Re: [lopsa-tech] Personal use of company IT equipment
Kate Harris wrote:
>> You then use the corporate legal policy to create an IT policy that 'conforms', i.e., personal data will not be tolerated (or backed up and restored) on company laptops.
>
> I'm not sure I want to go so hard on personal data, but... if the policy exists it doesn't have to be fully enforced all of the time, just if needed.

It has to be enforced consistently, or else it can be held to be unenforceable. You can't fire user X over doing un-allowed-activity-A, where users Y and Z do it and get away with it.

--
-- John E. Jasen ([EMAIL PROTECTED])
-- No one will sorrow for me when I die, because those who would
-- are dead already.
-- Lan Mandragoran, The Wheel of Time, New Spring

___
Tech mailing list
Tech@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
Re: [lopsa-tech] Personal use of company IT equipment
>> And this is where I'm hitting a problem; wise-assed users and a problem with lots of personal files being stored on company laptops (I don't just mean a letter to the local council; I'm talking GBs of...
>
> This is where a talk with HR and legal is *definitely* appropriate, as they can set the kinds of policies that you need to fix the problem. At $WORK, it's a simple policy that states that no copyrighted material or software not licenced by $WORK is to be put onto company computers (servers/desktops/laptops). This includes software and materials for which the individual may have purchased personally.

Definitely a detail I should clarify in the AUP; it currently only mentions unlicensed software.

> The reasoning - $WORK can get into serious legal problems with the licence and copyright holders, which can result in expensive lawsuits.

Oh yes!

> You then use the corporate legal policy to create an IT policy that 'conforms', i.e., personal data will not be tolerated (or backed up and restored) on company laptops.

I'm not sure I want to go so hard on personal data, but... if the policy exists it doesn't have to be fully enforced all of the time, just if needed.

> You'll still get the occasional laptop with pictures from the employees' digital camera, and personal documents and letters, but the bulk of the junk will now be fair game for removal, and you can then reset expectations for other personal data stored on the machine by including a policy that the company is not responsible for such data on laptops, and standard service measures may cause it to be deleted.

"the company is not responsible" that's the jobbie. Thanks.

> It helps if you also provide good backup mechanisms for the data that really should be on the machines,

Ah. Therein lies a little problem in that the software we use is awful, but it's been paid for so there's no appetite from finance to spend more money there. Ah well.
That said, users are not supposed to store data on local drives anyway, so if it's not on the fileserver it's not going to be backed up anyway, so that covers that base. But again, good points, thanks!

--
http://www.totkat.org/
[lopsa-tech] Personal use of company IT equipment
Hi all,

having come into a relatively established small company a little while ago there were a number of big ticket things that needed to be done which took up most of my concentration for the first few months. Now they're done, the tidying up of the corporate systems and facilities is beginning.

And this is where I'm hitting a problem; wise-assed users and a problem with lots of personal files being stored on company laptops (I don't just mean a letter to the local council; I'm talking GBs of iTunes, movies, photos etc.) along with a culture that people treat company laptops as if they were their own. While I see no problem with a little reasonable personal use, 40Gb of movies on a laptop including the odd little trojan on funny video clips is causing problems for my desktop staff when they're supporting users (especially when said users expect/demand that all of their personal stuff be copied onto any new machine they get during rebuilds).

Obviously I need to have a chat with HR and legal about this before kicking off communications to the whole company along the lines of "stop taking the mickey, people", but having never done this kind of thing before (I'm a pointy-end operations person by experience, not corporate IT which came as an added bonus in this job) I'm not sure how to go about the whole culture change on use of laptops. My gut feeling is to go in hard and say "stop it or we'll delete it all for you", but I know that's not going to win hearts and minds.

The other thing is that whichever tack I take on this, there are a good few users who will argue and poke holes and try to find ways to circumvent whatever is mandated/requested. There is something in the AUP, but it is quite permissive: "Employees are responsible for exercising good judgment regarding the reasonableness of personal use."

Anyone here have any advice to offer on good ways to get the ball rolling without causing a riot amongst my users?
K

--
http://www.totkat.org/
Re: [lopsa-tech] Personal use of company IT equipment
>> Anyone here have any advice to offer on good ways to get the ball rolling without causing a riot amongst my users?
>
> Without creating a riot amongst the users? That's easy -- you ignore the problem and hope it goes away.

Tempting...

> You pretty much have to get HR and legal involved as step one. Just as IT, you pretty much have no enforcement power

Indeed and thankfully HR are very much on board with supporting (metaphorically) slapping people for breaking policy and I had legal check the policies (AUP, password, general security, VPN and server) when I first wrote them, so they're happy and on board as well. I took note of other people's experience in small companies like this one as well as my own in other companies, and made sure of HR, legal and top management buy-in before communicating policies. It is probably one of the key things for internal IT to create and maintain a good relationship with HR, legal and finance and, oh boy, has it helped me here so far.

