Email security and compliance best practices


George Wrenn, Contributor
05.22.2008


Managing email regulatory compliance and security in the financial services sector can be a daunting task. To be certain, email speeds up the business and makes servicing customers and partners easier, but there is a dark side.

Consider one high-profile case, which involved a star investment banker at Credit Suisse First Boston (CSFB) who sent an email to more than 400 subordinates telling them to clean up their email accounts -- federal prosecutors used that email as evidence of a cover-up of improper trading at CSFB. The banker was convicted of obstruction of justice.

Let's examine the issues around email security and best practices to help manage compliance while still enjoying the benefits of this crucial communications tool.

Have a well-crafted policy
Before you can bring control to email, you must first create a policy. It may seem very basic, but your security policy must define email precisely.

A good working definition would cover all electronically transmitted messages, regardless of format (HTML, XML, RTF, etc.), attachments (documents, spreadsheets, graphics, etc.) and supporting infrastructure -- the servers that transmit and store email. For financial services, this list will include such services as Bloomberg mail and instant messaging, Internet mail providers and your in-house MS Exchange, Lotus Notes or other email system.

Refer to your information security policy or data protection policy (if available) to have a crisp definition of your company's specific data classification framework. This is important if you decide that certain information must not be transmitted insecurely, or at all, via email.

Now that you have defined what email is, it's time to consider the myriad regulations that apply to it. For most in the financial services industry, a good starting point is the US Securities and Exchange Commission; for self-regulated organizations, check with your governing body regarding regulations applicable to email.

Archiving email
The requirement to archive email for a specified period, usually 10 years, should be at the top of your list. Archiving must be done in a manner that prevents users from deleting emails that could be important in an investigation. The best way to accomplish this is to have both incoming and outgoing email archived in real time, which prevents users from mass-deleting emails. It's best to consider a secure, off-site archive. Ideally, this archive is managed by administrators without a conflict of interest, such as an outsourced provider, lessening the chance of malicious insider email and data destruction.

Your choice of archive technology and/or outsourced provider should include protections against alteration or deletion. A forensically compliant system is best. Such a system uses cryptographic checksums, hashes, encryption, signatures, timestamps and other data protection mechanisms that can stand up in an investigation or against cross-examination in a court of law. When something was emailed may be as important as what was emailed. That's why nothing less than a rock-solid, forensically compliant system will do.
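To make the "protection against altering or deletion" concrete, here is an added example (not from the article or any vendor product) of a tamper-evident archive: each message is chained to its predecessor by a SHA-256 hash, stamped with the archive's own receipt time, and the chain head is sealed with an HMAC under a key the archive operator holds. The key, clock and sample messages are constructed placeholders.

```python
# Added example (not from the article): a tamper-evident email archive.
# Each entry is chained to its predecessor by a SHA-256 hash and the chain
# head is sealed with an HMAC under a key held by the archive operator, not
# by mail users. Altering, reordering or deleting an entry breaks verify().
import hashlib
import hmac
import json
from datetime import datetime, timezone

ARCHIVE_KEY = b"example-archive-key-not-for-production"  # placeholder key
GENESIS = "0" * 64  # hash "before" the first entry

def _entry_hash(prev_hash, received_at, message):
    # Canonical JSON so the same message always hashes identically.
    payload = json.dumps({"prev": prev_hash, "received_at": received_at,
                          "message": message},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

def archive(messages, clock=None):
    """Chain messages in arrival order; return (entries, seal). The archive's
    own timestamp records when each message passed through the system."""
    clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
    entries, prev = [], GENESIS
    for msg in messages:
        received_at = clock()
        h = _entry_hash(prev, received_at, msg)
        entries.append({"prev": prev, "received_at": received_at,
                        "message": msg, "hash": h})
        prev = h
    seal = hmac.new(ARCHIVE_KEY, prev.encode(), hashlib.sha256).hexdigest()
    return entries, seal

def verify(entries, seal):
    """Recompute the whole chain and check the sealed head."""
    prev = GENESIS
    for e in entries:
        if e["prev"] != prev or \
           _entry_hash(prev, e["received_at"], e["message"]) != e["hash"]:
            return False
        prev = e["hash"]
    expected = hmac.new(ARCHIVE_KEY, prev.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, seal)

# Constructed sample traffic (placeholder addresses).
SAMPLE_MESSAGES = [
    {"from": "trader1@example.test", "subject": "Position update"},
    {"from": "md@example.test", "subject": "Please clean up your mailboxes"},
]
```

Deleting the newest entry changes the chain head and so fails the seal check; deleting or editing an older one breaks the link the next entry records.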

Supervision review capability
Supervisory review of email sent through the system is critical to meeting compliance objectives. You must have a program and policy in place that ensures regular review of the email content that is flowing through your company. The review has to be done in such a manner that it constitutes due care and monitoring to catch illicit or prohibited communications. The workflow for this may have to meet other requirements such as keyword matching, randomness, frequency, or targeting specific roles within the organization, such as the trading desk. Your systems must support these policy or regulatory requirements.
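As an added example (not from the article), the selection logic below builds a supervisory review queue from the criteria just listed: keyword matching, random sampling at a policy-set rate, and a higher rate for a targeted role such as the trading desk. The keyword list, role mapping and messages are constructed placeholders; the random draw is injectable so the behaviour can be checked deterministically.

```python
# Added example (not from the article): choosing archived messages for
# supervisory review by keyword, random sample and targeted role.
import random
import re

# Hypothetical policy lexicon and rates; a real program maintains these
# under its written supervision policy.
KEYWORDS = ["guarantee", "off the record", "clean up"]
ROLE_RATES = {"trading": 0.25, "default": 0.05}  # share sampled at random
USER_ROLES = {"trader1@example.test": "trading",
              "sales1@example.test": "sales"}   # constructed mapping

def keyword_hits(text):
    """Return the policy keywords found as whole words/phrases, any case."""
    return [k for k in KEYWORDS
            if re.search(r"\b" + re.escape(k) + r"\b", text, re.IGNORECASE)]

def select_for_review(messages, draw=random.random):
    """Return queue entries {id, reasons}; a message may be queued for more
    than one reason so the reviewer sees why it was flagged."""
    queue = []
    for m in messages:
        reasons = []
        hits = keyword_hits(m["subject"] + " " + m["body"])
        if hits:
            reasons.append("keyword:" + ",".join(hits))
        role = USER_ROLES.get(m["from"], "default")
        rate = ROLE_RATES.get(role, ROLE_RATES["default"])
        if draw() < rate:  # trading desk is sampled five times as often
            reasons.append("random-sample:" + role)
        if reasons:
            queue.append({"id": m["id"], "reasons": reasons})
    return queue

# Constructed sample traffic (placeholder addresses).
SAMPLE_MESSAGES = [
    {"id": 1, "from": "trader1@example.test", "subject": "Position update",
     "body": "Closed out the position this morning."},
    {"id": 2, "from": "sales1@example.test", "subject": "Quarterly outlook",
     "body": "Returns are a guarantee this year."},
    {"id": 3, "from": "md@example.test", "subject": "Mailboxes",
     "body": "Please clean up your accounts before Friday."},
]
```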

Detailed reporting is a must
In order to prove the effectiveness of your regulatory compliance program, you need to produce detailed reports on email activity for your auditors.

For starters, your reporting should include the following:

Don't underestimate the importance of reporting. If you miss these critical capabilities, you may find yourself with a failed audit despite otherwise solid archiving practices.

>> Read part two

About the author:
George Wrenn, CISSP, ISSEP, is a frequent contributor to SearchSecurity.com and Information Security magazine. He served as a Director of Security in the financial services industry and is now a consulting security expert. He's also a Six Sigma Black Belt, a Harvard grad and was trained in cryptography at MIT. He can be reached at mitalum@mac.com.

