After Hours

Clear usage policies protect everyone

Many organizations employ computer usage guidelines, but it is easy to develop a gap between policy and reality. Support pros are likely to discover user transgressions in the course of their work. Do your techs know the role they should play in enforcing policy?

-------------------------------------------------------------------------------------------------------------------

Every workplace these days should have a portion of their computer usage policy addressing digital media and copyrighted material. Bare minimum, by publishing appropriate guidelines your company protects itself against liability and informs employees of the expected behavior. So, if you don't have a usage policy in place, you should get one!

Wait! Don't go off to write that policy just yet. One thing I think that IT pros should think about while writing their policies is how those rules will be enforced. In too many offices, there is a stated policy that does not jibe with reality. Consider how far your organization wants—or needs—to go in enforcing the rules, and make those measures explicit.

My experience with usage policies, especially as they relate to digital media and copyright infringement, is that they are paper tigers. Organizations will make a big show of disallowing things in their policy documents, but many will never actively look for infractions. That is because looking would mean actually having to do something about violations that are certainly present.

I empathize with this situation. As an IT manager, I've had to write usage guidelines and policy documents, and as a help desk pro, I've found things that probably shouldn't be on office computers: commercial DVD rips, MP3s of copyrighted songs, dirty pictures. The support techs in the office see exactly what is going on with the computers on the network. They will be the first people to see the evidence of any misuse of your company's property. When they do see misuse, their expected role in the enforcement process should be crystal clear. If you are going to go to the trouble of writing usage policies, make them explicit for your users and your techs. Don't put your support staff in the awkward position of deciding whether someone's ripped CD should be considered a "fair use" of copyrighted material. Your policies should leave no doubt for your techs or your employees what the response will be to any situations covered by the policy.

I think most IT policies are written in hopes that they never have to be tested. I know I used to think that as long as I didn't see anything wrong there wasn't a problem. That never lasts. Sooner or later somebody will always see something wrong. Good policy documents will provide guidance for everyone involved on how the problem will be resolved.

I am not a lawyer, and nothing I say should be taken as legal advice. If you are also not a lawyer, you might want to talk about your usage policies with appropriate legal counsel.

15 comments
dogknees

To have any chance of being effective and enforceable, you need buy-in from the executive level. The way to get this is to point out the costs of breaches of the policies. Once you explain about additional support time, lost productivity, breached network security, and the like, it's not usually difficult to get their attention. Then it's a matter of making sure employees are aware of the policies. It's not enough to get a signature on a document when they commence, you need to remind people of the rules on a regular basis, the costs of breaches to the business, and the fact that they will be enforced. Repeat when there's a new threat or you see a rise in phishing attacks for example. Finally, it's usually most effective if people are given a chance to do the right thing. Unless it's a particularly egregious breach, allow them one warning. Explain the situation, remove the offending material, and let them know this is their only warning. At the end of the day, IT staff need the backing of management. If this is in place, they shouldn't need to act as the cops. It should be as simple as reporting the breach to the HR department and letting them do their thing.

brianmilke

From my experience at school, I have learned three things that will put me in hot water with someone at my job in the future. 1) Honesty - Giving up the goods may be supported by the management, but you still have to face the fire from the peers you busted. 2) Doing the right thing, no matter how right it is, still makes you out to be the bad guy in the eyes of the people doing the wrong thing. 3) If you snitch once, the management and your peers will be looking for you to do it again. In this, I mean that management will expect you to continue to blow the whistle. At the same time, your peers will treat you as someone they cannot trust because you did spill the beans before. All in all, being placed in this very exposed position does place you in the light of being seen as trustworthy and honest by the management, and those are the people I want to impress and wow. Having management on your side when a job comes up means you are looked at first above the others when evaluations are done. Will I ever be able to ask for a letter of reference from one of my peers? Probably not. But which looks better; a letter from your boss or his boss, or a letter from one of your peers? It's so much fun being at school...I can't wait to get out into the workforce. (not)

