Every week I send Keep the Joint Running to an opt-in list of subscribers. Every week I get a bunch of messages back — autoreplies about travel plans, messages that were undeliverable for one reason or another, and spam managers that ask me to click to confirm it’s a legitimate e-mail.

I also get returns like this one:

————————————-

This is an automated message from the mail server at [name withheld because I’m such a nice guy].

An email, apparently sent from you was not delivered because it contains one or more forbidden attachments. It has been placed in temporary Quarantine and will be reviewed by the mail administrator and released to the receipient (sic) if appropriate.

If you have any questions as to why your email was stopped, please call information security at 860-555-5555 [actual number withheld for similar reasons]

Please read the summary of the email content to determine why it was stopped.

image/jpeg

forbidden content type

Attachment: image001.jpg

image001.jpg

forbidden attachment

image/jpeg

forbidden content type

[a total of 13 images were listed, one of which was a jpeg of my smiling face]

objectionable content.

————————————-

The column in question was “Encouraging adulthood,” (Keep the Joint Running, February 6, 2006). The only possible objectionable content, if you’re wondering, was a reference to the less desirable afterlife alternative.

If Dante had only reserved a circle for the terminally stupid we’d know the ultimate destination of the clever soul who decided to establish this level of security. Because the next step is to ban pens and paper too (to eliminate the risk of nasty doodles), making employees chisel messages in granite. Then the business would be safe from all threats. Except, of course, the threat of employees beating each other to death with memos.

It’s like this: When you eliminate all risk, you eliminate all opportunity. I’m tempted to point out that this is yet another example of optimizing a part (security) at the expense of the whole (getting useful work done) except that we just finally put that subject to bed last week, so never mind.

Corporate America is at risk (get it?) of becoming the League of Frightened Executives. Don’t believe me? How many conversations have you been part of that included the fretful worry, “Someone might sue us!”

Well, yes. There are bottom feeders out there who will sue anyone at the drop of a hat, claiming the hat-fall traumatized their poodle. Does that mean you’ll never remove your chapeau again for fear of litigation?

Among modern corporate executives, the answer, too often, is a proud, resounding “Yes!” And there you are, running IT, trapped in the middle as usual.

The name of the discipline is risk management, not risk elimination. That means IT should be implementing policy, not writing it, and those writing the policy should be clear and explicit about what constitutes the right balance between reducing risk and doing business with as little friction as possible. My bet is that the filter that classified my smiling face as a risk was put in place because there was no policy to follow. Or if there was, it was written by a member of the League of Frightened Executives and stated, “Make sure no spam gets through.”

As a place to start on the path out of the madness, consider the following for your spam filter, which begins with the notion that your employees are adults and you should treat them accordingly: Ask each employee to establish a profile based on their personal preference. Level 1 gives them maximum protection from anything and everything they might find offensive. Level 3 filters out what is clearly spam, but will probably leave in some offensive e-mails they’ll have to deal with manually. Level 2 is halfway between (and if they couldn’t figure that out, it’s time to reconsider your philosophy of employee retention).

Will a setup like this prevent employees from suing you if one of them chooses Level 3, receives something obnoxious, and decides it’s your fault? Of course not. Our legal system needs something equivalent to a Level 3 spam filter but doesn’t have one. There is little or no filtering at the filing level, and probably not enough at the don’t-be-ridiculous level.

You can’t do anything about the risk of being sued. What you should be asking is whether the above policy increases your risk of legitimate lawsuits. It’s a valid question, for which I don’t know the answer.

Besides, if I shared my opinion and it turned out to be wrong, you might sue me.

We organized the KJR Conference on the theory that Keep the Joint Running is as much a community as it is a weekly column. The theory proved out: At our reception the first evening it was clear we didn’t have attendees. We had a bunch of old friends who were meeting for the first time.

Our most adventurous effort was to start work on the KJR Manifesto. Among the challenges: Nobody at the conference, including me, was sure exactly what the KJR Manifesto would turn out to be. We still aren’t certain, but we made a start.

The concept is simple: Provide an alternative to what’s usually bandied about as “best practice,” in a form that’s immediately useful to working IT managers, because much of what the industry calls “best practices” are nothing of the sort.

Many are descriptions of what one or two large corporations do and like, applied as prescriptions for every company regardless of whether they fit the circumstances or not. They’re one-size-fits-nobody recommendations. Other best practices aren’t practices at all. ITIL, for example, is more of a classification scheme, describing what rather than how. Then there’s a point that emerged from our Sarbanes-Oxley discussions: In many cases, “best practice” really means “basic professionalism.”

Lest any reader be uncertain: Keep the Joint Running is in favor of basic professionalism.

We started creating the KJR Manifesto with a set of core principles for IT, ending up with a Codd and Date dozen (although like the Pirate’s Code in Pirates of the Caribbean, they’re really more guidelines than principles). They are:

0. There is no best practice. There are practices that fit best. Different situations call for different solutions — form follows function.

1. To optimize the whole you must sub-optimize the parts. Being clear about where your company wants to optimize is critical to organizational design. Doing so doesn’t absolve managers from their responsibility to make their organizations as effective as possible. It redefines “effective” to prevent organizational silos from competing with each other instead of the company’s competitors.

2. Big solutions that work great generally start as small solutions that work acceptably. In general, putting something into place and iterating is a more certain route to success than trying to “get it right the first time.”

3. Relationships Precede Process. Process is often important. But it doesn’t come first, since no process can succeed until its participants trust each other.

4. Relationships Outlive Transactions. Conflict is natural. Conflict is good — it means employees actively and openly explore new and different ideas, consciously deciding among them. It’s when conflicting parties view each other as enemies instead of opponents that the organization becomes dysfunctional. You might win today; you might lose tomorrow … but when you lose your ability to work together, everyone loses.

5. There are no IT projects. Projects are about changing and improving the business, or what’s the point?

6. Measure carefully, because bad metrics are worse than no metrics. You get what you measure. If you measure the wrong thing, or measure the right thing wrong, you’ll get wrong results.

7. Incomplete metrics create organizational dysfunction. If four factors combine to drive success, and you only measure two of them, employees will ignore the other two. Your metrics will have prevented success.

8. Governance must be value-based, not cost-based. Value is the difference between (or ratio of) benefit and cost — cost by itself is an incomplete metric. If you can’t connect cost and benefit, or only measure cost, you’ll reduce the value you deliver, while creating organizational dysfunction.

9. Benefit has three core components: revenue enhancement, cost reduction, and risk mitigation. Everything else fits into one of those three categories.

10. Benefit belongs to the business. When IT focuses on reducing its own costs or headaches, it stops enabling solutions, becoming a barrier instead.

11. IT is an integral part of the business. Run IT in a businesslike way, not as a separate business. Running IT as a separate business violates Guideline #1.

12. Every part of the company, including IT, has the same customers. These are the people who make buying decisions about the company’s products and services. When IT (or anyone else) has internal customers, very few employees have a stake in making sure the people who decide to buy from the company have any reason to do so.

These principles (okay, guidelines) are, like the rest of the manifesto, a work in progress. I welcome your comments, and will use them to refine things.

I have to. Otherwise I’d be violating Guideline #2.