Welcome to the SecAware blog

I spy with my beady eye ...

1 Jun 2011

Giving employees an uphill battle

A blog piece by David Lineman emphasizes the importance of having explicit corporate policies regarding private/personal use of corporate IT facilities.  David outlines three cases in which employees claimed that their emails were private, even though they were using the company systems and network.  His conclusion is straightforward enough:
"All of these cases have happened within the last year, and they are likely to continue. The message for employers is clear: You must have acceptable use policies that cover internet and email, including the use of personal email accounts. In every case, employees had an uphill battle when there were policies in place."
I would add two things. 

Firstly, email is not the only issue here - as well as using the corporate email systems for personal reasons, employees often use the ICT facilities to access their webmail, and for SMS/TXT, IM, ICQ and other forms of person-to-person messaging.  Our model policy on person-to-person messaging (one of the items provided in the latest bunch of NoticeBored awareness materials) includes a policy axiom stating that 'Corporate person-to-person messaging facilities are provided for legitimate operational and administrative purposes in connection with the organization’s business.  All messages processed by or traversing the corporate IT systems and networks are considered to be the organization’s property.'  It goes on to expand on that and another axiom.

Secondly, 'having a policy' is not necessarily enough: employees also need to know about it and, ideally, understand and comply with it - which is where the rest of the NoticeBored module comes into play.

Gary (Gary@isect.com)
