Security Arguments

in the early morning on Sunday, the 9th of March 2008 by Chad

OK, for my real job I do a lot of computer security type stuff. One of the security mailing lists I’m on recently had an argument about allowing MP3 and other music formats on office computers.

The argument broke into a few different camps quickly.

The first group took the “it’s the company’s computers and they can do whatever they want to…” line. That’s technically true, but it’s like saying “it’s the doctor’s needles, he can inject you with whatever he wants to.” Besides, this argument is about security, not business productivity, except where a security decision affects the productivity.

Next comes the group that says if music makes the employees happier, then they’ll work harder and be more productive, so allow it. Sounds like a positive effect except for a few counterarguments: copyright of the music and, again, that it is a business decision to make. The business decision has to come down to HR in case someone is offended by someone else’s music, and to how disagreements are handled; maybe everyone is required to use headphones that are non-audible to others. As for the copyright issue, it’s not like the company needs to set up a server for streaming music or anything. Simply require that no music be stored on company machines and that it come in on CD. That should effectively remove any responsibility from the company.

Others talked about using up all the internet bandwidth with streaming music. That’s an operations issue though. The ops group would have to decide that streaming-music bandwidth interfered with business requirements before choosing to throttle or block streaming media, or to increase the available bandwidth.

Finally, one voice of reason. This is a security issue, and therefore the only question is: can the various types of media pose a security risk? And if one type of media player has security risks, shouldn’t that individual player be blocked and everything else left alone? A warning to management is required about the copyright issues, but then it goes to the legal department to make a decision.


2 Responses to “Security Arguments”

  1. mdebusk Says:

    As someone who has done a lot of Security work myself, let me offer my opinion:

    Camp one is correct, but their response has nothing to do with the discussion. “They can do what they want” is their response to “what should they want to do?” Duh.

    Camp two, recent research has shown, is incorrect. Happy employees are not productive employees; those two traits actually arise together from other, more basic, factors in a person’s personality.

    With camp three I’m on the fence. To my way of thinking, Security is about the prevention of loss of a company’s assets, no matter how they might be lost. Depending on the company, bandwidth might be an asset.

    Camp four, sorry… if you take my position that Security is loss prevention, copyright is an important factor. Even if the company turns out not to be liable, they still have to defend themselves against the RIAA. That’s expensive, and the costs are completely unnecessary.

    I’m in camp five: music does help people be more productive if they’re the productive type, so it should be encouraged. The company buys everyone their own mp3 player, complete with decent headphones, and disallows streaming if it’ll harm them in a way that matters. The employees get music, IT gets to play God, and management gets some employee goodwill.

  2. Chad Says:

    I don’t agree with the first camp, because there are various groups of employees responsible for the company in different areas. Camp 1’s decision is a management CxO type decision.

    Camp 2 - my security concern would be protection from copyright abuse and vulnerabilities in software. Raising the copyright issue immediately makes that the corporate lawyers’ call. So bring them in from the golf course and have them earn the 250k$ they’re making. And vulnerabilities? Hey, that finally sounds like a job for… information security!

    Camp 3 - Operations issue, hands down. If the firewall team doesn’t care, and no business functions are blocked from occurring, then I wouldn’t care. It’s like CPU. People freak out when their computer’s CPU sits at 50% usage. When you learn real performance tuning for network systems, you only start to peg CPU as a resource issue once it hits 85%. Why pay for a server with 4 ultrafast CPUs if you want to keep them at the relative capacity of a 486?

    Camp 4 - The requirement of information security should be to simply ensure the legal team is aware of the possible violation, end of story. If the legal team doesn’t do their job, then maybe bring it up the chain to the CxO level. But it would not be in any way the infosec department’s realm of authority to ban based on copyright issues.

    The problem with Camp 5 is that by buying the MP3 players for the people, there may be legal obligations on the company based on that. I think that if the company gives out desktops with standard images (which includes Windows Media Player) and cd-rom drives, but prevents any local storage of media content, that’s due diligence enough. But that’s only my humble opinion and again one the legal team needs to go over…
