If the CEO is willing to sign off on a policy banning the use of social networking and IM, then there should be controls in place to enforce the policy. A policy without the associated controls and punishments (administrative, enacted by Management/HR) isn't worth the paper it's written on.

There should be a section for exceptions, due to the things that you just specified, but the exceptions have to be approved in writing by the CEO or CIO accordingly. (I know marketing departments are using Facebook, Twitter, Myspace and emerging social networking sites to get the brand name out or to communicate with new customer bases, along with those "one-offs" where a member of the military is using IM/Skype to talk with loved ones back in the States.)

The SANS templates are a pretty good shell; it's just that the language will actually have to come from you. Just make sure it's not extremely technical in nature, embodies the message you want to get across, and is signed by senior management.

Also, if you have controls to block the usage of the IM/social networking sites, a reference back to established policy for those users that break policy after it's enacted serves as a nice deterrent to future violations and serves as security awareness training, which always helps.

Sincerely,
EZ

Edward Ziots
CISSP,MCSA,MCP+I,Security +,Network +,CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Tuesday, May 04, 2010 12:39 PM
To: NT System Admin Issues
Subject: Internet Policies

What restrictions, if any, do your organizations place on things like IM or social networking sites? I sent out a warning to the office personnel this morning regarding the new "IM Virus" and got an email back from the CEO basically stating "shouldn't that be a violation of company policy anyway?" and I had to tell him I knew of no policies regarding that, and that in fact, my former supervisor was fully aware of at least one person (whose child is overseas in the military) who used IM on a semi-regular basis.

For this reason, I'm working on coming up with a company policy. I've looked at the sample template from SANS as well as another one that someone sent me off-list.
I'm planning on incorporating the best of everything I get, so if anyone has any suggested language regarding IM or social networking, please let me have it.