Archive
Email Security Policy
- Source: smartertools.com
One of the first things you should put in an email security policy is to tell your employees that their work email is not private. Even if you don’t actually check the emails this will save you a lot of grief if legal actions need to be taken and important information is contained in their emails. If you don’t do this then you wont be able to get that information legally. Decide if employees should be able to use their company email addresses for personal use.
According to Nolo, your email policy should address these issues:
- Personal use of the email system. Explain whether employees can use email for personal messages. If you place any restrictions on personal messages (for example, that employees can send them only during nonwork hours, must exercise discretion as to the number and type of messages sent, or may not send personal messages with large attachments), describe those rules.
- Monitoring. Reserve your right to monitor employee email messages at any time. Explain that any messages employees send using company equipment are not private, even if the employee considers them to be personal. If you will monitor regularly using a particular system — for example, a system that flags key words or copies every draft of a message — explain it briefly. This will help deter employees from sending offensive messages in the first place.
- Rules. Make clear that all of your workplace policies and rules — such as rules against harassment, discrimination, violence, solicitation, and theft of trade secrets — apply to employee use of the email system. Remind employees that all email messages sent on company equipment should be professional and appropriate. Some employers also include so-called netiquette rules — style guidelines for email writing.
- Deleting email. Establish a regular schedule for purging email messages. If you don’t, you will eventually run into a storage problem. Let your employees know how they can save important messages from the purge.
(Nolo,2009)
Tittel’s (2003) research has found the following:
It’s particularly important that employees understand that e-mail is an inherently insecure communications tool, and that confidentiality breaches are possible (if not likely) unless special steps are taken to protect proprietary information, trade secrets and other sensitive information. Thus, e-mail policy needs to state if (and how, where applicable) e-mail may be used to transmit such information (usually only if strong encryption technologies are available and used). (Para. 3)
References
Email Security (2004) Email Security (image). Retrieved from
Nolo (2009) Email Security Policy: Why You Need One for Your Employees. Retrieved from
http://www.nolo.com/legal-encyclopedia/article-29771.html
Tittel (2003) The security policy document library: E-mail policy. Retrieved from
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci912509,00.html
Threat Identification
Threat analysis or identification is “Systematic detection, identification, and evaluation of areas or spots of vulnerability of a facility, operation, or system” (Threat analysis, 2009). It is used to help a company assess all possible threats to their assets and use that assessment in a threat model.
A common threat model is known as the “attack tree” which “represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes” (Scheiner, 1999). The overall goal of threat identification and threat modeling is to supply the company with needed information on all possible routes of attack so that they may better understand and quickly assess the “who” “what” and “why” of any attack.
References
Schneier, B. (1999). Modeling security threats. Dr. Dobb’s
Journal
Threat Analysis. 2009. In BusinessDictionary.com. Retrieved Dec 1, 2009 from http://www.businessdictionary.com /definition/threat-analysis.html
Password Management Policies
Companies should create and strongly suggest to employees to adhere to a password management policy. This policy may have instructions that range from the amount and type of characters to not have any sensitive information.
Because a password policy may become troublesome for many employees to create and remember strong passwords, the use of password management software has become a great tool in helping IT technicians (online, paragraph 2). Also, the use of password synchronization offers solutions for users that have many applications with different passwords requirements memorizing one password and allowing access once the employee is logged on to the system (online, paragraph 1)
References
Password Auditing Software. (2004). Retrieved December 02, 2009 at WindowsITPro.org web site. http://windowsitpro.com/article/articleid/43483/password-auditing-software.htm
Password Synchronization. (2007). Retrieved December 02, 2009 at WindowsITPro.org website. http://windowsitpro.com/article/articleid/96220/password-synchronization.html
Email Retention Policy
Email Retention Policy
Usually refers to all means of communication that is either stored or shared via electronic mail or instant messaging technologies. Since the recently grow of e-commerce, the need to storage and regulate electronic communication is important to the company. All the information acquired by this means, should be revised and categorized in different storage areas, depending on the importance of the content. No doing so can create big consequences for the institution, Critical information lost; keeping documents, restricted and financial retributions are some of the problems that fallow a lack of policies to enforce security in electronic communications.
“Any email that contains information in th
e scope of the Business Record Keeping policy should be treated in that manner. All email information is categorized Into four main classifications with retention guidelines:
Administrative Correspondence (4 years)
Fiscal Correspondence (4 years)
General Correspondence (1 year)
Ephemeral Correspondence (Retain until read, destroy)” Email Retention Policy Created by or for the SANS Institute.(2006).
