We are in the middle of revising and revisiting our Internet access and email policy. Generic clauses aside, there is a need to define policy which caters to the following:
1. Some websites need to be allowed for one department but not for others, e.g. Accounts and Finance can access websites categorised as stocks and shares (we use an internal proxy/webcache device) while HR can access job search and posting related sites; otherwise such websites are disallowed for everyone else. Also, senior executive management/HODs etc. are allowed everything except the ability to download executables/zips etc. Then we have some in our proposals/marketing department who insist (with a sound business case) on having access to free email services like Gmail/Yahoo etc.
So, how do you guys deal with such disparate demands and still create a well-controlled policy around it?
2. What's the usual practice to allow/disallow access to free email services? The concern is, there are zillions of ways to send the data out of our premises: USB/CD writers, or even sending to your own account via official email and then going home and forwarding it to someone from there. Security-wise, it doesn't make much sense to restrict access to private email, but still, shall we leave it open for access to all?