For the next three weeks, The Practical
Mac will be exploring the topic of security and privacy in the
Internet Age. Today, we begin a two-part series focusing on important
topics for companies; the series will finish with an article geared
toward home users.
Firewalls, intrusion detection systems, sniffers, content monitoring
programs, virus protection suites and biometric authentication systems
are all great ways for companies to protect their proprietary
information and encourage efficiency among their user base. However,
without a proper foundation, many of these tools are virtually useless.
By foundation, I am referring to what is considered a four-letter word
by most Information Technology Directors: paperwork. Proper policies
and procedures - and thorough documentation thereof - are essential to
a viable security and privacy system. The task of implementing these
policies and procedures need not be daunting, however. The framework
can be broken down into a few simple steps.
Policies/Procedures
Email: Email, like the telephone, is an area inevitably
subject to abuses by a few employees. It is therefore important to lay
out expectations clearly and concisely. A good email policy should, at
a minimum, cover the following areas. I have included a few example
sentences for each area:
Usage guidelines. The employee must know what constitutes
"acceptable use."
The Company provides electronic mail ("email") capability to
selected employees for the purpose of assisting employees in performing
their work-related duties. The Company believes the use of email can
greatly facilitate and enhance communication both within the Company
and with outside parties and encourages the use of electronic mail for
such purposes. Occasional personal use of the email system is
acceptable, but such personal usage should be limited so as not to
interfere with the employee's job responsibility. Email capability may
be revoked by the Company at any time.
Establish that the employee has no expectation of privacy in their
email communications. This is extremely important should monitoring of
the employee's email become necessary in the future. In fact, without
this clause, you cannot monitor your employees' email!
The nature of electronic mail makes electronic mail less private
than users may anticipate. For example, electronic mail intended for
one person sometimes may be widely distributed because of the ease with
which recipients can forward it to others. No employee shall have an
expectation of privacy in their email usage. All email correspondence,
both incoming and outgoing, shall be the property of the Company, just
as any other employee work product. Senior Management, the IT Director,
and the employee's immediate supervisor may inspect employee email at
any time, but shall not be obligated to do so.
Spell out, in no uncertain terms, that the employee's email is
subject to monitoring.
All employee email is subject to monitoring, both electronically
and by any other means, at all times. Although the Company reserves the
right to perform such monitoring, it shall not be obligated to do so.
Regular and routine monitoring of employee email shall not be the
policy of the Company.
Define what is unacceptable use.
Employees are expected to exercise good judgment in their email
activity, just as in all other aspects of their employment with the
Company. Employees may not use the Company email system for any
improper purpose(s), including but not limited to: sexual harassment;
indecent or obscene communications; threatening or harassing
communications; libelous remarks; disseminating "spam;" carrying on of
employee's outside business interests; communications favoring any
political party, politician, or political issue; communications racist
in nature; any communications that may be defined by state or federal
law as "hate speech;" and any other communications prohibited by state,
federal, or local law.
Make the employee aware that the Company cannot monitor or be
responsible for the content of email the employee may receive.
The Company cannot, in general, protect users from receiving
electronic mail they may find offensive. Any employee who receives such
email, whether it originated outside the Company or from within, should
immediately report this to the immediate supervisor and to a member of
the IT staff.
However, if the offensive email did originate within the
company, you'd better do something about it pronto.
Make sure you can read the monitored email, should the case
arise.
No employee may encrypt any email without the permission of the IT
Director and the employee's immediate supervisor and without first
providing a member of the IT staff with the decryption key.
Keep your secrets your secrets!
Employees may not send any proprietary, sensitive or confidential
material to outside parties without the express permission of the
employee's immediate supervisor. If in doubt as to the status of any
material to be sent outside the Company, the immediate supervisor
should be consulted.
One way to keep proprietary information from outside viewing is to
ensure that the employee does not catch a nasty bug that causes these
trade secrets to be automatically sent to everyone in their address
book.
Care should be exercised when opening any email attachment.
No employee should open an email attachment sent to them from any
unknown party. Attachments to email received from familiar parties, but
from whom the employee was not expecting an attachment, should not be
opened without first contacting the sender and verifying the contents
of the attachment. Any known or suspected computer virus should be
reported immediately to a member of the IT staff. If unable to
immediately reach an IT staff member, the immediate supervisor should
be contacted.
Of course, to greatly reduce or even eliminate this worry, issue
each employee a Mac on which to do their work. You can click all day
long on the attached ".exe" file, but nothing will ever happen! Trade
in the PC on something more useful and with a longer life, such as a
nice potted plant.
Include a note on authenticity, to alleviate the possibility of your
employees passing out from hysteria when Ed McMahon emails them to say
they have won a trillion dollars.
There is no guarantee that electronic mail received was in fact
sent by the purported sender, since it is relatively straightforward,
although a violation of this Policy, for senders to disguise their
identity. Furthermore, electronic mail that is forwarded may also be
modified. As with print documents, in case of doubt, receivers of
electronic mail messages should check with the purported sender to
validate authorship or authenticity.
