Remember the Good Old Days?
Gone are the days when executives would scribble the draft of a letter on a piece of paper, unmindful of the errors it contained, and pass it on to someone capable of correcting a piece that would otherwise have made a grammarian weep. After a minor edit in one or two places, that piece of communication could be finalised and sent out of the organisation within a few days.
And E-mail Today!
Look at correspondence today. You are out in the field with your laptop computer and can send a fax, check e-mail, schedule appointments and work on documents. E-mail is an important part of your professional and personal life. As with any new technology, new rules and conventions must be followed. Here are some basic and not-so-basic points to help make e-mail messages more appealing and acceptable.
Before You Send the Message
First, determine whether e-mail is the appropriate medium for the message. Remember that in an e-mail message the recipient receives only the words. A large part of the intent can be lost in the absence of body language and tone of voice, so e-mail messages frequently cause misunderstandings between sender and recipient. If you are dealing with a sensitive issue, e-mail may not be the best means of communication.

Treat e-mail messages as seriously as any correspondence sent by snail mail. Recognize that while an e-mail message is privately delivered, the recipient can print it or forward it to others without your knowledge. If a message is forwarded to an unintended party, its contents could come back to haunt you.

Check for messages often. One of the advantages of e-mail is how quickly people can be contacted; failing to check e-mail daily nullifies this advantage. Be sure your system's date and time are accurate, since the date and time of a message can be important in determining which information is most recent.

