Security Basics mailing list archives

RE: e-mail policies


From: Mark Reardon <riscorp () mindspring com>
Date: Tue, 25 Feb 2003 18:14:08 -0500 (GMT)

The first item to consider is the local legal requirements. I work with an industry ISAC in the U.S. and we have 
Canadian members. In our discussions, the laws of Canada are much different than those of the U.S. They also have local laws to 
comply with.

Another item is that asserting ownership of anything on the server is an interesting idea. If I send you an email do 
you own it? In most countries the answer is no. I own it (as the creator) and you have a license to read it (a form of 
ownership but not what most people mean by ownership).

Finally, if you offer health insurance and someone puts personal health information into email, is that information 
protected under HIPAA (again a U.S. law)? What if it is encrypted? Is this company usage (the company provides the 
insurance)?

We are working on a policy that states the systems and software are provided to a person to aid them in the performance 
of their job. As such we reserve the right to examine the usage of the system and to troubleshoot issues with the 
system. If we find inappropriate usage the person is subject to action up to termination.

We are also looking at appointing a privacy person in H.R. who would examine the account based on a complaint, and they 
would sanitize the account of any HIPAA-protected information (and personal financial transactions, etc., that are not 
the target of the investigation). Complaints would have to be from V.P. level or above and must be in writing. There 
will also be a time frame for reporting to the person about the investigation.

As with most statements of policy, it is complicated. However, we are attempting to protect privacy, overlook 
incidental use, allow ourselves the ability to work offensive issues such as spam and porn, support the infrastructure, 
and stay out of court.

Good luck,

Mark

-----Original Message-----
From: pablo gietz [mailto:pablo.gietz () nuevobersa com ar]
Sent: Monday, February 24, 2003 12:03 PM
To: security-basics () securityfocus com
Subject: e-mail policies


Dear gurus

We are defining policies for the use of corporate e-mail, and I have doubts
about the privacy of messages sent by employees. Since the e-mail system is
intended for business use, we need to prevent sensitive information
disclosure. If we respect privacy, how can we discover an unfaithful
employee?
What is your opinion, or the standard, in these cases? What is the
companies' approach?

Thanks a lot.

--
Pablo A. C. Gietz
Jefe de Seguridad Informática (Head of Information Security)
Nuevo Banco de Entre Ríos S.A.
Tel.: 0343 - 4201351

----
Mark Reardon
Reardon Information Security Corporation
156 Blue Sky Drive
Marietta, GA 30068
(770) 565-0544
(404) 444-0041 cell

