Published December 2000

Online security policies necessary in Internet era

By Tom Schreier
Computer Q&A

So, you know you need to get your business on the Internet soon, or maybe you have been on the Internet for a short time. It’s now time to take a look at defining or updating your computer security and usage policies.

Creating information security policies that clarify what is appropriate and what is not can mean an enormous difference to a company’s success and reputation. With the migration of the Internet to every desktop, a potential open door exists through which inappropriate material could be entering the company or private financial assets could be leaving to become public information.

Well-written and followed policies can protect your company from problems ranging from lawsuits to data loss. The policies need to define proper usage on such things as e-mail, Web browsing and the sharing of data inside and outside the company.

A company can be held liable for any misuse of company resources, such as illegal software downloads, sexually explicit material being viewed and even e-mails sent. As seen in the recent Microsoft anti-trust case, e-mail within the company was used in court against the software maker. There also have been cases where employees have viewed adult material and sexual harassment charges were brought against the company.

Your company’s policies need to cover all the “what ifs” in language that all employees can understand. Once written, the policies will need to be updated as company issues change.

Some things to consider:

• How do employees handle information that is proprietary or confidential in nature? Every employee has an information protection duty. Policies are needed to inform employees of what they can and cannot do with respect to this sensitive information. This would include, but not be limited to, e-mails sent from inside and outside the building, chat rooms or any other public posting areas.
• Could your organization have any disciplinary problems concerning the use of computers or networks? Policies are needed to define both acceptable and unacceptable behavior. For example, spending a lot of time surfing the Web or downloading pornography from the Internet are both generally unacceptable. Can employees use the Internet for non-business purposes throughout the day or during breaks? Can they use computer resources to print off 500 copies of a personal holiday letter? Is the e-mailing of jokes OK? Is online stock trading allowed?
• Does the company monitor computer usage? If not, does it reserve the right to do so? Companies need to inform employees that they can monitor any communications, and may do so. Policies are needed to establish the basis for any possible disciplinary action that may be needed.

Setting these policies will only get you so far. Communication and enforcement of the policies are equally important to the success of your business.

In the past, having security policies was merely a good idea for companies that could afford them. Today, corporate survival requires them.

Tom Schreier is the Webmaster and Network Security Analyst for The Herald. He can be reached by sending e-mail to schreier@heraldnet.com.

Back to the top/December 2000 Main Menu