First and foremost please allow me to extend a Hearty Thank-You
for all the discussion and feedback, it was truly refreshing to read them.
Secondly, I was grateful for the diversity of the answers, realizing that
I did not provide a great deal of detail.
So with that end in mind I will briefly comment:
I am not concerned with telling you who I am using (vendor)
specific, but more with policy, process and procedure to address Virus
Protection for a Corportion.
The Corportion has in place an effective internal AntiVirus
protection product that is confined to the internal environment. It is
when we receive mail from external clients, customers, suppliers,
employees, from around the world that we have a problem. The virus issue
is really their problem, but we have to provide resources to detect,
deploy, eradicate, and administer the clean-up of a virus. This is a loss
in productivity for all those involved.
Therefore we are wanting to enhance our first line of defense by
implementing a AntiVirus Protection Software at the firewall. This will
hopefully minimize the impact an infected document passes through the
internal environment infecting all those it was addressed to.
Privilege not Right:
The Corporations Business Systems are for business purposes and
shall be utilized in that manner. Stated exceptions in the Information
Security Policy allows for personal use of Business Assets, when in
support of educational, community or not-for-profit organizations.
Each employee is required to sign an agreement to maintain confidentiality
of information and protection of information assets. Employees are futher
advised that monitoring of system usage is normal course of business
practice. Use of Internet resources are encouraged and permitted provided
they are business appropriate. Employees who access inappropriate sites
will be subject to ethical conduct policy of the organization, which would
include verbal warnings, written warnings and/or termination of
AntiVirus scanning software only scans a file for the executeable
code consistent with a virus. The message and or document are not visibly
viewed by a human, but by the software application.
Finally, I am very fortunate to be a part of a team (Corporation)
that is highly supportive in taking proactive measures toward all facets
of Security, something I haven't seen in a while. To that end, as the
Corporations Security Practitioner I am allowed some face time to express
those security concerns in business terms to the organization. By
learning to effectively manage and merge both security and business the
critial success factors can be achieved.
Again, Thank-you all for the dialog and input. We hopefully will
render a decision within a week.
Charles L. Johnson
Sr Mgr I/T Security and Asset Management