hig

yeah right. Sorry, in practice, in most orgs, this makes the lowly helpdesk monkey the bad guy. Do you seriously expect us wage earners to rat out the vp's? NO! So, if it gets done at all it only gets done to the other wage simians. The biz HAS to handle this. This is an employee discipline issue not an IT issue. Just my $.02, ymmv

williamjones

In my latest blog, I address a shortcoming I see in most usage policies: guidance for the support techs who discover infractions. In my experience, policies are very explicit about what may be disallowed, but very vague about the correct course of action for the individual who notes the violation. I'd hope that most techs are trained about what to do when they encounter the really inappropriate material, but what about more benign situations? Does your policy detail the appropriate action for a tech that discovers that a user has been ripping CDs to his office computer? How would you handle a situation like this? As a tech, would you confront the user directly, or would you escalate the matter to a supervisor? What are the digital media policies in your workplace?

hig

Just remember that those peers are climbing the ladder too and some of them will one day be management. The butt you kick going up may be the butt you have to kiss coming down. Best of luck in your studies, it's not as bad as all that out here in the workforce and the money is definitely better than being a student.

Coss71

The company I work for now, has a 3 line paragraph that was written 12 years ago by a company lawyer addressing Internet and email usage. It is stated in the employee manual that is handed out after you hire on. It is so vague it's a joke. It basically says, "company computers are not supposed to be used for anything personal. Disciplinary actions can be taken if any violations are found". That's it. They never had a true IT department until I was hired 6 years ago. Small company, 23 offices, 500+ employees. And yes, I am the IT department. I do have a part time helper, but that's it. I have been pushing to the owner since the day I hired on to create a new policy. I have found sooooo many violations it would make you cry. In some cases, I will report it to their managers. Sometimes I will just delete it, and not say anything. Other times I will report it, and go to their staff meetings and bring it up. I also set rules in the firewalls, GPO's and any other way I can block what is going on. Seldom is anything said to me, and no, I'm not going to be voted Most Popular by any of the end users any time soon. It's just so frustrating. I have kept a log over the years of all of the offenses, and what was said or done at the time. Because I know, sooner or later, it's all going to explode. And I don't want to see it come crashing down on me. And yes, I agree with the Dr. statements other people have stated. I used to SysAdmin for a company that did medical transcriptions. One Dr.'s attitude describes it all. He said, "I just expect people to be as good as me, and show the same effort that I do. So far in my life, I have never met anyone that is, or does". His dictation ID# ? 1 License plate on his car? PERFECT

csmith.kaze

I agree, I work in a place where Doctors own the company and trying to tactfully admonish your "bosses" about the 20 GB of baby pictures, DVD's, and music that they put on company property is not fun. But I also think that the regular employees should be held to the same standards. If I find anything wrong where I work, I pass the information and proof on up to my boss who decides what to do with it. I am not a cop, just an analyst.

Amnezia

People ALWAYS try to get around computer usage policies - even if it's in a small way. Each employee is responsible for their own actions. If I'm stupid enough to keep specifically unauthorised material on my work PC, then I can't squeal/moan/grizzle or otherwise articulate if I'm discovered and disciplined. IT'S MY FAULT!! Similarly, if the policy gives specific details of what is NOT permitted, (and this is the way most UPs seem to be worded); who's responsible for policing the UP, and the ramifications of doing so - then there should be no issues. If the UP is NOT specific, then a series of emails to managers is a good way to find out - AND keep your neck intact. One I saw allowed "work-related material" to be stored on the network share, but limited (size specified here) amount of local storage for "temporary use". This amount was stated and set by GPolicy. Every Friday a script deleted the contents of the local folder. This UP also stated that "random checks" would be made by the technical department of each user's home and each PC's local folder for "non-authorised" material - and detailed what was "non-authorised", and what action would be taken should such stuff be found. This site created a lot of multimedia and audio files, and the IT Manager was always being asked for music and video to use in these productions. In talking to him, he said there were some issues, but since they had been resolved, no further trouble resulted. There were a lot of MP3, WMV files on local shares during the week, but once staff realised what was happening, they burned stuff to CD/DVD and stored it somewhere else. This staff usage policy was well detailed - one of the better ones I've seen. As a result staff were happy and knew the boundaries.

