Moderator: We are now beginning today's live discussion with security
expert PJ Varrassi. PJ will field a broad range of questions on how to
create a security policy, how to enforce it, what are the hurdles, etc.
Please submit your questions at the bottom of your screen now. Thanks!
Moderator: DISCLAIMER by PJ Varrassi: I am not an attorney or a
paralegal. The information in this discussion is intended only as
recommendations and should not replace any legal counsel. You are directed
to obtain legal advice from a licensed attorney in your state.
mlewis409488 : How long does it typically take to develop most policies and
standards?
PJ_Varrassi : This is dependent upon the complexity of your system and the
complexity of your approval process. The initial policy and standard
development can take one to two weeks per policy (depending upon policy
developer experience and tools) but modifications and the approval process
can take significantly more time, especially when several departments are
involved.
cmuetzli108206 : Hi. Today, most start-up companies have maybe some
good employees with awareness of security. There are no policies; what do
you mean?
PJ_Varrassi : Policies, standards and technical controls provide a
systematic framework for information dissemination to employees, third
party personnel, etc. regarding Standards of Conduct and operational
concerns. With the issuance of Corporate wide policies, standards and
technical controls, everyone can "get on the same page", that is, the
organization advises personnel what is expected of them, what personnel can
expect from the organization. Your organization needs to address their
environment and assure they comply with all local, state and federal laws.
Your legal department and Human Resource group can be of assistance as well
as many on-line resources to help direct the security personnel in this
endeavor.
bvigil532378 : What groups are normally involved in the policy development
process?
PJ_Varrassi : Parties having knowledge and experience relevant to the given policy, or on whom the policy
would have a direct impact. Most certainly, representatives from Legal,
Human Resources, Audit, Systems and Computer Resource Management should always be involved. By obtaining buy-in early in the policy development life cycle, wasted time and resistance are decreased. I have always been a fan of appointing a user advocate. By having a "link" to the user community, acceptance for policies being implemented is greater, because users feel they do have input into the process and feel less alienated. The last feeling you want your user community to have is that their suggestions are falling on deaf ears. While in all probability you will not be able to implement the request, the open communication will allow all parties to see the issues from another perspective.
ssimpson739101 : What are the recommended ways to hold employees,
contractors and business partners accountable for policies?
PJ_Varrassi : The legally shrewd answer is simple. Have workers READ AND
SIGN an agreement (along with the confidential statement) to abide by
policies, procedures and technical controls implemented. Obtaining written
agreement by workers to abide by policies is an absolute must BEFORE
granting / issuing user-IDs. However, I find it difficult (morally,
ethically and legally, to some extent), to hold someone accountable to
abide by policies they either don't know exist, or worse, don't understand.
Whether through ignorance or misunderstanding, the end result is the same:
The company risks reputation or financial damages.
pvio163576 : What is the best method to assure system users know and
understand policies?
PJ_Varrassi : With a Security User Awareness program. Through my experience
in developing these programs in many different security environments, I
find the preferred method is to provide workers with an overall security
briefing complete with security handbook tailored to your industry or site.
In the security briefing (reinforced with the handbook): Advise workers
what is expected of them and the consequences (both personally and for the
corporation) for failure to abide by the policies; Review critical policies
with users; Go over each area of the agreement and solicit questions. If no
questions, have the workers sign the agreement, then the security presenter
signs as WITNESS. One thing to emphasize: If workers DO NOT UNDERSTAND ANY
statement contained in the document or have issues with a statement, ADVISE
THE SECURITY PRESENTER. Tell the workers NOT to sign if they don't
understand a statement or have issues with a statement. Clarify the
statement in question (if everyone may benefit, then have them sign) or
take the conversation offline if it is of a personal nature, answer the
question (or refer the worker on).
emilev320776 : How can I use SSL in my work place?
PJ_Varrassi : Not to be evasive, but it would depend on your environment,
architecture, business applications and current policies.
jhammar430364 : I am part of a corporation based in the U.K., with offices
in 12 countries. How do we implement a security policy that takes into
account laws in all of the affected countries?
PJ_Varrassi : Some issues are universal such as good password design,
portable electronic device safeguards, information classification, etc. The
critical issue you will probably be dealing with relates to the EU
Directive and other privacy concerns. Since you are a multi-country
organization, your attorneys are going to be your best avenue for
recommendation on sensitive policies (i.e., privacy, censorship).
scushman158608 : How often should policies be reviewed for change?
