Swift asked:
The internet access policy conundrum

Hi Guys

We are in the middle of revising and revisiting our Internet access and email policy. Generic clauses aside, there is a need to define policy which caters to the following:

1. Some websites need to be allowed for one department but not for others, e.g. Accounts and Finance can access stocks-and-shares categorised websites (we use an internal proxy/webcache device) while HR can access job search and postings related sites; otherwise such websites are disallowed for everyone else. Also, senior executive management/HODs etc. are allowed everything except the ability to download executables/zips etc. Then we have some in our proposals/marketing department who insist (with a sound business case) on having access to free email services like Gmail/Yahoo etc.

So, how do you guys deal with such disparate demands and still create a well-controlled policy around it?

2. What's the usual practice to allow/disallow access to free email services? The concern is, there are zillions of ways to send the data out of our premises: USB/CD writers, or even sending to your own account via official email and then going home and forwarding it to someone from there. Security-wise, it doesn't make much sense to restrict access to private email, but still, shall we leave it open for access to all?

Pls advise!!
ASKER CERTIFIED SOLUTION
Nenad Rajsic
Swift (ASKER):

Thanks for the reply.

Logically speaking, what's the security hazard of allowing access to private emails, apart from the fact that users can send confidential info/attachments out?
Not only can they send info out, but they can also bring things in: things that you don't want on your network. Most public email providers scan their emails nowadays, but that won't stop encrypted zip/rar files, so if you want to be 100% safe on that front just block everything.

I know it is not easy to completely lock down everything, but for your peace of mind you should do everything you can to make it as secure as possible. Just make sure that you present your case to your senior management properly in order to get their support for your policies; otherwise you will always have people complaining and wanting to be excluded from your policy etc., and it just creates additional work for you, and by making exceptions you just create potential problems for yourself/your network.

More and more people have their own domain names nowadays, so you might want to look for webmail.domain.com URLs in your content scanner and block that too.
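The department-based rules from the question (per-department category allow-lists, a download block on executables/archives for executives, a webmail exemption for proposals/marketing) and the webmail.domain.com host pattern from the reply above can be expressed as one policy table evaluated by the proxy, with approved exceptions logged per user. The following is an added example written for this thread, not code from any participant or from a real proxy product; the category map, department names, hostnames and the approved-exception record are constructed stand-ins for what a webcache device's URL categoriser and an exception-approval form would supply.

```python
"""Per-department web access policy evaluator (constructed example, not from the thread)."""
import posixpath
import re
from urllib.parse import urlparse

# Constructed category map standing in for the proxy/webcache categoriser:
# hostname -> category label.
URL_CATEGORIES = {
    "quotes.example-stocks.com": "stocks",
    "jobs.example-board.com": "jobs",
    "mail.example-webmail.com": "webmail",
    "intranet.example.local": "business",
    "docs.example-vendor.com": "business",
}

# Constructed policy table. A category absent from a department's "allow"
# set is denied (default deny). "download_block" lists file extensions the
# department may not fetch even from an allowed site.
DEPARTMENT_POLICY = {
    "finance":   {"allow": {"business", "stocks"}, "download_block": set()},
    "hr":        {"allow": {"business", "jobs"}, "download_block": set()},
    "marketing": {"allow": {"business", "webmail"}, "download_block": set()},
    "executive": {"allow": {"business", "stocks", "jobs", "webmail"},
                  "download_block": {".exe", ".msi", ".zip", ".rar", ".7z"}},
    "default":   {"allow": {"business"}, "download_block": {".exe", ".msi"}},
}

# Hosts of the form webmail.<anything> are treated as webmail regardless of
# what the categoriser says, matching the reply's suggestion.
WEBMAIL_HOST_RE = re.compile(r"^webmail\.", re.IGNORECASE)

# Constructed exception log: user -> {category: approval record}. In practice
# this is populated from the signed exception form and kept as an audit trail.
APPROVED_EXCEPTIONS = {
    "alice": {"jobs": "ticket EXAMPLE-1, approved by IT Security (constructed)"},
}


def categorise(host):
    """Map a hostname to a category; webmail.* wins over the lookup table."""
    if WEBMAIL_HOST_RE.match(host):
        return "webmail"
    return URL_CATEGORIES.get(host.lower(), "uncategorised")


def evaluate(department, url, user=None):
    """Return (allowed, reason) for a request from `department` to `url`.

    Evaluation order: category check (with per-user approved exceptions),
    then the download extension block. Unknown departments fall back to the
    "default" policy, so a misconfigured group gets the most restrictive rules.
    """
    policy = DEPARTMENT_POLICY.get(department, DEPARTMENT_POLICY["default"])
    parsed = urlparse(url)
    host = parsed.hostname or ""
    category = categorise(host)

    if category not in policy["allow"]:
        approval = APPROVED_EXCEPTIONS.get(user or "", {}).get(category)
        if approval is None:
            return False, f"category '{category}' not allowed for {department}"
        return True, f"allowed by exception for {user}: {approval}"

    # Extension check is case-insensitive so TOOL.EXE is caught too.
    ext = posixpath.splitext(parsed.path)[1].lower()
    if ext in policy["download_block"]:
        return False, f"download of '{ext}' files blocked for {department}"
    return True, f"allowed ({category})"


if __name__ == "__main__":
    samples = [
        ("finance", "https://quotes.example-stocks.com/ticker", None),
        ("hr", "https://quotes.example-stocks.com/ticker", None),
        ("executive", "https://docs.example-vendor.com/tool.exe", None),
        ("default", "https://webmail.somebody.net/login", None),
        ("marketing", "https://webmail.somebody.net/login", None),
        ("finance", "https://jobs.example-board.com/", "alice"),
    ]
    for dept, u, who in samples:
        print(dept, u, evaluate(dept, u, user=who))
```

The point of the exception record is the one made later in the thread: each approval carries who asked, for what, and who signed it off, so the written policy can stay short while the enforcement table and its audit trail carry the detail.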
Swift (ASKER):

Thanks for the pointers, but the original issue remains: how should the Internet Policy sound? I mean to ask, should my written policy statement depict all such inclusions and exclusions at the end of the day?
Your written policy can be vague. You want to tell them that the internet is for work only, then tell them whom they can appeal to for exclusions. Something like,
"Internet access is for work-related functions only. For access to work-related sites that are blocked by policy, please open a ticket with the helpdesk."
Agreed. Your policy should cover most basics, but should be vague enough to cover exceptions. You might just want to include a general exception clause. You can also set it up so the onus is on the user to get approval for such sites (so then you end up with a log of what's approved for certain people and what's not, and why and who approved it).

for example:

Exceptions:
In special cases, certain users may require access to restricted sites. In cases such as this, users must fill out and submit the "Internet Special Privilege Policy" form (which requires that the user provide proper justification for access and agreement to not abuse said access). The form is then reviewed by XX (IT Security or IA team). Upon approval, the form must be signed by "XX high ranking official/lead/govvie" before access is granted.
SOLUTION
As for free email - we do not allow access at all. 99.9% of the time, users are NOT using it for business purposes (unless maybe when the user is doing some secret undercover stuff or something HAHA!) and half the time that's where you run into spam and phishing emails and other unsecured downloads. You basically have no control over that.

We DO allow company email though.