Security Basics mailing list archives

RE: e-mail policies


From: Bruce Fowler <bfowler () hvp com au>
Date: Wed, 26 Feb 2003 09:33:39 +1100

I am sure most of you would concede that preventing employees from utilising
information systems resources for any form of private use is impossible, if
not impractical (having arrived at the office on a Saturday morning only to
find an employee printing full colour A3 posters for their kid's bedroom or
invitations for their niece's birthday party).

The key phrase is "acceptable use". You can control the types of files your
employees e-mail within and outside your organisation, but you cannot
control the ingenuity of an employee on a mission. Block all JPEG files -
your employees and persons outside the organisation will zip them. Scan zip
files n layers deep and they will embed them in Word documents. Each of
these measures has a cost (in terms of time, money and performance) and it
is up to (dare I say it) Us to determine the most appropriately balanced
solution for the organisation based on the identified risks and available
resources.

The issue of monitoring and interception is very much a grey area. Police
and Intelligence Agencies (in Australia at least) need a court order to
intercept and monitor any form of electronic communication. It is
interesting that the privacy rights accorded to voice communications are
not perceived to apply to other forms of electronic communication. If we
draw comparisons, it is illegal (again, in Australia at least) to:

- deliberately intercept voice communications without appropriate authority
(and this applies equally to the telecommunications provider) whereas it is
accepted (through the "Terms of Use") that e-mail communication may be
"duplicated, modified, reviewed or redistributed to persons other than the
intended recipient"; and/or

- monitor a conversation transmitted across any telecommunications
medium without the express knowledge and permission of all parties or an
appropriate Court Order, whereas it is accepted that a Company can
intercept, modify, review and redistribute e-mail communications to any of
their employees on the basis that the Company owns or operates part or all
of the communications infrastructure across which the communication was made
(yet, even on this basis it would be illegal for the Company or any
infrastructure provider in the chain to monitor any of their employees'
telephone conversations).

An interesting sidebar would be where does the scope of "monitoring" begin
and end? If I maintain or have access to a list of telephone numbers called
by a given employee (telephone numbers, times, dates and duration of call),
does this constitute monitoring? And would the same be considered for
listings of transmission information for e-mail messages?

My two cents.

Regards

Bruce Fowler

-----Original Message-----
From: Fields, James [mailto:James.Fields () bcbsfl com] 
Sent: Wednesday, 26 February 2003 12:35 AM
To: 'pablo gietz'; security-basics () securityfocus com
Subject: RE: e-mail policies


Your company simply cannot respect the privacy of its employees with respect
to E-Mails sent through your own E-Mail servers.  Employees should be
required to read and sign off on acceptance of an E-Mail policy, in which it
should be made crystal clear that their communications using corporate
resources are NOT private.  Corporate E-Mail accounts are not for personal
communications.

I think you will find that even most Internet Service Providers include such
language in their policies; they don't guarantee that no one at the ISP will
ever see your E-Mail.

-----Original Message-----
From: pablo gietz [mailto:pablo.gietz () nuevobersa com ar] 
Sent: Monday, February 24, 2003 2:03 PM
To: security-basics () securityfocus com
Subject: e-mail policies

Dear gurus

We are defining policies for the use of corporate e-mail, and I have doubts
about the privacy of messages sent by employees. Since the e-mail system is
intended for business use, we need to prevent sensitive information
disclosure. If we respect privacy, how can we discover an unfaithful
employee?
What is your opinion or the standard in these cases? What is the
companies' approach?

Thanks a lot.

-- 
Pablo A. C. Gietz
Jefe de Seguridad Informática
Nuevo Banco de Entre Ríos S.A.
Te.: 0343 - 4201351

Blue Cross Blue Shield of Florida, Inc., and its subsidiary and 
affiliate companies are not responsible for errors or omissions in this
e-mail message. Any personal comments made in this e-mail do not reflect the
views of Blue Cross Blue Shield of Florida, Inc.
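The "acceptable use" paragraph above makes the point that blocking by file type is defeated by nesting: a JPEG goes into a zip, and the zip goes into a Word document. The following is an added example (editor's code, not from any poster in this thread) showing why an extension filter misses this and what a content-based scanner has to do instead: identify files by their magic bytes rather than their names, and walk into ZIP containers recursively, which covers .docx files because the Office Open XML format is itself a ZIP archive. The sample attachment, the depth limit and the member-size cap are constructed here for illustration and are assumptions, not anything the thread describes.

```python
"""Recursive content scan for JPEGs hidden in nested ZIP / .docx containers.

Added example for the mailing-list discussion; not code from the thread.
The sample data below is constructed in memory, and the nesting depth and
size limits are illustrative assumptions.
"""
import io
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG SOI marker followed by a segment marker
ZIP_MAGIC = b"PK\x03\x04"      # ZIP local file header (also what a .docx starts with)
MAX_MEMBER_BYTES = 10_000_000  # assumption: refuse to inflate anything larger (zip-bomb guard)


def blocked_by_extension(filename: str) -> bool:
    """The naive policy: block anything whose name ends in .jpg/.jpeg."""
    return filename.lower().endswith((".jpg", ".jpeg"))


def is_jpeg(data: bytes) -> bool:
    return data.startswith(JPEG_MAGIC)


def is_zip(data: bytes) -> bool:
    return data.startswith(ZIP_MAGIC)


def find_jpegs(data: bytes, path: str = "attachment", depth: int = 0, max_depth: int = 3) -> list:
    """Return the paths of every JPEG found, descending into ZIP containers
    (including .docx) up to max_depth levels. Detection is by magic bytes,
    so the member's file name is irrelevant."""
    if is_jpeg(data):
        return [path]
    if not is_zip(data):
        return []
    if depth >= max_depth:
        # Report, rather than silently pass, what we could not inspect.
        return [path + " (unscanned: nesting limit reached)"]
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                found.append(member_path + " (unscanned: member too large)")
                continue
            found.extend(find_jpegs(zf.read(info.filename), member_path, depth + 1, max_depth))
    return found


# ---- constructed sample data -------------------------------------------------

def make_fake_jpeg() -> bytes:
    """A minimal byte string that carries the JPEG signature (constructed)."""
    return JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 64


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_docx() -> bytes:
    """A 'report.docx' (constructed) that embeds photos.zip, which in turn
    holds the JPEG under the misleading name notes.txt."""
    photos_zip = make_zip({"notes.txt": make_fake_jpeg()})
    return make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/embeddings/photos.zip": photos_zip,
    })


if __name__ == "__main__":
    docx = build_sample_docx()
    print("extension filter blocks report.docx:", blocked_by_extension("report.docx"))
    print("content scan finds:", find_jpegs(docx, "report.docx"))
    print("with max_depth=1:", find_jpegs(docx, "report.docx", max_depth=1))
```

Run as-is it shows the extension filter passing report.docx while the content scan reports report.docx/word/embeddings/photos.zip/notes.txt; lowering max_depth shows the other half of the trade-off the post describes, since the scanner then has to either refuse the container or pass it uninspected, and each extra layer costs CPU and memory on the gateway.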
