Small Business Susan

Confidentiality clause anyone?

So an interesting topic came up recently.  As a professional with clients and an industry that expects confidentiality, for those that are consultants in this space, do your clients require you to sign a confidentiality agreement?  Do you offer it up in your contract that you supply to them?


If you don’t you should.  If they aren’t asking you this, they should.


When you work on their network you are an extension of their access.  If you have admin rights, even more so. 


SANS policy center has a sample access policy here:


http://www.sans.org/security-resources/policies/Third_Party_Agreement.pdf


And here’s a sample policy at my firm for temporary employees….


1.  CONFIDENTIAL INFORMATION

In the course of the discharge of your duties, you may have access to and become acquainted with confidential information and trade secrets relating to the Firm’s business and clients.  Such confidential information and trade secrets include, without limitation, information concerning the Firm’s financial, personnel, sales, planning and other operations that are owned by the Firm and regularly used in the operation of the Firm’s business.  Access to such confidential and trade secret information should be on a “need-to-know” basis only and must be authorized by those supervising you.  Any breach of this policy will not be tolerated and may lead to discipline up to and including immediate termination and, under certain circumstances, the Firm may take legal action.

2.  INSPECTION AND SEARCH POLICY

All furniture, equipment, computers, files, etc. on the Firm’s premises are the Firm’s property and must be maintained according to the Firm’s rules and regulations and should only be used for work-related purposes.  The Firm has implemented an inspection and search policy to protect against the unauthorized removal of Firm property from its premises, to keep alcohol and illegal drugs off the premises, and for general safety reasons.

Therefore, the Firm reserves the right to inspect and/or search any item brought onto Firm premises.  This includes, without limitation, any laptop or personal computer, or any package, lunch, toolbox, purse, briefcase or other personal item the employee may bring on the premises.  The Firm also reserves the right to monitor the use of its computer system and electronic communications devices, such as the voice mail system and fax machine, and reserves the right to access, review, copy, delete and disclose any personal information contained on any Firm electronic communication device or on its computer system, including Firm-owned PCs used by individual employees.

Any such inspection and/or search may be done with or without notice and with or without your consent.  Your refusal to cooperate in an inspection and/or search may result in termination.
    
If you do not want any personal item inspected and/or searched pursuant to this policy, you should not bring such item onto Firm premises or property.  Additionally, you should not use the Firm’s computer system, e-mail system, voice mail system, or fax machine for any personal information you wish to keep private, as the Firm treats all such information as business information and it will be treated no differently than other business information.

3.    ELECTRONIC COMMUNICATION DEVICES POLICY

The Firm uses various forms of electronic communication devices, including, but not limited to, computers, e-mail, telephones, voice mail, and fax machines.  All electronic communications, including all software and hardware, are the sole property of the Firm and are to be used only for Firm business to transmit or receive business information and are not to be used for personal use.  The Firm treats all messages sent, received or stored in any of the electronic communication devices as business messages.  The Firm reserves the right to access and review, copy or delete electronic files, voice mail messages, etc., for any purpose and to disclose them to any party (inside or outside the Firm) it deems appropriate.  The Firm further reserves the right to monitor the use of electronic communications as is necessary to ensure that there is no misuse or violation of Firm policy. Use of any of the Firm’s electronic communications devices in violation of this policy may lead to discipline up to and including immediate termination.

Should you make incidental use of the e-mail system, fax machine, etc., to transmit personal messages, such messages will be treated no differently than other messages, i.e., the Firm reserves the right to access, review, copy, delete or disclose them for any purpose.  Accordingly, you should not use the computer, e-mail system, voice mail system, or fax machine for any personal information you wish to keep private.

The Firm’s e-mail system permits employees to communicate with each other internally and with selected outside individuals and companies that the Firm, in its sole discretion, decides should be connected to the system.  Users should treat the computer and e-mail systems like a shared file system — with the expectation that messages sent, received or stored in the system (including any individual hard disks) will be available for review by any authorized representative of the Firm for any purpose.

Confidential Information

Essentially, Firm e-mail messages should be treated in the same way as other Firm confidential printed material.  There are three common circumstances where confidentiality can be breached:

An employee leaves the e-mail program running on his or her screen, or leaves an e-mail message on his or her screen.  In either case, this allows others to view e-mail messages should they sit at the employee’s computer.

A confidential message is printed on a printer in an employee’s office or perhaps on a shared printer down the hall.  Anyone with access to that printer can view this document.

An e-mail message is inadvertently sent to someone who was not intended to receive it. Caution should be exercised regarding any confidential message before it is sent.  

Caution should be used when using the Internet.  The Internet is a convenient, cheap way to send business communications that are not security risks or time sensitive.  You should not rely on the Internet for critical communications due to the possibility of compromise.

Users must exercise a greater degree of caution in transmitting Firm information on the e-mail system than they take with other means of communicating information (e.g., written memoranda, letters or phone calls) because of the reduced human effort required to redistribute such information.  Confidential information should never be transmitted or forwarded to outside individuals or companies not expressly authorized to receive that information and should not even be sent or forwarded to other users inside the Firm who do not need to know the information.  Always use care in addressing e-mail messages to make sure that messages are not inadvertently sent to outsiders or the wrong person inside the Firm.  In particular, exercise care when using distribution lists to make sure that all addressees are appropriate recipients of the information.  Lists are not always kept current, and individuals using lists should take measures to ensure that the lists are current.  If highly confidential information needs to be transmitted, please contact the IT Administrator for assistance in sending confidential information via encrypted means.  It is against Firm policy, and possibly the law, to e-mail information that contains social security numbers.

E-Mail Security and Computer Security

The security on the Firm e-mail system and other computer programs is only as good as password security.  If your network and e-mail passwords are easy to discover, your e-mail may easily be accessed by anyone with that intention.  It is strongly advised that you not use your first or last name, the Firm name or other such passwords.  It is also advisable that employees change their passwords periodically.

Viewing and Protecting E-Mails

In order to guard against dissemination of confidential information, users should not access their e-mail messages for the first time in the presence of others.  E-mail passwords (as well as other computer passwords) should be routinely changed every ninety days and will be reset by the Network Administrator.

Copyrighted Information

Use of the e-mail system to copy and/or transmit any documents, software, or other information protected by copyright laws is prohibited.

E-Mail Etiquette

Please bear in mind that your e-mail messages may be read by someone other than the addressee you sent them to and may even someday have to be disclosed to outside parties or a court in connection with litigation.  Accordingly, please take care to ensure that your messages are courteous, professional and businesslike.

Other Prohibited Uses

The Firm prohibits use of the e-mail system or the Firm computer system to engage in any communications that are in violation of Firm policies including, but not limited to, transmission of defamatory, obscene, offensive or harassing messages, or messages that disclose personal information about other individuals without authorization.




Storing and Deleting E-Mail Messages

The Firm strongly discourages the storage of large numbers of e-mail messages for a number of reasons.  First, because e-mail messages frequently contain confidential information, it is desirable to limit the number, distribution and availability of such messages to protect the Firm’s information.  Second, retaining messages fills up large amounts of storage space on the network server and personal hard disks, and slows down searches of the network server, backup tapes, or individual hard disks for genuinely important documents.  The fewer documents the Firm computer has to search through, the more economical the search will be.

Accordingly, it is the Firm’s recommendation that you do not retain e-mail messages in your electronic inbox longer than 90 days.  Messages older than 90 days should be deleted from your electronic mailbox.

Internet Access

The Internet offers a vast amount of easily accessible information to those who access it. The Firm is linked to the Internet to allow all members of the firm access to information and resources for Firm purposes and in order to enable you to perform your job duties more efficiently.  Anyone accessing the Internet for non-Firm purposes must obtain authorization in advance and in writing.  Any “downloading” from the Internet by employees for their personal use must be authorized in advance and in writing.  Accessing pornographic, offensive or other inappropriate information in violation of Firm policy is expressly prohibited and may lead to discipline up to and including immediate termination.  You are urged to use common sense and judgment.


Personal Programs, Screen Savers, Wallpaper and Games

You may not load or unload any programs on the Firm’s computer system without management approval. Any unauthorized personal programs, screen savers, wallpaper or games found on the computer system will be removed from the system without contacting you. Unauthorized loading or unloading of programs may result in disciplinary action up to and including termination.

Hacking

Anyone caught “hacking,” introducing a “virus” or foreign agent, or attempting to pierce the Firm’s security arrangements on the Firm’s computer system will be subject to immediate termination.

Firm Information

Anyone who removes information concerning the Firm or the Firm’s clients or employees from any part of the Firm’s computer system and uses that information for personal reasons is subject to discipline, up to and including immediate termination.




4.    E-MAIL MANAGEMENT AND RETENTION POLICY

The Firm’s electronic mail (“e-mail”) system allows everyone in the firm to communicate with each other internally and with outside individuals, companies and agencies in order to conduct the Firm’s business.  It is your responsibility to manage and protect the Firm’s business records resulting from all e-mail communications.

E-mail messages on the Firm’s computer system, including personal e-mail messages, will be treated in the same manner as any other correspondence received by the Firm.  For example, regular mail of importance is kept, whereas junk mail is discarded.  The Firm reserves the right to access, review, copy, delete or disclose them for any purpose. Accordingly, you should not use the Firm e-mail system to transmit personal information you wish to keep private.      

All e-mail communications are subject to discovery during legal proceedings and can be used as electronic evidence in the event the Firm is involved in litigation.  Furthermore, unmanaged and unidentified e-mail messages residing on the Firm’s computers may pose a threat to the Firm’s ability to document and reconstruct business and decision-making processes.  

The following policy advises you of your responsibilities regarding the routine removal of messages from electronic file folders, and the storage and retention of e-mail communications which constitute official Firm records.

E-mail messages generally fall into three categories:

1.    Records which document the business of the Firm, such as those involving clients.  These types of e-mail should promptly be printed and a hard copy should be placed into the relevant subject matter file.  Internal e-mails pertaining to internal Firm business and employee and personnel matters will be kept by the Personnel Manager.
    
2.    Messages that have a limited or transitory value to the Firm, such as a message announcing the date and time of a meeting, need not be saved pursuant to this policy.  Retention of such messages serves no purpose and takes up space.  Such messages should be deleted as soon as they no longer serve an administrative purpose.  However, if the purpose of the meeting were to discuss a particular Firm project or client, the e-mail would be considered a business record and should be treated as such.
    
3.    Non-records, such as personal e-mails.  These types of e-mail messages should promptly be deleted from the electronic inbox.   

It is the Firm’s recommendation that you not retain e-mail messages in your electronic inbox longer than 90 days.  Messages older than 90 days should be deleted.  If the e-mail message pertains to Firm business, a printed hardcopy of the e-mail message must be retained for the Firm’s files.  If an e-mail is sent internally, the person who sent the e-mail is responsible for ensuring that a printed hard copy of the e-mail is put in the appropriate file.  The same is true of e-mails sent to persons outside the Firm.  With respect to e-mails received from outside parties, the person to whom the e-mail is addressed is responsible for ensuring that a printed hardcopy of the e-mail is placed into the appropriate file promptly upon its receipt.

If you are unsure as to whether to retain a particular e-mail message or the appropriate file to which it belongs, please check with the Personnel Manager.  


5.    ANTI-VIRUS AND ANTI-SPYWARE POLICY

The Firm provides corporate antivirus and antispyware software for all attached workstations.  Anyone found disabling or tampering with that antivirus software will be subject to disciplinary actions.  

Files or macros attached to an e-mail from an unknown source should not be opened.  These should be deleted from the system immediately and deleted from the “trash” folder.  

If an e-mail has been blocked by the e-mail system because of a potentially hazardous attachment, and the sender is known and the e-mail is expected, contact the IT Administrator for access to that e-mail.

Users who work at home on Firm projects are required to maintain antivirus, antispyware and firewall protection on their home computers.  If such protection is not already on a user’s home system, contact the IT Administrator for inexpensive resources for this home protection.

Delete spam, chain and other junk mail and do not forward any e-mails regarding potential viruses.  Many times these are hoaxes and should not be forwarded.

6.    PASSWORD POLICY

The Firm will change employee passwords on an as needed basis.  It is recommended that the following guidelines are used when setting up any Firm password:

•    The password should not contain less than eight characters.
•    The password is a word not found in a dictionary (English or foreign).
•    The password is not a common usage word such as:
o    Names of family, pets, friends, co-workers, fantasy characters, etc.
o    Computer terms and names, commands, sites, companies, hardware, software.
o    The words “<Firm Name>”, “sanjose”, “sanfran” or any derivation.
o    Birthdays and other personal information such as addresses and phone numbers.
o    Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
o    Any of the above spelled backwards.
o    Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

Strong passwords have the following characteristics:

•    Contain both upper and lower case characters (e.g., a-z, A-Z).
•    Contain digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
•    Are at least eight alphanumeric characters long.
•    Are not a word in any language, slang, dialect, jargon, etc.
•    Are not based on personal information, names of family members, etc.
•    Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: “This May Be One Way To Remember” and the password could be: “TmB1w2R!” or “Tmb1W>r~” or some other variation.

NOTE: Do not use either of these examples as passwords!
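The password guidelines above can be turned into a checklist a firm actually enforces at password-setting time. The checker below is an added example, not code from the original post or the firm's own tooling; the firm name “examplefirm”, the small dictionary, the personal-name list and the keyboard rows are constructed stand-ins for the policy's “<Firm Name>”, dictionary and “names of family, pets, co-workers” items. It also applies every word-based rule to the candidate spelled backwards and with a leading or trailing digit removed, which is how the policy's “secret1 / 1secret” and “spelled backwards” items are covered.

```python
import re
import string

# Constructed stand-ins for the policy's "<Firm Name>", dictionary and personal words.
FIRM_WORDS = {"examplefirm", "sanjose", "sanfran"}   # assumed placeholder firm name
DICTIONARY = {"secret", "password", "welcome", "summer", "dragon", "monkey"}
PERSONAL = {"fido", "susan", "jim"}                   # pets, family, co-workers
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789",
                 string.ascii_lowercase]


def _strip_digits(word):
    """Drop one leading and/or trailing digit (covers the 'secret1' / '1secret' rule)."""
    return re.sub(r"^\d|\d$", "", word)


def _has_keyboard_walk(s, n=4):
    """True if any n consecutive characters of s run along a keyboard row or the
    alphabet in either direction (qwerty, zyxwvuts, 12345)."""
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    return any(s[i:i + n] in row for i in range(len(s) - n + 1) for row in rows)


def _is_pattern(s):
    """True for repeated-character runs (aaabbb), mirrored strings (123321)
    or keyboard walks."""
    if re.fullmatch(r"(?:(.)\1{2,})+", s):
        return True
    if len(s) >= 6 and s == s[::-1]:
        return True
    return _has_keyboard_walk(s)


def check_password(pw):
    """Return the names of the guidelines a candidate violates (empty list = acceptable)."""
    problems = []
    if len(pw) < 8:
        problems.append("length")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("mixed_case")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("digit_or_punctuation")
    core = pw.lower()
    # The policy also forbids a word spelled backwards or with a digit before/after it,
    # so every word-based rule is applied to these variants of the candidate.
    variants = {core, core[::-1], _strip_digits(core), _strip_digits(core)[::-1]}
    if variants & (DICTIONARY | PERSONAL):
        problems.append("dictionary_or_personal_word")
    if any(fw in v for fw in FIRM_WORDS for v in variants):
        problems.append("firm_word")
    if any(_is_pattern(v) for v in variants):
        problems.append("pattern")
    return problems
```

Running it on the policy's own phrase-derived example “TmB1w2R!” returns no problems, while “secret1”, “SanJose2024!” and “Qwerty123” each trip the rule the policy names for them.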


Firm Information

Any temporary employee or external consultant who removes information concerning the Firm or the Firm’s clients or employees from any part of the Firm’s computer system and uses that information for personal reasons is subject to discipline or legal action, up to and including immediate termination and lawsuit.



1 comment so far

Jim Locke on 10.31.09 at 12:02 am

Great point, Susan. Such an agreement is something we should all offer up as part of our professional agreements. I know that I will be adding it to mine. It is an easy way to differentiate yourself from the competition and demonstrate that you are the client’s “trusted advisor.”