Friday, February 1, 2008

Should we let consultants use their own computers?

The question was raised, again, because of this.A funny thing about the discussions about it is that everybody is always right, in a certain point of view :-)This is yet another case where several other variables need to be assessed before a decision is made. A company where the business requires lots of third parties with access to its network and data won't be able to cope with a policy that denies the use of third party devices. In those cases a study to compare the cost (and viability) of compensatory controls (e.g. NAC, device checking policies, DLP) and option of having hardware and software reserved to those people is the best way to go before choosing a way to go.Some companies have most of their employees working in fixed positions and just a small need for mobility and third parties computers accessing the network. For them, the Policy denying the use of the devices (and even the use of controls to avoid it) is quite reasonable.This is just one of those decisions (almost all of them?) that need to be taken together with the Business.