Sunday, March 28, 2010

The Accidental Expert

James (Duck) Howard

Master of Science in Information Assurance student.

This can be complicated, so allow me to provide some background. I am employed as a contractor serving as an Information Assurance Officer (IAO) for the United States Air Force (USAF) in the Air Force District of Washington (AFDW). As a Department of Defense (DoD) information technology entity, my unit receives inspections by various DoD and USAF entities. Recently, my unit was inspected twice by the Defense Information Systems Agency (DISA). The first inspection was for one of the bases that our unit manages, and the second inspection was a newer, more intrusive inspection for our other two bases.

Our first inspection was in early September of last year, about two weeks after I finished Seminar 3 (Prevention-Human Factors) in the MSIA Program. As you may know, Seminar 3 is policy-intensive. Please keep in mind I have never considered myself a “policy guy”. I am much more comfortable with technology and technology architecture. But my new boss decided to make me the point of contact for the DISA inspectors about local policy. Admittedly, I was a bit nervous, but I resigned myself that this might be a good test of my policy skills, and even the training I was receiving through the MSIA program.

The DISA inspector arrived on the second day and spent a good deal of time asking me about where we store our policies and how available they were to our clients. He asked if we enforced Rules of Behavior and how we monitored and maintained policy compliance. And like any good auditor, whenever I answered him, he would follow up with “show me”. He went down a checklist of policies all DoD bases and commands were to maintain, and after about an hour of (sometimes grueling) questions, he thanked me for my time and left. I felt like I had just run a marathon.

That was literally the last time I heard anything about the DISA policy review.

Until late October, when the second DISA inspection was ready to begin; early one late October morning, I received a call from my boss. He wanted me to again serve as the point of contact for the DISA inspectors for local policy and initiatives. I protested at first, stating that I was not a “policy guy”.

My boss cut me short and said “That’s too bad, Duck, because you were the only guy to get 100% on the last DISA inspection, so you are now indeed The Policy Guy here…”

Occasionally in life, you have an epiphany, an eye-opening experience where you realize you have turned a corner in life. I had one such moment in October last year, and I have the MSIA program to thank for that. I have been given greater responsibilities at work in large part because of my personal and professional growth from what I am learning in the MSIA program. This story is a small, unclassified example of such an experience at work.

Oh, and we did very well in our second policy review as well.

Last week’s quiz question

What 2010 Olympian from Vermont gained unfortunate notoriety at the Turin Olympics and why?

Answer: Lindsey Jacobellis. Jacobellis was in the lead of the woman’s snowboard race when she hotdogged the last jump by grabbing her board and crashed. More than one person said Hannah Teter because of her Sports Illustrated Swimsuit photos before Vancouver. However, the question asked for someone who gained notoriety at the Turin Olympics, rather than the Vancouver Olympics. But since nobody got my intended answer, I decided to loosen up my standards a bit an accept Hannah Teter.

Winner: Dianne Tarpy

This week’s question:

What Norwich University sports team won its respective NCAA Championship in 2010?

Please send all answers to: jorlando@norwich.edu

Current competition standings:

Matt Bambrick: 3 wins

Andrey N. Chernyaev: 2 wins

Dianne Tarpy: 2 wins

Sam Moore

Autumn Crossett

Gil Varney, Jr.

Glen Calvo

Thomas Reardon

Sherryl Fraser

Srinivas Chandrasekar

Marc Ariano

Linda Rosa

Joanna D'Aquanni

Bill Lampe

Srinivas Bedre

Christian Sandy.

Sunday, March 14, 2010

Images of Town Meeting

Vermont is one of the few places in the world that still has the old fashioned Town Meeting. Town Meeting day is a state holiday, and many people who don’t have off take vacation day to attend it.

I thought you might like some images of Town Meeting.

Last week’s quiz question

What do Vermonters call an area of maple trees that is tapped for maple syrup?

Answer: A Sugarbush (A maple syrup-making operation is called a “sugaring” operation, and the building that makes it a “Sugarhouse” or “Sugarshack”).

Winner: Christian Sandy.

This week’s quiz question
What 2010 Olympian from Vermont gained unfortunate notoriety at the Turin Olympics and why?

