
A practical guide for creating an Email & Internet Usage Policy

Clearswift Toolkit Series

Introduction ...................... 2
Clearswift Email, Internet and Personal Computer Acceptable Use Policy ...................... 3
Using Email ...................... 4
Using the Web and Internet .................... 14
Using the Company Wireless Network .................... 19
Using the Corporate Desktop or Laptop .................... 20
Using Personally Owned Desktop or Laptops .................... 24
Using Remote Access .................... 25
Handling Confidential Data .................... 27
Consequences of Misuse .................... 29
Legal Disclaimer .................... 30

© 2007 Clearswift Limited. All rights reserved.

For over ten years, Clearswift has been evangelizing policy-based security. For us, content security must start with a clear, explicit policy that meets the need of the business and is communicated to all staff members. Only then can people, processes and technology play their part in enforcing that policy.

Over the years, we’ve produced guides to help our customers create or improve their own policies. But we’ve never actually ‘opened our kimono’ and shared our internal policy with the world.

Until now. What you’re about to read is the same policy that every Clearswift employee signs up to, and is enforced for email, web and IM usage through MIMEsweeper. It has served us well over the years, helping clarify acceptable use, deterring unacceptable behavior, guiding our MIMEsweeper deployments and removing the ‘But I didn’t know’ defense.

To help clarify some of the issues surrounding security policies, we’ve annotated the policy with Legal, Practical and Technical Tips.

We hope this exercise helps you to sharpen your own policy. And we welcome your views on this or any other security issue.

Jon Lee
CEO
Clearswift

Hints & Tips Key: Legal Tips, Practical Tips, Technical Tips


The purpose of this policy is to ensure the acceptable use of Clearswift’s computer, e-mail and Internet facilities by its employees, sub-contractors and other computer users (“Users”). The following policy rules apply to all Users of Clearswift’s (“the Company”) e-mail, Internet and computer facilities wherever the Users are located.

IMPORTANT: The policy guidelines listed below are of critical importance and non-compliance can constitute a serious disciplinary matter.

This policy may be amended or revised periodically.

LEGAL TIP

Date your policy and issue updates to all employees to ensure you’re all on the same page. When you make updates, issue them to everyone, highlighting the changes and the reasons. Think about adding version numbers to ensure people have the latest documents and consider source control systems to accurately back-up and archive your policy. Consider also sending your policy in a format that will not be tampered with, such as a PDF document.

Think about how you distribute your policy to make sure everyone has not only received it, but read it. Policy Management products (like those from Policy Matter) can help, asking employees to ‘tick’ their agreement to your policy.

LEGAL TIP

Remind employees that this is essentially a legal document and can be used in disciplinary hearings or in court.


1. Business & Personal Use

The Corporate E-mail system is primarily to be used for business purposes however it is permissible to use the Corporate E-mail system for occasional personal use.

Work on the Company’s business must always take precedence over a user’s personal use of the system and if the user’s personal use exceeds an acceptable level, then their access to the system may be curtailed.

Users should not have an expectation of personal privacy in anything they create, send or receive on the Company’s e-mail system or the Bulletin board of our intranet, as it should relate to business matters (unless posted on the Employee Bulletin board), although commercial confidentiality will apply.

TECHNICAL TIP

Your policy is only as effective as the monitoring and enforcement processes that back it up. It’s vital to have the tools in place to monitor and report on email usage – including flags for your heaviest users and over-use of personal email.

MIMEsweeper technology generates regular reports and can alert administrators when policies or thresholds have been breached.

LEGAL TIP

Make sure users understand that personal privacy should NOT be expected on the company network. But make sure this complies with the laws in each country in which you do business.

2. Crafting email communications

All e-mail communications must be carefully drafted and as much care taken in their construction as with any other method of communication (see Appendix I). Improper statements can give rise to personal liability or corporate liability. Clearswift strictly forbids the sending of e-mails that are:

• Discriminatory on the basis of race, gender, nationality, ethnic origin, age, sexual orientation, religion or disability.
• Threatening, harassing, defamatory, abusive or malicious.
• Related to illegal activities.
• Related to operating a personal business or soliciting money for personal gain.
• Originating or sending chain e-mail or spamming.
• Containing material that infringes third party copyright.
• Containing material that is illegal or offensive such as pornography.
• An infringement of the company’s policy on Confidentiality and protection of Intellectual Property.

PRACTICAL TIP

We’ve added to this list over the years and feel it’s pretty comprehensive for today’s threats. Does your policy cover all these abuses?

PRACTICAL TIP

Consider developing a quick “Guide To Email Use” to supplement your policy. This can be a part of every employee’s induction process. Some companies use a simple printed piece while others have used online versions.


3. Large Files

Size and Parking of Large Files: Current policy for size and parking of large files limits the sending and receiving of files exceeding 33mb. However if a file is over 10mb it will be parked during the hours of 0800 to 1900, after which it will be released. These sizes may be changed in the future to reflect differing business demands.

TECHNICAL TIP

Select a content monitoring solution that makes it easy to ‘park’ attachments that exceed your size limits. Users should then be automatically alerted to the fact, so they don’t waste time repeating the mistake and trying to track down the cause.

Of course, some departments and individuals legitimately need to send large files. Make sure your filtering solution can recognize these users and give them more headroom.

Does your current solution do all that?

PRACTICAL TIP

Monitoring bandwidth usage is important for keeping an eye on the heaviest users and for planning resource allocation.

Consider whether any departments are more likely to send large files regularly. At Clearswift, we create policy supplements for specific departments – and set our MIMEsweeper filters accordingly (It helps to have granular policy management!)

4. Legally binding emails

E-mail communication can be as legally binding as a verbal or paper/written communication. Therefore care must be taken when committing the Company to any contractual or binding actions or statements, for example agreeing to a price for a service in an e-mail, or quoting a price for a product.

5. Copyrighted material

If any copyright material is to be used in an e-mail a user must ensure that they have the copyright owner’s written permission to use the material for the intended purpose and that it is correctly referenced. If a user is in doubt as to whether usage is permitted they should contact their line manager to discuss the matter further.

TECHNICAL TIP

Your monitoring tool should be able to analyze content to stop copyrighted material, embargoed financials or even unauthorized price quotes from leaving the business.

With MIMEsweeper, you can decompose an email to identify any hidden materials and use the lexical analysis, patterns or fingerprinted information to identify policy breaches. Based on the information gathered by the content analysis engine, MIMEsweeper then nominates different managers to be alerted to different kinds of breaches. For instance, you could alert the sales manager to any price quote being sent out.

6. Inappropriate emails

Users must report any instances of inappropriate or offensive e-mails they receive or become aware of to their line manager immediately, except where users are subject to Supplementary Guidelines, which cover technical or marketing activities.


7. Duty of care

All users have a duty of care to the Company. Therefore if a user is aware of any breaches of this Policy they must refer the matter to the Regional IT Manager, their Line Manager or the Regional HR representative immediately.

8. Signature policy

All Company outbound e-mails sent must conform to the Company Corporate signature policy in force at that time. Details may be found in our intranet and will be communicated from time to time by Corporate Marketing. Please note: this signature should not be applied to personal e-mails. If in doubt contact Corporate Marketing.

PRACTICAL TIP

Signatures can be used to help differentiate company email from personal messages. This can be extremely important in compliance cases.

9. Archiving

Communications sent or received by e-mail are Company records and as such belong to Clearswift; they will be stored and archived to be used at the Company’s discretion. If a user believes they will need information contained in an e-mail in the future, they should keep hard copies of e-mails sent or received and save them in a safe electronic environment. If advice is needed on how to do this please see the Regional IT Manager. Please note that the Company archiving system is not intended as a means of filing data for future use.

PRACTICAL TIP

A good reporting tool (like MIMEsweeper’s) lets you monitor how much email data is being archived so you can plan your storage needs.

Of course, MIMEsweeper’s policy-based archiving can help keep storage usage down by archiving only relevant emails – instead of paying to store spam.


10. Outbound disclaimers

All Company outbound e-mails will automatically carry the following disclaimers (or similar wording):

“This communication is confidential and may contain privileged information intended solely for the named addressee(s). It may not be used or disclosed except for the purpose for which it has been sent. If you are not the intended recipient, you must not copy, distribute or take any action in reliance on it. Unless expressly stated, opinions in this message are those of the individual sender and not of Clearswift. If you have received this communication in error, please notify Clearswift by emailing the support team quoting the sender and delete the message and any attached documents. Clearswift accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the Clearswift domain.

This footnote confirms that this email message has been swept by MIMEsweeper for Content Security threats, including computer viruses.

Clearswift monitors, controls and protects all its messaging traffic in compliance with its corporate email policy using Clearswift products.

Find out more about Clearswift, its solutions and services at http://www.clearswift.com.”

LEGAL TIP

Different areas of the business, or even different regions, may require specific disclaimers that relate to relevant laws. As an example, see a review of the UK Companies Act, including regulations about email disclaimers, at: www.pwclegal.co.uk/images/uk/eng/home/CSec003%20%20Newsletter%20Nov2006v2.pdf

TECHNICAL TIP

A good content filtering solution should let you assign different disclaimers to different kinds of mail or user groups.


11. Personal emails

Users should mark their personal emails sent externally “Personal” in the subject line to clearly identify them as non-business emails.

12. Internal Disclaimers

All internal e-mails will automatically carry the following disclaimers (or similar wording):

“This internal email has been scanned by MIMEsweeper for Exchange, in accordance with the latest E-mail, Internet and Personal Computer Acceptable Use Policy, for Security Breaches, Compliance, Loss of Reputation, Business Performance and Legal Liability.”

TECHNICAL TIP

It’s important to monitor internal email as well as inbound and outbound traffic. Internal mail is the bulk of most enterprise traffic and can carry all the hazards associated with email – especially if an employee brings in malicious code on a personal device or storage medium.

MIMEsweeper handles internal email from the same management console as the gateway filters, ensuring consistent, centrally deployed policy. Just add Exchange manager to the MIMEsweeper for SMTP product.

13. Protecting against malware

In order to protect the Company from viruses, exploits and malware the Company uses a number of scenarios to prevent threats from entering the network. These include, but are not limited to, anti-virus checking, checking for spam, blocking of various file types e.g. executables, screen savers, batch files.
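As an added example (not code from Clearswift or the MIMEsweeper product), the following Python turns the two attachment rules the policy states, the size limits and parking window of section 3 and the file-type blocking of section 13, into one gateway decision function; it checks file type by content as well as by name, since a renamed executable keeps its header. The thresholds are the page's; the extension list, the sample attachments and the batch-file heuristic are constructed assumptions.

```python
"""Attachment policy check for a mail gateway (added example, not Clearswift code).

Section 3: files over 33mb are not sent or received; files over 10mb are parked
between 0800 and 1900 and released afterwards.
Section 13: executables, screen savers and batch files are blocked.
"""
from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum
from typing import Tuple


class Verdict(Enum):
    DELIVER = "deliver"   # pass through now
    PARK = "park"         # hold until the parking window closes at 19:00
    BLOCK = "block"       # reject and tell the sender why


MB = 1024 * 1024
HARD_LIMIT = 33 * MB                            # section 3: never sent or received
PARK_THRESHOLD = 10 * MB                        # section 3: parked in working hours
PARK_START, PARK_END = time(8, 0), time(19, 0)  # 0800 to 1900

# Section 13 names executables, screen savers and batch files; this extension
# set is a constructed reading of that list, not Clearswift's configuration.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd"}


@dataclass
class Attachment:
    filename: str
    size: int     # bytes
    head: bytes   # first bytes of the file content


def looks_executable(att: Attachment) -> bool:
    """True if the name or the content marks the file as an executable or script.

    PE executables and .scr screen savers start with the DOS 'MZ' header, so
    they are caught even when renamed to .jpg. Batch files have no magic
    number; the '@echo off' test is a constructed heuristic that shows content
    checking for scripts, not a complete detector.
    """
    name = att.filename.lower()
    by_name = any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)
    by_content = (att.head.startswith(b"MZ")
                  or att.head.lstrip().lower().startswith(b"@echo off"))
    return by_name or by_content


def in_parking_window(now: datetime) -> bool:
    """Parking applies from 08:00 up to, but not including, 19:00."""
    return PARK_START <= now.time() < PARK_END


def evaluate(att: Attachment, now: datetime) -> Tuple[Verdict, str]:
    """Return the gateway action and the reason shown to the user.

    Ordered so the most serious rule wins: blocked type first, then the hard
    size limit, then time-of-day parking.
    """
    if looks_executable(att):
        return Verdict.BLOCK, f"{att.filename}: blocked file type (executable or script)"
    if att.size > HARD_LIMIT:
        return Verdict.BLOCK, f"{att.filename}: exceeds the 33 MB limit"
    if att.size > PARK_THRESHOLD and in_parking_window(now):
        return Verdict.PARK, f"{att.filename}: over 10 MB, parked until 19:00"
    return Verdict.DELIVER, f"{att.filename}: within policy"


def decide(filename: str, size: int, head: bytes, hour: int, minute: int = 0) -> str:
    """Evaluate one attachment at a given clock time and return the verdict name."""
    when = datetime(2007, 1, 1, hour, minute)   # constructed date; only the time matters
    return evaluate(Attachment(filename, size, head), when)[0].value


if __name__ == "__main__":
    # Constructed sample attachments (names, sizes and header bytes are made up).
    samples = [
        Attachment("report.pdf", 5 * MB, b"%PDF-1.4"),
        Attachment("dataset.zip", 12 * MB, b"PK\x03\x04"),
        Attachment("video.mov", 40 * MB, b"\x00\x00\x00\x14ftyp"),
        Attachment("invoice.pdf.exe", 1 * MB, b"MZ\x90\x00"),
        Attachment("holiday.jpg", 1 * MB, b"MZ\x90\x00"),   # renamed executable
        Attachment("cleanup.bat", 200, b"@echo off\r\necho hello"),
    ]
    for when in (datetime(2007, 6, 1, 10, 30), datetime(2007, 6, 1, 20, 0)):
        print(f"--- {when:%H:%M} ---")
        for s in samples:
            verdict, why = evaluate(s, when)
            print(f"{verdict.value:8} {why}")
```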


14. Profanity

Profanity refers to any words or list of words that may give cause for offence. Clearswift is actively scanning and monitoring e-mail for profanity; if this is detected you may receive the following information message:

Inbound:

“An e-mail intended for you has been classified as containing profanity and may therefore be in breach of the Company’s e-mail policy. The e-mail has been sent by <sender> and on the subject of <subject header>.

If the e-mail is intended as a formal business communication and you believe the content does not contain profanity, please contact IT Support to clarify.

The quarantined e-mail will be deleted if you do not request it to be released within 5 days.”

Outbound:

“Your e-mail to <recipient> with subject <subject header> is quarantined in <area name> because it may contain profanity and be in breach of the Company’s E-mail Policy. The e-mail has therefore been quarantined and not sent to the recipient(s).

If the e-mail is intended as a formal business communication and the content does not appear to contain profanity, please contact IT support to clarify. The message was quarantined by the <Regional MAILsweeper>”

Users may not use or circulate profanity in the Company’s e-mail unless it is part of an approved conducted trial or test to validate our software performance and they have previously signed the Supplementary Guidelines, or in the event that an e-mail containing profanity is being forwarded as evidence of a breach of policy to a Line Manager. The inappropriate use of profanity by users in an e-mail is considered a disciplinary matter.

TECHNICAL TIP

Can your content monitoring solution monitor profanity in many languages?

Also, you may not want to expose your IT staff to profanity abuses – it’s not really their job. MIMEsweeper lets you choose the department alerted to each type of breach. So the HR department might be better able to deal with illegal or profane content.

TECHNICAL TIP

MIMEsweeper lets you decide what to do about policy breaches. Block, park, quarantine, alert administrators, warn users, record the breach or design any combination of these.


15. Inappropriate Content

Clearswift will be actively scanning and monitoring e-mail and Internet information for pornographic content. If pornographic material is detected then it will be deleted. It is considered a matter of Gross Misconduct for a user to be in possession of, or to circulate, pornography and related inappropriate material (i.e. offensive on the basis of ethnic origin, sex, sexual orientation, religion, race, disability, age etc). Any e-mail received containing such material and that is delivered to a user must be reported to the Regional IT Manager to determine how it entered the network and from where it came.

TECHNICAL TIP

For pornography, image filtering can be as important as text filtering. Talk to us about MIMEsweeper’s image scanning capabilities with IMAGEmanager.

PRACTICAL TIP

Pornographic images aren’t the only ones that can damage your company. You may also need to scan for other images such as confidential blueprints, or images from a new product, package or campaign.

16. Personal Message Manager (PMM)

MIMEsweeper for SMTP will scan and monitor for spam. Where an e-mail is suspected of being spam a user may receive a digest which will notify them of the mails that have been quarantined due to being detected as spam. If they believe such a mail to be a genuine business mail they will be able to release the mail by accessing PMM.

TECHNICAL TIP

Letting users manage their own quarantine lists takes a massive burden from the shoulders of your administrators. But make sure all activity is logged so you can audit any breaches.


17. Individual email identity

It is prohibited to use another individual’s e-mail identity (accomplished by forgery or unauthorized access) to send or receive mail, either for private or business usage. If a user has signed Supplementary Guidelines they may, for testing purposes, need to use fictitious identities.

18. Mailbox access

Users should be aware that other members of the Company may need to access their mailboxes in their absence or following the termination of their employment and it may be appropriate to give a colleague access to their mailbox for business purposes when they are unavailable.

Where, for whatever reason, a user needs to access another user’s mailbox, permission must be obtained from the HR Manager who will then make the necessary arrangements with IT.

19. Encrypted documents and files

No encrypted documents/files should be attached to outbound e-mails. If there are special circumstances and encryption is required then this will need the approval of the relevant Executive. If an encrypted message is sent, the following information message will appear:

“An e-mail sent by you has been classified as containing encrypted information and may therefore be in breach of the Company’s e-mail policy. The e-mail is being sent to <recipient> and on the subject of <subject header>.

If the e-mail is intended as a formal business communication and you believe it should be sent in this format please contact the relevant Executive and ask him to contact IT Support to release it.

The quarantined e-mail will be deleted if you do not request it to be released within 5 days.”

TECHNICAL TIP

Encrypted files can carry all sorts of hazards. MIMEsweeper lets your policy control encryption, limiting its use to specific groups or file types and tracking all encrypted traffic. For instance, you can automatically route all messages sent from the legal department to an encryption server and from there route to your lawyers.


20. Confidential emails

Users should not forward confidential e-mail to any other person or entity without the express permission of the sender unless there is a valid business reason for doing so. Bear in mind that Copyright belongs to the author and consideration should be given to whether the author would object to their e-mail being forwarded. At all times users must be aware that they should take all steps to maintain the confidentiality of Clearswift’s confidential information which is transmitted by e-mail and to take no action which would jeopardize this confidentiality.

21. Spamming

Users should not spam their colleagues with personal e-mails e.g. regarding charity events, sales of goods, etc. although e-mails regarding special occasions e.g. birthdays, weddings etc are acceptable. There is an area on our intranet which is specifically designed for this type of communication.

22. Malicious code & viruses

Users must not send e-mail containing malicious code or viruses to third parties unless they have prior written consent from the third party; written consent may be in the form of an e-mail.

TECHNICAL TIP

Virus scanning is an essential layer of content security. But anti-virus scanners alone only identify known viruses. MIMEsweeper supplements anti-virus with content filtering to provide zero-day protection and enable you to block viruses and worms before virus profiles are issued. MIMEsweeper uses recursive decomposition to break a message into its constituent parts in order to identify likely malicious code and then routes to an AV scanner to check against known malware.


23. Scanning and monitoring

Clearswift scans all email (including personal email) and carries out random monitoring in order to protect the interests of the Company. This is done in order to enforce this Policy and to maintain the effectiveness, integrity and security of the Company’s network. The Company may specifically monitor a user’s email under the following circumstances:

• An employee is absent or their employment has been terminated and mails need to be checked to ensure the smooth running of the business.
• If the Company suspects that a user has been viewing or sending offensive or illegal material, such as material containing racist terminology or nudity (although the Company understands that it is possible for users inadvertently to receive such material and they will have the opportunity to explain if this is the case).
• If the Company suspects that a user has been sending or receiving an excessive number of personal communications.
• If the Company suspects that a user is sending or receiving e-mails that are detrimental to the Company.
• If the Company suspects a breach of this Policy.
• As required by instructions from a law enforcement body or legislation.

LEGAL TIP

It’s essential that all employees know that their email traffic can and will be monitored. Check for legal implications in different countries.


1. Internet access

Clearswift provides access to the Internet via Clearswift’s computer system for the purposes of the user’s employment. Use of the Internet for any other purpose is therefore strictly prohibited with the exception of reasonable use in accordance with this Policy outside the User’s working hours or during agreed work breaks. All connections will be monitored and scanned via MIMEsweeper for Web and this should not be circumvented, unless expressly authorized in advance by IT or Supplementary Guidelines have been signed.

PRACTICAL TIP

Almost every enterprise secures their email traffic to some degree. But many still allow un-secured use of the web. With a new generation of web-based attacks, spyware, adware and webmail-borne viruses and increasing usage of Web 2.0 sites, it’s more important than ever to apply your security policy to the web as well.

2. Inappropriate sites

The following are almost always considered unacceptable: accessing sites that are or might be considered to be indecent, offensive (e.g. contain racist/sexist terminology or nudity), pornographic, obscene, racist or illegal, including sites relating to criminal skills, gambling and illegal drugs. This list is not exhaustive. However, please be aware that blocking cannot be guaranteed and you may access sites that are inappropriate or offensive. If this occurs please report immediately to IT for further investigation.

PRACTICAL TIP

Again: define the unacceptable, don’t just name it.

PRACTICAL TIP

Webmail is an increasingly popular medium that is not covered by email filters. Many companies not only allow webmail, but actively encourage it for personal email as a way of separating the personal from the business traffic.

Of course, it’s still essential to filter webmail, something MIMEsweeper for Web and the MIMEsweeper Web Appliance do exceedingly well.

Usage of Web 2.0 sites is now prevalent in the work place, and organizations need to ensure that they implement policies that enable secure use of such sites, while protecting themselves from inadvertent data leakage or the use of inappropriate or damaging language.


3. Blogs

The Company will monitor and scan any postings to Internet Blogs. If the Company notices that a user has been posting offensive or illegal material, such as material containing racist terminology, slanderous statements or pornography, this may be considered a disciplinary matter. If the user has been posting comments which damage the reputation of the Company, or disclose confidential information about the Company, its employees or clients, this may also lead to disciplinary action being taken.

TECHNICAL TIP

Just as with email, your web filtering solutions should be able to recognize the user and apply your policy accordingly. For instance, your IT teams may need to download drivers and applications that you don’t want the entire staff to download.

4. Corporate resources

Personal use of the Internet from corporate resources outside the User’s normal working hours is acceptable, however, employees should ensure that there are no excessive downloads of data as this may impact the performance of Corporate access to the Internet.

TECHNICAL TIP

URL blocking is only the first layer of a comprehensive web security strategy. MIMEsweeper Web solutions combine one of the world’s most powerful URL blockers integrated with a content filtering engine that monitors every byte of data being uploaded or downloaded.

PRACTICAL TIP

Web 2.0 applications like blogs, wikis and social networking are a new medium for digital threats to your organization. Bring them into your policy, and implement a set of rules that enables individuals to harness all the benefits of Web 2.0 technologies while protecting your business.

TECHNICAL TIP

MIMEsweeper for Web and the MIMEsweeper Web Appliance provide complete audit trails and reports so you can monitor and manage web use throughout the enterprise.


5. Downloading Software

Extreme care must be exercised when considering downloading any information from the Internet. The following questions must be considered by a User:

• Do I have the express permission of the owner of the information/graphics/software to download and use it as I wish? Downloading without the owner’s permission will amount to copyright infringement.
• Do I need a software license to use/download the software? If a license is necessary for business purposes users must contact the IT Department to gain approval before installing and accepting any license terms. Users have a duty of care and should not evaluate or install software on Corporate systems unless they have ensured that the license terms are complied with. Unlicensed software could create a liability for the company.

Users should also note that Freeware or Shareware generally allow for free personal usage, but require a license for business use. Therefore a user is permitted to download and install appropriate Freeware or Shareware to assist them in their normal duties only if any such installation is done in compliance with the provider’s license terms. If you are uncertain about the license terms or have reason to suspect that any of the license terms will be unacceptable to the Company, you must contact the IT department before agreeing to these terms or downloading the software.

If a user has a valid business reason for using software that has to be purchased, they should seek financial approval for the purchase as per the appropriate company policy.

TECHNICAL TIP

MIMEsweeper can tell employees why access to a particular website has been blocked, referring them back to the policy they signed.

PRACTICAL TIP

A policy on Freeware and Shareware is important. They’re a major source of security problems, especially spyware and adware. Of course, your most educated users, like the IT department, may need to download shareware – make sure your policy and filtering technology allows for this.


1. Profanity

Clearswift is actively scanning and monitoring access to the Internet for profanity; if this is detected you may receive the following information message:

“The URL you have requested has been blocked by MIMEsweeper for Web because it contravenes the company Web Policy with regard to profanity.
If you feel this page shouldn't be subject to this policy, or is essential for work, then please contact IT support.”

Therefore please contact IT if you believe this has been blocked in error.

The company actively blocks certain categories of Websites, e.g. criminal skills, hate speech, violence and pornography. When trying to access this type of web site a user may receive this alert:

“The URL you have requested has been blocked by MIMEsweeper for Web because it contravenes the company Web Policy.
If you feel this page shouldn't be subject to this policy, or is essential for work, then please contact IT support.”

If you feel the URL is business related please contact IT to review.

TECHNICAL TIP

Viruses often hide in popular file types, waiting to be downloaded from the web. Scanning for known viruses is important, but so is filtering the entire file to detect unknown artifacts with all the hallmarks of malicious code.

2. File Attachments

MIMEsweeper for Web will block the uploading of certain file types including:

• Word
• Excel
• PDF

3. If you attempt to attach one of these files to an e-mail through your web browser you will receive the following alert:

“The following File you have requested has been blocked by MIMEsweeper for Web as it is an unapproved file type to upload”

4. Registering on Non-Business related web sites for personal use is acceptable provided the registered e-mail address for contact is the employee’s personal email account and not their Clearswift account.

PRACTICAL TIP

Your policy can also identify what is acceptable, not just what’s unacceptable.


5. Monitoring

Clearswift monitors and scans all internet access via browser access (including personal emails via web browsers). This is carried out either randomly or where the Company considers there is a valid reason for doing so. This may include, but is not limited to, the following:

• If the Company suspects that the employee has been viewing offensive or illegal material, such as material containing racist terminology or nudity (although the Company understands that it is possible for employees inadvertently to view such material and they will have the opportunity to explain if this is the case).

• If the Company suspects that the employee has been spending an excessive amount of time viewing websites that are not work related.

• If the Company suspects that an employee has been using the Internet to send and receive an excessive number of personal communications.

• If the Company suspects a breach of the Policy.

PRACTICAL TIP

Many policies we’ve seen don’t cover the use of wireless networks, PCs and laptops. As you can see, the right policy here can prevent a lot of the problems that later crop up in web or email use.

TECHNICAL TIP

End-point security, such as protecting against files uploaded from a USB stick, is an important part of content security. Talk to us about how MIMEsweeper addresses the new generation of end points.


Using the Company Wireless Network

There are wireless networks installed in our offices which are available to visitors for connection to an ADSL line. The network will also allow employees who have company-installed SecureClient VPN software on their laptop to access the corporate network.

Users of the wireless network must follow the following guidelines:

1. Access to the network will be by a password which will be changed on a very frequent basis. As with other passwords, users must ensure that they do not share the password with anyone else.

2. In order to preserve the team environment in the office, the wireless network should only be used by employees from within the building.

3. Users of the wireless network for Corporate Network Access must have signed a Teleworking agreement.

As use of the Wireless network is an extension of the Corporate network, users should be aware that all aspects of this Corporate Email and Internet Policy apply.


Using the Corporate Desktop or Laptop

1. Laptop backup

All Users in possession of a Company supplied Laptop or Desktop computer should save all their work on the relevant company file server. These servers are backed up nightly. In the event that a user has data on their local hard drive, it is their responsibility to back-up Company information on a regular basis to the appropriate Company file server as notified by the IT Department. In any event, back-ups must be done on no less than a weekly basis. If an employee is unaware how to back-up their Laptop or Desktop data they should contact the IT Department for assistance. Failure to back-up Company information within this guideline is considered a matter of Gross Misconduct as the impact of lost information could be very damaging to the Company.

2. Passwords

Users are responsible for safeguarding their passwords for the system. Individual passwords should not be printed, stored online, written down or given to others. In the unfortunate event that this should happen the password should be changed as soon as possible. Passwords will be flagged to be changed at least every 90 days. Passwords must be more than 6 characters long, should include a mix of characters, letters and numbers and should not be sequenced, e.g. content1 should not be updated to content2.

PRACTICAL TIP

At Clearswift, we issue specific reminders about password safety. Identity access management is a cornerstone of security.

3. Third Party Software

Third party software must not be loaded onto Company computers without the prior written approval of the IT Department. Any software loaded on Clearswift equipment must be licensed. Clearswift strictly forbids Users from using any illegal copies of software. The IT Department will carry out periodic software compliance checks, and the User must make the equipment available on request.

LEGAL TIP

At Clearswift, we have a separate Data Protection policy but it’s important to refer to it here as well.
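The password rules in section 2 above (more than 6 characters, a mix of character classes, no counter-style updates such as content1 to content2, a change at least every 90 days) are easy to state and easy to get wrong in code, the "not sequenced" rule especially. The following is an added example, not Clearswift's own implementation: the thresholds come from the policy text, while reading "a mix of characters" as requiring at least one symbol, and treating a new password as sequenced when it merely extends the old one's letter stem (including the stem-length cutoff of 4), are assumptions made for this example.

```python
# Added example (not Clearswift code): checking a password change against the
# rules in section 2. Thresholds follow the policy text; treating "a mix of
# characters" as "at least one symbol" and the 4-character minimum stem length
# are this example's own assumptions.
import re
import string
from datetime import date, timedelta
from typing import List, Optional

MIN_LENGTH = 7        # policy: "more than 6 characters"
MAX_AGE_DAYS = 90     # policy: flagged for change at least every 90 days
MIN_STEM = 4          # assumption: shorter stems are too common to compare meaningfully


def _stem(password: str) -> str:
    """'content12' -> 'content': the password with any trailing counter removed."""
    return re.sub(r"\d+$", "", password).lower()


def is_sequenced(old: str, new: str) -> bool:
    """True when new is old with its trailing counter bumped (content1 -> content2)
    or when new simply appends to the old stem (content1 -> content1a). The
    comparison ignores case so Content2 does not slip past either."""
    stem = _stem(old)
    if len(stem) < MIN_STEM:
        return False
    return new.lower().startswith(stem)


def check_new_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the change is acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too short: must be more than 6 characters")
    if not any(c.isalpha() for c in new):
        problems.append("must contain letters")
    if not any(c.isdigit() for c in new):
        problems.append("must contain numbers")
    if not any(c in string.punctuation for c in new):
        problems.append("must contain at least one symbol character")
    if old is not None:
        if new == old:
            problems.append("unchanged")
        elif is_sequenced(old, new):
            problems.append("sequenced: too similar to the previous password")
    return problems


def rotation_due(last_changed: str, today: str) -> bool:
    """True once a password (dates as ISO strings, e.g. '2007-01-01') is older than the 90-day limit."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    print(check_new_password("content2", old="content1"))     # the policy's own example
    print(check_new_password("x!9Kq#2Lmz", old="Tr0ub4dor&3"))  # acceptable: []
    print(rotation_due("2007-01-01", "2007-04-02"))           # True, 91 days old
```

The stem comparison is deliberately broader than "same word, next number": a user who changes content1 to Content1! or content1a has made the same non-change, and a check that only compares trailing digits would accept it.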


4. System configuration

Users must not alter or interfere with the system configuration, which includes configuration of hardware, software, the network and peripherals, except in the course of business and after approval from the IT department.

5. System covers

In no circumstances must Users remove covers from any systems for upgrade or repair unless they have been formally trained to do so and where Supplementary Guidelines have been signed or as agreed and approved by the Regional IT Manager or Regional HR representative. If in doubt please contact the IT Department for assistance.

6. Repair & replacement

The User may be responsible for the cost of repair or replacement of equipment that becomes faulty through its mis-treatment, mis-use, neglect or abuse.

7. Data protection

In the UK, Users should be aware that the Data Protection Act covers any personal information about individuals, from which those individuals could be identified, including expressions of opinion about them. As such, you must comply with the company’s Data Protection Policy which is detailed in the Employee Handbook.

PRACTICAL TIP

Lexical analysis templates allow you to easily control the unauthorized dissemination of PII (Personally Identifiable Information) and comply with PCI regulations.

8. Insurance

Insurance of computer equipment and peripherals is invalid if they are left in unattended vehicles unless locked out of sight in the vehicle boot/trunk. Users are therefore responsible for the safekeeping of such equipment when outside Clearswift’s premises.

9. Loss or theft

In the event of loss or theft of a Company laptop, the local IT resource must be informed as soon as possible; this will enable IT to revoke and disable the necessary accounts that provide access to Corporate resources.

10. Copyrighted material

Unauthorized copying or storage of copyright material including, but not limited to, digitization and distribution of photographs from magazines, books, music (e.g. MP3s) or other copyrighted sources is strictly prohibited.

11. Passwords

Under no circumstances should an employee reveal their account password to others or allow their account to be used by others. If you need to access another employee’s user account you must obtain permission from the HR Manager who will then make the necessary arrangements with IT.


12. Unauthorized access

To prevent unauthorized access to an employee’s PC/Laptop, employees are responsible for ensuring that if the PC/Laptop will be left unattended, even if only for a few minutes, they either:

• Screen lock the PC/Laptop using a password for protection and set this to be enabled within 10 minutes of the screen being inactive. Please ensure that this does happen automatically, otherwise you may have to action it manually.

• Logout

13. Company assets

Using the Company’s assets to actively procure, store, use or transmit material that may be in breach of the laws of the country and constitute an illegal activity is strictly prohibited.

PRACTICAL TIP

We’ve all seen the headlines. Hundreds of companies are embarrassed and brands damaged every year by individuals breaking laws on company time. The first step to preventing this is to identify the problem and make it a clear offense.

14. Security breaches

Effecting security breaches is prohibited. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient, or logging into an account that the employee is not expressly authorised to access (unless these duties are within the scope of the employee’s regular duties).

15. Network disruption

Disruption of network communication is prohibited. Disruption includes, but is not limited to, ping floods, port scanning, and packet spoofing.
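Section 15 names ping floods and port scanning as prohibited; the flip side for the IT team is detecting them. The following is an added example, not Clearswift code: it runs two sliding-window heuristics over per-flow records of the kind a firewall or router exports. The record layout, the thresholds and the constructed sample traffic are assumptions for this example, and packet spoofing is left out because it is not visible in per-flow records like these.

```python
# Added example (not Clearswift code): picking out the two behaviours named in
# section 15, port scanning and ping floods, from flow records such as a firewall
# or router would log. The record layout, the thresholds and the constructed
# sample traffic are this example's assumptions.
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, str, int]   # (seconds, src_ip, dst_ip, proto, dst_port); port 0 for ICMP

SCAN_PORTS = 20       # distinct destination ports on one host ...
SCAN_WINDOW = 10.0    # ... inside any window this many seconds wide
FLOOD_PINGS = 100     # ICMP packets from one source ...
FLOOD_WINDOW = 1.0    # ... inside any window this many seconds wide


def detect_port_scans(flows: List[Flow], min_ports: int = SCAN_PORTS,
                      window: float = SCAN_WINDOW) -> List[Tuple[str, str, int]]:
    """Return (src, dst, distinct_ports) for every source that touches at least
    min_ports distinct TCP/UDP ports on one host within a sliding time window."""
    by_pair: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for t, src, dst, proto, port in flows:
        if proto in ("tcp", "udp"):
            by_pair[(src, dst)].append((t, port))
    hits = []
    for (src, dst), events in by_pair.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:   # slide the window forward
                lo += 1
            best = max(best, len({p for _, p in events[lo:hi + 1]}))
        if best >= min_ports:
            hits.append((src, dst, best))
    return hits


def detect_ping_floods(flows: List[Flow], min_pings: int = FLOOD_PINGS,
                       window: float = FLOOD_WINDOW) -> List[Tuple[str, int]]:
    """Return (src, count) for every source sending at least min_pings ICMP
    packets within a sliding time window."""
    by_src: Dict[str, List[float]] = defaultdict(list)
    for t, src, _dst, proto, _port in flows:
        if proto == "icmp":
            by_src[src].append(t)
    hits = []
    for src, times in by_src.items():
        times.sort()
        best, lo = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_pings:
            hits.append((src, best))
    return hits


def constructed_sample() -> List[Flow]:
    """Constructed traffic: one well-behaved host, one scanner, one flooder."""
    flows: List[Flow] = []
    for i in range(30):                      # normal host using three services
        flows.append((i * 2.0, "10.0.0.5", "10.0.0.20", "tcp", (22, 80, 443)[i % 3]))
    for port in range(1, 65):                # scanner walking ports 1-64 in about 3 s
        flows.append((100.0 + port * 0.05, "10.0.0.77", "10.0.0.20", "tcp", port))
    for i in range(300):                     # 300 echo requests in 0.3 s
        flows.append((200.0 + i * 0.001, "10.0.0.88", "10.0.0.1", "icmp", 0))
    for i in range(20):                      # one ping per second is not a flood
        flows.append((300.0 + float(i), "10.0.0.5", "10.0.0.1", "icmp", 0))
    return flows


if __name__ == "__main__":
    sample = constructed_sample()
    print("port scans :", detect_port_scans(sample))
    print("ping floods:", detect_ping_floods(sample))
```

Both detectors key on distinct ports or packet counts inside a moving window rather than over the whole capture, so a slow scan spread over hours and a legitimate monitoring host that polls a few services all day are treated differently from a 64-port sweep in three seconds. The thresholds are starting points to tune against your own baseline, not fixed values.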

16. Network monitoring

There should be no form of unauthorized network sniffing or network monitoring in which the intercepting of data is not intended for the employee’s host, unless the activity forms part of the employee’s role and they have signed Supplementary Guidelines.

17. IT administration

The IT department retains the right to administer, audit and manage any devices that are connected to the corporate networks. The circumvention of authentication or security access of any device by an employee with the intention of knowingly preventing IT from carrying out their duties is strictly prohibited and may result in the employee being refused connection to the corporate network resources. The SVP of Field Operations must formally approve exceptions to this.


18. Network security

The security of the corporate network and resources must be maintained. Under no circumstances should third-party devices, including but not limited to laptops, servers or desktops, be connected to the corporate network. For the avoidance of doubt this includes employees’ personally owned computers or laptops and devices or those belonging to visitors/contractors in our offices. If there are exceptional circumstances where access to the Corporate network is required, employees must first seek approval from the IT department, who may require administrative access to the device and will install the necessary security software. The IT department reserves the right to refuse access to the corporate network for any third-party devices without prior notification and acceptance of the security policy. Additionally, approval will be required from the relevant Executive.

19. Privately owned devices

Privately owned devices, including, but not limited to, personal PDAs, network hubs, routers, PCs, laptops, faxes or printers are not supported and are the responsibility of the individual.


Using Personally Owned Desktops or Laptops

Users who own their own desktops and laptops may wish to use the Internet to access their Corporate mail. This may only be done by using their internet browser to connect via the Outlook Web Access (OWA) service provided by the Company. To do this, users should connect from their web browser to a URL supplied by the IT department then login using their normal login credentials.

If a user does access the Corporate e-mail via OWA, care should be taken with the documents they download, as they may be Company confidential or contain personal data and a user may therefore be in breach of this policy or the Data Protection Act if they process such information incorrectly. In instances where attachments are downloaded and are confidential and/or contain personal data they should be removed as soon as possible. Users should ensure that they are familiar with the company’s Data Protection Policy (contained in the Employee Handbook which can be found on our intranet) and always comply with it.


Using Remote Access

1. Remote Access

Remote Access to the corporate network is subject to approval from the HR department and is only granted to those people who have a need for remote access as part of their jobs and who have a company laptop. Please complete a Request for Remote Access to Corporate Network Form (this can be found on our intranet); once approved, the user will need to sign a Clearswift (Occasional) Teleworker Agreement. Upon receipt of confirmation that this Agreement has been signed, the IT department will set up the necessary access.

2. Secure access

Secure access to the corporate network and resources from a user’s Company approved device, including but not limited to ISDN, DSL, analogue dial-up, cable modems and wireless, must adhere to the following:

Immediately upon connecting, whether using dial-up or broadband, a user must activate the VPN access to communicate with the corporate network.

3. Remote access control

Remote access must be strictly controlled. It is the responsibility of employees, contractors, vendors and agents with remote access privileges to ensure that no mechanisms implemented to control the access are circumvented; this includes but is not limited to anti-virus, scripts and the desktop firewall.

4. Remote access privileges

Users with remote access privileges must ensure that when Clearswift owned or personal laptops or computers are connected to the corporate network, they are not connected to any other networks at the same time, with the exception of personal networks that are under the complete control of the user. Internet access should be gained via the corporate network, and is therefore subject to the corporate security policy.

PRACTICAL TIP

Unprotected computers accessing the corporate network are a major source of infection and intrusion. A clear policy on remote access is essential.


5. Personal networks

Users who have their own personal networks and have Executive approval to connect to the Corporate network must ensure that any devices on their network are securely protected in such a way that if a Clearswift owned laptop or desktop is connected to the employee’s personal network, it is not compromised or infected by a Virus, Trojan, or Worm from the user’s own network and devices. Failure to do so will result in connectivity to the corporate network being removed. Approval from the relevant Executive will then be required before connectivity to the corporate network is returned.

6. Teleworking

Reconfiguration of a Teleworker’s company approved equipment or Clearswift owned devices for the purpose of concurrent network connections to the corporate network and another external network is not permitted. Connectivity to the corporate network is restricted to approved devices only.

7. Non-standard hardware

Non-Standard hardware configurations and usage of un-approved technology for the purpose of connecting to the corporate network is prohibited. The IT department will assess the situation but the employee should have no expectation that IT will commit resource and time in providing a non-standard solution.


Handling Confidential Data

1. Confidential data

All data related to Clearswift employees is considered confidential, including but not limited to:

• Employee names, home addresses and personal contact details

• Social security/National Insurance numbers or similar

• Age and birth date

• Banking details

• Health records

• Personnel files including expenses

TECHNICAL TIP

MIMEsweeper pattern matching can also be set to recognize specific data to prevent unintentional and deliberate leaks of social security numbers, customer data, credit card numbers, etc.

2. Employee data

Only authorized personnel are permitted to see or share employee data (see your contract to determine if you are authorized).

3. Filtering & monitoring

The Company uses content filtering to monitor all email, web and IM traffic to identify the unauthorized transmission of employee data.

TECHNICAL TIP

MIMEsweeper uses fingerprinting and pattern matching technology to identify data with known structures such as Social Security, National Insurance or employee- or customer-related numbers and to prevent accidental or deliberate leakage.
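The two Technical Tips in this section describe pattern matching for Social Security numbers, National Insurance numbers and similar identifiers. The following is an added example of that kind of check, not Clearswift or MIMEsweeper code: the identifier formats are the public ones (US SSN, UK NINO, and payment card numbers confirmed with the Luhn check digit so that phone numbers and order references do not trigger a match); the employee number format, the internal domain list and the sample message are constructed for this example. The same Luhn-confirmed card match is what the corporate credit card monitoring described under Customer data below needs.

```python
# Added example (not Clearswift code or MIMEsweeper's implementation): the kind of
# pattern matching the Technical Tips describe, run over an outbound message. The
# identifier formats are public (US SSN, UK National Insurance number, payment
# card numbers confirmed with the Luhn check digit); the employee number format,
# the internal domain list and the sample message are constructed for this example.
import re
from typing import Dict, Iterable, List

# US Social Security number AAA-GG-SSSS, excluding groups the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# UK National Insurance number: two letters (first not D/F/I/Q/U/V, second also
# not O), six digits, suffix A-D; spaces between groups are optional.
NINO_RE = re.compile(r"\b(?![DFIQUV])[A-Z](?![DFIQUVO])[A-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")
# Candidate card numbers: 13-19 digits with optional spaces or dashes. A pattern
# alone over-matches (phone numbers, order IDs), so each hit must also pass Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Hypothetical internal employee number format (assumption for this example).
EMP_RE = re.compile(r"\bEMP\d{6}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_digits(digits: str) -> str:
    """Keep only the last four digits so the finding itself is not a second leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_for_pii(text: str) -> Dict[str, List[str]]:
    """Return every recognised identifier in the text, grouped by kind."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(mask_digits(digits))
    return {
        "ssn": SSN_RE.findall(text),
        "nino": NINO_RE.findall(text),
        "card": cards,
        "employee_id": EMP_RE.findall(text),
    }


def should_block(text: str, recipient_domain: str, internal_domains: Iterable[str]) -> bool:
    """Policy decision: identifiers may travel inside the company, never outside it."""
    if recipient_domain.lower() in {d.lower() for d in internal_domains}:
        return False
    return any(scan_for_pii(text).values())


# Constructed sample message; the card number is the public Visa test number.
SAMPLE_MESSAGE = """\
Hi Sam, here are the details you asked for.
Card: 4111 1111 1111 1111 (exp 09/09)
NI: QQ 12 34 56 C   (Q is never issued as a prefix, so this must not match)
NI: AB 12 34 56 C
SSN: 123-45-6789
Ref EMP004512. Call the office on 0118 903 8903 if anything is unclear.
"""

if __name__ == "__main__":
    print(scan_for_pii(SAMPLE_MESSAGE))
    print("block to partner.example:", should_block(SAMPLE_MESSAGE, "partner.example", ["example.internal"]))
```

Two details matter in practice. The card check confirms every regex hit with the Luhn digit, which is why the 11-digit phone number in the sample does not appear as a finding; and findings are masked before they leave the function, because a filter that writes full card numbers into its own alert log has just created the leak it was meant to stop.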


4. Customer data

All data related to Clearswift customers is considered confidential and is protected by Data Protection legislation. The company can be prosecuted and fined for any breaches of these regulations. Customer data includes but is not limited to:

• Customer names, addresses and contact details

• Purchase histories, preferences and transaction data

• Payment-related information including credit card and bank account details

• Clearswift employees are NOT authorized to send any customer data to a recipient outside the company. The company will use content filtering to monitor all email, web and IM traffic to identify and prosecute breaches.

• Employees are NOT authorized to copy customer data onto removable media, including laptops, CDs, hard drives, PDAs, MP3 players, USB keys, etc.

• For more information, refer to the Clearswift Data Protection Policy.

• Clearswift does not authorize the use of corporate credit cards for online purchasing except on approved sites (see Appendix).

• The company will monitor web transactions to prevent the use of corporate credit cards on unauthorized sites.

LEGAL TIP

Check the local data protection laws wherever you do business to make sure your policy complies.

TECHNICAL TIP

Use pattern matching to identify your corporate credit cards in all web and email traffic. Policy can be set to allow corporate card transactions on a given list of supplier websites only.


Consequences of Misuse

Breach of any part of this Policy will be considered a serious disciplinary matter and will be dealt with accordingly. Examples of offences which may be considered to be gross misconduct (the list is not exhaustive), which may result in immediate dismissal, are:

• Sending or forwarding abusive, rude, illegal or defamatory messages or material.

• Sending or forwarding a message that could constitute bullying or harassment or intimidation.

• Sending or forwarding the company’s confidential information without authorization.

• Excessive personal use of e-mail or excessive visiting of non-job related internet sites during your normal working day.

• Introducing a virus to the company’s computer system by inserting a disk, CD or DVD into a company computer without running a virus check, via e-mail or from downloading an Internet file.

• Misuse of e-mail or the company computer system which results in any claim being made against the company.

• Accessing pornography or any other illegal material on the Internet and/or circulating it.

• Unauthorized copying or modifying of copyright material.

• Unauthorized downloading of software or files.

• Use of the Internet for criminal activity.

• Hacking, or other breaches of the Computer Misuse Act 1990.

In less serious cases the user may have access to the Internet from their computer removed or other disciplinary action taken.

LEGAL TIP

Consequences are one of the most important parts of your policy. Make it clear that you have the power to discipline or prosecute.

Acknowledgement

I have read, understood and agree to comply with the Clearswift Email, Internet and Computer Policy (December 2005) rules and conditions governing the use of Clearswift’s computer, e-mail and Internet systems. I understand that a breach of this Policy may result in disciplinary action or legal action.

Signed: ………………………………..........

Print Name: ………………………………….

Date: ………………………………….........

LEGAL TIP

It’s essential to get all employees to sign and date the policy. This is not just an advisory document – it’s a contract.


Legal Disclaimer

Clearswift does not provide legal advice and any legal tips provided in this document are for information only and appropriate advice from qualified legal advisers should be sought before relying upon any such legal tips. This document is an example document only. This document may vary from any Clearswift policy document. Changes to any Clearswift policy document may not result in any changes to this document. In the event that you use this document in whole or in part you may not accredit any part or the whole to Clearswift Limited or any of its parent companies, affiliates, subsidiaries, successors and/or assigns. You may use and/or copy this document for your internal use only but may not provide it to any third party or use it in relation to any service provided to any third party whether for a fee, gain or not.


Contact Clearswift

United States
100 Marine Parkway, Suite 550, Redwood City, CA 94065
Tel: +1 800 982 6109 | Fax: +1 888-888-6884

Spain
Cerro de los Gamos 1, Edif. 1, 28224 Pozuelo de Alarcón, Madrid
Tel: +34 91 7901219 / +34 91 7901220 | Fax: +34 91 7901112

Australia
Ground Floor, 165 Walker Street, North Sydney, New South Wales, 2060
Tel: +61 2 9424 1200 | Fax: +61 2 9424 1201

United Kingdom
1310 Waterside, Arlington Business Park, Theale, Reading, Berkshire, RG7 4SA
Tel: +44 (0) 11 8903 8903 | Fax: +44 (0) 11 8903 9000

Germany
Amsinckstrasse 67, 20097 Hamburg
Tel: +49 40 23 999 0 | Fax: +49 40 23 999 100

Japan
Hanai Bldg. 7F, 1-2-9, Shiba Kouen Minato-ku, Tokyo 105-0011
Tel: +81 (3) 5777 2248 | Fax: +81 (3) 5777 2249

© 2007 Clearswift Ltd. All rights reserved. The Clearswift Logo and Clearswift product names including MIMEsweeper™, MAILsweeper™, e-Sweeper™, IMAGEmanager™, REMOTEmanager™, SECRETsweeper™, ENTERPRISEsuite™, ClearPoint™, ClearSecure™, ClearEdge™, ClearBase™, ClearSurf™, DeepSecure™, Bastion™ II, X.400 Filter™, FlashPoint™, ClearDetect™, ClearSupport™, ClearLearning™ and SpamLogic™ are trademarks of Clearswift Ltd. All other trademarks are the property of their respective owners. Clearswift Ltd. (registered number 3367495) is registered in Britain with registered offices at 1310, Waterside, Arlington Business Park, Theale, Reading, Berkshire RG7 4SA, England. 06-07
