RE: e-mail policies

Sequel Technology offers a product for Internet Resource Management.

http://www.sequeltech.com

If anyone is interested...

Joe Martinez
Director of Information Technology Services

-----Original Message-----

From: Bruce Fowler [mailto:bfowler@hvp.com.au] Sent: Tuesday, February 25, 2003 3:34 PM To: 'Fields, James'; 'pablo gietz'; security-basics@securityfocus.com Subject: RE: e-mail policies

I am sure most of you would concede that preventing employees from utilising information systems resources from any form of private use is impossible, if not impractical (having arrived at the office on a Saturday morning only to find an employee printing full colour A3 posters for their kid's bedroom or invitations for their niece's birthday party).

The key phrase is "acceptable use". You can control the types of files your employees e-mail within and outside your organisation, but you cannot control the ingenuity of an employee on a mission. Block all JPEG files - your employees and persons outside the organisation will zip them. Scan zip files n layers deep and they will embed them in Word documents. Each of these measures has a cost (in terms of time, money and performance) and it is up to (dare I say it) Us to determine the most appropriately balanced solution for the organisation based on the identified risks and available resources.

The issue of monitoring and interception is very much a grey area. Police and Intelligence Agencies (in Australia at least) need a court order to intercept and monitor any form of electronic communication. It is interesting that there is such a distinction between the privacy rights accorded to voice communications are not perceived to apply to other forms electronic communication. If we draw comparisons, it is illegal (again, in Australia at least) to:

• deliberately intercept voice communications without appropriate authority (and this applies equally to the telecommunications provider) whereas it is accepted (through the "Terms of Use") that e-mail communication may be "duplicated, modified, reviewed or redistributed to persons other than the intended recipient"; and/or
• monitor a conversation transmitted using across any telecommunications medium without the express knowledge and permission of all parties or appropriate Court Order, whereas it is accepted that a Company can intercept, modify, review and redistribute e-mail communications to any of their employees on the basis that the Company owns or operates part or all of the communications infrastructure across which the communication was made (yet, even on this basis it would be illegal for the Company or any infrastructure provider in the chain to monitor any of their employees telephone conversations).

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

An interesting sidebar would be where does the scope of "monitoring" begin and end? If I maintain or have access to a list of telephone numbers called by a given employee (telephone numbers, times, dates and duration of call), does this constitute monitoring? And would the same be considered for listings of transmission information for e-mail messages?

My two cents.

Regards

Bruce Fowler

-----Original Message-----

From: Fields, James [mailto:James.Fields@bcbsfl.com] Sent: Wednesday, 26 February 2003 12:35 AM To: 'pablo gietz'; security-basics@securityfocus.com Subject: RE: e-mail policies

Your company simply cannot respect the privacy of its employees with respect to E-Mails sent through your own E-Mail servers. Employees should be required to read and sign off on acceptance of an E-Mail policy, in which it should be made crystal clear that their communications using corporate resources are NOT private. Corporate E-Mail accounts are not for personal communications.

I think you will find that even most Internet Service Providers include such language in their policies; they don't guarantee that no one at the ISP will ever see your E-Mail.

-----Original Message-----

From: pablo gietz [mailto:pablo.gietz@nuevobersa.com.ar] Sent: Monday, February 24, 2003 2:03 PM
To: security-basics@securityfocus.com
Subject: e-mail policies

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Dear gurus

We are defining policies for the use of corporate e-mail, I have doubts about privacy of messages sent by employees. Since the e-mail system is intended for business use, we need to prevent sensitive information disclosure. If we respect the privacy , how can discover infidelity employee?
 What is your opinion or the standard in this cases? What is the companies approach?

Thanks a lot.

-- 
Pablo A. C. Gietz
Jefe de Seguridad Informática
Nuevo Banco de Entre Ríos S.A.
Te.: 0343 - 4201351






Blue Cross Blue Shield of Florida, Inc., and its subsidiary and 
affiliate companies are not responsible for errors or omissions in this
e-mail message. Any personal comments made in this e-mail do not reflect
the views of Blue Cross Blue Shield of Florida, Inc.