miércoles, septiembre 02, 2009

Los filtros de contenidos deberían ser más listos...

A continuación reproduzco un artículo bueno sobre la conveniencia de sofisticar los filtros de contenidos, hoy muy básicos y con filosofía "café para todos y para todo"...

Towards a Kinder, Gentler Big Brother

Walk softly and carry an array of small sticks could be the motto for the HR professional charged with acceptable usage policy. Users are sophisticated about technology. Connectivity is ubiquitous. Web applications are now popular business tools and there is a rich and growing supply of content contributing to a more productive, customer-oriented workforce. It’s time to put away the big stick of one-size-fits-all Internet policies.
Users were once expected to do their jobs within the parameters of an Acceptable Internet Usage Policy (AUP) designed to block pornography, hate content, surfing on corporate time, spam, viruses, spyware and phishing, and to ensure regulatory compliance. While users may have groused about being blocked from X, Y, and Z site, HR and IT gave them no choice. Big Brother was watching, protecting the enterprise his numero uno priority.
But then the web browser went from being an extension of the desktop to become the desktop, at least metaphorically. Now we have more Web-based applications, peer-to-peer voice and video, IM, job and networking sites such as LinkedIn, and the YouTubes and MySpaces--and fewer desktop solutions. The Web has grown in breadth and complexity of content, making the decision to allow or deny a far more nuanced proposition. Users have found ways of getting around older static Web Filters and simplistic proxies by downloading proxy-avoidance software.
Securing the enterprise from the deluge of ever-changing threats and servicing users increasingly dependent on the Web may seem like mutually exclusive endeavors. Granular policy making helps HR and IT strike a balance. Granular policy setting allows HR and IT to meet enterprise security and user requirements case-by-case using multiple triggers such as time, user, IP address and content-based policy filters. Sports, shopping, and other “non-business” sites may be appropriate before and after work hours for different user groups. Blanket blocking of career sites is one way to prevent brain drain, however HR needs access, and allowing your marketing staff to mine LinkedIn and other career sites for competitive intelligence is good for the bottom line.
A granular approach allows IT to selectively allow certain web sites and deny specific content within that website for individual users or user groups, depending on their jobs and information needs. Picture the executive assistant who can’t make the CEO’s plane and hotel reservations because IT has blocked her (and everyone else in the company) from travel sites. Since executables can be spyware and also updates from software providers, how do you tell the difference? Should streaming video and audio be blocked from entertainment sites? Do you also block streaming media from a financial site?
A flexible usage policy applies to “personal business” as well. The CEO who can’t access a sports site to find out the final score of a football game is likely to be just a teensy bit annoyed with IT. The receptionist who keeps leaving her post to chat with colleagues may be more likely to stay in her desk if she has at least limited access to YouTube. The same company would possibly be better served if the hourly contract employee emailing his buddies throughout the day were blocked from Web-based email sites.
Customization Ensures Global Compliance
The gentler approach to policy setting also enables enterprises to comply with a complex array of government regulations and privacy laws. In the U.S., regulations abound. Some are national-- Sarbanes Oxley (SOX), the Gramm-Leach-Blilely Act (GLBA) and HIPAA (Healthcare Insurance Portability and Accountability Act) and SEC 17; others, such as California¹s Security Breach Information Act, are state-mandated. The terrain gets even more complex for companies doing business internationally, and the ability to implement country-specific policies can mean the difference between compliance and expensive fines. All countries have distinctly different privacy laws, requiring customized Web policies.
In Germany, everything users communicate is considered private unless the user has specified it’s not. This poses challenges for monitoring web and email usage. But even putting aside legal restrictions on Internet security for a moment, does it make sense to intercept encrypted traffic between an employee and a respected shopping site such as Amazon? How about to an unknown or suspicious website? The Web policy solution system you use should allow you to differentiate from among the category of websites, enabling you to allow access where and when appropriate and preserving bandwidth used to filter what is essentially benign web usage.
Many organizations block streaming video as a general policy. But streams from a financial website may provide valuable information for the user depending on his or her job. YouTube is a more obvious productivity and bandwidth drain and should be blocked for most users--but perhaps not for your marketing staff who may want to use YouTube for marketing purposes.
Again, the ability to define policy based on multiple simultaneous parameters is the key. Are you able to associate a given policy with this user at this PC at this time using this browser, visiting this web site, downloading this type of file? This level of granularity is essential to defining an AUP suitable for the ever-changing Web environment.
The kindler gentler big brother communicates with users. The tenor of the conversation between HR and users should be friendly, not authoritarian. Automated alerts triggered by a policy filter help inform employees about usage policies. If a user attempts to access a blocked site, for example, the alert should explain the policy and any exceptions to that policy—for example, limited access to shopping sites outside of business hours. When an executable has been blocked and the rest of the requested content allowed, the user needs to know. Personalized alerts change user behavior. The employee who wiles away the hours on eBay may think twice about getting on eBay again if she knows IT and HR are aware of her activity.
And yet, it’s important to treat users like mature, discerning adults, allowing them to make their own decisions. Rather than a blanket policy of blocking sports, travel, auction, and shopping, a much better approach is to present users (exempting CEO, perhaps) with a message that asks them to consider the productivity merits of visiting sports sites or eBay during working hours. Provide them with a link to the AUP for more information. Then allow access. If enterprises must exercise control, and indeed they must, let Big Brother walk softly.

No hay comentarios: