System Admin Followup

We do the same as Zac's company. From an IT standpoint there are too many issues with leaving it wide open such as:

1. Bandwidth consumption - You have the potential for users to stream video, download non-work related media, etc. About 4 years ago I turned off the ability to instant message, stream video, and go to sites known for downloading media. This cut our bandwidth usage in half, reducing the cost of doing business by ~$10,000/year.

2. Just because each workstation/server has AV loaded, there is always the chance that the latest and greatest virus will bypass it. Minimizing the sites that users can go to will minimize the risk of getting a virus from the browser. We recently had a situation where a remote employee who had AV loaded on his laptop, but wasn't connected to the firewall and its content filtering, went to a site and gave them his company credit card information because it told him he wasn't protected (no comment). Content Filtering would not have allowed him to go to this site.

3. Just because "everyone should be a grown up" doesn't mean that they are. Last year we had to fire a temporary employee for repeated internet usage of trusted sites. Prior to the firing he was given a warning, to which he replied, "I didn't know I wasn't supposed to do that".


Exceptions can always be made through the firewall. Our HR department needs access to YouTube, Facebook, Twitter, etc., so those individuals are able to get to those sites.

If you've ever had a security audit on your system (We've had 2) you'd know that best practice says to proactively lock down the internet completely and only give access to what is needed, as it's needed. I don't want to deal with the fallout (complaining from users, more work for me, etc.) which is why we do a hybrid.

Also, make sure to inactivate the rights for executing IE for users/computers that don't need access to the internet. We have workstations scattered throughout the plant that are used by supervisors to check email and run their equipment. They don't need internet access so they belong to a GPO that restricts IE.


Jennifer Mesiano
IT Director
Walton Signage


--- In vantage@yahoogroups.com, Zac Jason Woodward <zac@...> wrote:
>
> Bandwidth shaping needs to be done per your own business' needs. Our choice was to route all internet traffic through a content filter and an AV scanner, making sites that are known security risks unavailable. If somehow there is a false positive, all they have to do is call or shoot off an email to have that site whitelisted.
>
> "Zac" Jason Woodward
> Network Administrator
> Intermountain Electronics, Inc.
> O: 877-544-2291
> M: 435-820-6515
> F: 435-637-9601
> www.ie-corp.com
>
> Creating customer confidence through extraordinary service and experienced industry experts.
>
> From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf Of Barbara Hemme
> Sent: Tuesday, March 13, 2012 7:09 AM
> To: vantage@yahoogroups.com
> Subject: [Vantage] System Admin Followup
>
>
>
> What is your internet usage policy? Do you allow total internet access for those in the office? Do you only allow certain sites?
> We are gathering this info to determine whether or not we need a second IT person.
>
>
What is your internet usage policy? Do you allow total internet access for those in the office? Do you only allow certain sites?
We are gathering this info to determine whether or not we need a second IT person.


Yes, allow full internet access to everyone. This is 2012; if your
employees are not adult enough to understand what's right and wrong then
you have bigger problems. Study after study has shown that repressing
internet access just leads to frustration. We leave it wide open and they
can do whatever they want on the internet as long as they are getting their
work done. If that means that they spend 8 hours on Facebook but somehow
still manage to get 8 hours worth of work done, then who am I to question
their habits?

Jose C Gomez
Software Engineer
Check out my new blog: http://www.usdoingstuff.com
T: 904.469.1524 mobile
E: jose@...
http://www.josecgomez.com

*Quis custodiet ipsos custodes?*



On Tue, Mar 13, 2012 at 9:09 AM, Barbara Hemme <bhemme@...> wrote:

> What is your internet usage policy? Do you allow total internet access for
> those in the office? Do you only allow certain sites?
> We are gathering this info to determine whether or not we need a second IT
> person.


Bandwidth shaping needs to be done per your own business' needs. Our choice was to route all internet traffic through a content filter and an AV scanner, making sites that are known security risks unavailable. If somehow there is a false positive, all they have to do is call or shoot off an email to have that site whitelisted.

"Zac" Jason Woodward
Network Administrator
Intermountain Electronics, Inc.
O: 877-544-2291
M: 435-820-6515
F: 435-637-9601
www.ie-corp.com

Creating customer confidence through extraordinary service and experienced industry experts.

From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf Of Barbara Hemme
Sent: Tuesday, March 13, 2012 7:09 AM
To: vantage@yahoogroups.com
Subject: [Vantage] System Admin Followup



What is your internet usage policy? Do you allow total internet access for those in the office? Do you only allow certain sites?
We are gathering this info to determine whether or not we need a second IT person.

We have a firewall/proxy appliance in place. To my frustration we block gambling, porn and phishing sites. Other than that, it’s wide open 24/7.

I completely agree with Jose’s comments. It’s fine to leave the floodgates open.... but trackable. Have a question/concern/curiosity? Check the logs. Furthermore, ensure that all employees are cognizant of the fact that they ARE being tracked. That in itself should be sufficient... otherwise, our unemployment rate is still high. So bye-bye employee and you have 400 others waiting to do a better job, cheaper.

From: Barbara Hemme
Sent: Tuesday, March 13, 2012 9:09 AM
To: vantage@yahoogroups.com
Subject: [Vantage] System Admin Followup



What is your internet usage policy? Do you allow total internet access for those in the office? Do you only allow certain sites?
We are gathering this info to determine whether or not we need a second IT person.

