RE: e-mail policies
From: Mark Reardon <riscorp () mindspring com>
Date: Tue, 25 Feb 2003 18:14:08 -0500 (GMT)
The first item to consider is the local legal requirements. I work with an industry ISAC in the U.S. and we have
Canadian members. In our discussions the laws of Canada are much different than the U.S. They also have local laws to
Another item is that asserting ownership of anything on the server is an interesting idea. If I send you an email do
you own it? In most countries the answer is no. I own it (as the creator) and you have a license to read it (a form of
ownership but not what most people mean by ownership).
Finally, if you offer health insurance and someone puts personal health information into email, is that information
protected under HIPAA (again a U.S. law)? What if it is encrypted? Is this company usage (the company provides the
We are working on a policy that states the systems and software are provided to a person to aid them in the performance
of their job. As such we reserve the right to examine the usage of the system and to troubleshoot issues with the
system. If we find inappropriate usage the person is subject to action up to termination.
We are also looking at appointing a privacy person in H.R. that would examine the account based on a complaint and they
would sanitize the account of any HIPAA protected information (and personal financial transactions, etc. that are not
the target of the investigation). Complaints would have to be from V.P. level or above and must be in writing. There
will also be a time frame for reporting to the person about the investigation.
As with most statements of policy, it is complicated. However, we are attempting to protect privacy, overlook
incidental use, allow ourselves the ability to work offensive issues such as spam and porn, support the infrastructure,
and stay out of court.
From: pablo gietz [mailto:pablo.gietz () nuevobersa com ar]
Sent: Monday, February 24, 2003 12:03 PM
To: security-basics () securityfocus com
Subject: e-mail policies
We are defining policies for the use of corporate e-mail, I have doubts
about privacy of messages sent by employees. Since the e-mail system is
intended for business use, we need to prevent sensitive information
disclosure. If we respect the privacy, how can we discover infidelity
What is your opinion or the standard in these cases? What is the
Thanks a lot.
Pablo A. C. Gietz
Head of Information Security
Nuevo Banco de Entre Ríos S.A.
Te.: 0343 - 4201351
Reardon Information Security Corporation
156 Blue Sky Drive
Marietta, GA 30068
(404) 444-0041 cell