Beware if you use Official email id for personal Uses
By MYBRANDBOOK
There is a big question over whether corporate users should be allowed to use the official email ID for personal purposes under some restricted policies, as security remains the biggest concern and the insider threat is greater than the outside threat.
Beware! Gmail scam can steal your email data
Many CIOs/CISOs say this is strictly not advisable: it would violate many ISMS controls under ISO 27001, and in practice I have seen these small leverages end up in data breaches and further lead to arbitration / civil suits for breach of company security policy / NDA / non-compete / employment agreements.
It would not merely restrict: it would violate the controls, and deviations would need to be formally taken. The control violations would affect not only IT controls but multiple departments and stakeholders, from HR to Compliance and Legal. Modifications would be needed to allow such exceptions, from HR policies to offer letters and any NDA signed; in case of breach or violation, even regulatory requirements would apply.
There are cases of company IP being stolen or misused because business access was allowed to be used for non-business purposes and left unmonitored. This is especially so in Healthcare IT, where the business processes sensitive patient records and business contracts and is bound by ISO 27001:2013 compliance. The 114 Annex A controls of ISO 27001:2013 specifically restrict it.
In some use cases, company property used for personal purposes, including office internet used for personal purposes, is treated as a violation of the acceptable usage policy. But in other organisations, with policies largely from Europe, it is the opposite: employees can keep private data on the laptop, and email data is considered private to the employee since it is addressed to their name and not to a common company ID. So bank salary credit alerts are personal emails on an official ID, and it is not very easy to differentiate.
Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive, and additional control objectives and controls may be needed. None of the controls are per se restrictive. This is why the Statement of Applicability (SoA) is an important document that should be done right.
On the flip side, in the European office they can implement anything on the company laptop, but the company has the right to investigate and check as per the acceptable use policy.
Secondly, the SoA is one of the most important documents. In practice the team reviews and responds to multiple RFIs from clients, and only a fraction of clients ask for the SoA, whereas anyone concerned with ISO implementation must check the SoA. There is no specific direct control in ISO 27001 or in the HIPAA controls governing the use of official email for personal purposes, but there are some controls on information transfer (A.13.2) that can be correlated to disallow it.
ISO 27001:2013 controls
A.13.2.1 - Information transfer policies and procedures (Depends on the organization whether to allow the use of official email for personal, based on risk assessment)
Protects the exchange of information through the use of all types of communication facilities.
HIPAA control 164.312(c)(1) - Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
164.312(c)(2) - Mechanism to authenticate electronic protected health information. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
A.13.2.2 - Agreements on information transfer (Since software is provided over the internet, not having the right agreements can lead to a compromise of information security, which needs to be avoided)
A.13.2.3 - Electronic messaging (Needed to ensure that confidential information is not compromised)
A.13.2.4 - Confidentiality or non-disclosure agreements (NDAs help in ensuring protection of company intellectual property; see also HIPAA control 164.308(a)(1)(i): Implement policies and procedures to prevent, detect, contain, and correct security violations.)
HIPAA control - 164.306(a)
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted.
(4) Ensure compliance with this subpart by its workforce.
Finally, if someone from your contact list sends you an email inviting you to edit a file on Google Docs, beware: it may be a phishing scheme. In that scam, 'Google Docs' is merely the name of an unknown third-party application which could be used by hackers to obtain access to your email data. Google has warned users about opening emails from contacts which ask them to click on a link to Google Docs.
However, the expert says, using the official email ID for personal purposes is not legal.