Interoffice Memo - Essay Example

Interoffice Memo CISO Albrecht Dürer, Public Relations Re: E-mail policies Mr. Durer I was a bit saddened to learn of employees using corporate email addresses for their personal online activities. However, I am thankful that you showed enough concern to contact me about this matter. I will be happy to provide you with an outline of our global e-mail policies. I hope this will help stop the abuses of our corporate email. As a PR Manager, you have every right to be concerned. Global e-mail policies-must be adhered to at all times Username and Password- these are assigned to each employee who has e-mail access. No employee is to share this information with another employee or another person outside the corporation. 1. For difficulties in accessing corporate email, contact the IT department. Do not ask a co-worker or manager. This helps keep your email account secure. 2. Your corporate e-mail is for professional and corporate use only. Do not log on to personal discussion boards or use groups with you corporate e-mail. We are a professional organization and must maintain a professional image. Our corporation should not be to be linked to pornography sites or those associated with specific political or religious groups. Abuses of corporate e-mail in this manner should be reported to a manager and the IT department immediately. 3. No –email account holder(employee) is to use corporate e-mail for dissemination of personal information, regarding other workers. Corporate e-mail shall not be used to incite hatred, violence or otherwise libelous statements about another employee, business associate or other business contact. Users should refrain from such activities regarding non-associates as well. This does not impart a professional image and you may be setting up the corporation and yourself for legal action. 4. Do not use corporate e-mail for contact with friends, family or non-business associates outside the corporation. You may use your personal e-mail account from another provider, as long as you do it on your time, ie: lunch breaks, after hours, etc. Personal matters should not be handled on company time. 5. Corporate e-mail will not be used to share account information of our customers with co-workers, competitors or other customers. We assure our customers privacy and security of their information. 6. No corporate e-mail user shall change or alter origination headers of e-mail. This is unethical and considered fraud. 7. No corporate e-mail account shall disseminate SPAM, viral e-mail or other type of advertising. The exception is with Marketing representatives, who have proper authority to do so from department managers, and only to customers who have opted to receive corporate marketing information in this manner. We take SPAM very seriously. Abuse could lead to legal action against our corporation. I hope this helps you in putting together your booklet on our corporate email policies. If you have any additional ideas or concerns about use of corporate e-mail, please do not hesitate to contact me at any time. Your input as PR Manager is greatly appreciated. Eze Interoffice Memo ___________________________________ From: CISO To: Giovanni Gabrielli, Facilities Security Re: Training for Security Guards Mr. Gabrielli I understand your concern for training of your security guards. With computer crime and use of computers related to criminal activities on the rise, this is an important topic. I am happy to share some key points with you. What are Computer Crimes? Computer crimes fall into many different categories. Some involve the use of computers to defraud, illegally access account information or to otherwise hack into a system to obtain corporate information which that person would normally not have access to. In this instance, activity would most likely occur in a remote location, away from our corporate office. Handling Suspected Computer Crime and Evidence If one of your security professionals does encounter an issue, for instance, an employee believes someone has used their computer or workstation to commit such an act, ask the employee to keep his or her hands off all computer and peripheral equipment. Contact our department immediately, so the employee’s account information can be deactivated. We may have to change username and password for e-mail and for customer databases, When marketing or account management employees are involved. There may be other You can suggest they work from another location or office. I would be more than happy to provide a laptop and equipment for temporary use. Remind the employee that their access to e-mail and database may be suspended temporarily, while an investigation is conducted. For crimes involving receipt of hate e-mail, threats of violence or other abuses to an employee, a report should be sent to the IT department immediately. We may be able to help law enforcement officials in tracing the sender. If you suspect the sender is an employee, do not alert him or her. Contact our department. We may decide to set up a sting operation, or in cases of serious threat that has actually resulted in violence or physical harm, will work with law enforcement. Remind the employee not to delete any suspicious emails or pull any documents off their printers until we have investigated further. For customer complaints of possible security breech, regarding personal account information, employees must contact our department immediately. If the employee is suspected in the security breech, he or she will be asked, without warning, to work in a different office or space for some time. Do not give the employee advanced warning. Simply ask to pick up all personal belongings and a member of your security team will escort them to another work station or area. Do not allow them to delete any e-mail or close out of current computer screen. Tell the employee to go with you now, no exceptions. This procedure should be followed for any type of suspicious computer crime that may be linked to an employee. Finally, instruct your team members that any and all computer equipment, including printers, discs, USB drives and other peripherals should be left alone. Do not handle such equipment. Leave it for investigators and/or the IT department. All e-mail messages or printed documents that are suspicious in nature, ie: a list of employee private contact information, should be left intact in its current location. Do not attempt to move, copy