Mail call: Reducing risk

Users rarely think about ownership when sending personal e-mail from their company accounts, but they should. A survey released last week shows almost half of large enterprises now read employees' outbound e-mail to ensure company secrets aren't leaked. This makes the establishment of ownership an essential element of an enterprise's e-mail policy.

While it may seem elementary, the first step in creating an e-mail security policy is defining what e-mail is: the message, regardless of format; attachments; and supporting infrastructure. While laws vary by jurisdiction, most states recognize that enterprises have the right to access, monitor and audit user accounts to enforce policies and take disciplinary action.

E-mail security policies should outline the roles and responsibilities of those managing the e-mail system. They set expectations as to how security managers, e-mail administrators and other department managers respond to e-mail issues and security.

At a minimum, policies should include:

--Auditing e-mail usage and policy enforcement. The policy should establish parameters for real-time monitoring and auditing of e-mail accounts, and define how investigations will take place, how evidence is collected and retained, and how policy violations will be resolved (reprimand, termination or referral to law enforcement).

--Encryption. Requiring users to protect intellectual property and proprietary information is meaningless without giving them the proper security mechanism, such as encryption. An e-mail security policy should include the types of accepted encryption, when it should be used and how it will be implemented. Regulatory compliance may also be a factor.

--Access control. Only users with a need for e-mail access should be granted credentials, and those credentials should be revoked as soon as that need ends. Make sure files, mailboxes and other artifacts are backed up for future reference.

--Disclaimers. Enterprises should consider adding a disclaimer statement to the end of each e-mail, informing recipients of the sending organization's policy, the nature of the e-mail (such as "For Official Use Only") and what material it disavows. A disclaimer puts the onus on recipients to act responsibly when receiving improperly disclosed information. Disclaimers offer no guarantee of compliance, but they do establish a legal standing for making claims against those who perpetuate a security violation.

An e-mail security policy is worthless unless users see it and are periodically reminded of it. Best practice is to give new employees a copy of the policy when they are hired. Enterprises should treat e-mail security policies as dynamic documents that evolve to meet changing legal and operating conditions, technologies and threats. Annual reviews and revisions will ensure the policy keeps up with changing needs.

About the author
George Wrenn, CISSP, is a technical editor for Information Security and a security director at a financial services firm. He's also a fellow at the Massachusetts Institute of Technology.

Note: This article appeared in the July issue of Information Security magazine. Read the complete article, including information about the do's and don'ts of e-mail security and usage, and e-mail retention and liability.

This was first published in January 2008