And finally, spell out the consequences of transgression.
Misuse of the email system and/or violation of any provision of
this policy may subject the violator to discipline up to and including
termination of employment by the Company. Certain violations may also
subject the violator to prosecution by federal, state, and/or local law
enforcement agencies.
You will notice in more than one instance above, the Company
reserves the right to monitor but explicitly states that it shall not
be obligated to do so. This is a very important distinction. Consider
the following scenario: A female employee receives harassing, obscene,
and sexually suggestive email from an unknown sender outside the
company. It may even be a "generic" spam mailing, not even specifically
directed at her. However, the employee is deeply offended by this and
sues the company for not protecting her from such obscenity at work.
Her basis? The personnel handbook is filled with references to all
sorts of email monitoring. "Why didn't the monitoring catch this email
and protect me from it?"
How would you like to be responsible for screening each and every
piece of email that is sent from and delivered to your mail server,
every minute of every day? If you are not careful in the wording of
your policy, this may be exactly what you imply is being done and
perhaps even what you are obligating your company to do.
The above topics are not intended to be exhaustive. For example, in
the policies I write, I usually define what constitutes the "email
system," "spam," etc., as well as including some more mundane subjects,
such as "representing the company in a professional manner" and "using
proper grammar and spelling." Hopefully the above topics will be enough
to get you headed in the right direction.
Internet/Network Usage: Most of the same topics covered under
"Email" are equally applicable to usage of the Internet and the
Company's internal network. However, there are a few additional areas
which should be covered in an Internet policy.
Once again, lay out the ground rules.
The computer network is the property of The First National Bank
("Company") and is to be used for legitimate business purposes. Certain
employees ("Users") are provided access to the computer network to
assist them in the performance of their jobs. Additionally, Users may
also be provided with access to the Internet through the computer
network. All Users have a responsibility to use the Company's computer
resources and the Internet in a professional, lawful and ethical
manner.
The list of prohibited activities will necessarily be a little
different this time.
Prohibited Activities. Company's computer network may not be used
to disseminate, view, or store: commercial or personal advertisements
other than those related to Company; destructive code (e.g., viruses,
Trojan horse programs, etc.); obscene or indecent material; material
racist in nature; any material prohibited by federal, state or local
law; or any other unauthorized materials. Occasional limited
appropriate personal use of the computer is permitted if such use does
not: A) interfere with the user's or any other employee's job
performance; B) have an undue effect on the computer or Company's
network performance; or C) violate any other policies, provisions,
guidelines or standards of this agreement or any other of Company.
Further, at all times Users are responsible for the professional,
ethical and lawful use of the computer system. Personal use of the
computer is a privilege that may be revoked at any time. Illegal
Copying. Users may not illegally copy material protected under
copyright law or make that material available to others for copying.
Users are responsible for complying with copyright law and applicable
licenses that may apply to software, files, graphics, documents,
messages, and other material you view on the Internet. Users may not
agree to a license or download any material for which a registration
fee is charged without first obtaining the express written permission
of Company. Communication of Trade Secrets. Unless expressly authorized
to do so, Users are prohibited from sending, transmitting, or otherwise
distributing proprietary information, data, trade secrets or other
confidential information belonging to Company.
In order for your firewall and elaborate security systems to work,
usage has to actually occur through these systems.
To ensure security and avoid the spread of viruses, Users must
access the Internet through a computer attached to Company's network.
Bypassing Company's computer network security by accessing the Internet
directly by modem or other means is strictly prohibited.
Finally, the "offensive material" warning should be worded
differently as well.
The Internet is a worldwide network of computers that contains
millions of pages of information. Users are cautioned that many of
these pages include offensive, sexually explicit, and inappropriate
material. Even though purposeful access of such material is a violation
of this policy, in general it is difficult to avoid at least some
contact with this material while using the Internet. Even innocuous
search requests may lead to sites with highly offensive content. The
Company is not responsible for and cannot protect users from material
viewed or downloaded by users from the Internet. To minimize these
risks, use of the Internet is governed by this policy.
Although the following policies do not fall into the "must-have"
category, they can be of significant benefit to companies:
Software Acquisition: It is important to set down guidelines
for introducing software to the network. Generally, no end user should
be able to do this without the approval and assistance of a member of
the IT staff. Typically, new or updated software should be installed in
a testing environment prior to being installed in production
systems.
Hardware Acquisition: Without this policy, one day you will
inevitably have an unenlightened user show up with a Windows notebook
he found lying on the sidewalk and want you to make it work with the
Macs. The Macs will rebel, you will be frustrated and the user will
feel stupid. Avoid the subject by having a policy to cover this
scenario already in place!
