I agree with Kelly, and have found that the most prevalent solution to the Internet email quandary has been to use a secure server.  I recently worked with a benefits management company which had a portal site utilizing the model in which a secure server resides on the network and the recipient accesses from inside the firewall after passing authentication.
 
Re: the gossip hotline.  Going a step beyond security awareness and personal accountability for internal email communication, if content filtering/monitoring is not used then company policy must be documented, in place, and enforced in the event that privacy breaches occur and are discovered.  It is simply not enough these days to warn employees not to do it; the consequences of such infringements must be spelled out also.
 
 
 
Lisa Holman
Haverstick Consulting
952-656-3733 ofc
952-239-1093 mobile
 
-----Original Message-----
From: Kelly, Lee [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 8:39 AM
To: [EMAIL PROTECTED]
Subject: RE: Securing E-mail





As for the first scenario, there are a variety of secure mail solutions. Most require the mail to be sent to their secure server (on the Internet) and the client can retrieve it from there, but there are some where you install a secure server on your network and the intended recipient accesses the message after putting in a password on a website that is located on your network.

 

In the case of the ‘gossip hotline’, unfortunately there is not much for easy fixes. You could set up a content filtering solution for all internal mail, but the management of this could potentially be a nightmare. One of the best things, in conjunction with the AUP you mentioned, is to have a strong, ongoing security awareness program. These programs can (and often do) include periodic reminders through flyers, notices in company newsletters, brown-bag type lunches, etc.

 

Thank You,

 

Lee Kelly, CISSP

Manager, Assessment Services

Fortrex Technologies

[EMAIL PROTECTED]

1-877-Fortrex - Office

1-301-906-6269 - Cell

 

-----Original Message-----
From: Bill Bernath [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 4:33 PM
To: [EMAIL PROTECTED]
Subject: Securing E-mail

 

We've talked about our needs to provide reasonable protection for verbal, paper and electronic PHI content.  Another critter we need to wrestle with is how do we handle at least two families of e-mail?  One set is that which is used in a legitimate exchange between ourselves and our business associates and providers.  These audiences will likely have varied levels of security sophistication at their end.  The second group is the internal 'use' by the gossip hotline, where members of the workforce are sharing sensitive stuff with their pals, because they can.....  Other than having a strong personal accountability policy, has anyone considered other solutions?  Thx - b

 

Bill Bernath
Blue Cross Blue Shield of North Carolina
Privacy Office
(919) 765-7006
[EMAIL PROTECTED]


**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.

