Q: Corporate Information Technology Communication Policies (Answered, 2 Comments)
Question  
Subject: Corporate Information Technology Communication Policies
Category: Computers > Security
Asked by: eight-ga
List Price: $50.00
Posted: 20 Dec 2002 10:15 PST
Expires: 19 Jan 2003 10:15 PST
Question ID: 127392
I am looking for information regarding corporate information
technology security policies concerning internal and external
communication using tools such as email, instant messenger, internet
mail, wireless communications, blogs and phone.  I am seeking actual
security policies as well as information regarding the issues faced by
businesses that have employees using these tools for internal and
external messaging, and the manner in
which businesses train their employees regarding the use of these
communication tools.
Answer  
Subject: Re: Corporate Information Technology Communication Policies
Answered By: kyrie26-ga on 21 Dec 2002 02:26 PST
 
Hello eight-ga,

To reiterate your question, you requested information on the following:

Elements :
- IT security policies 
- internal and external communication
- email, instant messenger, internet mail, wireless communications,
blogs and phone
Need :
- actual security policies
- info on issues faced by management
- info on training regarding use of these communication tools

Below are the results of my research. It appears that most of the
communication tools you mention are grouped together under the concept
of "Internet use", in most of the resources I found, with email being
more distinct. Most Internet Acceptable Use Policies (IAUPs) draw on
the same basic principles and apply more to the usage and content of
these communication methods, as opposed to being specific with each
kind.

You will find the following resources relevant, as they include sample
policies, articles and instances of issues faced by businesses. The
topic of training seems to be sparse, and it seems that most companies
issue policy handbooks, guidelines or memos that are expected to be
followed; there does not seem to be much documentation on formal
training for this (see my unsuccessful search terms below).

Without further ado, here is what I found :


+----------------------------------------------------------------------------------+
 
Guide to E-Mail & the Internet in the Workplace, Susan E. Gindin
http://www.info-law.com/guide.html

" As e-mail and Internet use increases in the workplace, there are
likely to be many Internet-related disputes, including those
concerning employment relations, privacy, freedom of speech,
intellectual property, and record-keeping issues. Many workplace
disputes involving the Internet will be resolved according to
traditional labor and employment law. However, because of
uncertainties, as well as differing opinions, regarding appropriate
uses of the Internet in the workplace, the Internet has intensified
workplace disputes. The Internet also raises many entirely new
questions. For example, questions are raised because Internet
technology eliminates boundaries, between the home and the workplace
as well as between state and national borders. Consequently, the
resolution of Internet-related disputes will often require the
application of case law and statutes which specifically address
electronic issues.

This guide examines the legal issues that can arise as a result of
Internet use in the workplace, and is meant to guide employers and
employees in avoiding Internet-related workplace disputes. Chapter II
briefly introduces many of the issues which have arisen as Internet
use in the workplace increases, including questions regarding e-mail,
workplace Internet use, off-site Internet activity and personal Web
sites, information security, electronic record-keeping, and
telecommuting. Chapter III considers the competing interests of
employers and employees, and Chapter IV discusses established
workplace laws. "

+----------------------------------------------------------------------------------+

LLRX.com - My Kingdom for An Effective Internet Policy!
http://www.llrx.com/features/internetpolicy.htm

"Another day, another story about an executive who loses his job or
reputation because of questionable use of e-mail. This month, it was a
24-year old new associate at the Carlyle Group in Seoul, South Korea,
who sent a message about his recent sexual conquests and bohemian
lifestyle to 11 friends at his recent stomping ground, Merrill Lynch
in New York. In a vivid illustration of the potential of "viral
marketing," or in this case, "viral destruction," the message was
forwarded to hundreds of people on Wall Street, and eventually made
its way back to the Carlyle Group. The young man was fired."

"An effective policy should be short, clear and courteous. Many
lawyerly-written policies are too long and confusing to be understood
by many people, especially as most people scan, rather than read,
documents full of "wherefores." ("Whatever.") Issuing a draconian
policy ("Company's e-mail is never to be used for personal purposes")
turns all your employees into potential lawbreakers and alienates many
people. And it might actually be more efficient and less disruptive
for employees to arrange some personal matters via e-mail rather than
by telephone."

+----------------------------------------------------------------------------------+

Business 2.0 - Magazine Article - Traffic Cops
http://www.business2.com/articles/mag/0,1640,13229,00.html

"In the past, Internet security focused on malicious things coming
from outside — viruses, Trojan horses, other kinds of intrusions,"
says Kelly Haggerty of Elron Software, which sells CommandView
Internet Manager, the category's most widely used product. "But now
there's a whole other risk that companies are becoming more aware of.
The risk of liability. The risk of employees abusing a new resource
and becoming less productive."