Employee Monitoring
As stated earlier, before you can monitor any employee computer
activity, that employee must have adequate notice that they are subject
to monitoring. One thing you cannot do, regardless of notice, is to
monitor email in transit by using "sniffer" technology or otherwise
intercepting messages. There are not a lot of court cases on this
subject, and even among those dealing with the issue, there is some
contradiction. With that caveat, here is where the law seems to stand
today:
Assuming adequate notice, email may be monitored and investigated
without restriction when residing on the employee's company-owned
computer. You can check the "inbox," "deleted items," "sent items," and
anywhere else you believe something of relevance may be found.
Messages in transit may not be monitored under any
circumstances.
Messages residing on the company email server are in a state of
limbo, both legally and technically. Some courts have considered them
as being in transit and deemed them off-limits. Others have pronounced
them as fair game, since they reside on a piece of company-owned
equipment. The better advice, should it become necessary to undertake
monitoring on any given employee, is to gather all you can from their
computer and not even broach the email server unless you feel the
information to potentially be gained is worth the risk. The best advice
is to consult a local attorney and find out what the state of the law
is in your particular jurisdiction.
Backup Considerations
I won't belabor the point of how important it is to have good
backups of all your data in case disaster strikes. That could be the
subject of an entire column in itself. I will instead endeavor to drive
home the importance of not ever, under any circumstances, having any
sort of backup of one particular system: the email server. Yes, you
read correctly, and no, your eyes do not deceive you. Never back up
your email server. Despite any benefit you might incorrectly
perceive to be derived from this procedure, you are in fact creating
one thing and one thing only: evidence.
Anytime you have a backup of your email server, it is subject to
subpoena in case of legal action. In layman's terms, this means you
will have to turn over all backups of your email server to the party suing
you. If you have not passed out by this point, read on. Otherwise, lie
down, catch your breath, and continue reading when you are sufficiently
recovered.
Having represented both the party who received the email backups
(the legal term is called "hitting the jackpot") and the party who was
forced to turn over the email backups ("losing your shirt"), I can say
unequivocally that, in this scenario at least, it is infinitely better
to receive than to give. In a typical company, reference to every
secret that the company would not want to be exposed is contained in
those backups, not to mention quite a few personal emails that the
senders and/or recipients would probably not want paraded about in a
courtroom open to the public.
A good case in point is the Microsoft antitrust trial. In the early
80s, Lotus 1-2-3 was the overwhelming choice for DOS spreadsheet
programs, and with good reason: It was a wonderful program years ahead
of its time. Microsoft produced its own, very lame attempt at a
spreadsheet program (being an attorney, "alleged" spreadsheet program
might be a more accurate term) in an attempt to wrest the market from
Lotus (they failed; Excel was still years away). Around the same time,
Lotus 1-2-3 started developing bugs. Lotus suspected Microsoft was
purposefully manipulating DOS to prevent 1-2-3 from running. Microsoft
denied it and eventually prevailed. Email from that time period
subpoenaed in the recent antitrust trial produced a startling
discovery. Email messages sent by the DOS development team of the day
carried the tag line, "DOS isn't done 'till Lotus won't run!" I
wonder what the statute of limitations is there? Lotus is probably also
wondering what the monetary damages from lost revenue would be on sales
over a 17-year period if Excel had never existed.
This does not mean that you have to leave yourself exposed to a
disaster. Most email servers contain some mechanism by which you can
back up configuration information, such as accounts and so forth,
without actually backing up the messages. One server that doesn't is
one you should not be using anyway. More details in next week's
column.
Here is the way I covered this policy recently:
The Company does not perform or maintain any backups of the
email server. Once email messages are downloaded to user's computers,
they are deleted from the email server and no backup is made.
Let me be very clear: You are under absolutely no legal obligation
to make backups. However, if you choose to do so, you cannot destroy
them or deny their existence ("tampering with evidence" and "perjury,"
respectively) without suffering severe legal consequences ("go directly
to jail; do not pass 'go'"). As an IT professional, you must summon the
strength to deny your most basic of instincts: backing up your stuff.
However, you must be strong - it ain't worth it.
Conclusion
It is not enough to merely have these various policies and
procedures in place. The employees must be made aware of them. Many
companies have a disclaimer in their personnel handbook that policies
may be adopted and/or changed at anytime with or without notice to the
employee. This is not something that should be regularly relied
upon. The only reason this language is included in handbooks is to give
the company a fallback position should they find themselves in
litigation over failure to cross a "t" or dot an "i."
Anytime policies or procedures are changed or new ones are adopted,
the company should get a copy of the policy or procedure signed by
every affected employee and maintain this signed copy in their
personnel file. Contrary to popularly held notions, ignorance of the
law is sometimes an excuse, and ignorance of company policies or
procedures is often an excuse! If you find yourself in court against an
employee or former employee litigating an alleged transgression of
company policy, the jury is not going to care how much money you paid
your attorney to write that flowery language in your handbook. All they
will care about is whether this employee had actual knowledge of the
policy allegedly violated. Having practiced law for over eight years
and served on three different jury panels prior to that, I speak from
ample firsthand knowledge. Be forewarned and be prepared!
Having laid the proper framework, we will examine Internet/Network
privacy and security from the technical perspective next week.