I’ve been involved in a debate today about iTunes. More to the point, about whether iTunes should be permitted to be installed on a company-owned PC. A colleague of mine was quite adamant in his view that “there is no business reason for it so it shouldn’t be installed.” Now, I can quite readily concur with this view, but hold on a moment: I’m not sure that someone from Information Security should be expressing a view on what is and what isn’t a justifiable business application. As far as I am concerned, we make decisions based upon a) corporate policy, b) reasoned professional judgement, c) the associated level of risk, and d) the needs of the business as they are described to us. So, if someone within the business says that they want iTunes and we don’t have a good policy-based reason to say “no” (in fact we do have a policy on unauthorised software, but the question was whether or not this particular software could be allowed), then the next thing we can do is provide some measure of informed counsel to the party concerned.
In this particular instance my recommendation was not to allow the software to be installed – my justification being that the onus is on the business to support it and keep it updated, together with the added risks from files that might end up on the PC in breach of copyright. It’s also worth noting the End User License Agreement (EULA). How many of you actively make sure that this is reviewed, by someone with contract experience, for all software installed onto company machines?
Personally I have nothing against the software in question – I use it myself at home – and I don’t want to spoil anyone’s fun. However, in the workplace we need to consider such requests from a risk perspective, do our research, and, if we are going to refuse a request, have a reasoned argument based on facts in support of our decision. Obviously there is an argument that a standard desktop build with a more restrictive policy on software installations would go a long way towards negating the issue altogether. I don’t dispute that; however, company culture also plays its part, and I’m glad to be part of an organisation that provides a degree of flexibility within most aspects of work-life. It might make for a more challenging security environment – and that’s perfectly OK by me – but it also makes it a better place to work!