T.R | Title | User | Personal Name | Date | Lines |
---|
365.1 | Organizational Politics | SDSVAX::SWEENEY | | Thu Aug 13 1987 19:05 | 24 |
| Replies to this note will probably be of the form:
(1) Welcome to the real world.
(2) Bravo! When does the revolution start?
The "Field" is managed by "Country Management" and they are located
in Marlboro and Stow. People like you and me, Karl, are expected
to implement policies and when they want our input on the direction
policies should take, they'll ask us.
The way I have coped with this in the past is to talk in-person
or to send my own thoughts to District and Area managers. Perhaps
their opinions, once presented with the fragments of the scenario
I've given them, will coincide with mine.
Without walking around with a four-foot sign that says "LEAKER",
one can reverse the formal flow of information and get people who
will be able to do something about it before it becomes fait accompli.
A Notes persona while nice to cultivate isn't magic. There's a
tension that's created by our network. If you want feedback on
anything you'll get a flood. If there's something that you want
to keep secret and you discover it being mentioned, you might use
the full authority of the organization to keep it secret.
|
365.2 | This is a corporation, not a society. | STAR::BECK | Paul Beck | Thu Aug 13 1987 20:41 | 27 |
| Couple of reactions to a couple of your issues:
A. Security of the Easynet
Thinking that a world-wide network with over 20,000 nodes registered
can be considered "secure" with respect to corporate secrets is a
fantasy. There ARE customers who get access; there are contract
workers (no offense to them); etc. There are plenty of things within
DEC that I would not be privy to on or off the network - the way to
maintain reasonable levels of secrecy is to contain access to the
information.
C. Are NOTES entries monitored ?
There's an old game you can play about how "far" you are from being
acquainted from any particular person. For example, my "distance"
from Ronald Reagan is either 3 or 4: I know a number of people
who know Pete Seeger, and if Pete doesn't know Reagan, he certainly
knows somebody who does. The same type of thing holds in conferences
on the Enet. If you set your personal name to "Fred Mertz is a jerk"
and write a couple of notes, it's like taking out an ad in the New
York Times - within a very short time either Fred Mertz or an
acquaintance of Fred will see the note.
Are NOTES entries monitored? Sure they are - people READ them.
Setting up a hierarchy to "monitor" NOTES would be a joke given how
many people already waste time like I'm doing now.
|
365.3 | If they don't want it on the ENET, why don't they say so? | ATLAST::BOUKNIGHT | Everything has an outline | Fri Aug 14 1987 11:35 | 7 |
| I wonder if the folks working on definition of security levels within
the company have considered the possibility that INTERNAL USE ONLY
maybe needs to be broadened to INTERNAL USE ONLY and INTERNAL USE
ONLY - NOT FOR PUBLICATION/DISCUSSION ON THE ENET.
Jack
|
365.4 | what's a secret where? | NCVAX1::BLACK | | Fri Aug 14 1987 14:28 | 19 |
|
This whole secrecy thing is somewhat strange in the real world.
It is not uncommon to be included in a 'confidential - don't spread
this to anyone - this time it's for real' session for one of various
reasons and to take that all to heart. Then one of your people
or peers comes back from training or calls CXO or walks through
the Area office and comes back and tells you what everyone there
is talking about ... and it's the same thing that you are keeping
a secret.
It is also strange that there are times when a functional group
will declare some information 'confidential etc' then go give the
same info to the rest of the Area team (as an example) without telling
them 'it's a secret' so they disseminate it .. and the people in
the original group find it out that way rather than through their
organization.
Enough rambling.
|
365.5 | A problem as old as the hills | STAR::ROBERT | | Fri Aug 14 1987 15:44 | 30 |
| re: .4
It's not that strange. The security of a secret is partially a
function of how many people know it. It's not a binary thing.
Secrets frequently leak; it's the rate at which they leak and spread
that you try and control.
When I tell people "X is a secret", I know very well that X is being
talked about by people who are not supposed to know. One of the
biggest problems is that the minute someone "in the know" hears them,
there is a temptation to think "well, it's in the open now and I
can talk about it openly".
Often that is not the case. A few people have learned of it, often
in some distorted form, but it is less than "in the open".
I do agree with you though, that some people will tell one group
it's a secret, and then blab it indiscriminately to another group.
Then there's the problem when a secret begins transitioning into
a "well known secret" -- what was confidential yesterday, might
be quasi-confidential today, but the secret keeper is unaware that
the status has changed.
In any event, unrestricted company notesfiles are definitely miles
away from "confidential". As another note pointed out, 20,000 nodes,
100,000 employees, ....
