Internet & Computer usage document

AHarvey

AHarvey

AHarvey

Soldato
Joined
6 Mar 2008
Posts
10,085
Location
Stoke area
Hi,

Wasn't sure where the best place to put this was...

We've had a ransomware attack at work due to a careless employee, the department in general is troublesome with internet, computer, email, phone and mobile usage.

There is a rather poor document in place explaining the restrictions and penalties for misusing these items and worse, there is no signatures stating it has been read and understood.

Does anyone have any examples based around the above and including data protection they wouldn't mind trusting me or sharing online?

Thanks in advance
 
What you're looking for is an acceptable use policy, by the sounds of it. Have a Google around, there are loads shared online and you should be able to hack together one general one, including Internet, email, phone, mobile device and data protection from the many that are out there.

The fact that no one has signed as having read the policy is a big problem, but one that's easily solved. All that needs to happen is for IT department to take ownership of the policy, and only give users their password when they have completed the process of reading and signing it. Current users can simply have their accounts disabled until they have signed, or passwords reset and no replacement issued until they are on the list of signatures.
 
KIA said:
Employees are easy scapegoats. :p

What could have been done to reduce the chance of infection?
Click to expand...

Simply put, the lad I had assigned to me, the old IT guy, didn't set the pc's up as he was told and didn't actually turned on the anti-virus. The user shouldn't have opened an email from an unknown email address with no text and definitely shouldn't have run the attached zip file... a user who claims to have a mum who is an expert in the infosec industry as well.. :(


Zefan said:
What you're looking for is an acceptable use policy, by the sounds of it. Have a Google around, there are loads shared online and you should be able to hack together one general one, including Internet, email, phone, mobile device and data protection from the many that are out there.

The fact that no one has signed as having read the policy is a big problem, but one that's easily solved. All that needs to happen is for IT department to take ownership of the policy, and only give users their password when they have completed the process of reading and signing it. Current users can simply have their accounts disabled until they have signed, or passwords reset and no replacement issued until they are on the list of signatures.
Click to expand...

Thanks, i'll have a look around and knock something up. Closing accounts isn't possible, mainly because there's no proper setup to do it remotely and the fact EVERYONE has the same login password :'(
 
Last edited:
AHarvey said:
Simply put, the lad I had assigned to me, the old IT guy, didn't set the pc's up as he was told and didn't actually turned on the anti-virus. The user shouldn't have opened an email from an unknown email address with no text and definitely shouldn't have run the attached zip file... a user who claims to have a mum who is an expert in the infosec industry as well..
Click to expand...

Forget anti-virus for a second. What protection do you have in place?

Email filtering?
Application white listing?
Privilege management?
Is there a budget for user training?
 
AHarvey said:
Thanks, i'll have a look around and knock something up. Closing accounts isn't possible, mainly because there's no proper setup to do it remotely and the fact EVERYONE has the same login password :'(
Click to expand...

The same login password? That needs to change.

Sounds like a workgroup setup rather than a domain as well, is this correct?
 
140 users over 4 locations, no server/domain/active directory/group policies. (+300 remote sales consultants with their own software/hardware)

Email is all done via cpanel.

I've been doing it since last July, by myself, after taking over from someone that didn't document anything (the guy that is helping me out as he works in another department now). We have a mixture of home/pro windows 7/8/10, couple of macs. It is a mess. They won't touch a windows server option until Azure starts managing domains the same way. They won't migrate to O365 due to the costs (£20k+ a year). They had no backup system in place, we now do and I've got some basic asset tracking, password tracking, procedures in place. I've raised the issue with passwords several times, especially as the head of departments/hr etc all have the same. They even had a single admin password that 40% of the company knew.

My problem is, 95% of my days is staying on top of the daily jobs that come in. It means it's taking far longer to get closer towards my goal of a professional (or as close as I can get) setup.

New PC's are being locked down, UAC up, AV up, Scripts to remove all the rubbish, email filtering I am looking at either at the CPanel side or at worst, the User side (thunderbird/outlook). I've had them agree to remove non work related website from being accessible, but I'm having to do this manually at the router for each site. I've finally had permission to change the admin password after this event.. and I'm even considering building a Samba server to use as a test so it's less likely they'll complain about the costs. I also need to find time for a complete security audit.

I love problem solving, which this job gives me plenty of, but sometimes I'd love a proper set up (it would make it easier to find a new job as well) :D
 
Last edited:
Find a new job. That place sounds terrible and if they won't give you any budget to fix it then you're never going to get anywhere.

A computer usage agreement is not going to solve any of your problems, it's a joke.
 
El Pew said:
Find a new job. That place sounds terrible and if they won't give you any budget to fix it then you're never going to get anywhere.

A computer usage agreement is not going to solve any of your problems, it's a joke.
Click to expand...

I am looking, mainly due to the pay being 50% lower than it other companies doing the same thing, but not having experience with the basic things because they are missing from this job, Active Directory etc is causing issues, time to train outside of work is limited as well.

But, that doesn't mean I'm not going to leave this place in a much better state than I started. They are investing slowly but surely, I've just learnt to drop hints to the right people to request changes instead of doing it directly. :)
 
You must log in or register to reply here.
Back
Top Bottom