Such documents that are share via e-mail or instant massaging should be protected. Take the example of Nancy temple”It began with an e-mail, a reminder to colleagues about the company’s document-retention policy. “It will be helpful to make sure that we have complied with the policy,” wrote Nancy Temple, a Chicago-based in-house lawyer for the Arthur Andersen accounting firm, in October 2001. The policy called for destroying documents when they were “no longer useful” for an audit. But coming as it did, just as government inquiries into the Enron Corp. scandal were about to include Andersen, Enron’s accounting firm, the e-mail led to the criminal prosecution and conviction of the accounting giant for destroying thousands of Enron-related documents, and brought about its collapse” Mauro, T. “One little e-mail, one big legal issue, document-retention policy.” The National Law Journal.( April 25, 2005).
In today business, relation there is a need to not only keep a well-organized retention policy but also monitoring that mail is essential for the protection of the company against a lawsuit.
Employers have a number of reasons to monitor email—more than two million, if you ask Chevron Corporation. Recently, Chevron was required to pay four plaintiffs a total of $2.2 million where plaintiffs’ attorneys found email evidence of sexual harassment. The attorneys had found the “smoking gun” when they located, on Chevron’s email server, an email message that was sent to a number of people within the firm containing a list of jokes about “why beer is better than women.” Had Chevron been monitoring its employees email, it may have seen the problem coming Hartman, L. P. “Workplace Monitoring Can Be Ethical.” Opposing Viewpoints: Technology and Society. Ed. Auriana O. San Diego: Greenhaven Press,( 2002)
Not only are the need to protect the company’s information but to ensure proper communication and other policies not violated within the organization. This required a well plan and execution of this policy to prevent any kind of problem with customers, employees, and government laws. Developing a well planned, enterprise-wide email retention policy helps establish uniform and consistent rules for all email and electronic records. Such a policy outlines email content, sets retention and deletion criteria and provides the flexibility to accommodate litigation holds and enable role-based user access. Leveraging a robust information governance solution also, helps simplify the management of this process. The ideal solution should automate retention policy enforcement and task documentation, while providing an archiving and retrieval engine that streamlines an organization’s ability to locate messages for audits, litigation, and e-discovery in a timely and cost-effective manner. By doing so, organizations can reduce costs, improve regulatory compliance, enhance data access, reduce the risk of litigation and improve IT performance without increasing costs.
Source Citation:
Mauro, Tony. “One little e-mail, one big legal issue. (Document-retention policy).” The National Law Journal. (April 25, 2005): NA. Opposing Viewpoints Resource Center. Gale. Brigham Young University – Utah. 1 Dec. 2009 <http://find.galegroup.com/ovrc/infomark.do?&contentSet=IAC-Documents&type=retrieve&tabID=T004&prodId=OVRC&docId=A132081986&source=gale&srcprod=OVRC&userGroupName=byu_main&version=1.0>.
Email Retention Policy Created by or for the SANS Institute (2006).
DMZ Security
DMZ (Demilitarized Zone) is a sub network designed to limit access to an internal network (Miessler, 2007). A DMZ is setup for public access, and may contain a company website or some other public accessible information, but limits access to a company’s internal network. If a DMZ is attacked, the information may become corrupt within the DMZ server, but the internal network servers are untouched. ” The DMZ concept came into use as the need for separation of networks became more acute when we began to provide more access to services for individuals or partners outside the LAN infrastructure” (Grube, 2007).
The ideal way to set up a DMZ is with two firewalls; one firewall on the perimeter of the outside network, usually the internet. Beyond the first firewall is the DMZ. The second firewall is placed between the DMZ and the internal, or private, network. Below is a diagram showing this setup.
Remember that the DMZ network still needs to be hardened. If an attack brings down the DMZ network, it can still be costly.
References
Grube, G. (2007, November 20). DMZ Security for Data Transmission between Hosts on the Network. Submit articles directory: A free article submission service and portal. Retrieved December 2, 2009, from http://www.web-articles.info/e/a/title/DMZ-Security-for-Data-Transmission-between-Hosts-on-the-Network/
Miessler, D. (n.d.). What is a DMZ? Security – dslreports.com. DSL · Cable · VOIP · Security · Satellite · Fiber · News · Tips · Reviews · Community · Tools – dslreports.com. Retrieved December 2, 2009, from http://www.dslreports.com/faq/4545
Asset Identification
When designing a security policy, it is important to first know the specifics of what it is you are meant to protect. This process is known as asset identification. Anything that has a positive economic value in an organization is known as an asset. Every asset can be organized into one of the following categories:data, software, hardware, physical assets or personnel. Data, software and hardware are self explanatory. Physical assets are defined as anything physical that is not computer related. Personnel assets include people such as employees, customers, business partners, etc. (Network Magazine, Dec. 2002)
The whole idea behind a security policy is to protect anything that is worth any amount of money. Different assets are worth different amounts of money, so as you build a security plan you should rate each asset on a scale of 1 to 5, depending on how important it is to protect that item. Once you have done this you will know what your main focus should be. (Network Magazine, Dec. 2002)
IS Student Journal 
You must be logged in to post a comment.