- greg
|
365.6 | Information is not labeled, and labels are ignored | ULTRA::HERBISON | Less functionality, more features | Fri Aug 14 1987 18:21 | 64 |
| Re: .4
It seems that large numbers of DEC employees don't take proper
care in protecting DEC proprietary information. There is a
general lack of security awareness, and, even when employees are
aware of the correct thing to do, they don't always do it.
An example: DIGITAL Press sends regular announcements of books
and self-teach courses to everyone in our group (and presumably
a large portion of DEC employees). These all have a line in
small type on the bottom that says `For Internal Use Only'.
That means that each of those sheets should be placed in the
proprietary information bins rather than being disposed in any
other way.
In my group many of the sheets end up in wastebaskets. This
could be because:
- People just notice that it is another DEC Press notice and
toss it without looking at it.
- People look at it and don't notice the small print.
- People see the notice but don't know it means use the
proprietary information bins (hopefully unlikely in this
group (Secure Systems)).
- People realize that most of the company places them in
wastebaskets, so it is a waste of effort to place them in
the proprietary information bins.
Should the notices be labeled? I'm not sure, but the labels
should be respected if they are present.
Another example: SQM recently sent out a memo covering layered
product testing for an unannounced processor. They mentioned
the processor, the release date, and described the speeds and
configurations of the processor. But there was no indication
that the information was proprietary or that the processor was
unannounced. According to DEC policy there should have been a
`For Internal Use Only' label ON EVERY PAGE. (The standard
is going to be revised and the label changed, but not the
requirement to label.)
Please don't think I'm picking on SQM -- that is just the most
recent case I discovered. I constantly discover documents that
are not properly marked and report the fact to the author. I am
normally *ignored*!
When one person is not aware of the proprietary nature of
a piece of information, they can distribute it (directly and
indirectly) to a large number who then believe it is common
knowledge. DEC employees have to be made aware of the need to
label all proprietary information (and also to avoid over
labeling, which results in labels being ignored).
Maybe I should set my personal name back to `DIGITAL Internal
Use Only'. At least people noticed that. Something has to be
done to get people aware.
B.J.
|
365.7 | awaiting the chop ;-) | RDGENG::CORNE | If Will Power was Horse Power | Mon Aug 17 1987 08:51 | 11 |
| A digression.....
When .0 said "NUKE (whatever)" he was jumped on.
If you read all of .0 you will probably be able to guess what
(whatever) was.
How come .0 hasn't been set hidden yet?
Jc
|
365.8 | | NETMAN::SEGER | this space intentionally left blank | Mon Aug 17 1987 09:24 | 11 |
| re:-2
What are proprietary information bins?
btw - I remember back when the VAX was being breadboarded in building 3. It was
one of the only doors in the entire mill (except for disk engineering) that had
a lock on it and all the windows were fogged over. If anyone were to say, "gee,
what's going on in there" they were told that was where the new secret computer
called a VAX was being developed.
-mark
|
365.9 | | ULTRA::HERBISON | Less functionality, more features | Mon Aug 17 1987 11:42 | 19 |
| Re: .8
> What are proprietary information bins?
Proprietary information bins are boxes/bins/drawers/file
cabinets that proprietary information can be placed in to be
disposed. These are locked, and they are emptied and the
contents destroyed by security.
Proprietary information (anything labeled `For Internal Use
Only' or `Restricted Distribution' or discussing unannounced
products or other sensitive corporate information) should be
placed in these bins rather than thrown in a random wastebasket.
Most facilities I have visited have some special receptacles for
proprietary information, if there aren't any then I guess you
have to assume that everything thrown out is disposed as though
it was proprietary.
B.J.
|
365.10 | .0 isn't hidden because... | RDGENG::LESLIE | Andy, CSSE OSI Products/Program | Mon Aug 17 1987 18:07 | 6 |
|
There are at least three things that I know of that may be the matter
referred to in .0 . There are probably a hundred others that I don't
know of.
That's why THIS moderator hasn't hidden .0.
|
365.11 | .0 didn't blow it - Someone else DID! | RSTS32::DELBALSO | I (spade) my (dog face) | Tue Aug 18 1987 12:38 | 57 |
| The last time I read the policy regarding labeling and classification of
internal documents, I believe I understood it to say that ALL documents
and information having anything at all to do with DEC's business were
company confidential, or, "For internal Use Only". This includes your
status report to your manager, your vacation request card, the mail you
send to a support or engineering organization regarding a problem or a
technical question, the order you send to the SDC for a new Doc set, etc., etc.
