Security Basics mailing list archives
RE: e-mail policies
From: Bruce Fowler <bfowler () hvp com au>
Date: Wed, 26 Feb 2003 09:33:39 +1100
I am sure most of you would concede that preventing employees from utilising information systems resources for any form of private use is impossible, if not impractical (having arrived at the office on a Saturday morning only to find an employee printing full colour A3 posters for their kid's bedroom or invitations for their niece's birthday party). The key phrase is "acceptable use". You can control the types of files your employees e-mail within and outside your organisation, but you cannot control the ingenuity of an employee on a mission. Block all JPEG files - your employees and persons outside the organisation will zip them. Scan zip files n layers deep and they will embed them in Word documents. Each of these measures has a cost (in terms of time, money and performance) and it is up to (dare I say it) Us to determine the most appropriately balanced solution for the organisation based on the identified risks and available resources.

The issue of monitoring and interception is very much a grey area. Police and Intelligence Agencies (in Australia at least) need a court order to intercept and monitor any form of electronic communication. It is interesting that the privacy rights accorded to voice communications are not perceived to apply to other forms of electronic communication.

If we draw comparisons, it is illegal (again, in Australia at least) to:

- deliberately intercept voice communications without appropriate authority (and this applies equally to the telecommunications provider), whereas it is accepted (through the "Terms of Use") that e-mail communication may be "duplicated, modified, reviewed or redistributed to persons other than the intended recipient"; and/or

- monitor a conversation transmitted across any telecommunications medium without the express knowledge and permission of all parties or an appropriate Court Order, whereas it is accepted that a Company can intercept, modify, review and redistribute e-mail communications to any of their employees on the basis that the Company owns or operates part or all of the communications infrastructure across which the communication was made (yet, even on this basis it would be illegal for the Company or any infrastructure provider in the chain to monitor any of their employees' telephone conversations).

An interesting sidebar would be: where does the scope of "monitoring" begin and end? If I maintain or have access to a list of telephone numbers called by a given employee (telephone numbers, times, dates and duration of call), does this constitute monitoring? And would the same be considered for listings of transmission information for e-mail messages?

My two cents.

Regards
Bruce Fowler

-----Original Message-----
From: Fields, James [mailto:James.Fields () bcbsfl com]
Sent: Wednesday, 26 February 2003 12:35 AM
To: 'pablo gietz'; security-basics () securityfocus com
Subject: RE: e-mail policies

Your company simply cannot respect the privacy of its employees with respect to E-Mails sent through your own E-Mail servers. Employees should be required to read and sign off on acceptance of an E-Mail policy, in which it should be made crystal clear that their communications using corporate resources are NOT private. Corporate E-Mail accounts are not for personal communications.

I think you will find that even most Internet Service Providers include such language in their policies; they don't guarantee that no one at the ISP will ever see your E-Mail.

-----Original Message-----
From: pablo gietz [mailto:pablo.gietz () nuevobersa com ar]
Sent: Monday, February 24, 2003 2:03 PM
To: security-basics () securityfocus com
Subject: e-mail policies

Dear gurus,

We are defining policies for the use of corporate e-mail, and I have doubts about the privacy of messages sent by employees. Since the e-mail system is intended for business use, we need to prevent sensitive information disclosure. If we respect their privacy, how can we discover employee infidelity? What is your opinion or the standard in these cases? What is the companies' approach?

Thanks a lot.

--
Pablo A. C. Gietz
Head of IT Security
Nuevo Banco de Entre Ríos S.A.
Te.: 0343 - 4201351

Blue Cross Blue Shield of Florida, Inc., and its subsidiary and affiliate companies are not responsible for errors or omissions in this e-mail message. Any personal comments made in this e-mail do not reflect the views of Blue Cross Blue Shield of Florida, Inc.
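Bruce's point about filtering attachments (block JPEGs, and they get zipped; scan zips n layers deep, and they get embedded in Word documents) is what a content scanner has to contend with. The following is an added illustration written for this archive page, not code from any poster or product: a small Python inspector that identifies files by magic bytes rather than extension, recurses into ZIP containers (including .docx, which is itself a ZIP holding images under word/media/), stops at a configurable depth, and, rather than silently passing what it could not open, reports the depth limit or an oversized member as a finding a mail gateway could quarantine on. The sample attachments it scans are constructed in-memory stand-ins (a few magic bytes, not real pictures or documents); the size cap is an assumed policy value.

```python
import io
import zipfile

# Magic bytes for the content types this inspector recognises.
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"   # plain .zip and OOXML (.docx/.xlsx/.pptx) containers

# Assumed policy value: refuse to expand archive members larger than this
# (a cheap guard against decompression bombs while walking nested archives).
MAX_MEMBER_BYTES = 5 * 1024 * 1024


def classify(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring whatever name it carries."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def scan(data: bytes, max_depth: int, path: str = "attachment", depth: int = 0) -> list:
    """Return a list of (path, verdict) findings for an attachment.

    Images are reported wherever they sit; ZIP containers are expanded
    recursively until max_depth, at which point the inspector reports
    'depth-exceeded' so the policy layer can decide to block instead of
    treating unexamined content as clean.
    """
    kind = classify(data)
    if kind in ("jpeg", "png"):
        return [(path, f"image:{kind}")]
    if kind != "zip":
        return []
    if depth >= max_depth:
        return [(path, "depth-exceeded")]

    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_path = f"{path}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member_path, "oversized-member"))
                    continue
                findings.extend(scan(zf.read(info), max_depth, member_path, depth + 1))
    except zipfile.BadZipFile:
        # Starts like a ZIP but cannot be parsed: report rather than ignore.
        findings.append((path, "corrupt-zip"))
    return findings


def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a "JPEG" that is only its magic bytes, a minimal
# docx-like container carrying it under word/media/, and that document
# wrapped in two layers of ZIP, as in the evasion chain described in the post.
FAKE_JPEG = JPEG_MAGIC + b"\x00" * 16
FAKE_DOCX = make_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/media/image1.jpeg": FAKE_JPEG,
})
NESTED_ATTACHMENT = make_zip({"reports.zip": make_zip({"memo.docx": FAKE_DOCX})})


if __name__ == "__main__":
    for limit in (4, 2):
        print(f"max_depth={limit}:")
        for item in scan(NESTED_ATTACHMENT, max_depth=limit):
            print("  ", item)
```

With a depth limit of 4 the image inside the Word document inside the nested archives is found at `attachment/reports.zip/memo.docx/word/media/image1.jpeg`; with a limit of 2 the scanner stops at `memo.docx` and says so, which is the outcome a gateway should act on rather than silently accepting the file.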