Advice Line | Bob Lewis » A security policy conundrum

July 25, 2007 | Comments: (0)

A security policy conundrum

Dear Bob ...

So much of what you stated (in "Roving e-mail," Keep the Joint Running, 7/2/2007) hit home.

About a year ago, our company shut down access to all web email interfaces to non-company mail accounts. They did it for three reasons (that I could see): 1. Personal email wastes employee time and bandwidth, 2. Much objectionable material is sent via these accounts, opening up the company to sexual harassment and other related liabilities, 3. Employees were using it to circumvent the auto-encryption routine that kicks in if the auto-encryption algorithm that scans all outgoing email determines you are sending financially sensitive information.

This encryption is important because I work for a financial services company and much of our information is very sensitive - if captured it could be used for identity theft or to compromise a pending deal. Employees were compromising the system (and negligently jeopardizing their customers) because the mechanism to retrieve encrypted email was too hard for many bank customers and vendors to use - especially for first time or sporadic users, who would ask for the information to be sent another way.

After the switch there were a lot of complaints and some training on using the encryption retrieval system. I suspect that many employees switched to faxing the information rather than subject their customers to this frustrating and time wasting system.

Support for the system was cumbersome because the unsophisticated sender would have to act as intermediary between the company Help Desk and the customer as the (outsourced) Help Desk will only take calls from employees.

I am an IT mid-level manager at a regional office. I think that the three reasons to shut off access to personal email accounts are valid. Does it impact me personally? Not since I installed a secret DSL line and set up an isolated network of PCs for me, my boss and his boss that we all use to access our personal email accounts during office hours.

Do I feel bad for everyone else who doesn't have this access? Not really. They would just use it to waste their time....

- Mid-level IT manager

Dear Mid ...

This is an excellent example of the conundrum. Failing to enforce the policy subjects the company and its customers to liabilities. But enforcing it is terribly difficult because the system is so difficult to use.

It's entirely parallel to the problem with enforcing strong passwords: Users can't remember them, so they write them down on Post-It notes which the security-minded put in the front drawer of their desks and the rest stick to their monitors.

The solution, of course, to the extent there is a solution, is to make the system easy enough to use that the temptation to bypass it is reduced, coupled with ongoing education … really, marketing … regarding why compliance is important.

Thanks for sharing this. There's a lot of arguing from pure principle on this topic. Day-to-day experience of what happens in real work environments ought to have a place in the discussion as well.

- Bob


Posted by Bob Lewis on July 25, 2007 05:56 AM

COMMENTS

Seems to me that Mr Mid-level IT Manager feels that the corporate policy doesn't apply to him or anyone above him.

Why else go to the trouble of installing a "secret DSL line?" It's only a secret because he doesn't want the unwashed masses (aka users) to be able to do something that he can.

While I certainly understand the need for security policies, it's hypocritical to install a policy but then install something that completely circumvents it.

Why not set up a small group of kiosks with systems that are isolated from the rest of the network and let people use them as they wish? If he can set up one isolated network, he can set up another. If he's concerned that people will spend the entire day there, put the computers in a public place. Or make them stand-up kiosks, which would discourage lengthy use.

People often accuse IT workers of being arrogant. This line:

"Do I feel bad for everyone else who doesn't have this access? Not really. They would just use it to waste their time...."

is the reason why.

Posted by: Eugene at July 25, 2007 10:40 AM

And exactly how is Mid's access to personal email, and the access of Mid's boss and his boss, any less a waste of time than it would be for other employees? A bit hypocritical is it not?

Posted by: Wondering at July 25, 2007 10:46 AM

Ahh... The Hastie-Greenhaw Law strikes again.

My friend Neil and I have discovered the law that states:
"You have enough security when you can no longer do your job."

Posted by: Tom Greenhaw at July 25, 2007 11:44 AM

So, you have a policy that denies web-based e-mail.

You, your boss and his boss don't like the policy. You set up a secret DSL line / network so the three of you won't "waste time" like the others.

Forget the astonishing arrogance of this viewpoint. How about the potential risk you have created? How can the company be sure that none of the three of you won't abuse this new found connection?

As a financial services company, you do have obligations and responsibilities and policies are put in place to respond to liability issues.

When individuals in positions of authority and/or power decide that the rules don't apply to them - and such exceptions are not part of the rules - all kinds of bad things can and do happen.

I fervently hope that no one I know relies on your organization for anything.

The three of you have shown incredibly poor judgement and, given the responsibilities that you have each been charged with and your willingness to hide this behavior, you should all be shown the door.

Posted by: Jon at July 25, 2007 12:08 PM

I do not disagree with the IT mid-level manager on shutting down access to personal email accounts. But what makes him so self-righteous about everyone else wasting time on personal emails and not he or his boss? That is one of the many problems with America. Oh, please stop with this holier-than-thou attitude. For all I care, Mr. IT mid-level manager and his boss are screwing around accessing their personal email accounts during office hours.

Yes, many employees spend too much time not doing work but surfing or doing personal emails. I hope the company is not paying for the extra DSL line. I do not work for a financial services company, but I hope my bank and the other financial institutions I do business with also prohibit employees from accessing personal email accounts in their firms. I certainly do not want my identity stolen.

Posted by: MrUnsophisticated at July 25, 2007 01:42 PM

To Bob Lewis' point - if it isn't made to be easy, if you don't market to the staff why it is important to follow the policies, then Darwinian laws start to apply. People will do what they think is right to get their jobs done.

I agree that the Mid-level IT manager shows some arrogance in by-passing the system with a "secret" DSL link. How many other groups in that organization have done exactly the same thing or are using wireless connections to get to the Internet for what may be legitimate and/or illegitimate reasons? If the staff in general doesn't adhere to the policy they have a big problem.

My guess is that this is common in many organizations. I appreciate that this individual was honest in passing on this information. However, I think he and his management should have tried to work within their system to bring to light why strong-arm tactics to follow a policy sometimes just make the problem go underground.

Posted by: Andy at July 25, 2007 03:02 PM

To all those who were offended by the statement that everyone else would just use the connection to waste time ...

Maybe I'm nuts. I read this to be irony - or perhaps sarcasm is a better term - not as a sincere and arrogant statement.

Self-deprecating, too, when viewed in that light.

- Bob

Posted by: Bob Lewis at July 25, 2007 03:28 PM

Mr. Unsophisticated,
From what I read, there would be no threat to you having your identity stolen unless you requested one of those employees to send you information via that channel. Thus, whether the employees access outside e-mail should be of no concern unless you are one of the people making use of that mechanism.

As far as whether the wasting-time comment was meant to be self-deprecating or was really arrogant, the crux of the matter is that the attitude of "the rules apply to everybody else but me" is one of the most irritating things I have found when dealing with security-type people. If they have to bypass their own rules to get their jobs done, this should serve as a) a bright light, b) a shovel over the head that maybe the policies are out of whack.

Posted by: Mark at July 25, 2007 04:32 PM

1. Personal email wastes employee time and bandwidth.

Are these hourly employees who get paid overtime, or are they salaried workers who are assigned a job that no human can do in less than forty hours a week? If so, is the company not stealing their time? So, would it not be fair to occasionally allow these employees to conduct personal business during office hours using company resources to compensate for the employer's time theft?

It sounds as if, with the established IT policy, the hapless employee cannot do their job AND they can't live their lives. Hmmm...

Posted by: Andy at July 25, 2007 06:36 PM

Here is a quarter, now go buy a clue. The poster was MAKING A JOKE, people!!! You know, using humor to illustrate a point. If you would quit whining about "he can do something that I can't" (wow, that argument never even worked with my mother when I was complaining about my sister being able to stay up a half hour later than I could back when I was 4 years old) you would realize that you have been subjected to an example of IRONY. Learn to laugh and get over it. Life is too short.

Posted by: dcawvive at July 26, 2007 05:12 AM

Wow. Lost in all the furor of the above comments is the poster's POINT: Security is a tough balancing act with no easy solution.

Thanks for the post, Mid. As Bob mentioned, examples of what is actually happening out there in security land is far more valuable than discussing the subject in theory.

Posted by: Greg at July 26, 2007 06:24 AM

I am a policy guy, but this is exactly why I don't agree with absolutist policies. The end user feels forced to find a workaround, and this could extend as far as running their offsite email through a proxy server - say - in China. Talk about risk!

Much better to implement web filtering to prevent sensitive information from being uploaded - same as with email encryption. There are a bunch of technical issues, but it is no less viable and allows access to webmail (at least unencrypted webmail). (You can track the time spent if you're concerned about wasted time.)

As a friend of mine says "An old patient is much better than a young doctor". User education will get you much farther than implementing draconian policies in a vacuum.

Posted by: policy_guy at July 26, 2007 06:25 AM
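Both the letter's "auto-encryption routine that scans all outgoing email" and policy_guy's suggestion of web filtering that stops sensitive data being uploaded come down to the same building block: a content scan on the outbound message, followed by a policy decision (deliver, encrypt or block). The following is an added illustration, not the letter-writer's company's system or any product's code; the detection patterns, the `example-bank.test` internal domain, the sample messages and the policy table are all assumed for the demonstration.

```python
import re

# Added example: outbound content scan of the kind the letter and the
# web-filtering comment describe. Patterns are deliberately simple and
# are assumptions, not a production DLP rule set.

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by spaces or hyphens (card numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# A nine-digit number introduced by the word "routing" (ABA routing number).
ROUTING_RE = re.compile(r"\brouting\s+(?:number|no\.?|#)?\s*[:#]?\s*(\d{9})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps a random 16-digit order id from being flagged as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, matched_text) pairs for each sensitive item found."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(("card", m.group()))
    for m in ROUTING_RE.finditer(text):
        findings.append(("routing", m.group(1)))
    return findings


def outbound_decision(channel: str, recipient_domain: str, text: str,
                      internal_domains=("example-bank.test",)) -> str:
    """Assumed policy (not the company's): mail to an internal domain is delivered;
    external e-mail carrying sensitive data is encrypted; any other channel
    (e.g. a web upload) carrying sensitive data is blocked."""
    findings = find_sensitive(text)
    if not findings or recipient_domain in internal_domains:
        return "deliver"
    if channel == "email":
        return "encrypt"
    return "block"


if __name__ == "__main__":
    # Constructed sample traffic; the card number is the standard Luhn-valid test value.
    samples = [
        ("email", "gmail.test", "Closing docs attached, card 4111 1111 1111 1111"),
        ("web", "webmail.test", "Customer SSN 123-45-6789, routing number: 021000021"),
        ("email", "example-bank.test", "Customer SSN 123-45-6789"),
        ("email", "gmail.test", "Order 1234567890123456 shipped, lunch at noon?"),
    ]
    for channel, domain, body in samples:
        print(channel, domain, "->", outbound_decision(channel, domain, body),
              find_sensitive(body))
```

The Luhn check is what separates a usable filter from the "frustrating" one the letter describes: without it, every long order number or tracking id trips the encryption path and users learn to route around it. The decision table is where the trade-off the column is about actually lives; the letter's company chose "block" for the web channel, and the example shows how small that choice is in code compared with its effect on users.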

I understand irony. It certainly is ironic that those above Mid's level on the corporate ladder, and those presumably responsible for the policy of shutting off this access to employees, feel free to circumvent that policy for personal convenience.

I think what touched off the comments, in many cases, was the "Do I feel bad for everyone else who doesn't have this access? Not really" part. It makes the "joke" a little harder to get and starts to come across in a way Mid probably didn't intend. If it had read, "Does my boss, or his boss, feel bad ...", then I think I would have gotten the meaning Mid probably intended.

Posted by: Wondering at July 26, 2007 08:22 AM

Well, if he's not arrogant he's got a pretty lame sense of humor. But the point is, security is like any other tool; it should be as transparent as possible. The problem is, security is such a hot topic that those who work in that industry think that they are the reason computers exist. They act like bad cops who use intimidation to keep people in line, and they put their own agendas ahead of the company's work that they are supposed to be facilitating, not obfuscating.

So we get pointless annoyances like being made to type our password twice, or having to choose a set of "secret questions" from a list that doesn't include anything meaningful, like "what was the name of your favorite restaurant in college?" (which cuts out not only people who never went to college, but the vast majority of those who did but couldn't afford to eat in a restaurant).

IMHO, a perfectly reasonable employee attitude is, "you hired me to do a job, now get out of my face and let me do it." Security people who are doing their job right will find a way to prevent the need for such sentiments.

Posted by: Clyde at July 26, 2007 09:55 AM

Mark said: "From what I read, there would be no threat to you having your identity stolen unless you requested one of those employees to send you information via that channel. Thus, whether the employees access outside e-mail should be no concern unless you are one of the people making use of that mechanism."

Come again?

If sensitive data is in those E-mails, identity theft is possible. This does not have to happen just because a customer requested the data be sent.

Posted by: Gene Wirchenko at August 1, 2007 11:01 AM

Installing a "Secret DSL and LAN" in many larger financial institutions would find one in violation of several security violations that could (and should) result in termination of employment. If the support teams can't follow policies, how does one expect the rest of the company to comply?
Perhaps working with the architect teams to design a "user friendly" interface/solution that works would be better than going around the system.

Posted by: Jeff at August 1, 2007 02:10 PM

About five years ago, my company shut off FTP access, presuming that we didn't need it. It can cause minor inconveniences for everyone, like when updating Microsoft Streets and Trips. However our department has to exchange files with our outside programmers when there's a suspected bug. A zipped file containing all of a user's data might be over 50M.

Since FTP access was closed, we have been dropping off the LAN and using our wireless cards, or taking our laptops home and using our own high-speed Internet provider. Our laptops are designed to always connect to the network, through VPN if we are not physically connected. Bypassing is a time-consuming manual process that leaves us without any sort of firewall. (For some reason, the company disables ZoneAlarm and similar freeware firewalls.) And of course, if I do this during office hours, I can't get to e-mail, our problem ticket system, network files, etc.

So by refusing to grant us access to FTP sites that we need to do our job, the company is not actually preventing us from FTP'ing, just making it difficult, time consuming, expensive (50M over wireless!), inconvenient, and insecure to do so.

This morning I was finally granted FTP access specifically to the two domains that I need to post files to. It requires an additional log on when initiating FTP, which is odd because it uses the same logon and password that I use to log onto the network. But whatever. At least I can do my job at work.

Posted by: Lauren at August 2, 2007 09:40 AM