As such, any and all such should be disposed of in proprietary material
disposal containers. However, any and all such do NOT necessarily belong
in a class which is forbidden to be disseminated freely within DEC. The
materials in the latter class [forbidden for general distribution] are,
according to corporate policy, to be clearly and prominently labeled as
either "Restricted Distribution" or "Personnel confidential". The latter
are such things as medical/salary records, etc. and I doubt that anyone
would normally fail to recognize and respect such even if it WEREN'T labeled
according to policy. The former ["Restricted Distribution"] tend to be the
types of things that cause the problems like those mentioned in .0, largely
because they AREN'T labeled as such and it's very tough to be able to
expect people to "guess" that you meant them to be so restricted.
I was involved in a situation not too long ago where I had received a mail
message through a Looonnnggg multiple distribution list chain. It contained
information which answered some very direct questions that were posed by
someone in the field in a notes conference. There was no labelling on it
to indicate "Restricted Distribution", hence I mentioned that fact when I
posted the message in the conference as a reply to the questions - i.e.
by default it was for "Digital internal use only" and apparently available
to any DEC personnel. (BTW, when a message or document is labeled "Restricted
Distribution", it is the responsibility of the author or his/her responsible
manager to control a distribution list so that he may always know who is in
possession of the information. If a receiver wishes to disseminate it further,
he/she must contact the distribution list maintainer to obtain permission to
distribute it and also to let them know to whom it is going to be distributed
as they are still responsible for knowing who possesses the info.) To make a
long story short, my reply was set hidden by the conference moderator as he
felt it inappropriate to air the info contained in the message to the Easynet
at large. (He additionally cited me for committing a "reprehensible" act by
posting a mail message I had received, however I have yet to see anything
in ETIQUETTE which supports this view. Conversely, the general opinion seems
to be that if you receive something which is not obviously "Personnel
confidential" or explicitly labeled "Restricted Distribution", you apparently
should not be expected to protect the info any more than other "Internal Use
Only" information.)
In my opinion, one commits a faux pas if one knowingly distributes or posts
information known to be "Restricted Distribution" or "Personnel Confidential".
In my case, and the case of .0 from what I conclude, the faux pas was committed
by the author/manager of the original document/information or someone else
along the distribution chain, not the party that got his/her note set /HIDDEN.
The bottom line is, if you don't want something generally distributed, then
take the trouble to label it that way and manage it. Don't expect someone
else down the chain to exercise their judgement to prevent a leak. It's
your responsibility, not theirs.
-Jack
|
365.12 | | ULTRA::HERBISON | Less functionality, more features | Tue Aug 18 1987 12:57 | 14 |
| Re: .11
I wasn't explicit about it in my previous responses, but I agree
with the author of .11 that the author of .0 did not mess up in
using the acronym in his personal name, because he had not been
told that use of it should be restricted.
On posting received mail messages: Look at 52.* in
HUMAN::ETIQUETTE. It is a discussion on posting private
communication and the consensus is that you should ask
permission before posting (unless you have reason to believe
that the author would approve of the posting).
B.J.
|
365.13 | But officer, the speed limit wasn't posted! | STAR::ROBERT | | Tue Aug 18 1987 17:03 | 25 |
| re:< Note 365.12 by ULTRA::HERBISON "Less functionality, more features" >
> Re: .11
>
> I wasn't explicit about it in my previous responses, but I agree
> with the author of .11 that the author of .0 did not mess up in
> using the acronym in his personal name, because he had not been
> told that use of it should be restricted.
Where in .0 is this claim made? I believe the author of .0 is addressing
the general issue, but not contesting the instance.
re: .10
I sense a "not my job man" attitude here. All employees should be
responsible. Lack of posting is not a license to be irresponsible.
The original author is _accountable_. Everyone is _responsible_.
"Do the right thing" is the overriding company motto. Legislative
nit-picking is perhaps why the 10 commandments were superseded by
the golden rule.
- greg
|
365.14 | Talking to myself already? Must be the heat. | STAR::ROBERT | | Tue Aug 18 1987 17:43 | 13 |
| re: .13
> re: .10
I think you meant .11?
-- greg
====================================
Yes, whoops, .11.
tkx, greg
|
365.15 | | ULTRA::HERBISON | Less functionality, more features | Tue Aug 18 1987 20:52 | 23 |
| Re: .13
>re:< Note 365.12 by ULTRA::HERBISON "Less functionality, more features" >
>> I wasn't explicit about it in my previous responses, but I agree
>> with the author of .11 that the author of .0 did not mess up in
>> using the acronym in his personal name, because he had not been
>> told that use of it should be restricted.
>
>Where in .0 is this claim made? I believe the author of .0 is addressing
>the general issue, but not contesting the instance.
The author of .0 is talking about the general issue, and is not
contesting that ACRONYM should not be used in public if it is
sensitive. But it seems clear to me from reading .0 that the
author was not aware that special restrictions were necessary in
the use of ACRONYM at the time he used it in his personal name.