Grimshiire

There will always be someone unhappy with any policy that involves Internet access usage. I try to block access via DNS, but with so many Proxy sites, it is a full time job! I have a different take on the Dr's & lawyers: How about working for a Japanese (HQ in Japan) or Jewish (Family Owned) company? All employees, regardless of race, must follow all usage policies except for the ex-pats or Japanese born and the synagogue cruizers and other associated J-Crews. I am speaking from experience in this instance. I treated everyone professionally. BUT, I was treated like a second class citizen in my own freakn country! When it comes to matter, there are definitely 2 different rules. For policy implementation to work properly, it needs to come from and needs to be continually enforced from the top. The execs are supposed to "Lead by Example". I see more of "Greed for me, screw everyone else" as the example.

jax_cracker

Strict training done annually on the subject of policies and enforcement--then SIGNED STATEMENTS filed with H.R. annually too--THAT is how you maintain acceptable use policy. If your company isn't willing to do that (mine is) then they have no teeth and should not expect techs to be Net Gestapo. I think many managers would rather be more bark than bite on this issue, leaving enforcement up to supervisors with a "so long as work isn't affected" guideline. That's lame, but that's people in management positions who don't grasp what happens when a copyright infringement lawsuit comes home to roost or bandwidth is decimated by joyriders streaming their favorite music or videos...and malware crashes the network party. Start a scrapbook of sorts with clippings from disastrous events at other companies and usage stats on where the bandwidth for your company is going. When people ask why the network and internet access is so slow all the time, whip out the clippings and ask them if they'd like to speak alongside you at the next company staff meeting on the subject. Chances are, they might just be part of the problem and will pass on the offer.

JaredH

If you want to enforce a use policy, then use Windows policies or some other software to restrict the machine to be in accordance with the business use policy. Don't allow users to install CD ripping software. Yes, users complain but my response is this is company policy, talk to the board of directors if you want it different. They make policy, I just obey it.

TheProfessorDan

I agree with a lot of what is being said on this topic. I have had the fortune to work for numerous organizations and I have seen both sides of the coin. I have seen organizations where the management stands behind their staff when the heat comes down. I have also worked in organizations where the management staff caves faster than a trailer in a tornado. The reality is that policies have to start at the top. In most companies, a tech's words mean nothing if their manager does not "stand up" for their staff. On another note, I have supported all kinds of users and I can say this. Doctors are the worst period.

a.techno.geek

Even though I am in IT now, I was not always. I worked part time for a city in Metro Detroit as a Park Security Guard (worked under parks and Recs). People would ask me to bend the rules for them (needed to be a resident to obtain entry into the park). My fall back was I had to go according to "the city ordinances written (IT policy/Procedure)" and if they wanted to have the city policies changed to accommodate them, they talk to their respective city councilmen (change of policy of IT? Talk to the directors/management for change, do not have a low paid Tech to put their job in jeopardy). If the policy got changed in writing I would accommodate, otherwise I had to follow written policy/procedure. This is how it should be with IT as well. In writing, adhere to it and report any variances. Then stick to the written policy.

csmith.kaze

Amen to that last sentence. I have worked for teachers, mechanics, lawyers, and doctors. Doctors and lawyers take the cake compared to all the rest and doctors edge out lawyers just barely as the worst to work for. The only thing worse, I have heard, are politicians, but I have never personally worked for one. My boss will stand behind me for the most part and has saved my ass a few times when butting heads with a dr. I agree that management has to make most of the calls for what is right and wrong, though some places have management doing worse than most of the rank and files.
