Match Your Filtering to your Corporate Policy - and make sure you have a corporate policy!
Wednesday, September 14, 2011, 6:20 PM
I work as a programmer and try my best to stay out of anything that hints at being anything other than technical. If something comes my way that smells in the least like a corporate, marketing, human resources, or other nasty untechnical topic, I am the first to hide under my desk or run the other way. But like taxes, bullies, and mothers-in-law, sometimes you can't run or hide from this unsavory subject if the ball rests in your court because you are the technical person in IT who has to administer the infrastructure for internet use.
In previous lives at other companies I was sometimes in the position to handle some aspects of internet monitoring, even during the early days of the internet. You might have expected a lot of potholes in corporate internet usage guidelines and IT implementations enforcing those guidelines ten or twelve years ago (and there were), but not now with all the publicity and horror stories of lawsuits since that time. Alas, that is not always the case, at companies large or small.
In my experience as a technical person in a cubicle, I was not the person to make the policies for internet use; that was the domain of the people in offices with doors and windows. But I learned, sometimes painfully, what you monitor, record, and filter needs to match what your policy demands. Too much, or too little, on the technical side as compared with the policies is not good. That is how I came up with "Ye Olde School of Hard Knocks Guide to Covering Your Technical Tail":
- Locate your Corporate Internet Policy
If you can't find it, and you are responsible for implementing it based on hearsay and executive hand-waving, you have found your first pothole. And it could swallow a metro bus. If you are responsible for a non-existent policy, get the Powers-That-Be to make one. There are many resources for creating an "Acceptable Use Policy" on the Internet, but there is no one-size-fits-all; each company needs to tailor one for its own circumstances, culture, and environment.
- Read it, and understand it
I find a few problems with this one, other than the obvious: "It's so boring I can't read it without drooling, or doing a face-plant on my keyboard." My biggest problem is the policy which has no basis in reality, so everyone ignores it. If the policy can be shown to be ignored, or is not properly communicated to the employees, there is no policy, in my estimation. If there are problems with the policy, get them addressed, clarified, or corrected.
- Identify your part in the implementation
If it is determined that your duty is to set up or administer some portion of the policy, clearly identify what those criteria are, whether filtering, data retention, data security, etc. Also, make sure the settings of the solution match the policy. For example, some filtering products have great flexibility in specifying filtering levels for different individuals, groups, or departments within the company; the policy, not the product's defaults, should decide which levels apply to whom. Verify with the policy makers that they are in agreement with what you have set up.
- Monitor your implementation's effectiveness
It does nobody any good if you spend a lot of time and money on a solution, only to find out months later that it has not been doing what you thought it was. Some products have significant reporting and notification features, but you must make sure they are configured correctly and keep monitoring for continued proper operation.