One hint was the use of `faux pas' which has the connotation of
an accidental, rather than intentional, blunder. Another hint
was that the references were `removed immediately' when told
that ACRONYM was an unannounced product.
B.J.
|
365.16 | I STILL say 'NUKE it'.. | SALSA::MOELLER | 115°F.,but it's a DRY heat..(thud) | Wed Aug 19 1987 14:58 | 28 |
| > The author of .0 is talking about the general issue, and is not
> contesting that ACRONYM should not be used in public if it is
> sensitive. But it seems clear to me from reading .0 that the
> author was not aware that special restrictions were necessary in
> the use of ACRONYM at the time he used it in his personal name.
As (ahem) 'the author'... first, I certainly was not aware that
(ACRONYM) was 'restricted', and, not being a hardhead, and not wishing
to jeopardize the continued existence of the conference in which
it was posted, I removed it PDQ.
And it is true I'm not debating this specific instance, but using
it as an illustration of how Digital has ceased using the Easynet
and VAXnotes as a true INTERNAL communications medium. Also, I contend
that the *implementation* of policy (ACRONYM) will give us all LOTS
more pain than some uninformed software guy mentioning it in a
conference. Also, I strenuously contest the mindset that is threatened
by such mention.
Not one of these replies has addressed my central concern:
Are policies (marketing/sales/internal,etc.) evaluated as rigorously
as a new VAX processor ? By people who know their business as well
as Engineering does ?
The track record seems to say "no."
k moeller
|
365.17 | The times they are a-changin (thank goodness) | STAR::ROBERT | | Thu Aug 20 1987 08:02 | 89 |
| re: < Note 365.16 by SALSA::MOELLER "115°F.,but it's a DRY heat..(thud)" >
-< I STILL say 'NUKE it'.. >-
> And it is true I'm not debating this specific instance, but using
> it as an illustration of how Digital has ceased using the Easynet
> and VAXnotes as a true INTERNAL communications medium.
Disagree. This discussion, this conference, and dozens of
others disprove it. Your ability to post these notes (which are
just fine by me) disproves it.
One boat on the lake: no rules.
Two boats: they say "hi" to each other.
100 boats: time to make rules about speed, drinking, safety, etc.
All we've done is gotten bigger. Interactions grow exponentially.
Ditto exposure. One simple example, we are now an established
target -- 5-10 years ago hardly anyone cared about us. Now a few
(no aspersions on their legitimacy) would like to sue us. Things
change. Among other things we are refining our table manners.
I miss the old DEC too, but not as much as I abhor stagnation.
> Also, I contend that the *implementation* of policy (ACRONYM) will
> give us all LOTS more pain than some uninformed software guy mentioning
> it in a conference.
You've been invited to express your concerns directly to the people
that make the policies. Have you done so? How can the door be opened
wider?
> Also, I strenuously contest the mindset that is threatened by such mention.
What mindset? Either you agree that unannounced products and policies
are not for discussion in unrestricted notesfiles or you don't. Do
you want to eat your cake or have it?
> Not one of these replies has addressed my central concern:
>
> Are policies (marketing/sales/internal,etc.) evaluated as rigorously
> as a new VAX processor? By people who know their business as well
> as Engineering does ?
No. We do not have architectural verification tools for policies. (Yet).
Rigour has a special meaning in scientific and engineering environments,
and your use seems to draw that sort of comparison.
But, let's pose the question differently. Are policies of the type
you mention thought through as well as engineering changes? I don't
know, possibly not. I wouldn't really expect the discipline and culture
among sales and marketing to be the same as engineering. It's a different
mindset, different problems, different concerns -- all appropriately.
Can't it just be turned around? "Does engineering do as well as sales/
marketing at considering the impact of engineering changes on financial
and MIS planning concerns?" Probably not. That is why we bring both
parties, and others, to the table to evaluate these things. The process
is imperfect, but I would stop short of attacking one side for being
less perfect at the other side's speciality. It's a charge that can
easily boomerang, and it's not _constructive_ criticism, it's flaming.
> The track record seems to say "no."
This is an opinion, and one that I must confess seems buttressed
by some examples. Yet I fear the story has another side (or even
many).
=================================
So, on the policy in hand, you know where to go and who to talk to.
If you're not part of the solution ....
On the general issue, do you have positive suggestions? This is a
valid place to express them. Though I'll guess the readership here
is heavily weighted by engineers, so perhaps another forum would
be more effective.
On the question of "monitored" conferences: let me see if I've got
this right. You had a concern, you expressed yourself in a notesfile,
that concern reached someone who could do something about it, and
they did, and now you're worried that the notesfiles are "monitored"?
Notesfiles are _read_. Isn't that exactly how it is supposed to work?
