Security Basics mailing list archives

RE: Security policies - few questions!


From: "Paula McPherson" <qxlr () twmi rr com>
Date: Fri, 8 Dec 2006 06:08:06 -0500

I agree, in the financial and insurance arenas there is such a thing as
fiduciary responsibility that can be violated by the act of an employee. In
the US special or punitive damages may be the civil risk. But there is also
a criminal penalty that can apply to a breach of trust. 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Laundrup, Jens
Sent: Wednesday, December 06, 2006 5:54 PM
To: Greg Jones; security-basics () securityfocus com
Subject: RE: Security policies - few questions!

I agree, but I would also add the possibility of prosecution if the
employee places the company in a position where the company is in
violation of the law.

"Violation of the company IT policies may result in disciplinary
action, termination and/or legal action."

One VERY important lesson that was hammered into our heads in a Cyberlaw
course I took was that if the act is committed and no action is taken,
that is tantamount to the company accepting that behavior as normal and
the company, not the individual, is the law breaker (think of this in the
perspective of someone hacking or spamming from the company system).
If the first employee is not cautioned/disciplined, when a second person
commits the same infraction and is disciplined, that employee then has
grounds for a tort against the company for discrimination due to [fill
in whatever you wish here].  It would violate Equal Employment
Opportunity laws.  

If it is for a company, I would have the company legal advisor look over
the policies to make sure that they are legally enforceable.  

Jens 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Greg Jones
Sent: Wednesday, December 06, 2006 6:52 AM
To: security-basics () securityfocus com
Subject: RE: Security policies - few questions!

 
Depending on your type of business and regulatory concerns, your
Security Policy most definitely should include the possibility of
termination.  If an employee escorts an outsider into the office after
hours and allows them to login using their credentials, would that not
constitute termination?  If an employee takes home company software,
makes copies and distributes to friends and family and then the BSA
comes knocking on your door costing your company potentially tens or
hundreds of thousands of dollars in fines, that employee should be gone.

We use wording similar to the following.  'Violation of the company IS
policies may include disciplinary action up to and possibly including
termination.'

In today's world, employees are a major key to a successful security
program.  They must take it seriously.  The survival of companies can
depend on it.



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Faheem SIDDIQUI
Sent: Friday, December 01, 2006 11:24 PM
To: security-basics () securityfocus com
Subject: Security policies - few questions!

Hi guys...

So what are the enforcements/punishments usually written down in IS
Security policy or Acceptable Usage Policy, for non-compliance to its
clauses? I mean, termination is a bit far-fetched. I am looking for
something more on the monetary/denial of IT services front.

...Also, what are the best practices in e-mail retention? In an Exchange
*tsk* environment, it's quite impossible to save emails of about 2000
users on central server with regular backups. If user workstation
crashes, the mail goes too. The best IT Helpdesk can do is re-ghost
image. What else can be done apart from setting 'store mail on the
server' for top executives?



