This snapshot, taken on 26/07/2008, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.
Prevention

There are four main areas for consideration in the prevention of e-mail and Internet misuse. These are:

  • Policy development
  • Virus defence software
  • E-mail content checking
  • Usage filtering and monitoring

Policy Development

The first step in addressing e-mail and Internet misuse is to determine exactly what the company's position on the matter is.

Senior managers should write and agree a specific company policy or series of policies.

Any such policy should contain:

  • A clear definition as to what is acceptable use, and what is not
  • A clear definition of responsibilities regarding e-mail and Internet use

Having established a policy, you need to ensure that people read, understand and act upon it.

One of the most effective means is to promote the policy using an education and awareness programme. You should also use this to raise awareness of any other information security issues that may be relevant.

Virus defence software

You should install and maintain appropriately configured virus defence software.

E-mail Content Checking

E-mail content checking addresses the following:

  • Anti-virus measures

    You should install and maintain appropriately configured virus defence software.

  • Content

    A content checker filters incoming and outgoing e-mail messages for specific words and phrases. These words normally include obscenities and unwelcome terms - for example, racist and abusive terms.

    It can also be fine-tuned to detect specific subject titles, and thereby detect and stop the spread of certain types of virus. For example, if the subject title of an incoming e-mail message includes the phrase 'I Love You', the message could be stopped, quarantined and inspected to make sure it does not carry the 'I Love You' virus as an attached file.

  • Attachments

    These can be checked to ascertain whether given file types (for example, program files) are present. Such attachments can be investigated whilst stored off-line (a practice sometimes called 'dirt-boxing') and released to the intended recipient if harmless.

  • Message size

    It is wise to set a limit on the size of messages and attachments, as large files can jam links and fill storage. Often, a limit of 2Mb or less is applied, but in practice your limit needs to be decided on the basis of need.
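
As an added illustration (not part of the original guidance), the following Python script applies the four checks above to a constructed message. The phrase list, the subject pattern, the set of program file types and the 2Mb ceiling are assumed policy values; a real deployment tunes each of them.

```python
import os
import re
from dataclasses import dataclass, field

# Assumed policy values for this example; a real deployment tunes each of them.
MAX_MESSAGE_BYTES = 2 * 1024 * 1024              # the "2Mb or less" ceiling mentioned above
BANNED_PHRASES = ["example-banned-phrase"]        # placeholder for obscenities and abusive terms
VIRUS_SUBJECT_PATTERNS = [r"\bI Love You\b"]     # subject titles tied to known mass-mailing viruses
PROGRAM_FILE_TYPES = {".exe", ".com", ".bat", ".scr", ".vbs", ".pif"}  # held off-line for inspection

@dataclass
class Attachment:
    filename: str
    size: int            # bytes

@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def check_message(msg):
    """Return (verdict, reasons). Verdict is 'reject', 'quarantine' or 'deliver'."""
    reasons = []
    # 1. Message size: body plus all attachments against the configured limit.
    total = len(msg.body.encode("utf-8")) + sum(a.size for a in msg.attachments)
    if total > MAX_MESSAGE_BYTES:
        reasons.append(("reject", f"total size {total} bytes exceeds limit"))
    # 2. Words and phrases, case-insensitive, across subject and body.
    text = f"{msg.subject}\n{msg.body}".lower()
    for phrase in BANNED_PHRASES:
        if phrase.lower() in text:
            reasons.append(("quarantine", f"banned phrase: {phrase!r}"))
    # 3. Subject titles associated with a known virus outbreak.
    for pattern in VIRUS_SUBJECT_PATTERNS:
        if re.search(pattern, msg.subject, re.IGNORECASE):
            reasons.append(("quarantine", f"subject matches {pattern!r}"))
    # 4. Attachments: the final extension decides, so 'notes.txt.vbs' counts as a program file.
    for a in msg.attachments:
        ext = os.path.splitext(a.filename.lower())[1]
        if ext in PROGRAM_FILE_TYPES:
            reasons.append(("quarantine", f"program file attached: {a.filename}"))
    # Most severe outcome wins: reject outranks quarantine, which outranks deliver.
    verdicts = {v for v, _ in reasons}
    verdict = "reject" if "reject" in verdicts else "quarantine" if verdicts else "deliver"
    return verdict, [r for _, r in reasons]

if __name__ == "__main__":
    # Constructed sample message (not a real capture).
    sample = Message("I Love You", "kindly check the attached", [Attachment("love-letter.txt.vbs", 12)])
    print(check_message(sample))
```

Quarantined messages are the ones to hold off-line for inspection, as the 'dirt-boxing' note above describes; the reasons list tells the administrator which check fired.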

Usage Filtering & Monitoring

Filtering

It may be necessary to install software that prevents access to websites that are deemed inappropriate.

Web browsing can be managed through simple 'allow or deny' lists in firewalls or proxy servers. Access is allowed or denied on the basis of category.

These categories are used by a number of commercial products, and vendors are constantly updating their lists.

This is a huge task, and many websites are not categorised. There are normally facilities in the software to report un-categorised sites, and these are added to relevant lists. Some sample categories might be:

Allow:  Business, News, Travel, IT
Deny:  Gambling, Sex, Travel, Entertainment

'Allow' lists are often too restrictive and therefore annoy users, whilst 'Deny' lists can become unmanageably large and annoy system administrators.

Any 'allow or deny' lists need to be monitored to make sure the needs of security are not harming the core needs of business users.

Filters can also be used to screen:

  • Active content
  • Applets
  • Viruses in web pages
  • Software downloads (allow or deny certain file types - *.exe, *.mp3, etc.)
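
As an added example (not code from the original guidance or from any product), the Python below models how a proxy applies category-based 'allow' and 'deny' lists, reports uncategorised sites, and screens software downloads by file type. The category database and hostnames are constructed; the category names and file types are the ones listed above.

```python
import os
from urllib.parse import urlsplit

# Constructed category database; a commercial product ships and updates such a list.
CATEGORIES = {
    "news.example": "News",
    "tickets.example": "Travel",
    "casino.example": "Gambling",
    "patches.example": "IT",
}
ALLOW_CATEGORIES = {"Business", "News", "Travel", "IT"}
DENY_CATEGORIES = {"Gambling", "Sex", "Entertainment"}
BLOCKED_DOWNLOAD_TYPES = {".exe", ".mp3"}   # file types given as examples above
uncategorised_report = []                   # hosts to feed back for categorisation

def classify(host):
    """Look the host up, then each parent domain (www.news.example -> news.example)."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return None

def decide(url, mode):
    """mode='allow': allow list, default deny.  mode='deny': deny list, default allow.
    Returns (decision, reason)."""
    parts = urlsplit(url)
    # Download filtering applies in either mode and is checked first.
    ext = os.path.splitext(parts.path.lower())[1]
    if ext in BLOCKED_DOWNLOAD_TYPES:
        return "deny", f"download of {ext} files not permitted"
    category = classify(parts.hostname or "")
    if category is None:
        uncategorised_report.append(parts.hostname)
        # The two list styles fail in opposite directions on unknown sites.
        return ("deny", "uncategorised") if mode == "allow" else ("allow", "uncategorised")
    if mode == "allow":
        return ("allow", category) if category in ALLOW_CATEGORIES else ("deny", category)
    return ("deny", category) if category in DENY_CATEGORIES else ("allow", category)

if __name__ == "__main__":
    for url in ["http://www.news.example/today", "http://casino.example/", "http://unknown.example/"]:
        print(url, decide(url, "allow"), decide(url, "deny"))
```

Running it shows the trade-off described above: in 'allow' mode the unknown site is blocked (restrictive for users), in 'deny' mode it is let through (the deny list must keep growing).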

Monitoring

Monitoring is a complex issue, with a raft of legislation that must be considered if you are thinking about monitoring network traffic and staff activity.

Laws and regulations regarding monitoring (collectively referred to as 'legal instruments') that are most likely to affect businesses are:

  • Computer Misuse Act 1990
  • Copyright Design and Patents Act 1998
  • Data Protection Act 2000
  • Defamation Act 1996
  • European Convention on Human Rights Article 8(1)
  • European Union Data Protection Directive
  • Human Rights Act 1998
  • Obscene Publications Act 1959 & 1964
  • Protection of the Children Act 1999
  • Regulation of Investigatory Powers Act (RIPA) 2000
  • Telecommunications Act 1994
  • Telecommunications Act 2000 (Lawful Business Practice) (Interception of Communications)
  • Turnbull Report (Compulsory for listed Companies)

Many of the instruments act to prevent unfettered monitoring. For example, the Human Rights Act considers secret interception to be an unjustifiable interference with respect to privacy and correspondence.

Others make special provision for it. For example, interception is permitted under the Telecommunications Act, provided the storage of any personal information meets the needs of the Data Protection Act.

From these simple examples, the complexity of the monitoring issue is clear.

Always seek legal advice before monitoring staff e-mails and browsing activities.

For further information, please visit our HR Monitoring section. Also check the E-mail Checklist, which details steps that can be taken to minimise the risks associated with e-mail abuse within an organisation.