+----------------------------------------------------------------------------------+

Managing Internet For The Enterprise : IS Strategies For Access,
Security and Support
http://www.ggtech.com/upload/95027.pdf

" As rapidly as the Internet is providing new opportunities for
commerce, it poses new management, security and legal issues. As a
starting point for analyzing these new issues, let me suggest that the
"information superhighway" is the wrong metaphor. The Internet,
World-Wide Web ("Web") and other on-line systems are not simply means
of transport for getting information and content from one place to
another. Rather, because what is moving is information and data - the
building blocks of thought, and because the Internet is also a
storehouse of information, much like memory, the Internet is changing
the way we think. So the development and implementation of a sound
corporate Internet policy requires us to examine how we think about
various corporate functions and legal issues, and make changes as
dictated by the new technology. "

+----------------------------------------------------------------------------------+

Corporate Networks Become Employee Playgrounds as Growth, Complexity
of Online Games Skyrockets, Cautions Websense Inc
http://www.websense.com/company/news/pr/02/052902.cfm

[begin excerpt]

American users visit game sites for an average of 37.9 minutes,
according to CyberAtlas. And according to PC Data, 35 percent of
gamers play games more than five hours per week. For IT managers, this
could mean valuable network bandwidth is being consumed by interactive
online games, slowing - or worse, halting - work-related Web activity.

"The best way for corporations to prevent online game playing is to
establish and communicate written e-policies regarding employee use of
business Web and e-mail access," said Nancy Flynn, executive director
of the ePolicy Institute and author of "The ePolicy Handbook".
"Another effective measure is to install a flexible employee Internet
management (EIM) software product that permits a reasonable amount of
diversion, while eliminating abuses of the Internet at work."

[end excerpt]

+----------------------------------------------------------------------------------+

ePolicy Institute
http://www.epolicyinstitute.com/

" Employers: Want to Save Millions of Dollars on Legal Fees, Lost
Productivity, Computer Security Breaches, and Other eDisasters?

The ePolicy Institute™ has you covered. The ePolicy Institute is
devoted to helping employers limit eRisks through the development and
implementation of effective eMail, Internet, and software policies. "

+---

E-Mail Policy Guide
http://www.epolicyinstitute.com/e_policies/guide.html

" The ePolicy Institute has teamed with Elron Software to produce a
FREE 16-page guide to developing and implementing an effective ePolicy
program.

The ePolicy Institute/Elron Software E-Mail Policy Guide is provided
in electronic form. Simply download the FREE booklet, and you're ready
to start reducing electronic risks in the workplace.

Sign up to receive your comprehensive 16-page E-Mail Policy Guide. "

+----------------------------------------------------------------------------------+

C2C Systems - Industry Experience - Whitepapers
http://www.c2c.com/industry/whitepapers_policy.htm

"E-policy is a corporate statement and set-of-rules to protect the
organisation from casual or intentional abuse that could result in the
release of sensitive information, IT system failures or litigation
against the organisation by employees or other parties."

+----------------------------------------------------------------------------------+

ClickWorks :: E-Policy Development and Review
http://www.clickworks.com/epolicy/index.html

" An e-policy is your set of "house rules" that defines exactly how
your company's computing assets (computers, email, Internet
connection, etc.) may and may not be used. Every employee signs a copy
of your e-policy document and agrees to abide by the rules you
establish.
      
E-policy documents can and do cover a wide range of topics, each
varying from company to company based on the needs of the business and
level of control you wish to exercise over your employees' activities.
Though all e-policies share common elements there is no "one size fits
all" e-policy. Each one should be tailored to your company's specific
needs. "
 
+---

ClickWorks :: What Your E-Policy Should Include
http://www.clickworks.com/epolicy/epinclude.html

+---

ClickWorks :: Steps To E-Policy Development
http://www.clickworks.com/epolicy/epsteps.html

+---

ClickWorks :: A Basic Sample E-Policy
http://www.clickworks.com/epolicy/epsample.html

+----------------------------------------------------------------------------------+

Writing Information Security Policies--Sample Acceptable Usage Policy
(Appendix C)
http://www.panix.com/~barman/wisp/aup.html

" This document sets forth the policy of ______ (the Company) with
regard to the use of, access to, review, and disclosure of various
electronic communications, including those sent or received by Company
employees. This information systems policy applies to all individuals
using the Company's computer and network systems, including employees,
subcontractors, and consultants.
For the purposes of this document, "electronic communications"
includes, but is not limited to, the sending, receipt, and use of
information through the corporate electronic information network, the
Internet, voice mail, facsimiles, teleconferencing, and all other
on-line information services. "

+----------------------------------------------------------------------------------+

When Policies that have 'Always Worked', Don't
http://rr.sans.org/policy/corp_user.php

"A corporate security policy is the gateway to a company's
intellectual property. In today's world of information technology, the
main threat to information security within a company is its employees.
Employees are behind the firewall; furthermore, they have a username
and password on the network. Therefore, a security policy should be
designed to explicitly list out the dos and don'ts in your network. A
security policy should serve as the company's constitution that
governs how employees use the network and take care of both internal
and external security issues. It should be well planned and
periodically updated in order to reflect your company's ever-changing
challenges and the continuous evolution in the world of technology.
Having said so, this paper will discuss what should be covered in a
corporate computer user policy that sets the overall tone of an
organization's security approach. The intended audience is primarily
information technology professionals."

