They don’t carry long rulers or frown more than most people, but Information Technology managers for health and human services agencies do bear the heavy burden of issuing sober reminders about rules for computer use at work.
For example:
- Instant messaging is a flagrant invitation to hackers, so don’t do it at the office.
- Streaming video (including YouTube) is a bandwidth hog; use it sparingly and only if related to work.
- Ixnay on the floral-print e-mail backgrounds, script fonts and emoticons.
- Keep personal e-mailing to a minimum.
- No eBay, ever. Ditto for ringtone downloading, online gaming, blogging and MySpace page maintenance.
- And, by the way, your work computers, any files they contain and any websites you visit may be viewed or monitored at any time.
There’s plenty more to know about technology-oriented policies, but you get the idea. Many seemingly harmless practices are restricted or forbidden because they can reduce security, degrade computer performance and make it harder for other users to get work done.
That’s why our colleagues in IT urge us to reread the most recent edition of the HHS Enterprise Information Security Standards and Guidelines, which cover not only the rules but also, in many cases, the rationales behind them.
Malice in Networkland
One of the document’s most important sections deals with spyware, viruses, Trojan horses, adware, worms and other nasty bits of malicious code. Once in place, they’re devilishly hard to find and can cause problems ranging from annoying slowdowns to system crashes, data loss and security breaches.
Barry Fredrickson of DADS noted that malicious code infection can be introduced when employees use thumb drives and laptop PCs to do work away from their headquarters.“If a thumb drive is used on a nonagency workstation that’s not protected from viruses or malware, and data is transferred between workstations, the virus can wind up on the agency network,” Fredrickson said. “Malicious code infection may also be caused by employees using their regular workstations or laptops to surf the net, read personal e-mail on an agency workstation or download unauthorized software.”
DARS’ Stan Dodd also zeroed in on malicious code as a top concern and said e-mail scams are a frequent mode of transmission.
“We advise our people not to click on any links embedded in an e-mail if you have any doubts about the sender,” he said. “You click on something you’re unsure of, and it can download a piece of malicious code, which then reports back to the propagator [and compromises security].”
The damage can easily spiral out of control. Remember the I Love You virus that quickly spread to computers around the globe in just one day in 2000? It affected 10 percent of computers worldwide and caused $5.5 billion in damage.
Dodd added that “employees shouldn’t enter their work e-mail address into anything unless it’s business related, and then only if absolutely necessary. People seem to think they get spam because their e-mail address was extracted electronically from their PC. But most often it’s because they entered it into a web page, and from there it went to a database, which eventually was sold to some spammer.”
Preserving Bandwidth
Employees are becoming far more cautious about e-mail scams and security risks, but fewer people are aware of the problems inherent in heavy use of streaming video and audio resources such as YouTube, RealPlayer and Windows Media Player. All are greedy consumers of bandwidth — a measure of how much stuff you can send through a given connection.
Even so, these applications are great tools that are used by state agencies for training and other purposes. Many employees, though, are unsure about which uses of audio and video are OK and which are not. HHSC Information Technology Director Hope Morgan has a straightforward answer to that question.
“Streaming audio and video are resources we use quite a bit — during the legislative session, for instance. That’s acceptable use. So is anything else for which there’s a legitimate business purpose. But if you’re just watching videos on YouTube [for entertainment], you’re eating up bandwidth and possibly detracting from other employees’ ability to do their work.”
Deborah Wattman of DFPS said preserving bandwidth and assuring legitimate business need are why her agency requires advance permission for use of online media such as YouTube.
“It’s essential for us to ensure that mission-critical functions aren’t limited or compromised,” Wattman said. “With all of our security and usage policies, we’re trying to strike a balance between giving people full access to online tools and keeping risk to an acceptable level.”
For Wattman, Morgan and other IT security watchdogs, the rule of thumb for use of streaming media is straightforward: If online video enhances your ability to perform designated work tasks, go for it. If it enhances only your knowledge of March Madness hoops, the “cell phone popcorn” controversy or the latest adventures of Dramatic Chipmunk, save it for home.
No Guarantee of Privacy
One of the least understood IT policies deals with how much privacy you can (or can’t) expect when using state agency computers.
The best guidance is found in Section 1.21 of the Enterprise Information Security Standards and Guidelines, which states: “Internal users of HHS IR should have no expectation of privacy with respect to the use of those resources, except as otherwise provided by law.”
This section further notes that all files created, sent, received or stored on state computers “may be accessed . . . at any time without knowledge of the resource user or owner.”
Agencies also have the right to monitor phone numbers dialed by employees and websites visited or state equipment.
In addition, files created by state employees are subject to being collected through open records requests.
The bottom line: It’s not your computer; it belongs to the state. That means there are restrictions on its use — even during your lunch hour — to help keep the equipment up and running.
So save checking out the latest “lolcats” hilarity for your home computer, and your friends in the IT department will thank you from the bottom of their hearts.
[10 Tips for Smart Computer Users]