Security Basics mailing list archives

RE: e-mail policies


From: "Moeckel, Sharon" <smoeckel () co bucks pa us>
Date: Thu, 27 Feb 2003 07:50:23 -0500

Bravo, Scott.  My opinion, better expressed.  Your exact scenario has come back to bite my org, yet they do not change.

-----Original Message-----
From: SMiller () unimin com [mailto:SMiller () unimin com]
Sent: Wednesday, February 26, 2003 1:03 PM
To: Tim Heagarty
Cc: security-basics () securityfocus com
Subject: RE: e-mail policies



Caveat: I'm neither a guru nor a lawyer, nor do I appear on a reality TV
show purporting to be either. I'm in this thread late, so I am commenting
on more than the text of this message. I hope that is alright. Someone
posted that the first thing to do is to determine the local legal
requirements. I differ: that is needed, but not first. The first thing that
you need to do is to determine what it is you are trying to accomplish, and
to make sure that all the concerned parties agree on that.

When 12-15 hour days are common, it is IMO unrealistic (and unfair) to
expect that employees will not conduct any personal business electronically
using employer owned resources while at work. Unrealistic because many
salaried employees work hours such that necessary personal business cannot
easily be completed during off hours. This applies to telephone systems
too. While the employer may have configured the switch to not allow long
distance calls without an access code, many numbers for personal business
are toll free or local. Does anyone contend that their company effectively
prevents personal calls to toll free numbers? Unfair because many employees
are working extra hours without extra compensation even though the nature
of their job may reasonably expect that they are entitled to it. So if the
employee is allowing the employer to use some of his or her "property" in
the form of uncompensated time, isn't it fair for the employer to allow
reasonable use of company property in order to mitigate the effects of
working those extra hours?

I think the selective enforcement could bite the employer in the nether
regions in the event of a wrongful dismissal suit. It seems to me that if
the email "abuse" is cited as a primary cause for dismissal and the former
employee can show by direct evidence or by testimony of other employees
that others violated the same policy to the same degree and went
unpunished, the employer may have a big problem. Executives might get away
with this, but it could cost the company an expensive settlement.

Our email policy does state that electronic systems and all information on
those systems is company property and subject to official examination if
certain prior authorizations are obtained. It further defines certain types
of conduct and materials regarding those systems to be forbidden, with
penalties up to and including dismissal (sexual harassment, for example). It
does not otherwise prohibit or regulate personal use of company email.
Employees can use PGP and other tools to obfuscate content in any event. No
policy or set of policies can ever completely lock down employee (or
employer) behavior. It's completely impractical. At some point, trust must
take over. The art is to choose that point wisely.

-Scott Miller


-----Original Message-----
From: "Tim Heagarty" <tim () heagarty com>
Sent: 02/25/2003 03:35 PM
To: <security-basics () securityfocus com>
cc:
Subject: RE: e-mail policies

Isn't all discipline selective? Upper levels of management don't come under
the same scrutiny and rules that the lower levels are required to live
under. The VPs won't be fired for chatting with their kids at college using
IM though they would drop one of their underlings in a heartbeat for the
same thing.

I understand what you are saying but does your HR and Legal agree with the
"occasional use" stance? My client's HR and Legal folks understood that the
people were going to use the systems personally but they required the
"absolutely no personal use" clauses just so they did have a tool available
for selective use. Be sure that you somehow define "occasional use", as it
will be difficult to terminate for just cause if you have not. It is easy
to define "never" and show violation. The employee probably has other things
stacked against them at that point anyway but your AUP won't be one of the
supports for the company's case, which is just why they want an AUP in the
first place.

Tim Heagarty MCSE, MCP+I
"There are only 10 kinds of people in the world, those that understand
binary, and those that don't."
Work: (928) 636-0489
Cell: (928) 533-9690

-----Original Message-----
From: Moeckel, Sharon [mailto:smoeckel () co bucks pa us]
Sent: Tuesday, February 25, 2003 12:40 PM
To: Tim Heagarty; security-basics () securityfocus com
Subject: RE: e-mail policies


My company's current policy is the same.  I am writing one that would allow
occasional use.  Otherwise, they do not enforce it until they want to get
rid of someone - and IMHO that is selective discipline.

-----Original Message-----
From: Tim Heagarty [mailto:tim () heagarty com]
Sent: Monday, February 24, 2003 8:47 PM
To: security-basics () securityfocus com
Subject: RE: e-mail policies


The email policies that I have written don't have any leeway for personal
communications. Any and all messages contained within the system are the
property of the company and may be read by an administrator in the normal
course of their duties. Absolutely no email of a personal nature should
ever be transmitted using the corporate email system.

Now, we all know that personal email is going to be transmitted, and by
some employees that's all that will EVER get transmitted. But, the statement
is out there, the employee had to sign it and if they ignore it and put their
personal information through our system, and they will, then the decision
is theirs and not from the company.

Tim Heagarty MCSE, MCP+I
"There are only 10 kinds of people in the world, those that understand
binary, and those that don't."
Work: (928) 636-0489
Cell: (928) 533-9690

-----Original Message-----
From: pablo gietz [mailto:pablo.gietz () nuevobersa com ar]
Sent: Monday, February 24, 2003 12:03 PM
To: security-basics () securityfocus com
Subject: e-mail policies


Dear gurus

We are defining policies for the use of corporate e-mail, and I have doubts
about the privacy of messages sent by employees. Since the e-mail system is
intended for business use, we need to prevent sensitive information
disclosure. If we respect privacy, how can we discover employee infidelity?
What is your opinion, or the standard in these cases? What is the
companies' approach?

Thanks a lot.

--
Pablo A. C. Gietz
Head of Information Security
Nuevo Banco de Entre Ríos S.A.
Te.: 0343 - 4201351