Security Basics mailing list archives
RE: Security policies - few questions!
From: "Mark Palmer" <mpalmer () hoovers com>
Date: Fri, 8 Dec 2006 09:41:03 -0600
I concur, but make certain your bark and bite match. There is a great article on this topic: http://www.securityfocus.com/columnists/421

IANAL, but if you state you are going to monitor, enforce, etc... be certain you demonstrate to the employees that you are monitoring, enforcing, etc.... Otherwise there may be a perception of privacy as the article above describes or, as Jens wrote, "the company [is] accepting that behavior as normal".

Always consult your legal counsel before adding/removing wording from your AUP or notices/warning messages.

Mark Palmer
IT Security Compliance

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Laundrup, Jens
Sent: Wednesday, December 06, 2006 4:54 PM
To: Greg Jones; security-basics () securityfocus com
Subject: RE: Security policies - few questions!

I agree, but I would also add for the possibility of prosecution if the employee places the company in a position where the company is in violation of the law.

"Violation of the company IT policies may result in disciplinary action, termination and/or legal action."

One VERY important lesson that was hammered into our heads in a Cyberlaw course I took was that if the act is committed and no action is taken, that is tantamount to the company accepting that behavior as normal and the company, not the individual, is the law breaker (think of this in the perspective of someone hacking or spamming from the company system). If the first employee is not cautioned/disciplined, when a second person commits the same infraction and is disciplined, that employee then has grounds for a tort against the company for discrimination due to [fill in whatever you wish here]. It would violate Equal Employment Opportunity laws.

If it is for a company, I would have the company legal advisor look over the policies to make sure that they are legally enforceable.
Jens

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Greg Jones
Sent: Wednesday, December 06, 2006 6:52 AM
To: security-basics () securityfocus com
Subject: RE: Security policies - few questions!

Depending on your type of business and regulatory concerns, your Security Policy most definitely should include the possibility of termination. If an employee escorts an outsider into the office after hours and allows them to login using their credentials, would that not constitute termination? If an employee takes home company software, makes copies and distributes to friends and family and then the BSA comes knocking on your door costing your company potentially tens or hundreds of thousands of dollars in fines, that employee should be gone.

We use wording similar to the following.

'Violation of the company IS policies may include disciplinary action up to and possibly including termination.'

In today's world, employees are a major key to a successful security program. They must take it seriously. The survival of companies can depend on it.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Faheem SIDDIQUI
Sent: Friday, December 01, 2006 11:24 PM
To: security-basics () securityfocus com
Subject: Security policies - few questions!

Hi guys...

So what are the enforcements/punishments usually written down in IS Security policy or Acceptable Usage Policy, for non-compliance to its clauses. I mean, termination is a bit far fetched. I am looking for something more on the monetary/denial of IT services front.

...Also..what are the best practices in e-mail retention? In exchange *tsk* environment, it's quite impossible to save emails of about 2000 users on central server with regular backups. If user workstation crashes, the mail goes too. The best IT Helpdesk can do is re-ghost image.
What else can be done apart from setting 'store mail on the server' for top executives?