You were startled by the speed with which this happened. Isn't that
more goodness? Doesn't that indicate that conferences _are_ an effective
internal communication medium?
- greg
|
365.18 | | LESLIE::LESLIE | Andy, CSSE OSI Products/Program | Thu Aug 20 1987 08:53 | 3 |
| RE: .17
Well put.
|
365.20 | � | STAR::BECK | Paul Beck | Thu Aug 20 1987 23:24 | 34 |
| NOTES is a very effective medium for gathering information and
opinions. It is used this way, even for sensitive material -
but with appropriate constraints attached to ensure a reasonable
level of security. Conferences set up to discuss unannounced
products and the like are (or should be) restricted, members-only
affairs.
By definition, a lot of people are "left out" of these conferences.
Even if the Easynet were completely SECURE from customers and
competitors (and I believe it's reasonably secure, but definitely
not air-tight), I would personally oppose discussing sensitive
material in unrestricted conferences. This is not a democracy, and
there is not some "inalienable right" for every employee to know
everything that is happening within Digital.
Policies and products clearly need substantial study and review
before they are foisted on an unsuspecting public. This review
should take into account the wisdom of a sufficient cross-section of
the company to ensure that no major problems have been overlooked.
Perhaps this was done in regard to the policy we're not discussing
here, perhaps not.
This is a far cry from saying that every employee in the company
must have an opportunity to express an opinion on every product or
policy being produced. That would lead to chaos; we'd never get
anything accomplished.
In the case you cite, you managed to make yourself heard to someone
closely associated with the policy you oppose. That the policy
has not been "nuked" does not necessarily mean the system has
failed; it might simply mean that your opinion has not prevailed
this time. Every policy is going to have some detractors, and
not everybody is going to get their way every time.
|
365.21 | | SALSA::MOELLER | 115°F.,but it's a DRY heat..(thud) | Fri Aug 21 1987 13:16 | 50 |
| Note 365.17 STAR::ROBERT
>Either you agree that unannounced products and policies
>are not for discussion in unrestricted notesfiles or you don't.
I obviously DO wish that we could discuss unannounced policies
and products here.
>Your ability to post these notes (which are just fine by me) disproves it.
As far as I can see, we're not talking about the subjects at hand,
which are:
First, a policy I feel will be a terrible mistake. Second, why can't
I discuss this specific policy in Notes.. thereby leading to 'secrecy
in policy-making within Digital'.
We're talking about talking about it.. which is as close as legal issues
seem to let us get. This makes REAL communication pretty difficult, and,
outside of engineering-specific, empirical subjects, in my opinion, makes
notes fairly useless.
>You've been invited to express your concerns directly to the people
>that make the policies. Have you done so? How can the door be opened
>wider?
>So, on the policy in hand, you know where to go and who to talk to.
>If you're not part of the solution ....
Well, Greg, I DID speak to a certain person intimately involved with
the upcoming policy (ACRONYM). How far did I get? I got a pleasant,
fairly detailed explanation of the rationale for and technical
implementation of, this policy. I remained unconvinced. Is the policy
going away ? I am mortally certain that it is not. I wasn't
rude enough to ask for the name of this person's supervisor, and
therefore this ONE person is the only contact I have, and that person
has been directly apprised of my position. What IS 'the system'
when it comes to policy-making? There IS none.. it's distributed
throughout the company.
>On the general issue, do you have positive suggestions?
YES. Tighten security on the Easynet so that we CAN discuss things
internal to Digital without this paranoia. Separate the issues
of mentioning 'locking out' competitors (Legal) from 'unannounced
product' paranoia, which is NOT imposed on us by Legal.
Using Notesfiles, allow free and OPEN discussions of both upcoming
products and policies .. solicit the Field's input. VAXnotes is the
ideal medium, and we're not using it this way.
karl moeller
|
365.22 | a matter of opportunity (not a matter of rights) | VIKING::FLEISCHER | testing proves testing works | Fri Aug 21 1987 15:25 | 57 |
| re Note 365.21 by SALSA::MOELLER:
> First, a policy I feel will be a terrible mistake. Second, why can't
> I discuss this specific policy in Notes.. thereby leading to 'secrecy
> in policy-making within Digital'.
>
> We're talking about talking about it.. which is as close as legal issues
> seem to let us get. This makes REAL communication pretty difficult, and,
> outside of engineering-specific, empirical subjects, in my opinion, makes
> notes fairly useless.
I share your frustration, Karl.
We have the opportunity to let parties affected by a plan or product to discuss
this among themselves, without requiring the mediation of the policy maker. We
have the opportunity to allow parties who recognize themselves to be affected
by a proposal, but who are not recognized by the policy maker as affected, to
state their case and discuss it with others of their choosing.
