
SECURITY ARCHITECTURE INSIDER

Mail call: Reducing risk


George Wrenn, CISSP
07.16.2004




Users rarely think about ownership when sending personal e-mail from their company accounts, but they should. A survey released last week shows almost half of large enterprises now read employees' outbound e-mail to ensure company secrets aren't leaked. This makes the establishment of ownership an essential element of an enterprise's e-mail policy.

While it may seem elementary, the first step in creating an e-mail security policy is defining what e-mail is: the message, regardless of format; attachments; and supporting infrastructure. While laws vary by jurisdiction, most states recognize that enterprises have the right to access, monitor and audit user accounts to enforce policies and take disciplinary action.

E-mail security policies should outline the roles and responsibilities of those managing the e-mail system. They set expectations as to how security managers, e-mail administrators and other department managers respond to e-mail issues and security.

At a minimum, policies should include:

--Auditing e-mail usage and policy enforcement. The policy should establish parameters for real-time monitoring and auditing of e-mail accounts and define how investigations will take place, how evidence is collected and retained, and how policy violations will be resolved (reprimand, termination or referral to law enforcement).

--Encryption. Requiring users to protect intellectual property and proprietary information is meaningless without giving them the proper security mechanism, such as encryption. An e-mail security policy should include the types of accepted encryption, when it should be used and how it will be implemented. Regulatory compliance may also be a factor.



--Access control. Only users with a need for e-mail access should be granted credentials, and those credentials should be revoked as soon as that need ends. Make sure files, mailboxes and other artifacts are backed up for future reference.

--Disclaimers. Enterprises should consider adding a disclaimer statement to the end of each e-mail, informing recipients of the sending organization's policy, the nature of the e-mail (such as "For Official Use Only") and what material it disavows. A disclaimer puts the onus on recipients to act responsibly when receiving improperly disclosed information. Disclaimers offer no guarantee of compliance, but they do establish a legal standing for making claims against those who perpetrate a security violation.

An e-mail security policy is worthless unless users see it and are periodically reminded of it. Best practice is to give new employees a copy of the policy when they are hired. Enterprises should treat e-mail security policies as dynamic documents that evolve to meet changing legal and operating conditions, technologies and threats. Annual reviews and revisions will ensure the policy keeps up with changing needs.

About the author
George Wrenn, CISSP, is a technical editor for Information Security and a security director at a financial services firm. He's also a fellow at the Massachusetts Institute of Technology.

Note: This article appeared in the July issue of Information Security magazine. Read the complete article, including information about the do's and don'ts of e-mail security and usage, and e-mail retention and liability.

All Rights Reserved, Copyright 2008 - 2009, TechTarget