Recipients and senders often fail to print needed copies of messages, and having copies can save time and effort. However, delete unwanted messages promptly. To save resources and promote privacy, consider moving old messages from your mailbox to a floppy diskette.
It is quite possible to spoof (fake) an e-mail message. In other words, you may receive a message that appears to come from one person but was actually sent by someone else. If you suspect that you have received a spoofed message, contact a university computer center in your locale immediately. Sending an e-mail that appears to be from someone else is a violation of the Computer Use and Abuse Policy, and violators can be prosecuted.
E-mail and Employees
Employers today consider it imperative to extend data communication facilities to all employees whose productivity is expected to improve as a result. E-mail is one such facility. More and more employers are using computers, networks, e-mail and similar resources to communicate and to conduct business operations. Many employers willingly tolerate employees tinkering or playing with such systems, since time an employee spends learning about hardware or software may ultimately be productive for the employer, as the employee can achieve greater efficiency in using the systems. This is the positive side of the story. But employees who are allowed to use company resources in such a loosely supervised fashion can stray out of bounds. Most employers therefore need to establish basic but clear guidelines on the use of e-mail and other computing resources owned by the organisation.
Employers should also consider adopting conduct standards for employees using company resources. There have been, for example, lawsuits recently arising out of employees abusing e-mail systems and posting messages to harass or insult other employees. Employers face the prospect of legal responsibility for such communications that create a "hostile environment" for employees unless preventive steps are taken to avoid such harassment in the workplace. At a minimum, management may wish to consider a policy barring threatening, abusive or inappropriate language over company channels of communication.
The issue of employee privacy should not be overlooked when developing a basic policy on computers and all company resources and facilities. Employees are sometimes allowed to use company computers for lunch-time correspondence or personal recreation. A written policy should advise employees that any files of a personal nature should be maintained by the employee only on a personal diskette, and not stored on a company hard drive or other storage medium. Employers need to be able to access, audit and even seize or remove storage media used in business operations. If an employee's personal files or correspondence are maintained on such a medium, the employee may complain of an invasion of privacy. By warning the employee up front that personal material should simply not be maintained on company facilities, the possibility of a privacy claim can be avoided.
Finally, companies should carefully examine whether all of the software used on company computers, whether by managers or other employees, is properly licensed. Unauthorized duplication of software is a common phenomenon in many offices, and is commonly ignored by managers, employees and software vendors. However, software publishers and their trade associations have become more aggressive in pursuing cases of unauthorized software use. A careless practice, which has been ignored by a company for years, can suddenly become a major problem if a disgruntled ex-employee chooses to report the company's unauthorized use of computer software. Prudent management would consider auditing a company's current systems, and both develop and enforce a clear policy forbidding the use of unlicensed or unauthorized computer software.
Employers, Employees and E-mail: The Issues
Employers should address the following issues in their written policy statement to control the use and abuse of the e-mail facility:
- To what extent can an employer monitor employee electronic communications?
- How should an employer deal with:
  - Access to, downloading and redistribution of pornography throughout the corporate networks.
  - Use of unauthorized encryption technology.
  - Online harassment.
  - Improper use of company computing resources.
- Who owns work produced with company computing resources that has not been authorised?
- What is the company exposure for copyright infringement done by an employee without the company's knowledge?
- Is the company at any greater risk for data and system security and disclosure of company trade secrets due to access to the Internet and expanding worldwide communications capabilities?
- Should the company permit company credit card purchases over the Internet?
Proactive Audit of E-mail
Computer security, privacy and fraud are critical issues as corporate networks and employees link into the Internet. With improved remote access, corporate data are increasingly vulnerable. Employees need to be educated on how to handle sensitive information in the office, from home and in the field. During the Persian Gulf War, a British general jeopardized the entire operation by leaving his laptop computer in his car, from which it was stolen. We will never know for sure the aim of the thieves, but we do know that one career was destroyed.
Trade secret protection is becoming more difficult as foreign governments take on post-cold war assignments. Old, formerly friendly spy networks are now being used for industrial espionage. There is increased concern over how personally identifiable data are collected, used and shared in both the government and private sectors.
Global networks raise privacy and security issues. Most organizations have international offices and their customers, business partners and employees communicate with them 24 hours a day.
Protecting "hard copies" of corporate information in locked file cabinets and locked offices is no longer sufficient security when most of the original data is online and accessible from at least one computer system. Access to the Internet and on-line networks exponentially increases the identified risks. The trend is toward complex, integrated systems, EDI and automated order processing. Again, data security is a big issue. We need to prevent unauthorized access to confidential information and provide for adequate backup. With distributed processing and local departmental file management, audits of departmental and organizational backup practices are essential for the smooth running of a business and for efficient record keeping.
A policy of destroying unnecessary paper as well as electronic files is critical. Recent court cases in the United States have found "smoking guns" in old e-mail and early drafts of corporate documents. The provisions of an early draft may not be binding but can sometimes be used to establish a party's intent or state of mind when entering into a transaction. For these reasons, regular computer system audits are essential. However, care needs to be taken to conduct audits within reasonable guidelines and to use the resulting information appropriately, to avoid seriously damaging employee morale. Employers should address auditing openly and clearly so that employees' expectations of privacy fit within the existing corporate guidelines.
Employment issues take on a new dimension and magnitude when communications are opened onto the Internet. Internal e-mail systems tend to be less regulated and, some might assume, less risky. In essence, the old questions remain for the employer: may it open a letter addressed to an employee at the place of business, open the top desk drawer, or read departmental e-mail? Now the repercussions can be much greater when employers monitor e-mail, or when employees hack into online company records and then disseminate them worldwide. Worse, they may permanently alter records, which can have a devastating impact on the individuals concerned.
How to Monitor E-mails?
Employers should monitor e-mail openly and make clear to employees the level of privacy they can expect when using the company's e-mail facility. Company management should take the following actions to monitor these resources:
- Develop or extend corporate policies to address employee privacy expectations.
- Determine the extent of any current monitoring and limit monitoring to "work related" and supervisory activities. State the extent of monitoring in the policy.
- Educate employees about the policy and periodically remind them of it.
- Post a notice when employees log onto the computer network and require an affirmative acknowledgement by having the employee indicate that he/she has read the screen before moving on. The notice should state clearly that the system and e-mail are not private and will be audited according to the parameters of employee use. It should also state online etiquette for using the network and company resources. For example:
"All systems and electronic communications are to be used for business purposes only and in accordance with company policies and procedures. All systems are subject to periodic company audit for business and security purposes. Please keep these guidelines in mind when using company networks and the Internet."
- Address backup and retention of stored mail.
- Set forth how any accessed information will be used.
Employees should clearly understand when and what is being monitored and what will be done with the resulting information and should also be aware that systems may be audited without prior notice to employees. Employees should understand that use of company e-mail, computers and voice mail systems is limited to business purposes unless otherwise stated.
E-mails are Risky to Data Security
Evidence shows that significant international hacking is increasing. Governments allied to the USA have admitted to industrial spying to assist their citizens in technology development. It is said that foreign governments hire professional hackers who regularly attempt to infiltrate corporations and government agencies. The FBI reported more than 5,000 corporate network "intrusions" in the first four months of 1995, when Internet usage started to surge. This represents 1 percent of the real total, as the veil of secrecy remains in place. Corporate file theft and intrusions by online profiteers represent billions of dollars in business, and that is just skimming the surface. The former head of the FBI, William Sessions, raised the question of whether the US government should assist US companies, either by letting them know when their network security has been breached or by disseminating information that the government has discovered.
Opening company computer networks to remote access and Internet connections also greatly increases the risk to company trade secrets and makes the company vulnerable to computer virus attacks, which can destroy or alter data. Repairing the systems can require substantial resources and involve major system downtime. Policies for handling and accessing company confidential information and trade secrets should be developed and made available to all employees. Safeguards for online purchasing with company credit cards should also be addressed. This is an instance where encryption technology can be effective: digitally signing a message can verify its sender. Network security, both on the local area network and outward to the Internet, must be addressed because the threats are real and business assets are at stake.
The infamous case of Borland International vs. Symantec Corp. illustrates plainly how an employee can abuse e-mail to send out secret and critical information. Auditing e-mail is not a simple issue, as it is directly connected to the privacy of the employee concerned. Laws dealing with privacy and the auditing of e-mail differ among the states of the United States. Nevertheless, an explicit policy covering the use of all resources, including e-mail, is essential so that employees are clear about the consequences of using the facility for anything other than its pre-defined purpose.
J. P. Pathak, Ph.D.
obtained his master's in Finance from the University of Rajasthan-Jaipur and Doctorate in Management Studies on his thesis on Information Systems Auditing in Distributed Data Processing Area from the University of Goa. The author is presently head of the department of MOP (A Graduate-level Programme in Modern Administrative Management) at the Government Polytechnic Institute-Panaji (Goa) India. Dr. Pathak holds memberships in the Indian Society of Technical Education, New Delhi; the Computer Society of India, Bombay; and the Indian Accounting Association-Goa Chapter (executive member.) There are numerous publications to Dr. Pathak's credit including Goal-Oriented Programme Efficiency Test in Operational EDP Audit--A Markovian Experiment; Is your Executive Security Enough?; and The Magic Mantra For Managers. Dr. Pathak can be contacted at firstname.lastname@example.org.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2000 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.