RE: Security policies - few questions!



I concur, but make certain your bark and bite match. There is a great
article on this topic: http://www.securityfocus.com/columnists/421

IANAL, but if you state you are going to monitor, enforce, etc... be
certain you demonstrate to the employees that you are monitoring,
enforcing, etc.... Otherwise there may be a perception of privacy as the
article above describes or as Jens wrote "the company [is] accepting
that behavior as normal". Always consult your legal counsel before
adding/removing wording from your AUP or notices/warning messages.

Mark Palmer
IT Security Compliance

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Laundrup, Jens
Sent: Wednesday, December 06, 2006 4:54 PM
To: Greg Jones; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Security policies - few questions!

I agree, but I would also add for the possibility of prosecution if the
employee places the company in a position where the company is in
violation of the law.

"Violation of the company IT policies may result in disciplinary
action, termination and/or legal action."

One VERY important lesson that was hammered into our heads in a Cyberlaw
course I took was that if the act is committed and no action is taken,
that is tantamount to the company accepting that behavior as normal and
the company, not the individual, is the lawbreaker (think of this from the
perspective of someone hacking or spamming from the company system).
If the first employee is not cautioned/disciplined, when a second person
commits the same infraction and is disciplined, that employee then has
grounds for a tort against the company for discrimination due to [fill
in whatever you wish here]. It would violate Equal Employment
Opportunity laws.

If it is for a company, I would have the company legal advisor look over
the policies to make sure that they are legally enforceable.

Jens


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Greg Jones
Sent: Wednesday, December 06, 2006 6:52 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Security policies - few questions!


Depending on your type of business and regulatory concerns, your
Security Policy most definitely should include the possibility of
termination. If an employee escorts an outsider into the office after
hours and allows them to login using their credentials, would that not
constitute termination? If an employee takes home company software,
makes copies and distributes to friends and family and then the BSA
comes knocking on your door costing your company potentially tens or
hundreds of thousands of dollars in fines, that employee should be gone.

We use wording similar to the following. 'Violation of the company IS
policies may include disciplinary action up to and possibly including
termination.'

In today's world, employees are a major key to a successful security
program. They must take it seriously. The survival of companies can
depend on it.



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Faheem SIDDIQUI
Sent: Friday, December 01, 2006 11:24 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Security policies - few questions!

Hi guys...

So what are the enforcements/punishments usually written down in IS
Security policy or Acceptable Usage Policy, for non-compliance to its
clauses. I mean, termination is a bit far-fetched. I am looking for
something more on the monetary / denial of IT services front.

Also, what are the best practices in e-mail retention? In an Exchange
*tsk* environment, it's quite impossible to save emails of about 2000
users on a central server with regular backups. If a user workstation
crashes, the mail goes too. The best IT Helpdesk can do is re-ghost the
image. What else can be done apart from setting 'store mail on the
server' for top executives?



This e-mail and any documents transmitted with it are the property of
SOUTHBank F.S.B. and/or its subsidiary or affiliate companies, is
confidential, and intended solely for the use of the individual or
entity the e-mail is addressed to. If you have reason
to believe that you have received this message in error, please notify
the sender and delete this message immediately from your computer. Any
other use, retention, dissemination, forwarding, printing, or copying of
this e-mail or attachments is strictly prohibited.

SOUTHBank, F.S.B. and/or its subsidiary or affiliate companies do not
endorse the use of unsolicited e-mail. If you believe this e-mail was
sent to you in error or you do not wish to receive these types of
e-mail, please notify us by forwarding this message to
remove@xxxxxxxxxxxxxx


---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------




