Beware if you use your official email ID for personal use
By MYBRANDBOOK
There is a big question mark over whether corporate users should be allowed to use the official email ID for personal use under some restricted policies, since security remains the biggest concern and the insider threat is greater than the outside threat.
Many CIOs/CISOs say this is strictly not advisable... it will violate many ISMS controls under ISO 27001, and practically I have seen these small leverages end up in data breaches, further leading to arbitration / civil suits for breach of company security policy / NDA / non-compete / employment agreements.
It would not merely restrict... it would violate the controls, and deviations would need to be taken... the control violations would affect not only IT controls but multiple departments and stakeholders, from HR to Compliance and Legal. Modifications are needed to allow such exceptions, from HR policies to offer letters and any NDA signed; in case of breach or violation, even regulatory requirements would apply.
Now there are some cases of company IP being stolen / misused because business access was allowed to be used for non-business purposes and left unmonitored, especially in the field of Healthcare IT, where the business processes sensitive patient records / business contracts and ISO 27001:2013 controls restrict that. The 114 Annex A controls of ISO 27001:2013 specifically restrict it.
When we look at certain use cases of company property being used for personal purposes, including office internet used for personal purposes, it is a violation of the acceptable usage policy... but in some other organisations, with most policies coming from Europe, it's the opposite: employees can keep private data on the laptop, and email data is considered private to the employee since it is addressed to his name and not to a common company ID... so bank salary credit alerts are personal emails on the official ID... so it's not very easy to differentiate.
Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive, and additional control objectives and controls may be needed. None of the controls is per se restrictive. This is why the SoA (Statement of Applicability) is one important document that should be done right.
On the flip side, in the European office they can implement anything on the company laptop; the company has the right to investigate and check as per the acceptable use policy.
Secondly, the SoA is one of the most important documents! In practice the team reviews and responds to multiple RFIs from clients, and only a fraction of clients ask for the SoA, whereas anyone concerned with ISO implementation must check the SoA. There is no specific direct control in 27001 or in the HIPAA controls governing the use of official email for personal purposes, but there are some controls on information transfer (A.13.2) which can be correlated to not allow it.
ISO 27001:2013 controls
A.13.2.1 - Information transfer policies and procedures (it depends on the organization, based on its risk assessment, whether to allow the use of official email for personal purposes)
Protects the exchange of information through the use of all types of communication facilities.
HIPAA control 164.312(c)(1) - Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
164.312(c)(2) - Mechanism to authenticate electronic protected health information. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
A.13.2.2 - Agreements on information transfer (since software is provided over the internet, not having the right agreements can lead to a compromise of information security, which needs to be avoided)
A.13.2.3 - Electronic messaging (needed to ensure that confidential information is not compromised)
A.13.2.4 - Confidentiality or non-disclosure agreements (NDAs help in ensuring protection of company intellectual property; HIPAA control 164.308(a)(1)(i): implement policies and procedures to prevent, detect, contain, and correct security violations)
HIPAA control - 164.306(a)
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted.
(4) Ensure compliance with this subpart by its workforce.
Finally, if someone from your contact list sends you an email inviting you to edit a file on Google Docs, beware: it may be a phishing scheme. Here "Google Docs" is merely the name of an unknown third-party application which could be used by hackers to obtain access to your email data. Google has warned users about opening emails from contacts that ask them to click on a link to Google Docs.
However, the expert says, use of the official email ID for personal purposes is not legal.