“Virtue is more to be feared than vice, because its excesses are not subject to the regulation of conscience.” – Adam Smith
Which would you rather have? Employees who:
1. Do what’s best for the business. Or,
2. Follow all policies and procedures.
What’s that? Breaking the rules is bad for the business? Sure — I read about a company like that once. In a work of fiction.
Even the best policies are one-size-fits-many solutions to anticipated situations. They don’t always fit the world as it actually happens. When a company places too much emphasis on its policy manual, it’s a stifling, choking bureaucracy. Count on it.
That doesn’t mean employees should ignore the rules whenever they’re inconvenient, though. Unless, that is, your business model requires utter chaos, and not everyone runs an advertising agency.
Striking the proper balance is far from easy. Still, I’m pretty sure that making every policy violation a firing offense is about as sensible as making jaywalking a felony.
Which brings us back to desktop lockdown and information security in general.
Last week’s column laid out some steps you can take to improve security. Desktop lockdown was conspicuous by its absence, which led a number of readers to conclude that I favor leaving PCs wide open, so end-users can do whatever they want. That’s far from the case.
I covered this ground ten years ago, in the original “End-user Computing Manifesto.” It’s overdue for an update. Here goes:
- Where IT has established a standard, end-users must accept it. If you’ve settled on Microsoft Office, for example, nobody has the right to insist on StarOffice instead, any more than they can insist on using a different voice mail system from the rest of the company. IT will, however, find out what it is about the official application that makes it so seriously deficient that buying an alternative seemed like a good idea.
- Where IT hasn’t established a standard, the right of end-users to purchase and install software depends on the nature of their jobs. Some procedure-driven jobs have tight boundaries. PCs just happen to be the programmable platform IT gives employees to run the fixed set of applications that drive the process. Lock these PCs down tight. Other jobs require flexibility, innovation, and an emphasis on goals over technique. Give employees in these jobs more latitude. When in doubt, the business manager makes the call, not IT.
Exception: IT will maintain a “blacklist” of disallowed software that’s known to contain either malware, serious security holes, or severe bugs. Automated software inventory tools will regularly scan PCs to detect newly installed software, and IT will research any new packages to determine whether they should be added to the blacklist.
- IT promises no support for end-user-installed software, but may choose to help out as time and staff are available.
- IT will never say, “We don’t provide this kind of tool and we won’t let you buy it either.”
- If a PC goes haywire, IT will recover its data if possible, and restore it to a standard build.
- End-users will never be given administrative access to a shared resource that’s maintained by IT.
- IT will provide suitable tools and support for end-user software development.
- IT will never say, “We won’t build it for you, and we won’t let you build it for yourself either.”
- If an end-user develops an application that is redundant to an existing IT-supplied application, IT will give that employee’s manager the old hairy eyeball. It will also find out what about the official application is so seriously deficient that building an alternative seemed like a good idea.
- Responsibility for the accuracy and integrity of applications developed (or purchased) without IT’s involvement rests with the business manager. IT will provide training for business managers on how to manage small-scale application development and maintenance.
- IT and internal audit will provide consulting and review services for end-user-developed applications, if requested, or if the situation demands it.
- End-users may only upload information into production databases through audited validation programs provided by IT for that purpose.
- IT will provide secure, convenient facilities for remote network access. End-users may never, under any circumstances, install and use their own.
- End-users are not allowed to install software that tunnels through open firewall ports to bypass IT security.
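The blacklist exception above rests on one mechanism: compare each inventory scan against the previous one, flag anything newly installed, and sort the results into "already on the blacklist" versus "IT needs to research this." The script below is an added example of that triage step, not tooling from the column or any inventory product; the two snapshots, the host names and the blacklisted package names are constructed for illustration, and a real run would load the snapshots from whatever inventory tool IT already uses.

```python
"""Inventory-diff triage: report newly installed software and check it
against a denylist (the column's "blacklist"). All data below is constructed."""
from dataclasses import dataclass

# Constructed denylist: normalized package name -> reason it is disallowed.
# (These package names are invented for the example.)
DENYLIST = {
    "coolbar-toolbar": "known adware",
    "holepunch-tunnel": "tunnels through open firewall ports to bypass IT security",
}

# Constructed inventory snapshots: hostname -> {package name: version}.
LAST_WEEK = {
    "sales-lt-01": {"microsoft office": "2003", "acrobat reader": "7.0"},
    "ops-pc-07": {"microsoft office": "2003"},
}
THIS_WEEK = {
    "sales-lt-01": {"microsoft office": "2003", "acrobat reader": "7.0", "act!": "2005"},
    "ops-pc-07": {"microsoft office": "2003", "HolePunch-Tunnel": "1.2"},
    # A PC that was not in last week's scan at all.
    "new-pc-99": {"microsoft office": "2003", "CoolBar-Toolbar": "3.1"},
}


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    version: str
    status: str   # "blocked" (on the denylist) or "research" (IT must evaluate)
    note: str


def _norm(name: str) -> str:
    """Inventory tools report names with inconsistent case/whitespace; normalize."""
    return name.strip().lower()


def newly_installed(previous: dict, current: dict) -> list:
    """Return (host, package, version) for every package absent from the
    host's previous snapshot. A host with no previous snapshot is treated
    as new, so all of its packages are reported rather than silently trusted."""
    found = []
    for host, packages in current.items():
        baseline = {_norm(p) for p in previous.get(host, {})}
        for pkg, ver in packages.items():
            if _norm(pkg) not in baseline:
                found.append((host, pkg, ver))
    return found


def triage(previous: dict, current: dict, denylist: dict = DENYLIST) -> list:
    """Split newly installed software into blocked items and items to research."""
    findings = []
    for host, pkg, ver in newly_installed(previous, current):
        reason = denylist.get(_norm(pkg))
        if reason is not None:
            findings.append(Finding(host, pkg, ver, "blocked", reason))
        else:
            findings.append(Finding(host, pkg, ver, "research",
                                    "not on denylist; IT to evaluate and decide"))
    return findings


def report(findings: list) -> str:
    """Plain-text summary, blocked items first."""
    order = sorted(findings, key=lambda f: (f.status != "blocked", f.host, f.package))
    return "\n".join(f"[{f.status:8}] {f.host}: {f.package} {f.version} ({f.note})"
                     for f in order)


if __name__ == "__main__":
    print(report(triage(LAST_WEEK, THIS_WEEK)))
```

Two choices are deliberate: name matching is normalized so a renamed-case package does not slip past the list, and a PC missing from the previous scan is reported in full rather than assumed clean, which is the only way a newly imaged or newly purchased machine gets baselined.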
If this strikes you as too permissive, imagine you discover that your employer’s top sales representative — the one who personally brings in a quarter of the company’s new accounts — installed Act! on his company laptop in violation of policy. Which is the right answer: Firing his sorry behind?
Or buying copies for all the other sales reps?