Re: Corporate policies on web mail services like Hotmail?

From: Richard Pitt (richard@belcarra.com)
Date: 12/06/02

  • Next message: those who know me have no need of my name: "Re: Corporate policies on web mail services like Hotmail?"
    From: Richard Pitt <richard@belcarra.com>
    Date: Fri, 06 Dec 2002 03:39:16 GMT
    
    

    On Thu, 05 Dec 2002 18:34:51 -0800, SpellCaster wrote:

    > Greetings...
    > I am an infosec type at a US corporation and have been asked for some
    > input into whether we should be allowing users of our network to access
    > webmail servers like YahooMail and HotMail. On the one hand, I see the
    > risks - filters for JavaScript and HTML are not perfect and may result
    > in code being executed on the client. Attachments in webmail messages
    > are not processed by the gateway virus checker we have in place. On the
    > other hand, are these risks that much greater than those posed by users
    > visiting any other web site? Bad JavaScript and HTML may lurk on other
    > sites (I am thinking of web based bulletin boards and forums). We have
    > anti virus software at the desktop which is scanning files as they are
    > downloaded. Do you think that the risks posed merit taking away the
    > ability for our employees to check their personal mail? Any opinions on
    > this issue would be greatly appreciated. SC

    Personnel in a company should be accessing mail from corporate servers
    only unless done from a system outside of the corporate LAN environment
    (DMZ or outside the firewall) from specially set up external connected
    systems.

    This is not just advice, it should be policy. Reading personal e-mail
    while on company time is stealing company time. Reading personal e-mail
    using company computers (not set aside for such a thing - like providing
    coffee or water coolers) is stealing company resources.

    Using something other than company facilities without putting things
    through an acceptable e-mail checker is no longer acceptable.

    If an employee wants to redirect their personal e-mail to their corporate
    account (and thereby put it through virus checkers and subject it to
    corporate archiving and inspection) then fine - but it must come via
    normal channels - not via Hotmail or Yahoo or...

    richard

    -- 
    Richard C. Pitt			C.E.O. Belcarra Technologies
    richard@belcarra.com		direct: 604-644-9265	www.belcarra.com
    Software Systems - design and implementation: Internet, Linux, Communications
    USB, RNDIS, ATM, E-mail, SQL, Encryption, Security, Web, Embedded Systems
    
