Re: Corporate policies on web mail services like Hotmail?
From: Richard Pitt (richard@belcarra.com)
Date: 12/07/02
- Next message: Cap: "Re: Working Email Address"
- Previous message: Tiger Hillside: "Re: Corporate policies on web mail services like Hotmail?"
- In reply to: Ron Ruble: "Re: Corporate policies on web mail services like Hotmail?"
- Next in thread: Ron Ruble: "Re: Corporate policies on web mail services like Hotmail?"
- Reply: Ron Ruble: "Re: Corporate policies on web mail services like Hotmail?"
- Reply: Mike: "Re: Corporate policies on web mail services like Hotmail?"
From: Richard Pitt <richard@belcarra.com> Date: Sat, 07 Dec 2002 06:40:38 GMT
On Fri, 06 Dec 2002 05:34:33 -0800, Ron Ruble wrote:
> "Richard Pitt" <richard@belcarra.com> wrote in message
> news:EZUH9.109865$ea.1896880@news2.calgary.shaw.ca... <snip>
>> Personnel in a company should be accessing mail from corporate servers
>> only unless done from a system outside of the corporate LAN environment
>> (DMZ or outside the firewall) from specially set up external connected
>> systems.
>>
>> This is not just advice, it should be policy.
>
> More detail: accessing mail without following the prior advice exposes
> the company to possible security breaches. Exactly what the consequences
> are depends on how the company servers are secured.
As you note below - my answer was pretty short and "knee-jerk" - and it
appears I got the kind of reaction I expected.
Quite a while ago I wrote some of the first policies on such usage ever
put in place in Canadian business. Some of them are still in effect
including at a couple of local municipalities and businesses.
In writing the policies I ended up taking many things into consideration,
not the least of which were privacy and security. In broad terms, prior
to the Internet we had telephone policies - and even without the
telephone, we had policies and regulations regarding the workplace such as
breaks (lunch, coffee, toilet, etc.) and access to water, food, etc. But
no company ever specifically allowed employees to do anything personal
during the time they were supposed to be actually working (i.e. not on
break) and there were few facilities or long enough break times to be
able to do much in any case.
Of course those in positions of responsibility could (and did) bend the
rules - especially if their work took them outside the office or they had
access to staff and/or facilities that could be used (auto, photocopier,
steno staff, fax machine, telephone, etc.) though the "blind eye" was
typically turned because the person did other things outside of normal
office hours or had greater responsibilities and this was "one of the
perks of the job".
The "perks" have grown in some people's minds to include any-time use of
communications facilities to talk to people, download porn and gamble and
all manner of other things that are contrary to getting the job done that
the employer is paying for - all because it "really doesn't cost anything
extra - the phone (in North America) is free for local calls and the
network bandwidth is paid for anyway".
The point I'm trying to make is that regardless of what actually happens,
there still needs to be a policy in place that respects the fact that the
employer has the employee there for one purpose - work. The policy is
what people (managers and employees) have to fall back on when things get
out of hand.
IMHO employees should not expect to "normally" use employer facilities
for anything personal.
Now we start the trade-offs.
Employee doesn't get paid as much as similar in another company but has
more lax policies on use of company facilities - ping-pong, use of fax,
copier, network, etc.
Employee works long hours, gets pizza, use of folding cot in corner, etc.
and gets to do pretty much whatever she wants with company equipment
because employer knows that employee is more productive when working 72
hours straight.
Problem in the above is that another employee sees the privileged one
"bending the rules" and does the same but doesn't benefit the employer by
doing the extra or taking home less pay. The policy is what has to keep
this straight.
I've always pitched my basic policies at the government, union employee -
they live by the rule book and die by the rule book (employees who die on
the job are asked to please fall down so we know you're dead ;)
Your sMileage May Vary ;)
>
>> Reading personal e-mail
>> while on company time is stealing company time.
>
> Whoops!
>
> Reading personal email while on company time _may_ be deemed to be
> inappropriate, just as accepting personal telephone calls may be deemed
> to be inappropriate.
Yes - inappropriate - either to the employer or the employee (gee - I
didn't know that having my personal mail sent to my company address meant
that my boss got a copy :) so it has to be part of the policy.
>
> The term "theft" is deliberately provocative, and not necessarily
> accurate. I, personally, have a big disagreement with the general policy
> most companies have, namely "all your time belongs to us while you are
> here, and we need you to work late until further notice, come in every
> weekend, and carry this pager. Oh, and we expect 5 minute response time
> to pages, 24/7/365. What! You want to talk to your kid's teacher on
> _company time_!!!"
