Some time ago, a senior engineer threw out a question about the internal network management of the enterprise. Let's take a look:
1. The final draft of the company's new product drawings has not yet been confirmed, and competitors have listed them in batches based on the first draft of the design;
2. Over 90% of employees share shares on the internet, watch news, watch short videos, play games, find jobs, and send resumes with the help of convenience;
3. CD burning, USB flash drive copying, external computer access, leading to loss of important data;
4. Financial issues that the boss cares about.
All of these problems, due to internal staff's network behavior, have plagued IT staff and their fragile nerves.
To address this issue, let's talk about it. The relationship between the spear and the shield, the fight between the Tao and the magic, and the time to see the points ....
I am deeply touched by this issue and have come up with many ideas. I would like to share with you:
==================================
Intranet management software (network-wide control of Internet access by employees)
Encryption software
Develop effective systems
However, it seems that there are still vulnerabilities, and the human nature vulnerabilities are quite large.
======================================
For network management, I think data security may be managed in several aspects:
1. Regulations on routine maintenance and management of data centers
2. Regulations on Routine Maintenance and Management of servers
3. Network security and attack prevention
4. Client Computer Security Regulations
5. Operation Specifications of computer operators
6. Computer Network Behavior Monitoring and Incentive Mechanism
This seems to be called "internet behavior management".
======================================
1. For technical drawings, use the PDM system to uniformly incorporate all technical data into server management;
======================================
Experience, human feelings, and big vulnerabilities! At the same time, the job-hopping phenomenon in Wenzhou is not well controlled. Even if you are negligent in management, do employees copy two sets of drawings? Three sets? That's just for this scope. But in view of the current job-hopping in Wenzhou, if your employee is out of the company, what is the best way to keep his drawings in mind! The number of items taken away by a person's job hopping is far greater than that of the two sets of =!
I feel that some of the points proposed by HW are basically comprehensive, and many times good things need to be managed and supported by senior management! I personally want to add:
The "data backup mechanism" in data security cannot be left behind! Nowadays, many enterprises cause hardware damage due to management negligence = data loss caused by other reasons is also serious!
We also mentioned that the USB flash drive virus can be used as a countermeasure. For example, you can master the features of the USB flash drive virus and disable automatic running on all the drives; before the computer is inserted into the company, you must go through the Information Department for Autorun.inf patch immune processing! Of course, it is unlikely to eliminate the virus by 100%, but as long as you grasp the dynamics and features of the virus in time, and in a timely manner, do not worry about the corresponding immune countermeasures!
====================================
Network security is not a trivial matter. Internal Control is naturally the focus. Currently, mature control methods include:
(1) disable the USB port;
(2) network environment encryption software;
(3) The file server manages files in a centralized manner. Local machines are prohibited from storing all company documents;
(4) Electronic Documents are usually managed by a specialist.
It is easy to communicate with some people.
======================================
JJ's comments are very reasonable. In fact, there are still technical problems in the operation:
1. The software encrypted in the network environment is not mature. Although some enterprises are using the software, the software itself has many problems, the large amount of data that is most worried about is lost by these encryption software, and the software vendors are still unable to cope with the loss. I have tested two cases and read several cases that they think are successful. There are some problems, stability is worrying;
2. The centralized printing method is good, but it is difficult for enterprises with scattered office environments to operate;
3. In domain management mode, it is good to disable the USB interface and set permissions. However, there are some problems with the design department. For example, if the design department has many software versions, CAD has R14, it is a headache to install and authorize multiple versions such as, and it must be connected with different suppliers and customers;
4. Centralized file management. The bandwidth requirement is relatively high. The good practice is diskless network. However, the graphic design software has a huge capacity and occupies a high bandwidth. If all files are downloaded to the local device, bandwidth usage during download and upload.
Of course, I will try my best to find a problem. In this way, the feasibility of these solutions can be improved.
========================================
When I saw this discussion, I mentioned how to manage the original enterprise:
USB port: the USB port is a sealing module made of special mold opening. The main board needs to be split before the module is installed and removed;
Chassis closed: the same use of the sealing machine module, one-time use, can not be recycled, the removal of the need to destroy the module;
File Management: For file storage and remote FTP servers, only drive C is available on the machine, and the size is 10~20 GB, the administrative staff around 15 GB XP system, 10 GB 2000 system, a large number of technical staff, the local machine will take the initiative to upload anything to the server, and regularly recycle the machine "maintenance" to inform users, we directly delete all the information from the machine, and they will upload the server;
File Transfer: OA is used for transferring files through the Intranet. The approval process for sending and receiving files using OA requires approval from relevant department leaders and then the server will automatically send the files;
Printer management: purchase a dedicated printing server. The printer connects to the network through the printing server for network printing, which is convenient to use on the surface, in fact, each piece of printed information is recorded on the server (print monitoring King), and the printer is placed in the data room or office, not in the open office area, dedicated personnel (data reporters and department managers);
File encryption: it has never been done. Because the USB port is blocked, all files are passed the OA approval process. Only one machine in the Information Department can be opened at the USB port, the operator of the machine is responsible for incoming and outgoing data and registers the data. Therefore, there is no need for encryption.
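========================================
Two endpoint controls raised in this thread, disabling automatic running on all drives (together with the Autorun.inf check) and disabling USB storage, can be audited read-only on a Windows client. The PowerShell below is an added example, not part of any participant's post; the function names are hypothetical, and the registry locations are the standard Windows ones rather than values given in the thread.

```powershell
# Added example: read-only audit of removable-media settings on one Windows client.
# Function names are hypothetical; nothing here changes the system.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-RemovableMediaPolicy {
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $usbstor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    $autoRun = Get-RegValue -Path $explorer -Name 'NoDriveTypeAutoRun'
    $start   = Get-RegValue -Path $usbstor  -Name 'Start'

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        # 0xFF means AutoRun is disabled for every drive type.
        AutoRunDisabledAll = ($null -ne $autoRun) -and (($autoRun -band 0xFF) -eq 0xFF)
        # Start = 4 means the USB mass-storage driver is disabled.
        UsbStorageDisabled = ($start -eq 4)
        NoDriveTypeAutoRun = $autoRun
        UsbStorStart       = $start
    }
}

function Find-AutorunInf {
    # List autorun.inf entries on removable volumes (DriveType 2).
    # A directory with that name is the usual "immunized" state; a regular
    # file deserves a closer look before the drive is used.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $path = "$($_.DeviceID)\autorun.inf"
        if (Test-Path -LiteralPath $path) {
            $entry = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Drive       = $_.DeviceID
                Path        = $path
                IsDirectory = $entry.PSIsContainer
            }
        }
    }
}

Test-RemovableMediaPolicy
Find-AutorunInf
```

Collecting this output from every client shows which machines still allow autorun or USB storage, which is the exception list the Information Department would need to track.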