May 24

External as well as Internal Security

It has been quite some time that I have been writing this blog. Most of the time I have been writing thoughts, POV (point of view) pieces, or sometimes just posting useless YouTube videos.

Now I have decided to put this blog to some constructive use. Since all of my friends, including you, are working in companies which have established themselves in their markets, are now stable and have their own processes in place, who could be a better lot to pose my problems to?

So henceforth I will be posting my business problems, my dilemmas as well as ideas to this open forum for the best 'consulting' advice as well as brainstorming.

Problem Backdrop:

From an initial 2 employees in June, we have grown to 15 employees, with an average of 3 years of experience in the industry. Most of my employees are from technical backgrounds and have been in the web development industry for a considerable time. Compared to them, my experience in this industry is practically nil.

Now we are planning to move to a new office: nothing great, just a rented but bigger office. I want to mark this move to a bigger office as a progressive move. We are growing bigger and better. I also want to implement certain processes, such as a well-defined HR policy (total number of leaves, casual leave, sick leave, etc.) as well as policies to ensure data security.

Getting Closer to the Problem:

Until now we were a small team, so essentially everyone has access to our web servers, the code libraries, etc. Since internet in India is unpredictable, my employees are used to taking the code home on pen drives and uploading it from their own machines to the web server because of US client delivery pressure.

Till now these things were fine, as we were getting small projects from individuals in the US. But now we have started on a few medium-sized projects which kick off with a Non-Disclosure Agreement (NDA) as well as a Contract of Copyright assigning all the code written as the Intellectual Property of the client. Now, since my employees have the code and they copy it and take it home, it is in some sense an infringement of the contract. But till they don't sell it, it's OK.

Now I want to incorporate a policy to ensure that our as well as the client's intellectual property stays safe. How do I ensure security against external parties as well as internal staff?

As an organisation, we want to stay young, open and entertainment-oriented. We openly support streaming YouTube songs, humour videos during lunchtime, etc.

So we don't want to cut down internet access.

We are sceptical about employee morale once we block personal email sites like gmail.com and hotmail.com. Should a young company like us do that?

Should we disable the USB ports so that they cannot copy files to a storage device?

One thing is for sure: we are now authorising only one person with access to the web server, so uploads to and downloads from that server can be restricted as well as made accountable.

But what other steps should be taken to ensure zero liability for any contract infringement by our employees or ex-employees?

Please help me out with this, because time and again I will keep writing to you with my queries.



Author: Sid

6 Comments

Jack
May 24, 2008

I would not recommend the use of a Group Policy-deployed registry key to protect USB storage, because that only works for known devices (try connecting a USB pen drive that has never been connected, and the key that offered protection is changed back to start automatically; well, it also depends on how you set your user account permissions).
I would recommend the use of software specialized for the purpose, such as USB Lock RP, which can be seen and tested at http://www.advansysperu.com. This is a really easy-to-manage and effective solution.
We use it for 40 PCs (works great). When we ordered, the installer arrived customized with our company logo. Excellent service and support from Advanced Systems. I really recommend it because we tested like 5 other solutions, and have to say the Advanced Systems product pricing and support was far better.

Suvagata Roy
May 25, 2008

You can set a policy from the server in which you can restrict the privileges given to your employees.

Data security is a critical issue, especially when working with sensitive client data, so I think that at the cost of employee morale you can restrict access to mail sites while retaining access to social networking sites. I am sure your employees will understand. And I think it's critical to implement these policies at an early stage; later, when you grow larger, it can become a real challenge to change the work practices which have developed.

Arnab Kumar
May 26, 2008

There are broadly two or three aspects to the problem at hand:
a) How to ensure compliance with the NDA and the Contract of Copyright, in view of the current practices of the firm?
b) How to seamlessly bring about the changes in the culture of the firm and at the same time ensure that the morale of the employees remains high?
c) (Minor one) What kind of restrictions have to be imposed on the unlimited internet access of the employees?

One thing is for sure. The practice of taking the code home on a pen/USB drive has to go away. The clients that the firm is currently dealing with will never approve of this. Invoking a complete ban on USB drives would be rather harsh. The firm should devise a strategy that would obviate this necessity. One of the strategies would be to develop a central source control system with an embedded development GUI. All the necessary tools for development and testing can be merged with this GUI. This GUI can be a lightweight application. Employees will have access to their development area through a simple login system. And all it would take for the development process is to take a copy of the source code in the GUI, modify it as per requirement and then merge it with the source code. New code lines can be developed in the GUI and merged with the source code. This way, the employees will have access to the code both from the office as well as from home (through a secure tunnel like a VPN). Regarding the only loophole in this, that the current employee still has unlimited access to the code, a certain level of trust is required on the part of the firm. This continued faith in the employees in the wake of the new changes will ensure that the employees are not policed beyond a certain limit.

About the morale of the employees: since this firm is a very small one, whatever changes are introduced should be brought about taking the employees into full confidence. The firm should make the employees aware of the situations that warrant such changes and also brief them about all the aspects of the changes. This will make sure that the firm is transparent, and will reflect the fact that the firm has full trust in its employees. These steps in return ensure full cooperation from the employees.

Regarding the unlimited internet access, I think that completely banning access to personal email sites and other entertainment sites would be detrimental. Again, the question of trust comes into the picture. Does the firm think that if it allows the employees unlimited access, it would adversely affect productivity? Rather than issuing a blanket ban, the firm can monitor the usage of the personal and entertainment sites. If the firm thinks that the average usage is beyond a threshold, measures like deliberately slowing the internet (at the same time ensuring that the intranet works fine) will help.

One thing to keep in mind, though, is the acceptability of these practices to the clients the firm is currently negotiating deals with. If the tangible benefits from the new business flowing (and expected to flow) to the firm in the near future are pretty good, but it requires stricter policing, the firm should apply strict policing codes. Although in the short term this might prove counterproductive, this will definitely help in the longer run.
Remember, firms operate to earn profit. Intangible benefits like employee satisfaction, freshness of work culture etc. do matter, but what matters the most is the last line on the P&L statement. They don't call it the bottom line for nothing.

On the lighter side, this concept of posting real-world consultancy challenges is pretty good. Looking forward to more such challenges.

Arnab

Siddharth Goyal
May 26, 2008

Arnab and Suvagata, thanks for your feedback.

While there are a lot of solutions which do make sense for my company, one aspect that was largely not brought to light was the monitoring cost.

Currently we are closing on breakeven, and monitoring/security measures all come with their implementation as well as maintenance costs.

So can you shed some light on those? Currently what we have done is assign only one guy who can upload code, and that too within the office premises. If the internet is down, I personally upload the files from home.

But again, the obvious problem with this setup is scalability, especially when certain uploads take around 1.5 hours each.

What kind of manpower (networking engineers) will I need to implement your solutions? Would that be a one-time cost or a recurring cost?

Do I need to hire one permanently to monitor the activities?

Ved
May 28, 2008

A few solutions will take care of your problem.
- Install a proxy. Restrict domains like gmail.com and orkut.com but allow google.com.
- Don't block USBs, but install a fingerprinting service on desktops and laptops. This service makes sure nothing is copied to USBs.
- DVD/CD writers on laptops and desktops are just stupid.
- Block messenger traffic, but make sure you have an internal messenger that works within your network. Collaborative messengers are very productive.
- Unlimited net access: yes. Unrestricted net access: no.
- Fingerprint the machines for pirated software or books/mp3s.
- Install internal newsgroups for information exchange.
Everything I listed above comes for free. All the tools can be installed in no time, even by a novice.
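As an added illustration of the first item in the comment above (restrict gmail.com and orkut.com but allow google.com), here is a small Python check of the kind a proxy applies to each requested hostname. It is example code, not from the post or from any commenter; the deny list and the sample hostnames are constructed for the example. It uses suffix matching, the way a proxy's domain ACL treats a rule as covering a domain and all of its subdomains, rather than a plain substring check, and it shows one caveat a practitioner would want to know: the Gmail web interface is served from mail.google.com, which a rule on gmail.com alone does not cover, so the deny list needs that hostname too if the goal is to block webmail while keeping google.com reachable.

```python
"""Domain-based proxy allow/deny check (added example, constructed data).

A rule 'gmail.com' covers gmail.com itself and every subdomain of it,
which is how proxy domain ACLs are normally evaluated.
"""

# Constructed deny list, following the comment's suggestion.
DENY_DOMAINS = ("gmail.com", "orkut.com")

# Constructed sample of hostnames a proxy might see in a day.
SAMPLE_REQUESTS = [
    "www.google.com",
    "gmail.com",
    "www.gmail.com",
    "mail.google.com",        # Gmail web interface lives here, not under gmail.com
    "www.orkut.com",
    "notgmail.com",           # must NOT match: different registered domain
    "gmail.com.example.net",  # must NOT match: 'gmail.com' is only a label prefix
]


def host_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    Comparison is case-insensitive and ignores a trailing dot, so
    'MAIL.GOOGLE.COM.' is treated like 'mail.google.com'. A leading dot
    on the rule (Squid-style '.gmail.com') is accepted and ignored.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def is_blocked(host: str, deny_domains=DENY_DOMAINS) -> bool:
    """Deny if the host falls under any denied domain; allow otherwise."""
    return any(host_matches(host, d) for d in deny_domains)


def classify(hosts, deny_domains=DENY_DOMAINS):
    """Map each hostname to the verdict 'deny' or 'allow'."""
    return {h: ("deny" if is_blocked(h, deny_domains) else "allow") for h in hosts}


def naive_blocked(host: str, deny_domains=DENY_DOMAINS) -> bool:
    """The substring check people are tempted to write; shown for contrast.

    It wrongly denies 'notgmail.com' and 'gmail.com.example.net'.
    """
    return any(d in host.lower() for d in deny_domains)


if __name__ == "__main__":
    for host, verdict in classify(SAMPLE_REQUESTS).items():
        print(f"{host:26} {verdict}")
    # Extending the deny list is what actually blocks the Gmail web UI:
    print("mail.google.com with extended list:",
          is_blocked("mail.google.com", DENY_DOMAINS + ("mail.google.com",)))
```

Running the script shows www.google.com, mail.google.com, notgmail.com and gmail.com.example.net allowed, and gmail.com, www.gmail.com and www.orkut.com denied; adding mail.google.com to the deny list is what closes the webmail gap without touching google.com itself.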

Arnab
July 19, 2008

Hey Sid,
Any success with the solutions that I had suggested?

