There is a big question mark on shall we leverage corporate users to use the official email ID for personal use with some restricted policies, as the security remains as the biggest concern and the inside threat is more than the outside threat.

Beware! Gmail scam can steal your email data

Many CIO/CISO says, this is strictly not advisable... it will violate many ISM controls under ISO 27001 and also practically I have seen these small leverages end up in data breach and further leading to arbitration / Civil Suits for breach company security policy / NDA / Non-Compete / Employment Agreements.

It would not restrict... it will violate and deviations need to be taken.... the control violations would affect not only IT controls but multiple departments and stake holders from HR to Compliance and Legal. Modifications are needed to allow such exceptions from HR policies to offer letters and on any NDA signed, in case of breach or violation, even regulatory requirements would apply…

Now there are some cases of company IP stolen / misused because of business access allowed to be used for non-business purpose and left un-monitored. Specially in the field of Healthcare IT where, the business run a business of processing sensitive patient records / business contracts, where there is a compliance of ISO control restrict that from ISO 27001:2013. The 114 Annex-A controls of ISO 27001:2013 specifically restrict it.

When we see certain use case of company property used for the personal usage... including office internet used for personal purpose as violation of acceptable usage policy... but in some other organisation with most policies from Europe it's opposite... employees can keep private data on laptop and email data is considered as private to employee since it's marked to his name and not to a common id of company...so bank salary credit alerts are personal emails on official id...so it's not very easy to differentiate.

Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed. None of the controls are per se restrictive. This is why the SoA is one important document that should be done right.

There is one the flip side in the European office, they can implement anything on company laptop; company has right to investigate and check as per acceptable use policy.

Secondly, about SoA is one of the most important document! In practice the team reviews and respond to multiple RFIs from client and only a fraction of clients as for SoA whereas anyone concern with ISO implementation must check the SoA and there is no specific direct control in 27001 or in HIPAA controls to have control on official email for personal purpose, there some controls on information transfer (A.13.2) which will can correlate not to allow.

27001:2013 controls

A.13.2.1 - Information transfer policies and procedures (Depends on the organization whether to allow the use of official email for personal, based on risk assessment)

Protects the exchange of Information through the use of all types of communication facilities.

HIPAA control 164.312(c)(1) - Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

164.312(c)(2) - Mechanism to authenticate electronic protected health information. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

A.13.2.2 - Agreements on information transfer (Since software is provided over the internet, not having right agreements can lead to compromise of information security which needs to be avoided)

A.13.2.3 - Electronic messaging (Needed to ensure that confidential information is not compromised)

A.13.2.4 - Confidentiality or non-disclosure agreements (NDAs helps in ensuring protection of company intellectual property, HIPAA control 164.308(a)(1)(i) Implement policies and procedures to prevent, detect, contain, and correct security violations.)

HIPAA control - 164.306(a))

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted

(4) Ensure compliance with by its workforce.

Finally, if someone from your contact list also sending you emails as an invitation to edit a file on Google Docs, beware, it may be a phishing scheme spam. Because, ‘Google Docs’ is merely the name of an unknown third-party application which could be used by hackers to obtain access to your email data. Google has warned users about opening emails from contacts which ask them to click on a link to Google Docs.

However, the expert says, using of the official email id for the personal usage is stand not legal…..