Right - you can do whatever you want in your 15 minute smoke/coffee break
twice a day and your 1/2 to 1 hour meal break - just bring your own cell
phone and/or wireless computer because tying up one of our phone lines
means a customer can't call in to order (or we need to have more lines
than otherwise needed so costs us more) and downloading porn to your
workstation - even if it is _your_ computer - slows down our link which
means our web pages don't go out as fast and we find we need a faster
link at higher cost, etc.
Every action on company facilities has a cost. Either it is factored into
the employee's "burden" and acknowledged as a perk, or it is "stealing"
even though "everybody does it". On the other hand, every company request
for otherwise uncompensated employee work can lead to problems later.
There have recently been a number of court cases where "salaried"
employees have sued and won payment for overtime at the equivalent of their
hourly rate figured at 40 hours/week. So Joe Middle Exec who gets
$100k/year is imputed at $50/hour or so - and gets extra for the weekend
meetings, travel on the "red eye", etc. - after the fact 'cause his
manager canned him for cause and now he's getting even.
Anyone talking about policies regarding use of the computer facilities
has to take the HR problems into consideration as well as the security
ones.
>
> The choice of whether to consider employee usage of company resources
> (any resources, not just computers) is an individual company decision.
> Yes, there should be limitations, but they should be well thought out,
> balancing company interests with employee interests, and striking a fair
> balance.
>
> It should _never_ be based on a knee-jerk "What! Steal _my_ time, will
> you!" reaction by managers, especially middle managers and line
> managers.
>
> This is not intended as a knock to you, Richard. Just as a strong
> suggestion to consider all aspects of the issue and have the policy
> decisions set by a level of management high enough to be aware of the
> big picture.
As noted above, I have considered them. As also noted, I posted the first
reply with the expectation that this type of discussion would ensue.
Thanks for staying awake in class ;)
>
> If you treat your employees like criminals, you tend to create an
> organization of criminals.
And if you don't give your employees some guidelines, the *** will hit
the fan sooner rather than later. You're right - there has to be a
balance and that balance will be different in different companies. I
can't say I've seen it all, but I've seen enough to want to start from a
hard-assed perspective and allow some flex, rather than from a too-soft
perspective and have to clean up the mess.
>
>> Reading personal e-mail
>> using company computers (not set aside for such a thing - like
>> providing coffee or water coolers) is stealing company resources.
>
> ...if the company has an official policy against it.
If there are specific facilities which are set up to allow it and
which guard the corporate assets appropriately. This includes privacy
concerns as well as security concerns.
>
>> Using something other than company facilities without putting things
>> through an acceptable e-mail checker is no longer acceptable.
>>
>> If an employee wants to redirect their personal e-mail to their
>> corporate account (and thereby put it through virus checkers and
>> subject it to corporate archiving and inspection) then fine - but it
>> must come via normal channels -not via Hotmail or Yahoo or...
>
> This is the best policy.
>
> The problem I have with some of the statements you made is that they are
> overly brief, lack enough detail for the reader to understand the
> necessity for the policies given, or evaluate the real risks.
Noted and answered (I hope) but let's keep the discussion open and going.
>
> Please note that I agreed with you on the subject of the risks involved.
>
> But managers in many companies accept this sort of advice without
> understanding it, and use this kind of advice to close the windows,
> while leaving all the doors wide open.
And the policies have to be backed up by education of those in charge of
enforcing them.
>
> The advice you have given is (mostly) good; but it presupposes the
> network is otherwise secured.
>
> I recently spent some time at a company which had an email policy quite
> like your recommended policy. In spite of this, they were completely
> insecure. Email through the company servers was _not_ checked for
> malicious payloads.
>
> While I was there, the company was hit with the nimda virus, which hit
> all the company computers (deliberately not secured properly, because it
> would inconvenience managers), while causing no harm to my laptop
> (properly secured, by me).
You can't do anything in a vacuum in IT. For those of us who do know what
we're doing it is a must to ensure that we are not the source of the
problem and be able to prove it if necessary. I've been the "devil's
advocate" far too often to deaf (blind, dumb, stupid, incompetent) ears.
It's never fun to say "I told you so" while having to clean up the mess,
and the "back stabbing for fun and profit" crowd are always looking for
scapegoats. Watch your back.
richard
--
Richard C. Pitt, C.E.O., Belcarra Technologies
richard@belcarra.com  direct: 604-644-9265  www.belcarra.com
Software Systems - design and implementation: Internet, Linux, Communications
USB, RNDIS, ATM, E-mail, SQL, Encryption, Security, Web, Embedded Systems