Security Basics mailing list archives
RE: how to setup a global disclaimer in exchange 2003
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 3 Apr 2007 10:51:50 -0700
An awful lot of IT time gets wasted on "make this thing work" when it is later discovered that that "thing", even when it "works", doesn't actually Solve The Problem.

I'm going to guess, since you sent this to the "Security Basics" list, that your organization has a security problem that you're trying to solve. I'm going to go a little further out on a limb, and guess that your concern is that employees may use their company email accounts to send confidential company information to recipients who should not be privy to it.

There are three popular/obvious strategies, used alone or in combination, to address this problem:

1. Policy and User Education

Employees should understand what their employer considers appropriate use of company resources. There's empirical/anecdotal evidence that this is frequently not the case.

I'm one of the co-moderators of a couple of technical mailing lists; 90% of our list content is about issues people are having with their own home computer. About twice a month, we receive a submission with the sort of attached disclaimer you've proposed. We patiently explain to the subscriber that their employer apparently doesn't consider it appropriate to use their work email to participate in our forum, and recommend that they get themselves a free web email account such as from Yahoo, Google, HotMail, or wherever, to use on our lists.

That points out one of the benefits of this approach to protecting the Confidentiality of your corporate information: It works just as well when your employees use some other email system!

2. Technology

There are a number of third-party products out there that promise to recognize when outbound email contains company confidential material, and to block or flag for review such messages. Some also filter postings to web sites, too. (I cannot claim to have actually evaluated the performance of these products.)

This does have a couple of obvious limitations: These products tend to be expensive, and they don't address employees taking materials home and sending them from there.... But within those limitations, they at least have the opportunity to be effective.

3. Mumbo-jumbo

Far too many companies resort to attaching a long (some are four or five paragraphs!) chunk of legalese to every outgoing message, trying to scare recipients into solving the problem for them, by claiming to impose a bunch of conditions on their use of the material in the email.

Even if we were to assume that some court somewhere might rule that any such conditions were enforceable -- which seems to me very unlikely because the recipient has no opportunity to review and consent to the conditions before reading the message (remember shrink-wrapped licenses?) -- this approach completely fails to address the actual problem. The employees who are sending out the possibly confidential material almost never SEE this "disclaimer", so it does nothing to discourage their behaviour. It doesn't apply to web postings or use of other email systems.

The one thing we can say it does accomplish is to add overhead to every email message, elevating demand for bandwidth and perhaps ultimately sending a little more revenue to router vendors and telecom companies. Oh, and presumably to the lawyers who compose them.

I am not a lawyer, and none of this should be taken as legal advice -- nor should your corporate lawyer be giving you technology advice! I think it's obvious that I don't consider email disclaimers any kind of solution to the problem of employees disseminating (intentionally or not) confidential information, and so I consider time spent crafting and implementing them to be wasted.

David Gillett, CISSP etc

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Sohail Sarwar
Sent: Monday, April 02, 2007 6:01 PM
To: Scott Ramsdell; WALI; security-basics () securityfocus com
Subject: how to setup a global disclaimer in exchange 2003

Hi All,

I do have a question. I wanted to put out a general disclaimer.. like the following in exchange, so that if any employee sends out email to the world outside of the company email, this would be at the bottom. Can someone direct me on how to do this and implement this on exchange 2003...

This message (including any attachments) contains confidential information intended for a specific individual and purpose and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.

Thanks!
Sohail