May 17, 1999
How Much Should Employee Computer Usage Be Controlled?
By Steven L. Telleen
Q: How workable are the following policies? To protect our systems from viruses, all disks or software downloads must be scanned for viruses by the Data Processing department before they are loaded onto our system. And to restrict unlicensed software from our computers, the Information Systems department must approve the purchase of all software.
A: My first reaction is that I hope your central IS group has a lot of resources and a compliant user base. I have not seen anything quite this restrictive in any organization. One pragmatic reason is that unless your organization is quite small, you are not going to be able to enforce your policy. Perhaps more important, though, the policy is faulty, since there are other methods that can provide better protection in a world in which many workers do not follow IS policies to the T.
In order to protect against virus infestations, most organizations with which I am familiar use a two-pronged approach: a virus checker on their proxy or gateway server, and also a virus checker on each user's computer. This is supported by a policy that states how often users need to update their virus patterns from the vendor's Web site and cautions users to scan all incoming files.
As for approving all software purchases, this is a policy I have generally seen put in place to simplify support issues, and not as a way to thwart illegal use of software. There certainly needs to be a policy about using software illegally, but enforcing it with central approval may not be the best approach. One school of thought says it may increase liability, because by taking on responsibility for approval and monitoring of all software on an individual's system, your organization is now liable for anything the IS people miss.
Alternatively, if you have a policy with clear direction and sanctions, but you don't monitor, you may have more protection against liability in the event that someone gets caught violating the policy and you then invoke the sanctions specified in your policy. Also, consider that application programs are not the only software protected by copyrights; content is protected as well. In a networked environment, attempting to centrally authorize all content saved to an individual's hard drive is an impossible task.
I generally am opposed to overly controlled systems. While they make the people who implement them feel more in control, they frequently cut back on productive use of the expensive infrastructure, are often solving problems that can be solved in other ways, and usually are not enforceable without crippling the benefits of this technology.
The world is not a safe place--but we still let our children play with other children, even though they could get hurt or contract a life-threatening virus. We still get in our cars and drive, although a drunk driver could hurtle into us at any moment. I would take a serious look at the need for the kinds of restrictive policies you've mentioned. Do you really have a situation that warrants this type of resource expenditure, and a lack of confidence in your users to do the right thing?