Corporate e-mail policy

The company I work for has set up a committee to draft a security policy involving, among other things, e-mail. Since I'm responsible for our networking and e-mail, I'm part of this group. Unfortunately, I'm outnumbered by legal, auditing and HR types who, basically, want to have access to everything. I am aware that there's a line of thinking which holds that what you do or say on company time, using company equipment is the company's business. I do not subscribe to this line of thinking, and believe that employees expect a "zone of privacy" in which their telephone calls will not be listened to and their e-mail will not be read or monitored. I am also aware that recent court cases have not supported this "zone of privacy" and have pretty much held that the employer can do whatever it wants with e-mail. What I want out of this process is to keep myself and my staff out of this business. As a practical matter, I'm sure the company could bring in a hired gun to do whatever they want; since our e-mail system does not easily support strong crypto, it's all there for the taking. In an ideal world, the rest of the group would agree with me and say "Yup, we have no business reading e-mail." Since that's not likely, I'm looking for examples of "privacy-friendly" corporate policies that I can put on the table in our meetings, and end up with a minority report. -gk-

George Kuzmowycz wrote:
In an ideal world, the rest of the group would agree with me and say "Yup, we have no business reading e-mail." Since that's not likely, I'm looking for examples of "privacy-friendly" corporate policies that I can put on the table in our meetings, and end up with a minority report.
Maybe it is only me, but I recommend a "privacy-fascist" policy. This way employees will at least know to keep their own business out of computers that will be monitored by the company anyway. This is ultimately to the betterment of the employees themselves if they fall prey to complaints from the likes of January KOTM The Right Reverend Colin James III (puke). For the information of those who do not know, CJ3 made it a hobby to complain to the employers of people whom he did not like -- with not much success, though. The employees would easily be able to say that the employer has nothing to do with the alleged matters of the complaints. - Igor.

ichudov@algebra.com (Igor Chudov @ home) writes:
employees will at least know to keep their own business out of computers that will be monitored by the company anyway.
Igor learned it the hard way... He's no longer reachable @wiltel.com. :-)
This is ultimately to the betterment of the employees themselves if they fall prey to complaints from the likes of January KOTM The Right Reverend Colin James III (puke). For the information of those who do not know, CJ3 made it a hobby to complain to the employers of people whom he did not like -- with not much success, though.
Not true - Colin got several forgers in serious trouble for their net-abuse. More power to him. The Internet needs more people like TRRCJ3 (pbuh). --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

On Fri, 2 Aug 1996 ichudov@algebra.com wrote:
George Kuzmowycz wrote:
In an ideal world, the rest of the group would agree with me and say "Yup, we have no business reading e-mail." Since that's not likely, I'm looking for examples of "privacy-friendly" corporate policies that I can put on the table in our meetings, and end up with a minority report.
Maybe it is only me, but I recommend a "privacy-fascist" policy. This way employees will at least know to keep their own business out of computers that will be monitored by the company anyway.
I think you need to take the "fascist" approach, at least officially. I would hope that, unofficially, you don't monitor, eavesdrop, etc., unless a problem requires you to (such as receiving e-mail from another site saying that attacks originating from your systems have been detected, etc.). If you don't take the "fascist" approach, you are granting employees a "reasonable expectation of privacy", which you cannot, in truth, provide (without spending a lot of additional money). Once you've put your company in this position, you've set them up for an employee to have their "privacy" violated, so you've increased the company's risk. The benefits of running a "privacy-friendly" corporate system just don't outweigh the costs and risks. If somebody wants to read alt.sex.whatever-floats-their-boat, I really don't care, but I don't want to be in the position of ensuring their privacy while they do so on corporate equipment; they can get their own 'net account and play at home. I prefer to put out an official "fascist sysadmin's system use policy", and then leave users to themselves, as long as I don't get any complaints of illegal activity that could land my company in hot water. What you publish as a use policy and what you actively enforce do not have to be the same. Just my $.02.
Participants (4):
- dlv@bwalk.dm.com
- George Kuzmowycz
- ichudov@algebra.com
- Rabid Wombat