The Social Security Administration isn't doing enough to follow its own policy preventing unauthorized software from being installed on agency computers, the agency's inspector general says in a new >report. But the agency's policy is unrealistic, and the lack of enforcement -- to a point -- isn't necessarily a bad thing.The agency's Information Systems Security Handbook states that the only software authorized for use on agency computers is software purchased through agency-sanctioned requisition processes or developed, evaluated and documented in-house. In order to run other software, employees need to get their managers to submit a waiver request (with specific justification for why they need the additional software) to a cybersecurity official within the agency.
The government needs to open up to the idea that its users are consumers and will use the tools that are valuable to them. Consumerization of IT is in full swing, and it's high time for government to embrace it.
I'd argue that in my own work life, I'm more productive because I opt for a browser other than my company's stock browser choice. Certain other applications, like a video editing app, a desktop Twitter client, an unzipping application and an application to send links and other information directly to my smartphone also make it easier for me to get my work done. And yet none of these, so far as I remember, was supplied directly by IT.
Of course, there should be limits, but a blanket policy against installing any personal apps whatsoever doesn't make much sense. Security and the installation of apps counter to the goal of increased productivity are clearly concerns, especially in an agency that holds so much sensitive information and that has such a huge backlog of claims. The National Institute of Standards and Technology, which provides cybersecurity guidance and manages cybersecurity requirements under the Federal Information Security Management Act (the governing law for federal agency cybersecurity) even recommends organizations identify what types of software installations are prohibited. That, too sounds like a good idea.
However, these are justifiable reasons to blacklist certain applications, whether they be, say, LimeWire or World of Warcraft, to educate users on secure use and to conduct real-time monitoring of apps installed on agency machines for anything that violates the precepts of security and productivity. They aren't license to create a limited whitelist that places monumental approval hurdles in the way of productive uses that might coincidentally fall outside that list.
The inspector general raises the specter of unapproved software as a boogeyman, saying that seven of 197 of the agency's "malware incidents" in the past year -- including five keyloggers and two Trojan horses -- were caused by the installation of "non-standard" software. However, this may miss the point. The vast majority of the malware instead came in through a sanctioned piece of software -- the email client.
There are legitimate concerns being expressed here, as it's true that all it takes is one intrusion to create a major security incident. However, this boils down to a bit of overprotection. Sure, block everything, and nothing gets in. On the other hand, there's also the matter that nothing will get done.