Re: IT Security Policy & Procedures Manual

Subject: Re: IT Security Policy & Procedures Manual
From: Sandy Harris <sandy -at- storm -dot- ca>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Fri, 16 Feb 2001 13:19:11 -0500

Dick Margulis wrote:
> Merv,
> This topic just came up today, coincidentally. If you are aiming for a comprehensive
> policy, you want to include an agreement/acknowledgment that all employees sign and
> that specifies proscribed behaviors.
> The range of behaviors you have to address includes, but is not limited to:
> What software it is permissible to install on a company-provided computer, along with
> related licensing issues

This should include some mechanism for getting approval of pieces of software you
need. The list cannot be static, defined in the policy. There must be a mechanism
for adding to it.

It should also deal with the question of who is authorised to download and install
open source software on which machines. Generally there is no licensing issue there,
but there may be security issues.

> What the limits are on personal business that can be conducted (okay to check your
> personal email account? execute brokerage trades? read the news? do the books for a
> charity? for your spouse's home business? print wedding invitations? print business
> cards for your own home business?)
> What the limits are on the use of the Internet for downloading and uploading (Napster?
> Porn? Hate literature?)

These may not belong in security policy, though they do belong somewhere.

> Personal responsibility for maintaining virus protection and not opening weird
> attachments

To some extent this can be dealt with at the server level, e.g. using "MIME defanger"
from to remove dangerous attachments.

> Personal responsibility for machine maintenance (defrag, archiving, ...)

Not a security issue, I'd say.

> Use of the company network for sending unsolicited email for personal or business purposes
> Use of the company network for hacking into competitors' networks or conducting other
> illegal business activities
> Circulating chain letters,

Firing offenses, I'd say.

> bogus virus warnings,

Provide a channel to an admin to catch these. Make it very clear that "warnings" should
go only to that admin. Provide links to hoax reference sites:

> jokes (okay jokes, not-okay jokes) within or outside the company

I'd say political correctness does not belong in a security policy.

On the other hand, it may be appropriate to mention that anything sent from the
work address that might embarrass the company should not be sent.

In some companies, you should also notify employees that mail sent from work is
archived on the server and what the policies are for access to that archive.
For example, in the event of complaints from recipients, the archive will be
checked and the employee disciplined if ...
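The server-side attachment stripping mentioned above, as an added illustration that is not part of the original message and not the "MIME defanger" tool itself: it parses a constructed multipart message with Python's standard `email` library, and replaces any attachment whose extension or MIME type is on a site-defined block list (the lists here are assumptions, not a recommended policy) with a plain-text placeholder. Double extensions such as `invoice.pdf.exe` are caught because only the last extension is checked.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Constructed block lists; a real gateway would load these from site policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".js", ".bat", ".com", ".pif"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def is_dangerous(part: EmailMessage) -> bool:
    """True if a leaf MIME part looks like an executable attachment."""
    name = (part.get_filename() or "").lower()
    ext = os.path.splitext(name)[1]          # last extension only, e.g. ".exe"
    return ext in BLOCKED_EXTENSIONS or part.get_content_type() in BLOCKED_MIME_TYPES


def defang(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Parse a raw RFC 822 message and neutralise dangerous attachments in place.

    Returns the rewritten message and the list of removed attachment filenames,
    so the gateway can log what was stripped and notify the admin channel.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed: list[str] = []
    for part in msg.walk():
        if part.is_multipart() or not is_dangerous(part):
            continue
        name = part.get_filename() or "(unnamed)"
        removed.append(name)
        # clear_content() drops the payload and all Content-* headers (including
        # Content-Disposition); set_content() turns the part into text/plain.
        part.clear_content()
        part.set_content(f"[attachment '{name}' removed by mail gateway policy]")
    return msg, removed


# Constructed sample message: one text body, one executable, one PDF.
SAMPLE = b"""From: sender@example.test
To: recipient@example.test
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream; name="report.exe"
Content-Disposition: attachment; filename="report.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

if __name__ == "__main__":
    cleaned, stripped = defang(SAMPLE)
    print("removed:", stripped)
    print(cleaned.as_string())
```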
