RE: e-mail policies
From: "Joe Martinez" <jmartine () bio2 columbia edu>
Date: Wed, 26 Feb 2003 15:07:06 -0700
Sequel Technology offers a product for Internet Resource Management.
If anyone is interested...
Director of Information Technology Services
From: Bruce Fowler [mailto:bfowler () hvp com au]
Sent: Tuesday, February 25, 2003 3:34 PM
To: 'Fields, James'; 'pablo gietz'; security-basics () securityfocus com
Subject: RE: e-mail policies
I am sure most of you would concede that preventing employees from
utilising information systems resources from any form of private use is
impossible, if not impractical (having arrived at the office on a
Saturday morning only to find an employee printing full colour A3
posters for their kid's bedroom or invitations for their niece's
The key phrase is "acceptable use". You can control the types of files
your employees e-mail within and outside your organisation, but you
cannot control the ingenuity of an employee on a mission. Block all JPEG
files - your employees and persons outside the organisation will zip
them. Scan zip files n layers deep and they will embed them in Word
documents. Each of these measures has a cost (in terms of time, money
and performance) and it is up to (dare I say it) Us to determine the
most appropriately balanced solution for the organisation based on the
identified risks and available resources.
The issue of monitoring and interception is very much a grey area.
Police and Intelligence Agencies (in Australia at least) need a court
order to intercept and monitor any form of electronic communication. It
is interesting that there is such a distinction: the privacy
rights accorded to voice communications are not perceived to apply to
other forms of electronic communication. If we draw comparisons, it is
illegal (again, in Australia at least) to:
- deliberately intercept voice communications without appropriate
authority (and this applies equally to the telecommunications provider)
communication may be "duplicated, modified, reviewed or redistributed to
persons other than the intended recipient"; and/or
- monitor a conversation transmitted across any telecommunications
medium without the express knowledge and permission of all parties or
appropriate Court Order, whereas it is accepted that a Company can
intercept, modify, review and redistribute e-mail communications to any
of their employees on the basis that the Company owns or operates part
or all of the communications infrastructure across which the
communication was made (yet, even on this basis it would be illegal for
the Company or any infrastructure provider in the chain to monitor any
of their employees' telephone conversations).
An interesting sidebar would be where does the scope of "monitoring"
begin and end? If I maintain or have access to a list of telephone
numbers called by a given employee (telephone numbers, times, dates and
duration of call), does this constitute monitoring? And would the same
be considered for listings of transmission information for e-mail
My two cents.
From: Fields, James [mailto:James.Fields () bcbsfl com]
Sent: Wednesday, 26 February 2003 12:35 AM
To: 'pablo gietz'; security-basics () securityfocus com
Subject: RE: e-mail policies
Your company simply cannot respect the privacy of its employees with
respect to E-Mails sent through your own E-Mail servers. Employees
should be required to read and sign off on acceptance of an E-Mail
policy, in which it should be made crystal clear that their
communications using corporate resources are NOT private. Corporate
E-Mail accounts are not for personal communications.
I think you will find that even most Internet Service Providers include
such language in their policies; they don't guarantee that no one at the
ISP will ever see your E-Mail.
From: pablo gietz [mailto:pablo.gietz () nuevobersa com ar]
Sent: Monday, February 24, 2003 2:03 PM
To: security-basics () securityfocus com
Subject: e-mail policies
We are defining policies for the use of corporate e-mail, I have doubts
about privacy of messages sent by employees. Since the e-mail system is
intended for business use, we need to prevent sensitive information
disclosure. If we respect the privacy, how can we discover infidelity
What is your opinion or the standard in these cases? What is the
Thanks a lot.
Pablo A. C. Gietz
Head of Information Security
Nuevo Banco de Entre Ríos S.A.
Tel.: 0343 - 4201351
Blue Cross Blue Shield of Florida, Inc., and its subsidiary and
affiliate companies are not responsible for errors or omissions in this
e-mail message. Any personal comments made in this e-mail do not reflect
the views of Blue Cross Blue Shield of Florida, Inc.