PJ_Varrassi : Policies should be developed so they do not require frequent
modifications and should be revisited whenever significant changes in
technology, corporate strategy or culture occur. Implementation of new
technology (i.e., a strictly mainframe environment now implementing
distributed systems) or the removal of technology resulting in policies,
procedures or technical controls that are no longer valid generally brings
about a review of policies. Acquisitions / mergers and divestitures also
should bring about a revisiting of policies.
mderby10940 : How long should policies be?
PJ_Varrassi : However long it takes to relay management directives. Policy
statements are generally just one or two lines. The procedural portion of
the document may be rather extensive depending upon the policy. One of the
better formats I have seen (and worked with) gives the policy purpose and
scope, policy statement, procedures and then technical controls.
dtart465597 : What happens if someone refuses to sign?
PJ_Varrassi : This is a management decision your company will have to make.
It will negatively impact the position / authority of the security
department if individuals are granted user-IDs without a signed agreement.
Another concern would be if others are made aware that some workers
received exemption from signing, and thereby cite potential discrimination.
Again, it is a management decision and they may be willing to assume the
risk.
bob690198 : Apart from normal O/S ACLs, do you use anything else to control
access to sensitive company documents?
PJ_Varrassi : That's a loaded question!! This could be an entire session in itself.
With sensitive documents you have to assure control is maintained through transmission, softcopy (including backups maintained on-site and off-site) and hardcopy (through destruction). One method may be to maintain a log of sensitive documents (the military does this) to assure proper controls.
I found developing a matrix detailing how sensitive documents in each information classification should be handled most helpful.
Don't forget that image-making media has the potential to recreate any document and therefore must also be controlled!!
ccampbell104460 : How many policies should a company have?
PJ_Varrassi : As many as it takes to provide proper protection for your
environment. A company with a limited environment (1,000 workers or one
mainframe) does not require the same structure as an international company
with 100,000 workers, five mainframes, 50 servers, or military
installations protecting national secrets.
sfogarty265994 : What are the most overlooked policies in policy
development?
PJ_Varrassi : In my estimation there are several: Search and seizure;
privacy; e-mail; and Web-related policies (privacy, collection of
information from visitors).
mdavidson264740 : What is the best method to disseminate policies?
PJ_Varrassi : Electronically with search capability. Having a policy on the Web or in an electronic database (such as on Lotus Notes or in a 4th GL database) is quite advantageous. I recommend putting policies in ONE PLACE for consistency (so workers know where to look for them) and on an electronic
system so they are accessible to all workers. The other advantage is you
only have to make the change in one place, reducing the likelihood that
someone will obtain an overlooked copy of the policy. Don't forget to DATE each policy and note when something is new. I also recommend sending e-mail announcements when policies are modified or new policies are added.
bjohnson384921 : Do you know of any sample polices, preferably local
government in nature?
PJ_Varrassi : If you peruse the WEB, there are an abundance of governmental
(as well as educational and corporate) policies available.
brenda.ruelas178358 : Do you have a methodology for disseminating new
policies throughout the organization?
PJ_Varrassi : Electronically with search capability. Web-based policies or policies in electronic
databases (such as on Lotus Notes or in a 4th GL database) are quite
advantageous. I recommend putting policies in ONE PLACE for
consistency (so workers know where to look for them) and on an electronic
system so they are accessible to all workers. The other advantage is you
only have to make the change in one place, reducing the likelihood that
someone will obtain an overlooked copy of the policy. Don't forget to
DATE each policy and note when something is new.
Broadcasting electronic mail announcements of new or modified policies is
recommended.
paul.dashner910637 : How important is it to get certifications as related
to presenting your network as a secure entity?
PJ_Varrassi : I'm not sure I understand the question. If you are referring
to getting your system certified, this will probably be dictated by your
environment such as military certification of a system being C2, C2,
through A2, etc.
brad617229 : How do you divide the policy making process? Do you develop
separate policies for hardware/network/software issues?
PJ_Varrassi : As a rule, yes. The thing to remember when developing and
naming policies is how the user will attempt to locate information when
they need it. Sometimes what is most logical to us is not logical to the
user. For instance, I generally divide application development
(programming) policy and system development policy because the audience is
generally different.
hmolina134786 : What is the standard "use" policy of a typical personal
computer in the workplace?
PJ_Varrassi : It would depend upon the site and the architecture. Basics
would be what is to be expected from the user and from the company. Don't
share your password, back up critical files, and power-on and screen saver
passwords are common.
jebyrne958730 : Under what circumstances do you recommend outsourcing
policy development?
