The first item to consider is the local legal requirements. I work with an industry ISAC in the U.S. and we have Canadian members. In our discussions the laws of Canada are much different than the U.S. They also have local laws to comply with.

Another item is that asserting ownership of anything on the server is an interesting idea. If I send you an email, do you own it? In most countries the answer is no. I own it (as the creator) and you have a license to read it (a form of ownership, but not what most people mean by ownership). Finally, if you offer health insurance and someone puts personal health information into email, is that information protected under HIPAA (again, a U.S. law)? What if it is encrypted? Is this company usage (the company provides the insurance)?

We are working on a policy that states the systems and software are provided to a person to aid them in the performance of their job. As such, we reserve the right to examine the usage of the system and to troubleshoot issues with the system. If we find inappropriate usage, the person is subject to action up to termination. We are also looking at appointing a privacy person in H.R. who would examine the account based on a complaint and sanitize the account of any HIPAA-protected information (and personal financial transactions, etc., that are not the target of the investigation). Complaints would have to be from V.P. level or above and must be in writing. There will also be a time frame for reporting to the person about the investigation.

As with most statements of policy, it is complicated. However, we are attempting to protect privacy, overlook incidental use, allow ourselves the ability to work offensive issues such as spam and porn, support the infrastructure, and stay out of court.

Good luck,
Mark

-----Original Message-----
From: pablo gietz [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 24, 2003 12:03 PM
To: [EMAIL PROTECTED]
Subject: e-mail policies

Dear gurus,

We are defining policies for the use of corporate e-mail, and I have doubts about the privacy of messages sent by employees. Since the e-mail system is intended for business use, we need to prevent sensitive information disclosure. If we respect privacy, how can we discover a disloyal employee? What is your opinion, or the standard, in these cases? What is the companies' approach?

Thanks a lot.

--
Pablo A. C. Gietz
Head of Information Security
Nuevo Banco de Entre Ríos S.A.
Tel.: 0343 - 4201351

----
Mark Reardon
Reardon Information Security Corporation
156 Blue Sky Drive
Marietta, GA 30068
(770) 565-0544
(404) 444-0041 cell
