Shel Holtz has launched a campaign to resist the blocking of employee access to online content such as blogs and social networking sites like Facebook. As an internal communications professional who recently had to deal with IT’s blocking of the MyRagan social networking site (but, interestingly, not Melcrum’s The Communicators’ Network site), I sympathize with the stop blocking campaign.
I work in the financial services subsidiary of a global automotive manufacturer, where the issue of access to external sites isn’t as clear-cut as Shel and some others might suggest. Federal auditors come regularly to inspect the company’s procedures, processes and information security. My company is serious about maintaining the privacy of its customers, and it leans toward measures that improve data security rather than increasing unfettered employee access to information.
Many times, I’ve gotten upset or shaken my head when I learned about the latest decision regarding what access to block within the company. For the most part, I have access to anything that I need to do my job well. It sometimes required me to jump through a hoop or two, to get IT to restore access to something. For example, next month, most people within my company will not be able to use the USB ports on their computers to transfer data.
That decision was based on an audit finding. When the new policy was announced via broadcast email, I started to “see red”–until I read a portion of the email that provided information on how to retain access to the USB drives.
It took a couple of conversations with our information security team, but I was able to easily and calmly explain why I need to be able to transfer digital camera images, graphic files and audio/video files. It helps that I don’t have access to sensitive customer data, so my PC and network connections are not the same security risk as a customer service representative or someone in our Credit and Funding Department.
Anyone in my company who wants to retain access to the USB ports on their PCs must follow an agreement that spells out what is proper and improper use of the USB ports. I’ve summarized the main points below to show that they are common-sense, and not draconian.
Removable Media Agreement
• Use only company approved and supplied devices for writing to removable media.
• Take all reasonable steps to assure the security of removable media and all data on removable media.
• Under no circumstances transfer ANY customer or employee private information to removable media.
• Do not put confidential information on any form of removable media without manager’s approval.
• Do not use removable media to introduce or remove any software from any company system.
• You will be responsible for the introduction or removal of data from any company system via removable media.
• Do not use any company data for personal or commercial use or gain.
Violating this policy may result in disciplinary action up to and including termination of employment.
What do you think about limiting access to the USB ports of employee PCs? Is that done in your company?
Entries (RSS)