
Inappropriate Computer Use: Is your workplace protected?

Author: Brian O'Donnell


While there are huge efficiencies to be gained from the use of information technology, there are also
risks from uncontrolled access to the Internet. One of the largest information security issues facing
Irish businesses today is inappropriate computer usage in the workplace. Brian O'Donnell offers advice
on how to tackle the issue.

Inappropriate use comes in many guises, and ranges in severity and risk for the organisation. At its
most benign, inappropriate use impacts on employee productivity, where many hours are wasted
through Internet browsing and use of instant messaging services. A survey published in June of this
year by the employment law firm, Peninsula Ireland, suggested that Irish employees are spending an
average of 90 minutes per day on social networking sites such as Bebo and Facebook. That works out
at 43 working days per year! While there is clearly a serious cost arising from this time-wasting,
inappropriate use has other more serious forms.

Personal email accounts

Access to personal email services such as Gmail and Hotmail can facilitate
transmission of sensitive information out of the organisation, allowing disaffected employees to
perpetrate intellectual property theft of, for example, customer databases, new product blueprints or
other commercially sensitive and valuable information.

In addition to these personal email services, the ability to use USB memory sticks and to burn data to
CD or DVD is a serious point of exposure for organisations subject to this kind of risk.

Inappropriate images

Perhaps the hardest form of inappropriate use to control is the use of
corporate IT resources to view pornographic material. Employers have a duty of care to their
employees to protect them from inappropriate material, and any inappropriate use of computer
systems can lead to damage to corporate reputation. The risk and embarrassment associated with the
presence of offensive, pornographic, and sometimes illegal images in the workplace has become very
high-profile over the past few years. There are specific legal requirements related to inappropriate
images which businesses need to comply with, such as the Child Trafficking and Pornography Act
1998, and various employment laws.

But how can organisations address this broad range of risks in a balanced way, without impacting on
the efficiencies that IT can provide?

Policy

An effective policy for acceptable usage of computers should be the cornerstone of any
approach to these issues. Without effective policies, clearly communicated to employees and
consistently implemented, problems will arise.

Acceptable Usage Policies

Typically, an Acceptable Usage Policy (AUP) will have the following key objectives:

- Clearly state the organisation's policy regarding the use of information technology, the Internet,
  email and other telecommunications resources (e.g. mobile phones).
- Clearly state the organisation's responsibilities with regard to protecting the individual.
- Clearly state the responsibilities of individual employees with regard to using corporate IT resources.
- Protect the organisation against potential liability.
- Promote security awareness among management and staff.
- Encourage effective and productive use of IT resources.

In addition to acceptable usage policies, management should also consider developing incident
response plans. These plans provide detailed steps to be followed by responsible individuals in the
organisation should a security incident arise. The types of security incident which would typically be
addressed will be wider than just inappropriate use and will include hacking attempts, etc. However,
the plan should identify the steps to be followed should a theft of intellectual property be suspected
(such as to call in legal advisers and IT forensic specialists).

Tone of Policy

In the changing environment described above, many organisations struggle to find the
right balance in their policies between risk mitigation and empowering users. Ultimately, however, one
has to err on the side of protection for the user and for the organisation.

AUPs need to be unambiguously worded and lawful, as any subsequent sanctions will rely on the
existence of enforceable policies. It is important to involve other departments, e.g. HR, legal, risk
management and the business to ensure that the corporate culture, business requirements and
employee capabilities are appropriately considered. All employees must receive a clear and consistent
message from management describing what is considered appropriate activity in the workplace
together with what action will be taken for any abuse. It must be clear as to who in the organisation is
responsible for enforcing the policies. This will ensure that disciplinary measures are applied
consistently and fairly.

Employee education and training

Critical to the success of the policy-setting initiative is ensuring that
the policy is communicated to employees (through staff awareness training and education) and
enforcing the policy (through the implementation of control processes to monitor user activity and
taking action on foot of findings). An appropriate corporate culture and good user practices need to be
established.

Policies need to be clearly communicated and supported by a structured communications and
awareness programme. This should provide evidence of every employee's understanding and
acceptance. Management should be seen to lead by example and should make clear that any
disregard of policies will not be tolerated.

Enforcement controls and processes

It is good practice to implement technical controls to reduce
the risk of a breach of your AUP, and to increase the likelihood of uncovering a breach, so that
appropriate action can be taken.

Some of the forms of inappropriate use are easier to control than others. For example, web content
filtering tools exist, and are probably already installed on your network, which can prevent users from
accessing websites that are in breach of policy. These tools allow you to specify the website addresses
you want to prevent, such as those of social networking sites, and the domains of the popular free
personal email services.

A decision to enforce policies to prevent access to social networking sites and personal email services
can often cause disquiet among employees, particularly Generation Y staff who are used to
unfettered access. Some organisations decide to make the policy enforcement easier by providing
Internet kiosks in high visibility areas of their office to allow staff brief access during break times.

More difficult to solve is the exposure to USB memory sticks and other removable media. Laptop and
desktop PCs are routinely issued with CD or DVD burners as standard. Organisations should question
whether these are really needed for all users, and should consider downgrading to CD/DVD players,
upgrading to burners only where there is a proven need.

Memory sticks are ubiquitous at this time. But they carry significant risk as discussed above, and are
often the means by which viruses are brought into an organisation's systems. Given that these devices
are very useful and often desirable in a corporate environment, controls need to be put in place to
manage their use. Your AUP should stipulate that only USB memory sticks supplied by the organisation
can be used. This is important because if a suspected issue of intellectual property theft arises, you
retain the right to recover the device and to examine it using IT forensic techniques. Then, you can
enforce the policy by using tools available in the market to only allow particular types of devices to be
used, and to encrypt all data. If your organisation operates a Microsoft Windows Active Directory
network, it is also possible to enforce settings to prevent users or groups of users from using any USB
data storage devices.

From the perspective of inappropriate images (pornography) a range of technical controls may need to
be implemented to address the different working practices and the various routes inappropriate
material may take to enter the IT environment.

Traditional gateway-based web filtering and email systems only form part of an overall integrated
solution. They can be bypassed by using proxy servers or encryption and do not address the
numerous other ways material can get onto systems. An approach may include combinations of the
types of tools already discussed, as well as email/spam content filtering, host- and network-based
intrusion protection, and client-based filtering.

The effectiveness and practicality of these controls will be dependent on how a business uses its IT
resources and should be designed accordingly.

Compliance monitoring

Regular compliance monitoring is an effective way to enforce the acceptable
use policies and mitigate the impact of inappropriate computer use.

Depending on the technical IT controls put in place, different monitoring processes will need to be
implemented. To address the risk of unproductive use of Internet, email and instant messaging,
management should use the reports available from the web content filtering tools to ensure that the
filters are kept up to date for all significant non-productive sites being used, and repeat offenders
should be dealt with in line with your HR disciplinary procedures.
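As an added example (not from the article, and not tied to any particular filtering product), the following Python reads constructed Squid-style proxy log lines, maps each requested host to the AUP categories the article names, and reports both the non-productive domains the filter still serves (candidates for a filter update) and per-user hit counts for HR review. The log lines, the category table and the field layout are assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed Squid-style access log lines (native format: timestamp, elapsed
# ms, client, result/status, bytes, method, URL, user, hierarchy, MIME type).
SAMPLE_LOG = """\
1277890001.123   240 10.1.2.5 TCP_MISS/200 5120 GET http://www.bebo.com/Profile.jsp jsmith DIRECT/192.0.2.10 text/html
1277890002.456    90 10.1.2.5 TCP_MISS/200 2048 GET http://www.facebook.com/home.php jsmith DIRECT/192.0.2.11 text/html
1277890003.789   120 10.1.2.9 TCP_HIT/200 1024 GET http://www.bebo.com/Home.jsp mkelly NONE/- text/html
1277890004.000    60 10.1.2.5 TCP_DENIED/403 0 GET http://mail.webmail.example/ jsmith NONE/- text/html
1277890005.000   300 10.1.2.9 TCP_MISS/200 8192 GET http://intranet.corp.example/news aoconnor DIRECT/10.0.0.2 text/html
"""

# Constructed AUP categories keyed by registered domain; the article's AUP
# names social networking sites and free personal email services.
NON_PRODUCTIVE = {"bebo.com": "social networking",
                  "facebook.com": "social networking",
                  "webmail.example": "personal email"}

def category(host):
    """Map a hostname to its AUP category by domain suffix, or None."""
    for domain, cat in NON_PRODUCTIVE.items():
        if host == domain or host.endswith("." + domain):
            return cat
    return None

def analyse(log_text):
    """Return (filter_gaps, offenders): hosts in a non-productive category that
    the proxy still served, and per-user hit counts per category. A denied
    request is still a policy breach, so it counts for the user but not as a gap."""
    filter_gaps = Counter()
    offenders = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # malformed line: skip rather than guess at fields
        result, url, user = fields[3], fields[6], fields[7]
        host = urlsplit(url).hostname or ""
        cat = category(host)
        if cat is None:
            continue
        offenders[user][cat] += 1
        if not result.startswith("TCP_DENIED"):
            filter_gaps[host] += 1
    return filter_gaps, offenders
```

Feed analyse() a real access.log; hosts in filter_gaps are the sites to add to the filter, and offenders gives the per-user picture the article says should go to HR procedures.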

Compliance monitoring for inappropriate images typically consists of the following phases:

- Establish policies
- Define scope
- Perform asset discovery / identification
- Scan devices for illicit images
- Categorise images
- Perform detailed analysis and forensics
- Implement remedial activities, e.g. clean up, HR sanctions
- Management reporting

With the appropriate policies established, the first stage is to agree which areas of the business will be
scanned.

Those doing the review must have a clear understanding of what material is considered appropriate.
There will always be material that will be clearly inappropriate, but depending on the business, certain
images may be allowed. The categories and what action should be taken if images have been
discovered should be defined early on to facilitate the image analysis phase.

The asset discovery phase and actual image scanning can be automated using multi-source image
detection technology. These tools automate an extensive part of the data gathering and image
analysis work. They are installed on a PC and they remotely scan personal computers (laptops,
desktops), email boxes and networked user shares on file servers for inappropriate content. They scan
all files to identify if they are capable of supporting an image, i.e. not only typical image files such as
jpegs or bitmaps, but also files such as Microsoft Office documents. The images flagged as possibly
illicit are then viewed by an appropriately trained auditor and placed into one of the previously agreed
categories.
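An added example of the content-based scan described above (not the article's code or any vendor's product): files are identified by their leading bytes rather than their extension, so a renamed image is still flagged, and OOXML Office documents (.docx/.xlsx/.pptx) are opened as the zip containers they are so that embedded images are found too. The signature table and the sample files are constructed; categorisation of what is flagged remains the auditor's job.

```python
import os
import tempfile
import zipfile

# Constructed signature table: identification is by content, not extension.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF87a": "gif", b"GIF89a": "gif", b"BM": "bmp"}

def image_kind(head):
    """Return the image type implied by a file's first bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None

def scan_tree(root):
    """Walk root and report every image, standalone or embedded in an OOXML
    document (.docx/.xlsx/.pptx are zip containers) as (path, kind, member)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = image_kind(fh.read(16))
            if kind:
                findings.append((path, kind, None))
            elif zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        with zf.open(member) as m:
                            inner = image_kind(m.read(16))
                        if inner:
                            findings.append((path, inner, member))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed samples: JPEG renamed .txt, .docx with embedded PNG, text."""
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    with zipfile.ZipFile(os.path.join(root, "report.docx"), "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(root, "readme.md"), "w") as fh:
        fh.write("plain text, no image content\n")

def demo():
    """Scan the constructed sample tree; paths are returned relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.relpath(p, tmp), k, m) for p, k, m in scan_tree(tmp)]
```

Call demo() to see the two findings from the constructed tree; point scan_tree() at a mounted user share to run it for real.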

By following this approach, a detailed view can be generated that shows the different categories of
material found, together with its location and possible owners. Based on the findings, appropriate
remedial action can then be taken, such as the secure removal of the material through to the
assessment of affected systems for any further compromises by malicious software or individuals.

Appropriately trained individuals should always perform this work with agreement from management
to establish requirements, to preserve forensic information and ensure that appropriate remedial
action is taken. By taking proactive steps to enforce acceptable use policies, the need to deal with the
aftermath of unsuspecting employees being repeatedly exposed to illicit images may be avoided.

Brian O'Donnell, ACA, CISA is a Senior Manager in the Enterprise Risk Services group at Deloitte. He is
also a member of the ICAI IT Services Committee, and the President of the Irish Chapter of ISACA.