Other than addressing direct security concerns, ours is wide open. Jose was exactly right: things will get frustrating fast. Our IT guy went all Hitler on us a while back and blocked everything from YouTube to Craigslist. Well, most of us here had legitimate business needs to go to both, and too many other places a person couldn't anticipate (more and more companies are publishing their product demos to YouTube). So now we are back to a wide open policy, though I do think they do some random monitoring now and then. I just make sure what I view is so repulsive they'll think twice before looking over my shoulder again...


Rob Bucek
Production Control Manager
PH: (715) 284-5376 ext 311
Mobile: (715)896-0590
FAX: (715)284-4084

From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf Of Barbara Hemme
Sent: Tuesday, March 13, 2012 8:09 AM
To: vantage@yahoogroups.com
Subject: [Vantage] System Admin Followup



What is your internet usage policy? Do you allow total internet access for those in the office? Do you only allow certain sites?
We are gathering this info to determine whether or not we need a second IT person.

We, like others, have an appliance in place that monitors employee usage of
the Internet. If someone is complaining that they do not have enough time
to do their job and they have been surfing the net (not for business) while
at work, we will evaluate the need for their services. Like Vic said, we
have a high unemployment rate and there are many others waiting to take
their place.



Beth Rye

IT Director

CIGNYS
Email: brye@...



***ITAR NOTICE***

This e-mail and/or the attached documents may contain technical data within
the definition of the International Traffic in Arms regulations, and are
subject to the export control laws of the US Government. Transfer of this
data by any means to a foreign person, whether in the US or abroad, without
an export license or other approval from the US Department of State, is
prohibited. No portion of this e-mail or its attachment(s) may be reproduced
without written consent of CIGNYS. If you are not the intended recipient or
believe that you may have received this document in error, please notify the
sender and delete this e-mail and any attachments immediately.



From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf Of
Barbara Hemme
Sent: Tuesday, March 13, 2012 9:09 AM
To: vantage@yahoogroups.com
Subject: [Vantage] System Admin Followup






What is your internet usage policy? Do you allow total internet access for
those in the office? Do you only allow certain sites?
We are gathering this info to determine whether or not we need a second IT
person.

I do not currently manage any actual office IT system, however I have both
managed and been managed at previous employment. I have always felt that it
depends on your employees, and your network.

First off, if your employees are salaried, then that's different than if
your employees are hourly. I feel an hourly employee should have more
blocked than a salaried employee because time wasted is more of a direct
money wasted situation.

Streaming video and audio along with file sharing and file size limitation
on download will cause a pretty severe network hit if there are too many
people on those types of sites, I include YouTube and the like when I am
talking about those video sites, even if it's not actually "streaming". I
also include instant messaging programs in that unless there is one specific
one you have standardized on for employees, then leave that one and only
that one open for them.

Sure, there is some stuff that is put up there that has legitimate business
purposes, but how many standard office drones really need access to that?
Some managers sure, or maybe training rooms, but an everyday employee... I
don't see a ton of value in leaving it all completely open for everyone all
the time.

I think there is also a big security aspect to having filtering in place,
there are lots of users that check personal email and get spam and click on
links that could potentially infect both their work computer, as well as
your entire network, regardless of how good your AV Software and Firewall
might be, there is always that risk and mild inconvenience to an employee's
entertainment is better than needing to spend my own time or my IT
department's time cleaning up user PCs and potentially servers from
infection, and heaven forbid something crucial gets destroyed, taken
offline, hacked, or any other number of things because of end user ignorance.

I think a good amount of filtering is good, and you can always open up a
site if there is an actual business need and the site has been blocked by
the system you have in place. I am also a proponent of timed blocking. Maybe
social media and video sites are blocked from 8-11 and 1-6 for a standard
office, but opened up from 11am to 1pm and after 6pm until 8am to allow
people to access those sites on their lunch breaks and if they happen to be
staying late or working on a weekend.

In terms of the shop floor, I think those need to be more tightly controlled
than an office computer due to its location, and providing a computer or 2
in an employee or break area with full access is acceptable as well for
people who need to or want to check something at some point in the day.

Sure, you can go too far, but remember, this is work time, not personal
time, someone might be frustrated, but they can deal with it or get approval
for access if they actually need it for their job, there's little of actual
importance out there that they "need".

I do a lot of remote work.
I know there are firewalls & some site blocking but for the most part the internet at each location has been open.

I have wondered if some kind of QoS might not be a good idea.

My remote connections regularly slow at the same times as the companies' lunchtimes, breaks and late afternoons.



--- In vantage@yahoogroups.com, "Bethany Rye" <brye@...> wrote:
>
> We, like others, have an appliance in place that monitors employee usage of
> the Internet. If someone is complaining that they do not have enough time
> to do their job and they have been surfing the net (not for business) while
> at work, we will evaluate the need for their services. Like Vic said, we
> have a high unemployment rate and there are many others waiting to take
> their place.
>
>
>
> Beth Rye
>
> IT Director
>
> CIGNYS
> Email: brye@...
>
>
> From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf Of
> Barbara Hemme
> Sent: Tuesday, March 13, 2012 9:09 AM
> To: vantage@yahoogroups.com
> Subject: [Vantage] System Admin Followup
>
>
>
>
>
>
> What is your internet usage policy? Do you allow total internet access for
> those in the office? Do you only allow certain sites?
> We are gathering this info to determine whether or not we need a second IT
> person.