
Don't Forget About The Forgotten Software Policy

Posted by Ralph DeFrangesco Oct 22, 2009 7:50:11 PM

This is the final post in my series on IT security policies. The other two posts examined good e-mail and Internet policies. Today, I look at the software policy, which I call "the forgotten policy" because every time I have had to talk to an employee about downloading unapproved software, I hear, "Oh, I forgot." Every policy I have read says something about not loading unapproved software, but most employees take this to mean only software they download from the Web. It also covers an employee's personal software and any beta software.

Then there is the whole open source issue. Employees download open source software, agree to its license, and load it on a company-owned computer. In effect, they have accepted license terms on the company's behalf, putting the company in the middle of an agreement it never reviewed.

A good software policy should at least do these five things:

1. Make it clear that software not owned by the company cannot be used on company-owned computers. This includes personal and open source software.
2. State that if open source software is needed, the company's counsel should review all licenses.
3. Clearly state what will happen if unauthorized software is downloaded onto company equipment.
4. If desktops are going to be monitored, state how they will be monitored and who will view the logs.
5. If systems are given out for take-home use, state that the same rules apply.

If software does need to be downloaded, and it will be, there must be a clear procedure to follow. For example, the employee submits a request to the IT department. IT downloads the software into a test environment, where it is checked for malware and then checked for interoperability with the other desktop software to see whether there are conflicts.

In closing my series, keep in mind that policies should not be created just to meet a lawyer's requirement to have them. They need to be usable. IT security policies should not be an impediment to doing business. That being said, as security professionals, we are paid to protect company assets and this comes before anything else.
