I agree with most of Bill Kammerer's contributions on
this forum, but disagree with this one:
> do we need any more proof that email filtering
> doesn't work?

Filtering isn't a silver bullet, but it's part of the
solution.  
> ..."rely on users' training and intelligence."  
That won't work.  Taking email encryption as an
analogous example, you've probably seen the Carnegie
Mellon paper from a few years ago, "Why Johnny Can't
Encrypt."  They studied a group of fairly high-skill
users (CS researchers), and gave them the task of
sending and receiving encrypted email.  Most of them
had trouble with the software (PGP 5.1, I think), but
more importantly they consistently forgot to click on
"encrypt" when they had a confidential message to
send. 

If you're relying on users' training and intelligence
ALONE you're almost certainly not compliant.  You
don't rely on that alone.  As one user told me, "It
would be insane to install a bunch of keyword
triggers, sit back and assume you're compliant."  It
would also be insane to base your compliance on users
remembering to do the right thing.

Email filtering is similar to IDS.  You have to buy a
good commercial package, spend a lot of time tuning it
for your organization, install updates almost daily,
and put in a lot of maintenance by a live sysadmin. 
Nobody said it was cheap, and the false positives
certainly are annoying, but it's necessary, in my
view.

By the way, I've seen a lot of unanswered requests for
lists of PHI keywords.  I don't think anybody has a
list they are happy with.  Anybody who has, please
chime in.


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.