> and will make a lot of enemies attempting to get some. If the people with enforcement power (read: HR and legal) won't make a policy and actually enforce it, then you're back to the easy method above -- ignore it and hope it all goes away.

Totally agreed. I feel sorry for people responsible for corporate systems who don't have the backing of HR/legal/finance.

--
http://www.totkat.org/
Re: [lopsa-tech] Personal use of company IT equipment
2008/11/10 John Jasen [EMAIL PROTECTED]:
> Kate Harris wrote:
>>> You then use the corporate legal policy to create an IT policy that 'conforms', i.e., personal data will not be tolerated (or backed up and restored) on company laptops.
>>
>> I'm not sure I want to go so hard on personal data, but... if the policy exists it doesn't have to be fully enforced all of the time, just if needed.
>
> It has to be enforced consistently, or else it can be held to be unenforceable. You can't fire user X over doing un-allowed-activity-A, where users Y and Z do it and get away with it.

Oh indeed. Once the seal is broken on severe punishments for transgressions consistency must be applied. But there are degrees of transgression in this case - a letter to a solicitor accidentally saved to a laptop and forgotten about vs. GBs of copyright material which was not legally purchased. Reasonable and proportional response is implicit in the policies at the moment with the wording "may be subject to disciplinary action, up to and including termination of employment" where disciplinary action may start with a stern word from a line manager which doesn't go on file.

--
http://www.totkat.org/
Re: [lopsa-tech] Personal use of company IT equipment
2008/11/10 Ski Kacoroski [EMAIL PROTECTED]:
> It is critical to get full buy-in from the top (CXX folks). In fact, they should be the ones that break the news to the employees (you can draft it) and they should set an example (e.g. I made this change and this is why). If employees see the CXX types not following the policies, then it is very, very difficult to get the rest of the folks to buy into the policy. I have been at several companies where it went both ways and the times when the CEO made the announcement with a personal bent made all the difference.

Absolutely. The first set of policies went out from the top of my line management tree (the COO) in an email I'd drafted; and I fully intend this one to as well. Like you say, leading by example from the top is the way to go. I just have to explain it once to the COO in terms that make sense to him, then Bob is, as they say, my uncle.

> Good luck,

Thanks!

--
http://www.totkat.org/
Re: [lopsa-tech] Personal use of company IT equipment
2008/11/10 Jack Coats [EMAIL PROTECTED]:
> I agree. You need to get with management/hr and design an appropriate WRITTEN policy. They might want legal to draft it, so it will 'stand up' especially during transition of cultures.

Indeed. Given that we have the luxury of a few lawyers here, I always run stuff like this past them.

> I would suggest that folks be warned that if they want files saved, they need to back them up because only a 'standard system image' can be loaded. This keeps you from having to try to copy things off possibly infested laptops. If they are company related files, the USERS should copy them to the server. If a 'random audit' then finds 'inappropriate material' on the server, then the policy about that should be invoked (only company licensed materials are allowed on servers).

Current policy is that all data goes on the fileserver and not on local drives (that said, all laptops are whole disk encrypted in case they go walkies, but that doesn't help us with actual data loss), but human nature being what it is... a reminder is probably overdue and the special exception below for special users needs to be in place first.

> And you only backup servers.

Not hard thing to say because it's true :o)

> If you have real 'road warriors' (sales droids that stay on the road 90% of the time or so) then you may need a 'special' policy for them that includes remote backup software that only backs up a 'business' directory, other than that the image should be 'standard', and antivirus / spyware/ etc and other security measures should be implemented by default.

I'm thinking that's a pretty good idea. We do have a few people like that and the rest don't need to keep stuff locally, so we could ditch the awful desktop syncing software generally and get a few licenses for something a lot more suitable for the guys who are out of the office the majority of the time. Any suggestions on something Windowsy for syncing that's not hideous?
> Just some thoughts I have had to help implement. ...

It's all useful stuff; thanks!

--
http://www.totkat.org/
Re: [lopsa-tech] Personal use of company IT equipment
On 2008 Nov 10, at 18:36, [EMAIL PROTECTED] wrote:
> legitimate reasons to care are (in my opinion):
>
> 1. no space to install stuff that they need
> 2. you are backing up more stuff and it's costing you.
> 3. you are worried that they have illegal things on there and that you will get in trouble over it.

4. The IRS is making noises over personal use of company-owned resources (we got dinged over cellphones by this; we no longer get cellphones as a result). You need legal and HR involved in this case.

--
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] [EMAIL PROTECTED]
system administrator [openafs,heimdal,too many hats] [EMAIL PROTECTED]
electrical and computer engineering, carnegie mellon university KF8NH