Send your entries to jorlando@norwich.edu

Current competition standings

Matt Bambrick: 3 wins
Andrey N. Chernyaev: 2 wins
Dianne Tarpy
Sam Moore
Autumn Crossett
Gil Varney, Jr.
Glen Calvo
Thomas Reardon
Sherryl Fraser
Srinivas Chandrasekar
Marc Ariano
Linda Rosa
Joanna D'Aquanni
Bill Lampe
Srinivas Bedre
Christian Sandy.

Wednesday, March 3, 2010

Balancing Productivity and Privacy: Electronic Monitoring of Employees

David Lease

In MSIA Seminar 4 there is always a healthy debate over electronic monitoring of employees because of the natural conflict between employers’ property rights, security needs, liability concerns, and mandate for organizational effectiveness, and employees’ privacy rights and perceptions of fairness and organizational justice.

E-mail, the Internet, and other technologies we use every day provide great opportunities to improve employee productivity and organizational profitability, but they can also pose realistic threats to organizational effectiveness and security. For example, business e-mails can be concise, quickly composed, and instantly transmitted, thereby improving organizational effectiveness when they replace formal memos and letters. Unfortunately, e-mail can also waste resources when employees spend hours e-mailing family and friends. E-mails can also compromise security when they contain (inadvertently or otherwise) company confidential or other sensitive information. The Internet, like e-mail, can also serve to improve organizational effectiveness when used to conduct company-related e-commerce and business-to-business (B2B) transactions. Conversely, the Internet can reduce productivity when employees surf the Web, shop for personal items, and download files and programs for personal use (including the occasional virus, keystroke logger, or other malware).

Electronic monitoring (content filters, e-mail scanners, etc.) products are readily available. Global positioning systems (GPS) and biometrics enable organizations to accurately and cost-effectively track worker movements in the office, in the field, and on the road. By using GPS sensors in company-provided cell phones and cars, infrared LED ID badges, and biometric touch-pads, employers can know whether a trucker is deviating from a prescribed route, whether a receptionist is taking too long for a lunch break, whether an outside salesperson really is calling on customers, and even whether a food handler washed his hands after going to the restroom.

In my experience, I’ve found that electronic monitoring in the workplace has become as ubiquitous as electronic communications and that many employees have come to expect it (if not accept it). Nevertheless, I’ve also found that many employees are surprised and alarmed about the extent of electronic monitoring of their workplace activities, with a significant percentage quite convinced that it is illegal for employers to engage in such monitoring. Employees often view electronic monitoring of their behavior as an unwarranted invasion of their right to privacy and as fundamentally unfair.

For organizations considering electronic monitoring of employee use of e-mail and Internet assets, I recommend that they develop a comprehensive, written policy on employee use of the Internet and e-mail as well as on company programs of electronic monitoring. This policy should communicate the rules for personal use of e-mail and Internet assets – what is allowed, what is not allowed, and the rewards and penalties for following the rules. The monitoring of employee e-mail and Internet use is much less of an issue when there is a clear understanding of expectations – for both the employer and the employees – and when the guidelines are relevant to the organization, its culture, and the technology it uses.

This type of “expectation setting” is the sort of information that is often found in an “acceptable use policy” for e-mail and Internet assets. Acceptable use policies are not new; many organizations have adopted them and examples can be found readily on the Internet. As argued by Stewart (2000), “often the mere existence and promulgation of a clear [emphasis added] policy is enough to stem most forms of Internet access abuse” (p. 50). However in my experience, acceptable use policies are effective only when they are clearly communicated and when the policies are integrated with the organization’s overall strategy, vision, and culture.

Reference:

Stewart, F. (2000). Internet acceptable use policies: Navigating the management, legal, and technical issues. Information Systems Security, 9(3), 46-52.

Last week’s quiz question

When you come to Residency, you want to take your kids to what museum located in Norwich, Vermont?

Answer: The Montshire Museum of Science. http://www.montshire.org/. We guarantee that you and your children will enjoy this experience. Make sure to bring a change of clothes for small children who will get wet in the outdoor water park.

Winner: Srinivas Bedre wins a leather bound instruction manual on how to navigate dirt roads during mud season.

This week’s quiz question

What do Vermonters call an area of maple trees that is tapped for maple syrup?

One lucky winner drawn at random from correct entries will receive a special edition CD training program on how to identify the 76 native varieties of mud found in Vermont.

Send your entries to jorlando@norwich.edu