Computerworld - Over the last couple weeks, we've had some interesting security challenges here at my company. Policy compliance has been keeping me busy, and if that weren't enough, we've been having more fun with viruses.
I've developed a bunch of security policies, and have had good success with getting executive sign-off. That's the good news. But rolling out new security policies can be a challenge because they represent change, and change can be hard for companies. Fortunately, many of the things our policies say are things we are already doing, but there are some things that we will need new tools, technologies or processes to do.
One change that is particularly controversial is an automated screen lock on our Windows systems. I know what you're thinking: How could that be controversial? Isn't it something that everybody does? Not in my company. Here, people aren't used to having to type in a password when they want to use their computer. Now I'm telling them they will have to if they've left their computer unattended for 10 minutes. In my mind, that's plenty of time for someone casually walking by to gain access to anything on the computer. In fact, a few people in my company agree and have suggested that five minutes would be more appropriate. But others think 20 minutes is better, so 10 minutes is the compromise.
The main resistance is from our salespeople. They don't want their screens locking during PowerPoint presentations, fearing that the delay and inconvenience could cost sales. Personally, I think the lockout would make a good impression on customers, showing how diligent we are about security. But not everyone agrees. And in the Windows world, it's one setting for all users. It's not possible to make exceptions or to provide different settings for different groups, and it's also impossible to change or disable this setting while a PowerPoint presentation is in progress.
So, I'm moving forward with enforcing the 10-minute timeout policy, and we will have to deal with the difficulties. I prefer that my security decisions have a minimal negative impact on the business, but sometimes we have to make trade-offs. I guess the sales staff will just have to move the mouse once in a while.
I'm making a lot of progress here, but have been slowed down lately by viruses. I recently wrote about an outbreak of Conficker, which caused havoc on our computers. Since then, our IT team has made great progress in patching our end-user systems and making sure antivirus is installed and up to date everywhere. So, imagine my surprise when we got hit again - this time by a zero-day outbreak!
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