PJ_Varrassi : Generally, I wouldn't. Outsourced individuals do not have the
same commitment or intimate knowledge of your organization that an
internal individual would. Should modifications or questions arise, the
policy generator may not be available to respond to the question or to the
modification.
kbnelson994406 : With the advent of a cross-platform virus, what would be
the next step for a security policy admin?
PJ_Varrassi : The policy should be written to include all platforms within
the organization. I wouldn't specify any particular one. Saying something
like "virus protection is utilized on all systems" should suffice.
david.barnett9453 : I am gathering policy and procedure guidelines from
various sources such as NIST and SANS. What is the best way to apply all
this information towards building our work? What are some of the standards
I can strive for? We do business with financial institutions and medical
companies.
PJ_Varrassi : If you are looking for standards such as COBIT you can visit
their site. There are many excellent books currently available which
provide standards. Referencing HIPAA will also provide some insight.
shale916955 : Is there a policy draft (template) that developers of
policies can get and modify to suit their own needs?
PJ_Varrassi : My personal favorite is Information Security Policies Made
Easy by Charles Cresson Wood. (Our philosophy on policy development is the
same!) It comes complete with a CD and provides excellent documentation on
policy development.
sloejack460384 : What are some common security policies that companies
should have?
PJ_Varrassi : Depending upon the environment the usual are:
- Privacy
- Password
- Acceptable use policy
- Search and Seizure
- Laptop (Portable Electronic Device)
- Information Classification
- Third Party
- Encryption
- Incident Reporting
- Information Retention
- Contingency Planning
- Privileged Accounts
bvandegriend761374 : What is the best way to handle the migration from what
a policy says to actually enforcing it? Should you wait to issue a new
policy until you are ready to enforce it with software, controls, etc.? Or
put the policy out there, and then work to enforce it?
PJ_Varrassi : First off, never implement a policy you cannot or will not
enforce. ("All bark and no bite"). It lessens your position and authority
within the organization.
I would wait until the logical or hardware controls are implemented before releasing the policy.
rnendza27473 : Do you know a good source of sample security policies
(guides, case studies, etc) that a new company could refer to when
formulating a policy?
PJ_Varrassi : Reference is made again to: Information Security Policies
Made Easy by Charles Cresson Wood.
mike.johnson75755 : Is there a real need or use for logon banners and
disclaimers at the end of e-mails?
PJ_Varrassi : YES!!!!!!! This cannot be stressed enough!! By not having
disclaimers you are leaving yourself and company open for liabilities.
bmiller256106 : Where does one find good policy models?
PJ_Varrassi : Reference is made to Information Security Policies Made Easy
by Charles Wood.
carlosbranco0618 : What resources do you recommend that may help with the
overall creation of company-wide security policies and awareness programs?
PJ_Varrassi : There are an abundance of companies which assist with user
awareness program development. I recently had the pleasure of researching
several and was impressed how the industry has grown.
Moderator: This concludes our session with PJ Varrassi. Thank you for
joining us. And a special thank you to PJ for her time and expertise!
Moderator: Please visit our Ask the Expert feature on the SearchSecurity
home page. Thanks for attending today! PJ will join us again at a later
date.
Moderator: These questions were answered by PJ after the chat concluded.
hbuchan354255: Should security policies be a standard part of the HR orientation process?
PJ_Varrassi: The advantages of implementing security policies through an HR orientation are multi-faceted. It underscores the company's commitment to the security program and lets everyone know from the beginning what everyone's (theirs and the company's) computer security rights and responsibilities are. New hires do not have preconceived notions or habits instilled as do long-term employees, so information dissemination is more readily accepted. I find the preferred method is to provide workers with an overall security briefing complete with a security handbook tailored to your industry or site during the HR presentations.
cflint898779: What is the best way to implement a security policy on an extranet that has hundreds of users, not specifically subject to "internal" policies? Don't we need more than a "terms of use" statement?
PJ_Varrassi: I'm not exactly clear on part of the question; so if the answer doesn't meet your needs, please let me know.
Yes, you definitely need more than a terms of use statement. It is EXTREMELY important site visitors know and understand their rights and responsibilities while visiting your extranet / Web site. They need to be advised of several issues, which are covered through the privacy statement or Legal Statements. For example: users need to be aware of (and accept) "cookie" collection, copyright, trade secrets, harassment, acceptable use statements, consent to monitoring while on the site, to name just a few. If you collect electronic payment information, it is critical your user community KNOWS AND UNDERSTANDS the ground rules.
