This is a loser of a case. If the annotations are official legal guidance of the state of Georgia then it's not copyrightable. If they're a third-party creation owned by a third party then Georgia has no standing to bring suit. That's for the third-party to do.

Sounds like they're playing fast and loose with the rules.

You misunderstand. Security isn't cow sh** it's bullsh**.

This is presumptuous. You're a security guy. You don't know enough about the myriad and varied work the company's employees do to make birght-line rules about how they must do it. Nor will you with any amount of training.

Hear hear! The user base doesn't actively subvert security unless security is obtrusive and overbearing. Subverting security is too much effort.

Seriously?

There, I fixed it for you.

Clearly a job for openvpn. Split tunnel when you don't want to control Internet access. No split tunnel when you do.

Can't use peer to peer tech without something in the middle to mediate it. That's not an assumption, it's a requirement for a reasonably secure system. Without that approach you're vulnerable to arp hijacking and all manner of related badness.

Requires the sysadmin to implement strong situational awareness. That's not an assumption, it's a requirement for a reasonably secure system.

Daily backups with quick restore. If you don't have this, your network is a time bomb no matter what else you do.

For information loss issues, you partition the network. There's no excuse for time cards bound up in monolithic accounting software where every employee needs to be able to trade packets with the server holding all the employees' SSNs. Any system you can build will leak. Better for those leaks to be droplets rather than a flood.

Or you can do things that are ineffective and crush staff productivity. It'll look good on your resume after the company goes under.

Sure.

Many of the folks you describe have company credit cards, often without fixed spending limits. The accountants even write checks on the company's behalf, often for large sums. Misuse of these privileges leads to discipline and even termination.

The firewall is there because some crap on the Internet is more problematic than other crap on the Internet. Done right, it's a speedbump - it makes the user slow down his rush to reach the problematic site and make a judgement call whether he really needs to go there. Done poorly it's a brick wall -- the user trying to do his job hits his head against it uselessly and hates the IT group with a passion.

Accountability belongs with the individual. IT's job is to facilitate and advise. That includes IT security.

There is no loop here. Your switches should be configured so that one workstation can't send packets to another. Your monitoring system should alert you to an unusual quantity of access on the file shares (a tip off that a virus is active) and your backups should be good enough to restore damaged files after you isolate the workstation that did the damage.

And when the user overrides the web filter, the override should apply to just that site and should warn the user that, "This site was blocked for a reason and your access to it will be logged. Please take care to avoid use that could compromise network security."

A reasonable IT strategy leaves the user in command. It advises when the user wants to do something dangerous and it stands ready to recover when things go sideways.

If a user then causes problems, that's a disciplinary issue for management to resolve, not IT.

If the user can infect the network, you designed the network wrong.

The subject is: class action lawsuit in the US. Just in case you forgot.