or otherwise bring the information to the appropriate authorities. Let our department know, so our departments(Security and IT) can decide the best course of action. I hope this helps you with the training of your team. Please keep in mind that most computer crimes leave little obvious evidence. However, when they involve an employee, fingerprints and access to e-mails or files may be necessary, so nothing should be tampered with. I appreciate your desire to provide the corporation with a professional security team. Eze Interoffice Memo From: CISO To: All employees Re: Social psychology = mind-control? Dear Staff I recently received an anonymous memo asking about social psychology and its use in security awareness. Concern was expressed that such activity might be a form of mind control. I would like to explain what social psychology involves, so that every has a better understand. I hope that after the explanation, everyone will see why I am taking this approach to security awareness. How Social Psychology Works First, I would like to explain that social psychology involves the study of how individuals act in various social setting or groups. Settings include work environments, business meetings, social affiliations, churches, families, community organizations and many others. Some are more open in groups than others, willing to share just about any information or details about themselves. Others are more private. For those who are considered the ‘social butterfly’ type, this puts them at risk for security breaches of their private information. They may more readily supply others with passwords and information to access corporate information. They do so with no intention of breaching security, but may set themselves up for problems nonetheless. They do so with an attitude of eagerness and willingness to please others. This is a wonderful quality that employers embrace. However, it can set the employee up for many security issues. Others are more introverted. They may choose to keep all personal information to themselves. Often these employees, while the may be considered uncooperative or socially inept, are acutely aware of risks involved in security breaches. How We Use Social Psychology Most employees fall in the middle of this spectrum. They are aware of security risks, though they may need reminders occasionally. The use of social psychology for security awareness, involves the continued monitoring and efforts of all employees. We are simply asking, that if one employee sees another taking risks, such as providing others with password or customer account information, a gentle reminder that this could compromise security should be sufficient. During the course of our work days, we all may receive reminders of specific tasks or processes from co-workers or managers. I realize some employees appreciate this more than others. Co-workers can provide the best social and professional support for one’s career. The concept of reminding each other of possible security breaches or activities that could compromise corporate security is a common social activity for many, in the workplace. We often become very busy juggling multiple tasks. A simple reminder to a co-worker to log out of the account database before going to lunch can go a long way in security awareness. If any employee wishes to speak to me regarding the subject, please feel free. I would be Happy to discuss this matter with anyone. Eze Interoffice Memo From: CISO To: Jeanne d’Arc, CEO Re: Assessment vs audit Ms. d’Arc In response to your memo regarding security audits and security assessments, I would be more than happy to explain. First, let me say that both have their place in meeting obligations. I will provide you with information on how each works, so that you can make more informed decisions about security compliance. What are Security Audits Security Audits can be thought of as periodic check-ups of the security measures in place. Some corporations conduct audits as infrequently as every three years. Others conduct them more often, depending on the level of risk. Typically one member or a small team of IT professionals are assigned to perform the audit. The audit serves as a means for IT professionals to gain a more thorough understanding of how information is used by various departments, managers and employees. Audits address the philosophy and style of managers, related to their awareness of security issues and compliance with laws and corporate policies. The audit also determines the efficiency and effectiveness of current IT security measures. This is done by reviewing the organizational structure, to determine who is responsible for adopting security standards, developing policies and monitoring of ongoing security measures. Audits also take into consideration “Compliance with applicable laws, regulations, policies, and procedures” (Huff, 2003, p.2). What are Security Assessments Security assessments are activities that monitor the effectiveness of current security measures. They are done periodically and typically within the security cycle. They involve testing of current security systems or measures, to check for possible areas of weakness or vulnerability. Security assessments can be done externally, internally or both(recommended0. External assessments may involve attacks purposely launched from outside the perimeter of the corporate system. For example, an IT professional may attempt to attack the system security from outside the corporate intranet system. Specifically, the external assessment is “often concerned with firewall and other perimeter protection” (smu.edu). Internal assessment, on the other hand, involves attempted attack from inside the system or corporate intranet. Such attacks simulate those from corporate insiders, such as employees and associates. It is estimated that “more than 60% of threats” to corporate intranet security come from inside (smu.edu.) I hope this helps answer your question. I you would like more information regarding my personal recommendations, with respect to the frequency of security audits and assessments, call my office. I would be happy to meet to discuss any concerns you may have. Eze References Security Audit. Closing the Loop. Risk Assessment VS Security Assessment. engr.smu.edu/~nair/courses/8349/audit.ppt. Huff, D. (2003). Core Audit Program: Information Technology Physical Security. www.ucop.edu/audit/core/Physical%20Security%20Core%20Program.doc. Read More