Implementation of policies for a highly decentralized environment can be performed via an electronic mail system or via a secured Web-based method. When a new policy is developed and implemented, the information could be splashed across the screen and the subject would acknowledge the information by clicking on ACCEPT or NOT ACCEPT. When not accepted, the user would be prohibited from entering the site.
steve102595: What do you think of the PentaSafe Vigilant Policy Center and its ability to write tests for the security policy that employees must pass?
PJ_Varrassi: I haven't had the opportunity to review PentaSafe's product line and in particular the "testing" for specific security policy comprehension, so my answer will be general.
The act of testing would indicate that some training / education (CBT / computer-based training, instructor-led) has occurred. If training has not occurred (or was poorly designed or presented, resulting in inadequate preparation), then implementing testing would perhaps alienate your user community because failure would probably be high. (As we can remember from school, studying material for the sole purpose of passing a test is entirely different than studying, retaining and utilizing this information on a daily basis.) As security practitioners, we should be more concerned with the DAILY voluntary security commitment and compliance of our user community than their ability to pass a test.
Prior to implementing a testing program, try to answer some very basic questions:
- What are you hoping to achieve by testing users? (Mitigate legal issues, identify user community strengths and weaknesses)
- What are the consequences of individual failure? (Additional training, revocation of ID until passing score is obtained? Are the consequences the same for the CIO / VP who fails as for the accounting clerk?)
- Are we, as practitioners, willing to assume responsibility for our failure to properly educate our user community? (What will our measure of success be?)
- What if someone refuses to take the test? (Same consequences for the CIO / VP as the clerk?)
- How many times do people get to retest?
- Is testing the means to an end or an end to a mean?
leonard.dupray63461: I have a network security policy in place. How or what is the best approach to enforce this?
PJ_Varrassi: I would enforce it the same way any other policy is enforced. The platform shouldn't be a deciding factor on how a policy is enforced.
luis.rodriguez882275: Can you give any guidance on when personal/employee rights end and when the company ones start, regarding the information everyone manages in the company environment?
PJ_Varrassi: Federal, state, local and sometimes international laws will largely govern "employee rights". For instance, Federal laws detailing what is and is not acceptable will drive your harassment policy. Where the employee rights are not SPECIFICALLY addressed and can be considered as part of the manner of doing business is the challenge. For example, the hot area is privacy. You need to remove any expectation they have of privacy as it relates to specific areas such as: electronic resources (including voice communications) monitoring, auditing, logging and search and seizure. You need to tell electronic resource users who owns the information, too. You will save yourself and your corporation by setting forth the ground rules in this area.
tyler.hudak303205: How specific should security policies get? How general?
PJ_Varrassi: Security policies should be written in generalities to relay to the user community management's directives allowing the standards to be specific. For example:
- Purpose and Scope:
This policy defines password requirements for access to electronic information resources and applies to all users of electronic resources.
- Policy Statement:
Passwords are the organization's first line of defense to protect assets; therefore all access to electronic resources will be password protected.
- Standards:
All passwords will be 6-8 characters in length using alpha and numeric characters. Passwords will not be easily discerned by using information personally identifiable to the individual, such as relatives' names, relatives' dates of birth, etc.
Passwords will not be shared nor written down in any easily discernible form. Passwords will be changed every 30 days.
The overall policy purpose / scope and statement will not change or will not change for an extended period of time. The standards portion of the policy will change and be reflective of architectural or cultural changes such as increases in password length or implementation of forced character in a specific place (i.e., first and last characters must be numeric).
connell_dan412537: Are there some basic elements that should appear in all security policies, regardless of your business, and if so where can they be found?
PJ_Varrassi: Key elements / points should include the policy purpose and scope, the policy statement and the standards. One important idea to remember is no one source has all the answers. As you develop policies, you will find yourself incorporating information from SEVERAL sources to develop one policy. The Internet has proven an invaluable tool in this research. There are a variety of resources currently available offering templates and sample policies. One I have been recommending is Information Security Policies Made Easy by Charles Cresson Wood. His book provides sample policies and a CD to make searching / researching easy. As with any method however, remember the policies provided are to be used as a baseline and must be tailored to your site.
carlosbranco38384: What is your opinion on the following security polices resource by Pentasafe: "Information Security Policies Made Easy - Version 7; By Charles Cresson Wood, CISA, CISSP"?
