Security Basics mailing list archives

RE: e-mail policies


From: "Joe Martinez" <jmartine () bio2 columbia edu>
Date: Wed, 26 Feb 2003 15:07:06 -0700

Sequel Technology offers a product for Internet Resource Management.

http://www.sequeltech.com

If anyone is interested...

Joe Martinez
Director of Information Technology Services

-----Original Message-----
From: Bruce Fowler [mailto:bfowler () hvp com au] 
Sent: Tuesday, February 25, 2003 3:34 PM
To: 'Fields, James'; 'pablo gietz'; security-basics () securityfocus com
Subject: RE: e-mail policies


I am sure most of you would concede that preventing employees from
utilising information systems resources for any form of private use is
impossible, if not impractical (having arrived at the office on a
Saturday morning only to find an employee printing full colour A3
posters for their kid's bedroom or invitations for their niece's
birthday party).

The key phrase is "acceptable use". You can control the types of files
your employees e-mail within and outside your organisation, but you
cannot control the ingenuity of an employee on a mission. Block all JPEG
files - your employees and persons outside the organisation will zip
them. Scan zip files n layers deep and they will embed them in Word
documents. Each of these measures has a cost (in terms of time, money
and performance) and it is up to (dare I say it) Us to determine the
most appropriately balanced solution for the organisation based on the
identified risks and available resources.

The issue of monitoring and interception is very much a grey area.
Police and Intelligence Agencies (in Australia at least) need a court
order to intercept and monitor any form of electronic communication. It
is interesting that the privacy rights accorded to voice communications
are not perceived to apply to other forms of electronic communication.
If we draw comparisons, it is illegal (again, in Australia at least) to:

- deliberately intercept voice communications without appropriate
authority (and this applies equally to the telecommunications provider)
whereas it is accepted (through the "Terms of Use") that e-mail
communication may be "duplicated, modified, reviewed or redistributed to
persons other than the intended recipient"; and/or

- monitor a conversation transmitted across any telecommunications
medium without the express knowledge and permission of all parties or
appropriate Court Order, whereas it is accepted that a Company can
intercept, modify, review and redistribute e-mail communications to any
of their employees on the basis that the Company owns or operates part
or all of the communications infrastructure across which the
communication was made (yet, even on this basis it would be illegal for
the Company or any infrastructure provider in the chain to monitor any
of their employees' telephone conversations).

An interesting sidebar would be where does the scope of "monitoring"
begin and end? If I maintain or have access to a list of telephone
numbers called by a given employee (telephone numbers, times, dates and
duration of call), does this constitute monitoring? And would the same
be considered for listings of transmission information for e-mail
messages?

My two cents.

Regards

Bruce Fowler

-----Original Message-----
From: Fields, James [mailto:James.Fields () bcbsfl com] 
Sent: Wednesday, 26 February 2003 12:35 AM
To: 'pablo gietz'; security-basics () securityfocus com
Subject: RE: e-mail policies


Your company simply cannot respect the privacy of its employees with
respect to E-Mails sent through your own E-Mail servers.  Employees
should be required to read and sign off on acceptance of an E-Mail
policy, in which it should be made crystal clear that their
communications using corporate resources are NOT private.  Corporate
E-Mail accounts are not for personal communications.

I think you will find that even most Internet Service Providers include
such language in their policies; they don't guarantee that no one at the
ISP will ever see your E-Mail.

-----Original Message-----
From: pablo gietz [mailto:pablo.gietz () nuevobersa com ar] 
Sent: Monday, February 24, 2003 2:03 PM
To: security-basics () securityfocus com
Subject: e-mail policies

Dear gurus

We are defining policies for the use of corporate e-mail, and I have doubts
about the privacy of messages sent by employees. Since the e-mail system is
intended for business use, we need to prevent sensitive information
disclosure. If we respect privacy, how can we discover a disloyal
employee?
What is your opinion or the standard in these cases? What is the
companies' approach?

Thanks a lot.

-- 
Pablo A. C. Gietz
Head of Information Security
Nuevo Banco de Entre Ríos S.A.
Tel.: 0343 - 4201351