When Policies that have 'Always Worked', Don't or 'The Mask of the Code

In a small organization the pursuit of a secure and virus free computing environment can be a challenge for those of us who must wear many hats. As Director of Engineering for a statewide public radio network I am responsible not only for our broadcast studios and five transmitter facilities but also for the oversight of a growing network of office computers, networked audio file servers, and web/email/file servers. To assist me in maintaining this conglomeration of technical equipment I have one broadcast engineer, and an engineering associate; a critical part of the engineering associate's work involves monitoring the updates of virus signatures on a weekly basis and verifying that users are complying with company policies regarding acceptable software packages for company use. The scenario I will describe in this paper outlines a failure of our 'human systems' due to a limitation in our thinking about our procedures that could easily have had catastrophic results. What I will describe is a situation regarding one particular software package, but the principle it illustrates I hope will serve as a warning to those of us who may have let our past successes lull us into a sense of complacency regarding the security of our networks.