Section 7.4 E-Mail Policy

[Danger level graphic: five]

Very confidential data should not be sent unencrypted through e-mail because there are too many ways an interloper can see it, including reading mailboxes directly with root access or sniffing the network. Written policy should give guidelines for establishing what is or is not appropriate for e-mail. Data that, if disclosed, could substantially harm the company, such as upcoming financial plans or marketing or engineering directions, especially should be included. Any medical information, certain types of personnel details, credit card data, or similar should be expressly banned from e-mail unless suitably encrypted.

Passwords for privileged accounts such as root, the database's account, and the Web server especially should not be sent via e-mail. They should be sent by a secure means, such as PGP, via phone, or Registered Mail. See "Confessions of a Berkeley System Mole" on page 373 for a lively explanation of the consequences of not following this rule!

Your policy should state whether personal e-mail is allowed. Some of the following policies should be considered. The more severe ones should contain an explicit penalty of dismissal. Having explicit policy is important to prevent someone from "getting away with it" the first time because "I didn't know."

  1. Programs (especially binaries) obtained from e-mail attachments should not be used unless one is absolutely sure that the sender can be trusted and that he or she validated the source of the program. Filtering out these at the firewall or mail server is recommended.

    In other words, not only must you trust the honesty of the sender but also the ability of the sender to determine that the program that he or she acquired is trustworthy, before using the program. There are virus scanning programs that can be of use here.

  2. E-mail that is harassing, threatening, or associated with an illegal activity (such as gambling,[1] fraud, or illegal distribution of data or software) is forbidden. This includes sending copies of programs that violate or allow the violation of software licenses. The reason for making violators of this policy subject to dismissal is that this activity could get the company sued quite easily.

    [1] Many companies make allowances for sports pools and the like.

    Having a severe policy (and enforcing it evenly) protects the company, both by reducing the amount of this activity and by being able to show lawyers, judges, and juries that the company did everything it could to prevent the problem. This counts for a lot in such situations. If the policy is not enforced evenly, this will cause serious problems when the one who suffered more severe enforcement than others files a lawsuit.

  3. E-mail that contains viruses, worms, or hoaxes is forbidden.

  4. E-mail that is considered spam is forbidden. You might want to be specific and state, say,

    Unsolicited e-mail not related to Company business, recreation, or morale that is intentionally sent to more than 10 people in the company or more than 20 people outside the company (without authorization) shall be considered spam and is forbidden.

    This restriction shall not apply to the occasional reasonable invitations for outings, barbecues, homes for kittens, and the like. If in doubt, contact your friendly SysAdmin or manager.

  5. Sending or forwarding chain letters is forbidden.

  6. Sending large amounts of e-mail unrelated to the company's business is forbidden. (Check with the SysAdmin if in doubt.)

  7. E-mail that contains confidential company information may not be sent outside the company (or over unsecured lines) unless specifically authorized. One should especially be careful when replying to e-mail that has a list of recipients, some of whom are not employees.

  8. State whether the company reserves the right to read employee e-mail. In most jurisdictions it is legal for a company to do so. In some cases it is legal only if the company states that it might do so. Certainly, most people consider it unethical for a SysAdmin to read someone's e-mail without management authorization to do so for a particular purpose related to the company's business.
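Two of the items above (the executable-attachment rule in item 1 and the recipient thresholds in item 4) are mechanical enough to be enforced by a filter on the mail server. The following Python check is an added example, not code from the book; the company domain, the list of executable extensions, and the sample message are assumptions constructed for illustration.

```python
# Added example (not from the book): checking an outbound RFC 822 message
# against items 1 and 4 of the e-mail policy, as a mail-server filter might.
# The company domain and the extension list are assumptions.
from email import message_from_string, policy
from email.utils import getaddresses

COMPANY_DOMAIN = "example.com"                              # assumed
EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".scr", ".vbs")  # assumed list
INTERNAL_LIMIT, EXTERNAL_LIMIT = 10, 20                     # thresholds from item 4


def count_recipients(msg):
    """Return (internal, external) counts of distinct addresses in To/Cc/Bcc."""
    fields = [str(h) for name in ("To", "Cc", "Bcc") for h in msg.get_all(name, [])]
    addrs = {addr.lower() for _, addr in getaddresses(fields) if addr}
    internal = sum(addr.endswith("@" + COMPANY_DOMAIN) for addr in addrs)
    return internal, len(addrs) - internal


def executable_attachments(msg):
    """Item 1: filenames of attachments whose extension marks them as executable."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(EXECUTABLE_EXTS)]


def check_policy(raw):
    """Return the list of policy violations for one message (empty if clean)."""
    msg = message_from_string(raw, policy=policy.default)
    internal, external = count_recipients(msg)
    hits = []
    if internal > INTERNAL_LIMIT or external > EXTERNAL_LIMIT:
        hits.append(f"recipient limit: {internal} internal, {external} external")
    hits += [f"executable attachment: {fn}" for fn in executable_attachments(msg)]
    return hits


# Constructed sample: 2 internal and 21 external recipients plus an .exe attachment,
# so it trips the external threshold (21 > 20) and the attachment rule.
SAMPLE = (
    "From: alice@example.com\n"
    "To: bob@example.com, carol@example.com\n"
    "Cc: " + ", ".join(f"user{i}@other.example" for i in range(21)) + "\n"
    "Subject: Q3 plans\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nSee attached.\n"
    '--b1\nContent-Type: application/octet-stream; name="setup.exe"\n'
    'Content-Disposition: attachment; filename="setup.exe"\n\n(binary omitted)\n--b1--\n'
)

if __name__ == "__main__":
    for violation in check_policy(SAMPLE):
        print("VIOLATION:", violation)
```

A real deployment would run this from the MTA's content filter hook and reject or quarantine rather than print, but the two checks are the substance of what the policy asks for.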

    Real World Linux Security Prentice Hall Ptr Open Source Technology Series
    Year: 2002
    Pages: 260