PJ_Varrassi: It is excellent, and I have recommended it to many people.
bvandegriend761374: What is the best way to deal with valid exceptions to a security policy? With a separate document and approval process for them?
PJ_Varrassi: Yes, an exception policy is a definite must-have. In this policy you need to identify, clarify and document under what circumstances exceptions will be considered and their appropriateness (make sure it is WRITTEN), risks identified and documented as well as influencing factors either way (pro or con), how long the exception will be valid for (question any extended period of time) and most importantly have all concerned parties SIGN OFF. This includes the requestor / their department MANAGER, IT management, Audit management and others who might be affected by the exception (i.e., operations personnel). Note the exception policy is different from an emergency system "fix".
sburns621554: Can you tell us how the landscape has changed from five years ago to today? Do you see much of an attitude change on the importance of policies?
PJ_Varrassi: Excellent question! The focus on computer security and in particular policies has increased dramatically during the last five years, which is astounding, BUT we still have a long way to go! I am shocked to discover the number of companies who do not have adequate policies (or any policies at all). It appears auditing has become more involved in the security function too, which is VERY encouraging since they can drive change easier (many times) than the security department.
I feel corporate motivation for the creation of policies and standards development has also significantly changed. Previously, it appeared companies provided limited policies / standards primarily as due diligence (and having a negative connotation). Now, more companies appear to be using policy / standards in a positive manner (reinforcement), letting everyone know the game rules (everyone has the opportunity to be a winner). The abundance of WEB sites, CDs, manuals, training and especially companies dedicated to policy development are an indication of the current importance of policies (regardless of the motivating factor).
Many factors facilitated the focus on policies including early efforts by the FTC to encourage on-line organizations to self-police, the EU Directive, Clinton's PDD 63, privacy groups, hacking and litigious individuals.
mgumkows62575: Is there any product that can be a front end to my security policies that I am creating?
PJ_Varrassi: If I understand your question correctly, yes. Any 4th GL product can be used such as Lotus. There are products offered through the Big 5, which can also be used. PWC makes a product (ESAS) that runs on the Web. Pentasafe also has a product, but I am unfamiliar with it.
bobe128220: How can I convince my company CTO that we need a formal policy?
PJ_Varrassi: I'm surprised the Auditing Department hasn't become involved in this issue. If they haven't met with success (by issuing non-compliance findings), then equating the security function to the Human Resource function might help.
Inform the CTO: "Organizations have long recognized the necessity of generalized policies, standards and technical controls, as evidenced by Human Resource Departments' use of policies driven by Federal, State, and Local laws. Computer Security policies, standards and technical controls provide a systematic framework for information dissemination to system users regarding Standards of Conduct and operational concerns and are driven (just as Human Resource Policies) by Federal, State, Local and sometimes International Law today. With the issuance of Corporate wide policies, standards and technical controls, everyone can "get on the same page", that is, the organization advises personnel what is expected of them, what personnel can expect from the organization, and the consequences should policies, standards or technical controls not be adhered to."
It is not in the Corporation's best interest (morally, ethically, and legally to some extent) to hold someone accountable to policies they either don't know exist, or worse, don't understand. Whether through ignorance or misunderstanding, the end result is the same: The company risks damage either to reputation or actual financial loss.
If that doesn't work, try this...Depending upon your company, he **MAY** be held financially accountable should a known computer security vulnerability result in a computer security incident ending in a loss of revenue to the shareholders, not to mention the potential loss of the company's reputation. If the inadequacies of the company's computer policies, standards, technical controls are great enough or continue for an extended length of time, this could also be reflected in an external audit report negatively affecting the company.
paul817183: Are we assuming for the purposes of the discussion that spare machines and dummy data are available for the development process to insulate the development team from any live data and to ensure limited access for prevention of fraud?
PJ_Varrassi: If the question is why do we use dummy data there are several reasons. Reducing the potential of fraudulent activity is only one. The separation not only assures integrity in development and testing, but also permits separation of changes from one environment to another.
Using copies of production data is discouraged for normal testing unless the use of such data does not violate any Federal, State, local laws (i.e. Privacy) such as the Computer Security Act of 1987, requiring unclassified but sensitive information to have confidentiality protection. Should live data, which is covered under the aforementioned regulations, be used in a testing environment, sensitive information (i.e., personnel information containing salary or level) should be replaced by "dummy" data or jumbled so as not to be identifiable to the person.
steve102595: If virus protection is to be utilized on all systems, what antivirus software is available for UNIX?
