Security Basics mailing list archives

RE: how to setup a global disclaimer in exchange 2003


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 3 Apr 2007 10:51:50 -0700

  An awful lot of IT time gets wasted on "make this thing work"
when it is later discovered that that "thing", even when it "works",
doesn't actually Solve The Problem.

  I'm going to guess, since you sent this to the "Security Basics"
list, that your organization has a security problem that you're 
trying to solve.  I'm going to go a little further out on a limb,
and guess that your concern is that employees may use their company
email accounts to send confidential company information to recipients
who should not be privy to it.

  There are three popular/obvious strategies, used alone or in 
combination, to address this problem:

1.  Policy and User Education

  Employees should understand what their employer considers appropriate
use of company resources.  There's empirical/anecdotal evidence that
this is frequently not the case.
  I'm one of the co-moderators of a couple of technical mailing lists;
90% of our list content is about issues people are having with their
own home computer.  About twice a month, we receive a submission with
the sort of attached disclaimer you've proposed.  We patiently explain
to the subscriber that their employer apparently doesn't consider it
appropriate to use their work email to participate in our forum, and
recommend that they get themselves a free web email account such as
from Yahoo, Google, Hotmail, or wherever, to use on our lists.
  That points out one of the benefits of this approach to protecting
the Confidentiality of your corporate information:  It works just as
well when your employees use some other email system!

2.  Technology

  There are a number of third-party products out there that promise to
recognize when outbound email contains company confidential material,
and to block or flag for review such messages.  Some also filter postings
to web sites, too.  (I cannot claim to have actually evaluated the
performance of these products.)
  This does have a couple of obvious limitations:  These products tend to
be expensive, and they don't address employees taking materials home and 
sending them from there....  But within those limitations, they at least 
have the opportunity to be effective.

3.  Mumbo-jumbo

  Far too many companies resort to attaching a long (some are four or five 
paragraphs!) chunk of legalese to every outgoing message, trying to scare
recipients into solving the problem for them, by claiming to impose a
bunch of conditions on their use of the material in the email.  Even if
we were to assume that some court somewhere might rule that any such 
conditions were enforceable -- which seems to me very unlikely because
the recipient has no opportunity to review and consent to the conditions 
before reading the message (remember shrink-wrapped licenses?) -- this
approach completely fails to address the actual problem.  The employees
who are sending out the possibly confidential material almost never SEE
this "disclaimer", so it does nothing to discourage their behaviour.  It 
doesn't apply to web postings or use of other email systems.
  The one thing we can say it does accomplish is to add overhead to every
email message, elevating demand for bandwidth and perhaps ultimately 
sending a little more revenue to router vendors and telecom companies.
  Oh, and presumably to the lawyers who compose them.  I am not a lawyer,
and none of this should be taken as legal advice -- nor should your
corporate lawyer be giving you technology advice!

  I think it's obvious that I don't consider email disclaimers any kind
of solution to the problem of employees disseminating (intentionally or
not) confidential information, and so I consider time spent crafting and 
implementing them to be wasted.

David Gillett, CISSP etc

 

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Sohail Sarwar
Sent: Monday, April 02, 2007 6:01 PM
To: Scott Ramsdell; WALI; security-basics () securityfocus com
Subject: how to setup a global disclaimer in exchange 2003

Hi All,

      I do have a question.  I wanted to put out a general 
disclaimer, like the following, in Exchange, so that if any 
employee sends out email to the world outside of the company 
email, this would be at the bottom.  Can someone direct me on 
how to do this and implement this on Exchange 2003...


This message (including any attachments) contains 
confidential information intended for a specific individual 
and purpose and is protected by law.  If you are not the 
intended recipient, you should delete this message.  Any 
disclosure, copying, or distribution of this message, or the 
taking of any action based on it, is strictly prohibited.


Thanks!
Sohail
