December 2008                                                E-Newsletter
 
Geek-Guru
 
IT, Internet & E-mail Policies

After last month's newsletter on security we had a fair few requests for additional help and advice on security-related issues for SMEs. In place of our planned December newsletter we've decided to produce the first of a series of articles highlighting areas of IT security in a bit more detail.

In this month's issue we're going to be looking at IT policies: why you should have one, how to go about writing one, and what to do to monitor and enforce them.

Contact Us
We want these newsletters to be useful; a source of insider IT knowledge and inspiration; not simply another e-mail to fill up your inbox. If you feel there is more we can do to make these newsletters useful to you and your business please e-mail us.
 
Why have a policy?

There is no longer any doubt that the internet is a powerful tool for your business. From customer relationship management through to marketing and sales, there aren't many aspects of business that haven't in some way been affected by the internet revolution.

With all these benefits it's no wonder that almost all businesses now have some form of internet connection, but allowing staff unrestricted access to the internet can leave your business open to unacceptable threats:

  • Security - The internet is a vast resource but not all of it is benign. Allowing your staff unrestricted access to the internet puts your internal network in danger of infection from a range of malicious software (viruses etc.).

  • Productivity - You wouldn't allow your staff to sit reading a novel all day or sit chatting on the phone to mates whilst at work, and the same should apply to the internet.

  • Legality - Allowing unrestricted access to the internet leaves you open to damaging and costly legal action if your employees either accidentally or intentionally access illegal content.

  • Bad PR - There are numerous cases of very damaging e-mails making it to the public domain. Allowing your employees to use the communications system for their personal use means your company name will automatically be associated with employees' personal views and thoughts, no matter how disagreeable they may be.

It's fairly easy to see that every company should have restrictions on what is and is not acceptable when it comes to IT and internet use. Whilst technology can help to control and monitor IT use, we at Geek-Guru feel that first and foremost every company should prepare a formal acceptable use document which forms part of their employment contract.

USB Risks
The Computer Emergency Response Team released an alert in November 08 highlighting the risks posed by a new virus that spreads via USB disks.

In days gone by computer viruses were almost exclusively transmitted via removable media such as these, but the advent of the internet had seen these decrease in favour of network-borne threats.

The massive growth in USB flash drives, iPod storage and removable hard disks has meant this threat has again resurfaced as a serious security risk.


All companies should have a policy on USB drive usage on their network and actively monitor and manage these kinds of devices to minimise threats from not only viruses and Trojans but also data leakage.

How do we write a policy?

Although it makes sense to get the help of your legal team in preparing an IT and internet policy document, we still feel it is better to have some form of written policy than none at all. We've prepared some guidelines for what your policy should contain:

  1. Clarify your definition of personal use and specify clearly how much access time is acceptable (if any) and during what times (for instance only at lunch).

  2. A clear warning to abide by copyright and licensing restrictions as well as any other laws that apply to your industry.

  3. Warnings about the dangers posed by viruses and clear instructions on what should and should not be downloaded and how to minimise the risks from downloading internet based content.

  4. What sites or types of sites are explicitly banned from access (e.g. Pornography, Terrorism, Inflammatory).

  5. What shouldn't be circulated on the company e-mail system (e.g. messages that could be classed as sexual harassment).

  6. Rules for sending confidential business data and how e-mail attachments should be handled (e.g. Encryption).

  7. What is considered appropriate e-mail etiquette for your business: how should e-mails be signed off, should people use signatures etc.

  8. Usage policy on potentially dangerous items such as USB disks or iPods (See cut-out: USB Risks).

  9. Guidelines on storage and backup of company files and archival of e-mail.

  10. The disciplinary procedure if any of the rules specified in the document are broken. If these are not clear you may risk an unfair dismissal claim if you fire an employee who has broken your rules.


In addition to a formal policy you might like to think about how these rules might be enforced. If you plan to monitor or record web access or e-mails you MUST inform your employees that this is occurring, as it is illegal to do so without informing them.

Servers do sometimes include basic tools for monitoring access but you might like to think about additional tools (such as the Marshal products featured in last month's newsletter or Safend featured in the sidebar of this newsletter) if you feel monitoring and active enforcement is desirable.

Featured Product
Safend

In the industry we talk of endpoints, which are devices such as USB disks or writable CD drives that can be used to take data off the internal network. These devices, whilst being very useful, also pose a threat in terms of undesirable data leakage.

Safend Protector is the industry's most comprehensive, secure and easy-to-use endpoint information leakage prevention solution - controlling every endpoint and every device, over every interface.

Geek-Guru are certified Safend distributors and installers. Please call us if you'd like to discuss this or any other product.

www.geek-guru.co.uk
0845 2340580

This e-mail is freely distributable. If you know someone who you think might like to read this please feel free to forward it on or drop us an e-mail and we'll add them to the database.