And it is important not only that affected parties be involved, but also that
parties who have special knowledge of the situation be involved. In a
corporation of 100,000 individuals, it is nearly impossible to identify all
those who possess information that could potentially influence a decision.
And, given conventional one-to-one communications techniques, it would be
foolish to try.
I think that we all recognize that Digital is not a democracy, and I don't
make my case on a claim of "rights". It is merely an opportunity for
Digital to make better business decisions, and make them more effectively. If
"Digital" wishes not to take advantage of such an opportunity, then that is its
"right". But it might not be wise.
Of course, this is very threatening to policy makers. The control over
information flow is in itself power. And any broadening of decision-making
influence appears to dilute such power. Thus it is natural that strong
defenses are made for the status quo.
A common complaint about decision-making at Digital these days is that too many
people are already involved in the typical decision. I both agree and disagree
with this.
I think that too many people are *formally* involved. Too many people have to
sign off the smallest things. Too many people have to attend the formal
meetings and read the formal documents. (Of course, for some extremely
important decisions, this might not be true.)
But too few people are informally involved, because the only mechanisms we have
for involvement these days are "formal". We need to streamline the formal
mechanisms while at the same time broadening the informal involvement. Notes
conferences are an excellent tool to broaden informal involvement. In some
cases the information is so sensitive that only restricted-membership
conferences can be trusted; but restricted conferences are just that,
restricted, and won't draw out the unexpected source of information or the
unexpected problem. THAT is a business risk that has to be weighed against the
risk of lax security.
Bob
|
365.23 | Let them make policy and take the heat for it | SDSVAX::SWEENEY | | Fri Aug 21 1987 16:01 | 26 |
| Let me make up a hypothetical high impact policy:
"Concern about shipment of VAX 8xxx to the Soviet Union is so high
that Digital (on its own) is installing a chip which will render
the processor board non-functional every 24 months. This means
that Digital will have to replace processor boards every 20 or so
months."
While this is exactly the sort of policy that would trigger a high
degree of interest in the field (me), the Digital Twins, and customers,
I'd be shocked to see it discussed in a VAX Notes Conference in
advance of formal public announcement.
Unless Digital wants to run itself by leaks, trial balloons, and
plausible deniability, I want managers to make those decisions,
know what they are, and take full responsibility for them.
The absolute worst aspect of the licensing fiasco of last year, was
that unnamed Digital "officials" were denying that now canceled "no
transfer" policy had been approved in the form in which it was
announced. I sent my opinion on the matter to my local management
and asked them to follow it up.
If my opinion is sought, I'll give it, but I don't expect any VAX Notes
conference to be an ex-officio Board of Directors meeting.
|
365.24 | we're all individual contributors | MYCRFT::PARODI | John H. Parodi | Fri Aug 21 1987 16:13 | 13 |
|
Pat, why would it be "shocking" to see your hypothetical policy discussed
in a VAX Notes Conference?
The worst aspect of the licensing fiasco was that it was not given a full
airing before it was announced -- the engineers at DECUS had not even been
informed about the policy through the normal "DECUS party line" channel.
Had that policy been presented in a VAX Notes Conference, there would have
been no fiasco because the policy would have been canceled before it was
announced.
JP
|
365.25 | | SDSVAX::SWEENEY | | Fri Aug 21 1987 16:28 | 14 |
| I'm uneasy about this "full airing" business.
Either policies happen or they don't.
Either feedback is sought or it isn't.
If some group is cooking up bad policy and wants to keep it quiet until
it is formally announced to customers, I don't think a leak in a VAX
Notes conference as a guerrilla management tactic in an attempt to
stop the policy is a wise act.
When it comes to supporting innovation, maybe the anarchy of VAX
Notes helps us. When it comes to controversial customer policies,
let them make the policies and then take the heat.
|
365.26 | informed decision-making is the goal | VIKING::FLEISCHER | testing proves testing works | Fri Aug 21 1987 17:17 | 20 |
| Pat,
I suppose that you are responding to, among other notes, mine which
proposes something you seem to be characterizing as a "full airing" policy.
I certainly wouldn't expect EVERY decision, no matter how sensitive, to be
made this way. And I certainly wasn't talking about the level of decisions
that the Board of Directors makes.
But I was suggesting that it be the norm, which would be followed except in
certain kinds of cases.
I'm not talking about a substitute for decision-makers' decisions. I'm
talking about a recommended policy to be followed in order to inform that
decision-making.
I'm talking about the kinds of decisions that led to a monochrome-only
VAXmate, for example.
