Fair and balanced: Enforcing security policies for workstations

* Promisec tool helps support uniform application of security policy

One of the constant problems we face in enforcing policy is consistency. Suppose we find an employee who has unauthorized hardware or software on a corporate computer and apply sanctions - perhaps even termination of employment.

If the employee is so moved, we could find ourselves saddled with protests or even a lawsuit about capricious enforcement of policies and wrongful dismissal. “Other employees have similar violations of policy on their workstations, but management never punished them! This is a clear case of persecution because [fill in some excuse].”

According to the International Labour Organization (ILO), the United States is one of the few countries that still allow dismissal of employees at will. Nonetheless, a growing body of case law supports the view that capricious termination of employment may be subject to legal remedy. Thus, regular, impartial audits of policy compliance not only help maintain security but also make such protests and lawsuits against an employer less likely and less credible in a court of law.

I was interested to receive a press release from Promisec announcing the results of a detailed analysis of 193,000 “endpoints” (defined as corporate workstations) in 32 “large organizations.” The summary reports that:

* 13% +/- 0.15% [I have added the approximate 95% confidence interval for each proportion calculated using the statistical package Minitab] of the corporate PCs surveyed had unauthorized USB devices attached to them, opening the door to data loss and the opportunity for USB-borne viruses and malware to enter the corporate network.

* 4% +/- 0.09% of corporate PCs had peer-to-peer (P2P) applications installed, such as KaZaA.

* 1.5% +/- 0.56% of the corporate PCs did not have the latest Microsoft service packs.

* 1.7% +/- 0.06% had antivirus monitoring and remediation issues.

* 1.2% +/- 0.05% of the 193,000 audited endpoints were without required third-party desktop security agents.

* 0.82% +/- 0.06% of endpoints had unauthorized remote control software such as GoToMyPC, and a lesser percentage had unauthorized and unprotected shareware.

According to Promisec, their “audit takes less than an hour after implementation of Promisec Spectator for Enterprises, installed on a single enterprise workstation. The software’s ability to perform discovery and provide reporting across all corporate networks produces a detailed synopsis of processes, devices and other activities on the network which may be outside of corporate policy, revealing the current state of internal network security.”

Such a tool can support uniform application of security policy on workstation configurations and can not only increase security, but also maintain fairness and balance in employee relations.

An itemized report of the study is available by contacting Promisec at 212-743-9916 or by sending e-mail.

Copyright © 2007 IDG Communications, Inc.