The internet access policy conundrum

Hi Guys
We are in the middle of revising and revisiting our Internet access and email policy. Generic clauses aside, there is a need to define a policy which caters to the following:
1. Some websites need to be allowed for one department but not for others, e.g. Accounts and Finance can access websites categorised as stocks and shares (we use an internal proxy/webcache device), while HR can access job search and postings related sites; otherwise such websites are disallowed for everyone else. Also, senior executive management/HODs etc. are allowed everything except the ability to download executables/zips etc. Then we have some in our proposals/marketing department who insist (with a sound business case) on having access to free email services like Gmail/Yahoo etc.
So, how do you guys deal with such disparate demands and still create a well-controlled policy around it?
2. What's the usual practice to allow/disallow access to free email services? The concern is, there are zillions of ways to send data out of our premises: USB/CD writers, or even sending it to your own account via official email and then going home and forwarding it to someone from there. Security-wise, it doesn't make much sense to restrict access to private email, but still, shall we leave it open for access to all?
Please advise!
Nenad Rajsic Commented:
1. I have normal users = restricted to the max. HR dept = job sites allowed, also quite restricted. Managers = allowed everything apart from ActiveX/exe downloads and social media websites. Senior managers = no ActiveX/exe and no social media. Marketing dept = everything allowed, including social networking sites, but not ActiveX/exe.

2. USB drives are restricted through GPO for most computers, apart from the IT dept/senior managers and Accounts. We use Barracuda to monitor all incoming and outgoing emails, and our policy says that we are allowed to do it. We have alerts for certain keywords such as our competitor names, job titles and job roles, and sex-related keywords, and we don't allow video attachments.

Whatever you do, don't allow them to use their private email from your network (obviously some people will need it, but try to lock down as much as possible).

From my experience, our original policy was very strict and every employee had to sign it. Users won't be happy when you introduce your policy, but that doesn't last long; after a week or two they will stop moaning :)

Swift (Author) Commented:
Thanks for the reply.

Logically speaking, what's the security hazard of allowing access to private email, apart from the fact that users can send confidential info/attachments out?
Nenad Rajsic Commented:
Not only can they send info out, but they can also bring things in: things that you don't want on your network. Most public email providers scan their emails nowadays, but that won't stop encrypted zip/rar files, so if you want to be 100% safe on that front, just block everything.

I know it's not easy to completely lock down everything, but for your peace of mind you should do everything you can to make it as secure as possible. Just make sure that you present your case to your senior management properly in order to get their support for your policies; otherwise you will always have people complaining and wanting to be excluded from your policy, which just creates additional work for you, and by making exceptions you create potential problems for yourself/your network.

More and more people have their own domain names nowadays, so you might want to look for URLs in your content scanner and block those too.
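The point above about encrypted zip attachments getting past provider-side scanning is worth making concrete. The following is an added example, not code from the thread or from any mail gateway product: it reads the ZIP general-purpose flag (bit 0 = entry is encrypted) from each member's central-directory record, so a gateway can at least flag archives it cannot inspect. The sample archives, file names and verdict strings are constructed for the example; the detection is by magic bytes, not by file extension, so a renamed `.zip` is still caught. RAR is not handled here.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"    # local file header signature
ZIP_CENTRAL_HEADER = b"PK\x01\x02"  # central directory entry signature
ENCRYPTED_FLAG = 0x0001             # general-purpose bit 0: member is encrypted


def encrypted_members(data: bytes) -> list:
    """Names of ZIP members whose encrypted flag is set; empty if not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        return []


def classify_attachment(data: bytes) -> str:
    """Verdict for an attachment body, independent of its declared file name/extension.

    "encrypted-zip" means the content scanner cannot look inside, which is exactly
    the case a policy has to decide on (quarantine, strip, or hold for review).
    """
    if not data.startswith(ZIP_LOCAL_HEADER):
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()   # only metadata; no member is decompressed
    except zipfile.BadZipFile:
        return "corrupt-zip"        # truncated or mangled archive: also unscannable
    if any(zi.flag_bits & ENCRYPTED_FLAG for zi in infos):
        return "encrypted-zip"
    return "zip"


def build_zip(encrypted: bool) -> bytes:
    """Constructed sample archive. zipfile cannot write encrypted entries, so the
    encrypted variant is produced by setting flag bit 0 in the local header
    (offset 6) and the central directory entry (offset 8); the payload is stored
    uncompressed so the signature search below cannot hit compressed bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("q3-forecast.xlsx", b"constructed sample payload, not a real spreadsheet")
    data = bytearray(buf.getvalue())
    if encrypted:
        lh = data.find(ZIP_LOCAL_HEADER)
        data[lh + 6] |= ENCRYPTED_FLAG
        cd = data.find(ZIP_CENTRAL_HEADER)
        data[cd + 8] |= ENCRYPTED_FLAG
    return bytes(data)


if __name__ == "__main__":
    for label, body in [("plain", build_zip(False)), ("encrypted", build_zip(True)),
                        ("text", b"hello"), ("truncated", b"PK\x03\x04garbage")]:
        print(label, classify_attachment(body), encrypted_members(body))
```

Only the central directory is read, so the check is cheap and never triggers the "password required" error that extracting an encrypted member would. A gateway rule would then treat "encrypted-zip" and "corrupt-zip" the same way: content it could not scan.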

Swift (Author) Commented:
Thanks for the pointers, but the original issue remains as to how the Internet Policy should sound. I mean to ask, should my written policy statement depict all such inclusions and exclusions at the end of the day?
Your written policy can be vague. You want to tell them that the internet is for work only, then tell them whom they can appeal to for exclusions. Something like,
"Internet access is for work-related functions only. For access to work-related sites that are blocked by policy, please open a ticket with the helpdesk."
ThinkPaper (IT Consultant) Commented:
Agreed. Your policy should cover most basics, but should be vague enough to cover exceptions. You might just want to include a general exception clause. You can also set it up so the onus is on the user to get approval for such sites (so then you end up with a log of what's approved for certain people and what's not, and why and who approved it).

for example:

In special cases, certain users may require access to restricted sites. In cases such as this, users must fill out and submit the "Internet Special Privilege Policy" form (which requires that the user provide proper justification for access and agreement to not abuse said access). The form is then reviewed by XX (IT Security or IA team). Upon approval, the form must be signed by "XX high ranking official/lead/govvie" before access is granted.
ThinkPaper (IT Consultant) Commented:
>> I mean to ask, should my written policy statement depict all such inclusions and exclusions at the end of the day?

No. You don't have to go into that much detail. A better way would be to document that SEPARATELY -- a policy is basically general rules/guidelines. Since inclusions/exclusions can change frequently, you don't want to be modifying the actual policy itself all the time. Policies are "rules" that get approved/signed by the "big guys upstairs" and you don't want to be making them sign it every time it changes.

Rather - have the policy REFER to a separate document for the actual list of inclusions/exclusions ==> "Please refer to XXX document for the list of inclusions/exclusions".

For us, after an approval is made for a special site, we document that in our Ticketing System, which is then sent as a task to the IT team.
If you don't have a ticketing system, then a simple Excel spreadsheet works as well. Just include the pertinent info on it: date submitted, date approved, requesting user, website, reason, approval person, etc.
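The thread describes two things that are easy to get wrong when they are implemented on the proxy: the per-department/per-role rules from the question (and Nenad's first comment), and the separate, changeable exception register ThinkPaper describes (date, user, site, reason, approver). The following is an added example, not code from the thread or from any proxy product, of how the evaluation order can be fixed so that a broad grant (executives may browse everything) can never unlock the executable/zip download block, and so that exceptions are time-boxed rather than permanent. The department names, URL categories, file types and register rows are constructed assumptions; the category label is assumed to come from whatever URL categoriser the proxy already has.

```python
import os
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlsplit

# Assumed category names (not a real vendor's taxonomy), mirroring the thread.
DEPARTMENT_CATEGORIES = {
    "finance": {"business", "stocks-and-shares"},
    "hr": {"business", "job-search"},
    "marketing": {"business", "social-media"},
}
DEFAULT_CATEGORIES = {"business"}           # everyone not listed above
BROWSE_ALL_ROLES = {"executive", "hod"}     # may browse any category ...
BLOCKED_EXTENSIONS = {".exe", ".msi", ".scr", ".js", ".zip", ".rar"}  # ... but never fetch these


@dataclass(frozen=True)
class ApprovedException:
    """One row of the exception register the policy document refers to."""
    user: str
    grant: str          # a category name, or "download:<ext>" for a file-type waiver
    reason: str
    approved_by: str
    approved_on: date
    expires: date       # exceptions lapse instead of accumulating forever


@dataclass
class WebPolicy:
    exceptions: list = field(default_factory=list)

    def _waived(self, user: str, grant: str, today: date) -> bool:
        return any(e.user == user and e.grant == grant and e.approved_on <= today <= e.expires
                   for e in self.exceptions)

    def evaluate(self, user, department, roles, category, url, today):
        """Return ("allow" | "deny", reason). The order of the checks is the policy:
        file-type blocks are evaluated before any grant, and the last rule is deny."""
        ext = os.path.splitext(urlsplit(url).path)[1].lower()
        # 1. dangerous downloads are denied for everyone unless individually waived
        if ext in BLOCKED_EXTENSIONS and not self._waived(user, f"download:{ext}", today):
            return "deny", f"file type {ext} is blocked for all users"
        # 2. role-based blanket browse permission (senior management / HODs)
        if set(roles) & BROWSE_ALL_ROLES:
            return "allow", "role permits all categories"
        # 3. department allow-list
        if category in DEPARTMENT_CATEGORIES.get(department, DEFAULT_CATEGORIES):
            return "allow", f"category {category} is allowed for {department}"
        # 4. individually approved, time-boxed exception (e.g. webmail for proposals staff)
        if self._waived(user, category, today):
            return "allow", f"approved exception for {category}"
        # 5. default deny
        return "deny", f"category {category} is not allowed for {department}"


# Constructed register: the kind of rows ThinkPaper suggests logging per approval.
REGISTER = WebPolicy(exceptions=[
    ApprovedException("bob", "webmail", "bid portals only accept Gmail sign-in",
                      "Head of IT Security", date(2025, 1, 15), date(2025, 12, 31)),
])

if __name__ == "__main__":
    today = date(2025, 6, 1)
    print(REGISTER.evaluate("alice", "finance", set(), "stocks-and-shares",
                            "https://quotes.example.invalid/", today))
    print(REGISTER.evaluate("dave", "sales", {"hod"}, "software",
                            "https://dl.example.invalid/setup.exe?x=1", today))
    print(REGISTER.evaluate("bob", "proposals", set(), "webmail",
                            "https://mail.example.invalid/inbox", date(2026, 1, 1)))
```

Because the register is data rather than part of the evaluator, it can live in the ticketing system or spreadsheet and change without touching the signed policy, which is the separation ThinkPaper recommends.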
ThinkPaper (IT Consultant) Commented:
As for free email - we do not allow access at all. 99.9% of the time, users are NOT using it for business purposes (unless maybe when the user is doing some secret undercover stuff or something HAHA!) and half the time that's where you run into spam and phishing emails and other unsecured downloads. You basically have no control over that.

We DO allow company email though.