Bob
|
365.27 | | VIDEO::LEICHTERJ | Jerry Leichter | Sat Aug 22 1987 11:06 | 32 |
| re: .22, .26
Very well put. Bob has drawn a very important distinction that really pins
down some of the negative changes at DEC in the last 5-10 years: The over-
growth of formal feedback channels combined with the shriveling of informal
ones. This kind of evolution happens very easily: Every time something goes
wrong, an attempt will be made to figure out why. Often, that attempt will
come to the conclusion that "Y happened because X, who would have anticipated it
because he's involved with Y-like stuff, wasn't involved". So a new, formal
check-off step is added: Any time anything at all like Y might be involved in
a project, X must sign off on it. The result is all too familiar: X becomes
another of the legions of people who can say NO, but no one is added to the
list of people who can say YES. Of course, power is inherent in this ability to
say NO, so others want to get on the list. Thus there's a natural tendency
of people trying to get projects done to say, "I've got this ridiculously long
list of people to deal with already, there's no way I want anyone else involved
who'll just try and get on the list as yet another formal reviewer".
A formal reviewer must take an active step and APPROVE a proposal. He will
probably feel that in doing so his neck is on the line - as it should be.
This will bias him to say NO unless he has a good reason to say YES.
An informal reviewer, on the other hand, has to take an active step, often
one involving a personal commitment outside of his defined job responsibilities,
to say NO; if he doesn't act, he effectively says YES. This biases
an informal reviewer to say YES. (Note that an informal reviewer may bitch and
moan in a notesfile, but unless he presents reasoned arguments and follows up,
he should - and probably will - be considered a flamer, and ignored. If you
want influence, you have to make a commitment - and work at it.)
What we need is a better balance between the NO-biased formal reviewers and
the YES-biased informal ones.
-- Jerry
|
365.28 | No Democracy, PLEASE! | MISFIT::DEEP | | Wed Sep 02 1987 17:42 | 36 |
|
Perhaps you people don't realize how important corporate security issues are.
In case you aren't aware, Big Blue is starting to get damn scared of us!
Not because we're going to put them out of business ... we got a long way
to go for that ... but because we're taking a lot of their business away from
them. No, they won't fold because DEC sucks up a little action, but they
just might have to loosen the strangle hold they have on the marketplace out
there ... and THAT scares 'em!
I don't know about nationwide, but in this District, an IBM Sales Team that can
make a sale that displaces a DEC system is compensated at double the normal
compensation rate!
So, given this highly competitive position, we, as a company, cannot afford ANY
leaks about ANYTHING! Particularly policies that will affect customers!
IBM Sales would have a Field Day on any policy rumors from us. Particularly
ones that are unannounced, and therefore subject to "Blueing" by the
competition.
I would love to have every informed employee be able to express his or her
opinion on every policy and product that DEC plans. But that would make
the DEC corporate machine run about as fast and economically as the U.S.
Government. I could just see waiting 10 years for all the appeals on a
product to make it through the judicial system, or the financial report to
the stockholders proclaim that we're only $1,000,000,000,000 in debt this
year!
No, I think that DEC is doing just fine as it is. Digital Stock is climbing
at an astronomical rate, and the company is making money! Its product
line is solid and positioned for the future, and best of all, they've got
IBM SCARED! I LOVE IT!!!
My two cents ... For what it's worth!
|
365.29 | | CANYON::MOELLER | | Wed Sep 02 1987 19:49 | 10 |
| re -1..
thanks for your input. however, this topic was meant to discuss
INTERNAL security.. you know, information flow from Massachusetts
outwards, and how secrecy corp<>field affects our performance.
Now, if you believe that once the field finds out something, it's
automatically leaked to customers, we have nothing to discuss.
karl moeller
|
365.30 | A try at some sanity? | REGENT::GETTYS | Bob Gettys N1BRM | Wed Sep 02 1987 21:20 | 42 |
| I've stayed out of this as long as I can, so here goes.
I don't think anyone is stating that the Field is
responsible for the "leaks" (if they even exist as a deliberate
act).
What I see happening is that as more people know about
something that should be kept quiet (I won't go as far as to say
secret), the less likely that said information is going to stay
within the company. Again, I will not accuse any one or any
group of deliberately "leaking" the information. It's just that
when lots of people know about something, and somebody on the
outside is out to get that information (yes, industrial spying
DOES go on) all they really need to do is listen to the tiny bit
that each of a few of us reveal in conversation to others
(especially other Deccies), and build a picture around those
many little pieces. Sometimes this results in a picture that is
remarkably close to reality, and sometimes things get mixed up
and produce something really wild (I'm sure we can all point to
examples of stuff reported that was outlandish [to us], and
other examples that hit too close to home!).
I, too, wish that there were a way to disseminate the
information internally to the Dec World and have that information
stay inside. But, I'm afraid that the only way that would work
would be for us to never talk about Dec business outside the
walls of Dec, or even in those areas where "outsiders" can be
(like lobbies). Do any of you really think that this could be
made to work?? I don't.
