Security Basics mailing list archives

RE: e-mail policies
From: "Tim Heagarty" <tim () heagarty com>
Date: Wed, 26 Feb 2003 19:57:10 -0700

Isn't all discipline selective? Upper levels of management don't come under
the same scrutiny and rules that the lower levels are required to live
under. The VPs won't be fired for chatting with their kids at college using
IM though they would drop one of their underlings in a heartbeat for the
same thing.

I understand what you are saying but does your HR and Legal agree with the
"occasional use" stance? My client's HR and Legal folks understood that the
people were going to use the systems personally but they required the
"absolutely no personal use" clauses just so they did have a tool available
for selective use. Be sure that you somehow define "occasional use", as it
will be difficult to terminate for just cause if you have not.

Well, if the company really believes that occasional use is ok, then
why would they want to terminate someone who is occasionally using
the system for personal mail? If they have *good* reasons to
terminate, then they should use those, not some selectively-enforced
ultra-strict rule.

They aren't going to terminate based on just occasional use, they are going
to use the policy and its violation as one more plank in the platform built
against the subject. Violation of the policy is a *good* reason when they
get to court, and it can be a good reason to stay out of court. We had
complaints of an associate playing email games all day but couldn't prove it
during routine work surveillance. I was asked to set up a BCC: on his email
so a copy of everything would go to his boss. The boss called in an hour and
begged me to shut it off as he couldn't get anything done on his own system.
The HR rep printed out a day's worth of email and dropped it on his desk
between himself, the associate and the associate's legal counsel. The lawyer
turned to the associate and told him to take his severance package and go
home which saved everyone a bunch of time and money.

It is easy to
define "never" and show violation. The employee probably has other things
stacked against them at that point anyway

Presumably... otherwise they'd be doing a good job.

but your AUP won't be one of the
supports for the company's case, which is just why they want an AUP in the
first place.

The original poster was looking for ways to detect infidelity while
retaining some sort of respect for privacy -- not for a tool that
would help justify terminations.

Unless things change drastically in American business I don't think there's
going to be much respect for anything, let alone privacy. Why are the
security policies there in the first place? To have something to measure
security procedures and standards against, and punish improper behavior. It
is much easier for business to say "Don't ever do that!" rather than to say
"Well, it's ok, but don't do it too much." Most employees just don't know
what "too much" is and will fight the definition in court if it ever comes
to that.

Tim H.

