The InfoSec Blog

About Social Networking policy

Posted by antonaylward


Policy development is one of my areas of practice, so when a colleague on a mailing list asked about how to phrase policy to deal with the social networks (Facebook, Twitter, Myspace, etc.) and what the "best practices" are, I came out of my shell to reply.

(We'll skip over the oxymoron "best practices" since "Context is Everything".)

The phrase

"Use of corporate resources ..."

is a wonderful one to use to prefix just about any policy statement or justification. In one workshop on policy development that I ran, someone pointed out that it applied to access to the company parking lot!

The issue here isn't "social networking", no matter how much the media and ZDNet would have you believe otherwise. It boils down to a few very clear and easy-to-enumerate issues:

Text vs HTML: what is more secure?

Posted by Anton Aylward

There are "good" mailing lists and "not so good" mailing lists from the point of view of security.

Try posting HTML mail to a "good" list and one of two things will happen.

  1. If you have a mailer that includes the plain text then the list
    software will discard the HTML part and forward the plain text to
    the list with a message reading

    [Non-text portions of this message have been removed]

    I'm sure you've seen that message in posts on yahoogroups and similar.

  2. If you have a mailer that doesn't include the plain text
    then one of two things may happen:

    1. The plain text version is displayed but, being null, the text that appears is
      empty; you still get

      [Non-text portions of this message have been removed]

      I'm sure you've seen that too.

    2. The list software does its best to convert the HTML to plain text by stripping
      off the HTML tags. This works, but may
      produce some odd results. However, you still get

      [Non-text portions of this message have been removed]
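
The three outcomes listed above can be reproduced with Python's standard `email` package. This is an added example, not code from the post or from any list software; the names `to_list_text`, `html_to_text` and `sample` are hypothetical, the messages are constructed, and it goes slightly beyond the text by also dropping attachments and `<script>`/`<style>` bodies.

```python
from email.message import EmailMessage
from html.parser import HTMLParser

NOTICE = "[Non-text portions of this message have been removed]"

class TagStripper(HTMLParser):
    """Keep text nodes only; drop tags and script/style bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.chunks.append(data)

def html_to_text(html):
    parser = TagStripper()
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(parser.chunks).split())

def to_list_text(msg, convert_html=True):
    """Return the text-only body a strict list would forward for msg."""
    plain, html, removed = [], [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain" and part.get_content_disposition() != "attachment":
            plain.append(part.get_content())
            continue
        removed = True                    # every other part is discarded
        if ctype == "text/html":
            html.append(part.get_content())
    if plain:                             # case 1: forward the plain part
        body = "\n".join(plain).strip()
    elif html and convert_html:           # case 2.2: strip the tags
        body = html_to_text("\n".join(html))
    else:                                 # case 2.1: empty body, notice only
        body = ""
    return f"{body}\n\n{NOTICE}".strip() if removed else body

def sample(plain=None, html=None):
    """Build a constructed message (not real list traffic)."""
    msg = EmailMessage()
    msg.set_content(plain if plain is not None else html,
                    subtype="plain" if plain is not None else "html")
    if plain is not None and html is not None:
        msg.add_alternative(html, subtype="html")
    return msg
```

Because only text nodes survive, active content and remote references in the HTML part never reach subscribers; the price is the "odd results" the post mentions, such as words split wherever inline tags were.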