+----------------------------------------------------------------------------------+

How to Avoid Inappropriate Internet Use
http://content.monster.com/wlb/articles/benefits_and_politics/internet/

" Richard (not his real name) was a rising star at a Fortune 100
company. His immediate supervisors and the CEO for whom he worked were
highly satisfied with his work.

One day, when Richard was coming down with the flu, he decided to just
stay at work and cover the telephones. He also decided to surf the
Internet. When an X-rated site popped up during a search, Richard
curiously opened it. Before he knew it, he had clicked through several
pornographic sites, and his career at the company was doomed. "

+----------------------------------------------------------------------------------+

Computer Professionals for Social Responsibility : A sample E-mail and
Voice-mail policy
http://www.cpsr.org/program/emailpolicy.html

"The following is a standard policy on Electronic-Mail (E-mail), and
Voice-Mail (V-mail) communications. It is intended to serve as a
reference for companies to establish policies of their own. This is an
authentic operational document that, even with its flaws, has served
its company well."

+----------------------------------------------------------------------------------+

INTERNALMEMOS_COM - Internet's largest collection of corporate memos
and internal communication
http://www.internalmemos.com/memos/memodetails.php?memo_id=1044

"You're probably not going to like this... but 
we took steps to block access to the p2p networks 
(Kazaa, Morpheus, etc.) It's policy now that Viacom employees 
should not use company property (to wit, your computers) 
to illegally trade copyrighted material. You may recall 
Mel Karmazin's memo of a few weeks ago..."

+----------------------------------------------------------------------------------+



Google Search Terms :

corporate internet use policy OR policies
http://www.google.com/search?q=corporate+internet+use+policy+OR+policies&hl=en&lr=&ie=UTF-8&safe=off&start=0&sa=N

e-policy OR epolicy
http://www.google.com/search?sourceid=navclient&q=e%2Dpolicy+OR+epolicy

sample corporate AUP OR IAUP
http://www.google.com/search?q=sample+corporate+AUP+OR+IAUP&btnG=Google+Search&hl=en&lr=&ie=ISO-8859-1&safe=off

corporate internal OR external communication OR communications policy
OR policies
http://www.google.com/search?q=corporate+internal+OR+external+communication+OR+communications+use+policy+OR+policies&hl=en&lr=&ie=UTF-8&safe=off&start=0&sa=N


Unsuccessful :

corporate phone OR telephone OR mobile OR cellular use policy OR
policies (no corporate info found)

corporate internet use policy OR compliance training

internet access policy OR policies training

corporate AUP OR IAUP training



I hope you find the above resources relevant to your needs. If there
is any area that needs clarification, or that is lacking, please post
a Request For Clarification and I will be glad to assist. Thank you
for using Google Answers, and I wish you all the best in your
endeavors.


Regards,

kyrie26-ga
Comments  
Subject: Re: Corporate Information Technology Communication Policies
From: chrisabo-ga on 20 Dec 2002 22:34 PST
 
You might want to take a look at SANS' page on security policy.  This
organization is well-regarded in the security and IT community:
http://www.sans.org/newlook/resources/policies/policies.htm
Subject: Re: Corporate Information Technology Communication Policies
From: thonker-ga on 31 Oct 2004 09:30 PST
 
Have you considered the international security standard, ISO 17799?
Many organizations seem to be basing their policies on this, or using
it as a framework for them, for future portability and benchmarking.

It may operate at a slightly higher level than you suggest (or may
not), but should at least be looked at.

The following sites are decent starting points:
ISO 17799 Forum (http://www.17799.com): This is an
internet user group dedicated to the standard.
Induction to BS7799 / ISO 17799 (http://www.induction.to/bs7799/):
This is an introduction to the measurement methodology that
comes with the standard.

In case you wondered, BS7799-2 is actually the second part of the
standard, which describes the management system. ISO 17799 (the first
part) is the section you would align your policies with.

Finally, if this is of any interest, I understand that there are off
the shelf policies available now which align specifically with this.
I'm not sure where, so you'd have to search for them.