PJ_Varrassi: There are a variety of virus products available. Go to a search engine (www.alltheweb.com) and enter the search criteria "Virus Unix"; numerous vendors / software will be displayed.
ghatt993167: What considerations weigh most heavily in determining an acceptable use policy?
PJ_Varrassi: Applicability to your environment and enforceability. A company with a limited environment (1,000 workers or one mainframe) does not require the same structure as an international company with 100,000 workers, five mainframes, 50 servers, or military installations protecting national secrets.
Guard against issuing decrees your company cannot or will not enforce.
ghatt993167: How much 'freedom' would you allow a security team to have in determining a corporation's policy?
PJ_Varrassi: Policies should not be created in a vacuum, and there has to be a balance between allowing the computer security policy developer freedom yet not stepping on other departments' policies. A good indicator may be looking at your Charter or Mission Statement. As you get heavily into policy writing you will quickly learn the computer security policies "touch" on other departments, which is why I recommend a review process incorporating representatives from Legal, Human Resources, Audit, Systems and Computer Resource Management. There is nothing worse than developing a policy only to have it "walk on" an existing policy or encroach on another department's responsibility.
By obtaining buy-in early in the policy development life cycle, wasted time and resistance are decreased.
tbarber22725: I'm a systems admin at a small local government agency. Our first set of technology policies was pretty vague and now the agency wishes to tighten things down. How can we go through this process without damaging employee morale?
PJ_Varrassi: This is going to be a BIG challenge not only because you are attempting to modify ADULT behavior (people who already have set values, beliefs, and goals) but also because you are instituting change, which naturally elicits resistance. These two factors, coupled with the security subject matter, present unique challenges.
To encourage user community "buy-in" to the new policies, a "kinder and gentler" approach might be most effective. Advise the user community that significant changes in technology have occurred since the development and implementation of the original set of policies and the department is currently revising policies to reflect these changes. Advise them that over the next several months new policies will be implemented and you realize these new policies may modify current methods; however, organizational compliance with Federal, State and local laws makes these changes necessary. With the popularity of the WEB, you might want to start off with policies the user community can use in their personal life (safety on the WEB). Consider doing a user awareness / policy kick-off using freebies and contests. (Contests could be which department has the highest compliance with policies.)
Encourage feedback from the user community. While in all probability you WILL NOT be able to eliminate or change the policy, allowing the user community to interact with the Security Department might prove quite advantageous.
lstyres920591: What about policy guidelines that specifically relate to State Government Agencies?
PJ_Varrassi: There wasn't an indication of what department your organization was affiliated with, so the answer is going to be rather broad. Your organization's attorney or auditing department may be able to provide some insight on where to direct you for current legislation specific to your state and special requirements (such as HIPAA).
f.castro368692: I'd like to know about the difficulties you find when you are enforcing the security policy, and how you overcome them. In particular, I've observed in several places that employees don't take very seriously the confidentiality of their passwords: how do you handle that? Thank you.
PJ_Varrassi: The largest problem to overcome in enforcing policies is the lack of management commitment to the security function. Without management commitment to the function, your policies are not going to be enforceable. If management is INSTRUCTING users to share, the issue will have to be escalated to upper management.
If overall management commitment is positive to the security function and you have a limited problem, Security Management could intervene with the offending management and stress the importance of following procedures. One action that might be taken is making security compliance part of the employee's yearly evaluation.
You might want to examine the reasons for password sharing. Does the individual KNOW they are not to share passwords? How did the situation of password sharing come to light? Frequent password resets? Access to information someone should not have had access to? "Common knowledge"? "Walk Throughs"?
Why are personnel sharing user-IDs / Passwords? Process to get the password reset too complicated or time consuming? Time required to obtain a user-ID for a new employee (temporary, consultant) too long? User-ID required only for a limited time (relief worker?)
If the problem is widespread, the first step might be sending a company-wide electronic mail advising users there is a policy regarding password sharing (attached policy) and the need for the policy (protect company assets, etc.). Further advise them they are responsible for any actions taken by their user-ID whether they made them or not (Accountability). If they signed an agreement (which they should have) stating they will not share their user-ID, to share is a violation and may cause revocation of their user-ID or other disciplinary action. If it is a continuing problem with several individuals, advise them to stop (copy their management).