So based on the above, it seems obvious that there will
be groups that will keep their information "secret" from the
rest of us until whatever it is is generally known to the public.
The only realistic hope that we have is that there will be
enough knowledgeable people in the right places (most of the
time, anyway) to get the right other groups involved at the
right time. Yes, I know this is idealistic; but what other
method is there?
Enough.
/s/ Bob
|
365.31 | speak softly and work fast! | REGENT::MERRILL | Glyph, and the world glyphs with u,... | Thu Sep 03 1987 09:12 | 14 |
| A sensible attitude toward security of information about, say, a
building is that once the blueprints are in the hands of the
construction workers, the information is virtually "on-its-way"
to the opposition - therefore you should deploy or build as fast
as possible. Witness the failure to apply this attitude to the
U.S. embassy building in Moscow!
Information security is another reason that at DIGITAL we emphasize
the time-to-market: the sooner you get the product out the less
time there is for leaks!
Rick
Merrill
|
365.32 | | REGENT::POWERS | | Thu Sep 03 1987 10:14 | 11 |
| < Note 365.28 by MISFIT::DEEP >
> I don't know about nationwide, but in this District, an IBM Sales Team that can
> make a sale that displaces a DEC system is compensated at double the normal
> compensation rate!
This is a bit of an aside, but if such as the comment from .28 (above)
were true, would it be an instance of antitrust activity, perhaps
an example of "predatory" business practices?
- tom
|
365.33 | | INK::KALLIS | Take a deep breath .... | Thu Sep 03 1987 10:21 | 5 |
| On secrecy, in general:
"Three can keep a secret, if two of them are dead." -- Benj. Franklin.
Steve Kallis, Jr.
|
365.34 | [this note is classified - read it] | REGENT::MERRILL | Glyph, and the world glyphs with u,... | Fri Sep 04 1987 10:52 | 14 |
|
During WWII the JCS ordered ALL documents to be classified - after
the war some former spies revealed that while they had access to
nearly all the documents, the new classification practice drove
them nuts because they could no longer figure out what was important!
Curiously, the corollary of this is to classify NO documents! Is this
the DEC way? :-) Just kidding!
The REAL secrets are (a) numbers (volume, price, cost, dates ...)
and (b) corp. intentions.
rmm
|
365.35 | Possibilities... | ARGUS::CURTIS | Dick 'Aristotle' Curtis | Mon Sep 21 1987 12:15 | 12 |
| regarding security, outside of networks:
The building I work in has its off-hours guards supplied by our
favorite security company. The potted plants are tended by another
company. The second-shift janitors are a third party.
I can't help but wonder about the possibilities for some industrial
espionage. The best argument I can think of against it is the
sort of stuff that most people who work in this building do.
Dick
|
365.36 | I do understand | NEXUS::R_JOHNSON | This is it! | Sun Oct 04 1987 14:47 | 40 |
| "Just because I'm paranoid doesn't mean they're not out to get me!"
<Quote from an Air Force poster>
Security is a tough and touchy issue for any organization. There is a tight
rope that must be walked to avoid falling into one of the extremes; paranoia
on the one hand where everything is secret so nothing can be discussed, or
complete candor where nothing is sacred.
While in the Air Force I was volunteered to be a classified account manager.
The USAF had several documents, manuals and procedures (some of which were
classified themselves) governing use, handling, transport, disposal of all
materials identified in each classified account. Overkill, redundancy,
ridiculous? Maybe, maybe not, I often thought that somebody could streamline
handling classified materials, but, let's analyse the problem. First, we
know some things need protection, we also know that in an organization the size
of the Air Force or DEC, many persons/organizations may need input or
understanding of sensitive materials.
First item to cross a security person's mind is how to insure security where
it's needed. This will eventually generate the first general policy for handling
sensitive material. Then as specific projects/policies or operations develop
they are evaluated for protection; in the Air Force this means that each major
command develops their own manuals and guide lines maintaining the scope of the
original general guide lines. This process of review continues to flow to the
lowest levels, and eventually you have the situation I had to deal with. DEC
has not progressed as far as the military establishment, but it is inevitable
given the size of DEC and competitive climate we operate in that more security
issues will surface.
We now need specific direction and definition from security so that we all
know what is or is not sensitive, secondly clear guidelines for handling these
issues should be distributed. I think that many employees are really not sure
where DEC as a company stands regarding openness, propriety, and strict security.
Again, let me say that a need for clarity of this issue is really necessary. I
know that many Deccies dream of those bygone days of open, unfettered
communication, but let's be realistic, this is a BIG company, it requires
controls at various levels, and the next best thing to the old days is a clear
understanding of corporate policy we can all live with.
Rick
|