that many of the acceptable-use documents in use today predate the advent of blogs, wikis and social-networking sites. Policies may also fail to reflect the requirements of such regulations as the Payment Card Industry Data Security Standard and the Health Insurance Portability and Accountability Act."

I must admit that I am a bit shocked by a statement from an expert at the National Institute of Standards and Technology (NIST). Here is the quote: “From a technology perspective, we don’t do Web site blocking or content filtering,” Szykman said. “We do perform network monitoring, but it’s done to monitor how people are using our network in order to help IT management and operations, and to help ensure security.”

So NIST doesn't block websites that are downloading malware or known porn sites? If that is true, I think they have set themselves up for some major problems. I am concerned if this is the filtering example (or best practice) for the federal government - but that's for another blog.

A related article from FCW discussed: The limits of technology. What is clear to me from these and other recent articles on Web 2.0 and employee behaviors is that we need to offer training and additional cultural change as we roll out new acceptable use policies that allow Web 2.0 and also accountability.

What are your thoughts?

Reader Feedback
Tue, 2008-12-23 23:48
Blocking Websites?
By E.J.Hilbert

"So NIST doesn't block websites that are downloading malware or known porn sites? If that is true, I think they have set themselves up for some major problems. "

Did you actually mean this? Websites don't download malware. People do it, and technology exists to block them from doing it.

If you want to limit access to sites because of decreases in work or the ability to post sensitive corporate data, that is one thing, but to claim you need to block sites because you believe they download malware, then you have a major problem.

Acceptable use policies are needed and are often seen as restrictive but they can also be educational. They can be written and presented in such a way that the user is educated why something is blocked and how blocking this can protect the company and the user personally.

Blocking alone will result in curiosity, and that will result in workarounds.

Once people are taught why things are blocked there will still be those who will break the rules and those people need to suffer the consequences. So remember this when you are writing your policy:

Policies and procedures are great but truly mean nothing unless they are enforced.

You must include the consequences in the policy, and you must include a true and logical enforcement methodology.

Sat, 2009-01-03 15:43
Blocking Websites

Thanks for commenting.

Regarding your comment: "Websites don't download malware." Yes, some websites have been compromised.

See these articles as a start (there are many others):

'Legit' website compromises reach epidemic proportions

"Over the last year malware authors have moved away from direct attacks — attacks in which they directly interact with victims, via social engineering for example — to indirect attacks accomplished through compromised websites," said Mary Landesman, senior security researcher at ScanSafe.

Tackling the threat from compromised websites

In addition, we block advertisements with web filters in Michigan and reduced bandwidth use by over 30%.

Thanks again,
Dan

Sun, 2009-01-11 05:24
Malware Download
By EJH

I think you are misreading my comment.

A website can not force a user to download malware.

The user has to agree to the download or have left their system open to allow the download to occur.

Bad guys know that people are often stupid and thus compromise legit sites (that were left exposed for whatever reason) and then rely on users to OK anything pushed at them.

For every filter put in play there is a way around it.

If you want to win the war, you need to educate users rather than just allow them to remain ignorant of the threats.

This is the problem with information security professionals. Too many rely on the technology rather than on education.

We have told people the technology can protect them, and then we wonder why the technology is vilified when someone gets compromised.

Do you give a kid a car without first educating them on the rules of the road and the workings of the car?

When that kid runs the car into another car because he was looking at a person walking down the street, do we then blame the car for the accident, or the car maker? No, because the kid knows it was his fault.

You can have the strongest outer shell, but the soft center known as the users will always be your biggest threat.

You can filter all you would like until someone realizes what you are doing and then sues you for censorship or discrimination or some other trumped-up issue.

"We were doing it to protect you" is not a defense.

"We were doing it to protect ourselves"? Then the question will be the justification for limiting some people's access while not others'.

It's a slippery slope.

Tue, 2009-02-03 10:02
Malware and spyware can get
By I am vik's

Malware and spyware can get downloaded silently and do not need the user's permission; this is the 21st century... things are getting automated, :-)
