Security Basics mailing list archives
RE: e-mail policies
From: Mark Reardon <riscorp () mindspring com>
Date: Tue, 25 Feb 2003 18:14:08 -0500 (GMT)
The first item to consider is the local legal requirements. I work with an industry ISAC in the U.S. and we have Canadian members. In our discussions the laws of Canada are much different than the U.S. They also have local laws to comply with.

Another item is that asserting ownership of anything on the server is an interesting idea. If I send you an email, do you own it? In most countries the answer is no. I own it (as the creator) and you have a license to read it (a form of ownership but not what most people mean by ownership).

Finally, if you offer health insurance and someone puts personal health information into email, is that information protected under HIPAA (again a U.S. law)? What if it is encrypted? Is this company usage (the company provides the insurance)?

We are working on a policy that states the systems and software are provided to a person to aid them in the performance of their job. As such we reserve the right to examine the usage of the system and to troubleshoot issues with the system. If we find inappropriate usage the person is subject to action up to termination. We are also looking at appointing a privacy person in H.R. who would examine the account based on a complaint and sanitize the account of any HIPAA protected information (and personal financial transactions, etc. that are not the target of the investigation). Complaints would have to be from V.P. level or above and must be in writing. There will also be a time frame for reporting to the person about the investigation.

As with most statements of policy, it is complicated. However, we are attempting to protect privacy, overlook incidental use, allow ourselves the ability to work offensive issues such as spam and porn, support the infrastructure, and stay out of court.
Good luck,
Mark

-----Original Message-----
From: pablo gietz [mailto:pablo.gietz () nuevobersa com ar]
Sent: Monday, February 24, 2003 12:03 PM
To: security-basics () securityfocus com
Subject: e-mail policies

Dear gurus,

We are defining policies for the use of corporate e-mail, and I have doubts about the privacy of messages sent by employees. Since the e-mail system is intended for business use, we need to prevent sensitive information disclosure. If we respect privacy, how can we discover employee infidelity? What is your opinion, or the standard, in these cases? What is the companies' approach?

Thanks a lot.

--
Pablo A. C. Gietz
Head of Information Security (Jefe de Seguridad Informática)
Nuevo Banco de Entre Ríos S.A.
Te.: 0343 - 4201351
----
Mark Reardon
Reardon Information Security Corporation
156 Blue Sky Drive
Marietta, GA 30068
(770) 565-0544
(404) 444-0041 cell