Users rarely think about ownership when sending personal e-mail from their company accounts, but they should. A survey released last week shows that almost half of large enterprises now read employees' outbound e-mail to ensure company secrets aren't leaked. Establishing ownership is therefore an essential element of an enterprise's e-mail policy.
While it may seem elementary, the first step in creating an e-mail security policy is defining what e-mail is: the message, regardless of format; attachments; and supporting infrastructure. While laws vary by jurisdiction, most states recognize that enterprises have the right to access, monitor and audit user accounts to enforce policies and take disciplinary action.
E-mail security policies should outline the roles and responsibilities of those managing the e-mail system. They set expectations as to how security managers, e-mail administrators and other department managers respond to e-mail incidents and security issues.
At a minimum, policies should include:
--Auditing e-mail usage and policy enforcement. The policy should establish parameters for real-time monitoring and auditing of e-mail accounts, and define how investigations will take place, how evidence is collected and retained (so that it remains usable in disciplinary or legal proceedings) and how policy violations will be resolved (reprimand, termination or referral to law enforcement).
--Encryption. Requiring users to protect intellectual property and proprietary information is meaningless without giving them the proper security mechanism, such as encryption. An e-mail security policy should include the types of accepted encryption, when it should be used and how it will be implemented. Regulatory compliance may also be a factor.
--Access control. Only users with a need for e-mail access should be granted credentials, and those credentials should be revoked as soon as that need ends, such as on termination or a change of role. Make sure files, mailboxes and other artifacts are backed up for future reference before an account is removed.
--Disclaimers. Enterprises should consider adding a disclaimer statement to the end of each e-mail, informing recipients of the sending organization's policy, the nature of the e-mail (such as "For Official Use Only") and what material it disavows. A disclaimer puts the onus on recipients to act responsibly when they receive improperly disclosed information. Disclaimers are a notice, not a technical control: they offer no guarantee of compliance, but they do establish a legal standing for making claims against those who perpetuate a security violation.
An e-mail security policy is worthless unless users see it and are periodically reminded of it. Best practice is to give new employees a copy of the policy when they are hired and to have them acknowledge it, which also supports enforcement later. Enterprises should treat e-mail security policies as dynamic documents that evolve to meet changing legal and operating conditions, technologies and threats. Annual reviews and revisions will ensure the policy keeps up with changing needs.
About the author
George Wrenn, CISSP, is a technical editor for Information Security and a security director at a financial services firm. He's also a fellow at the Massachusetts Institute of Technology.
Note: This article appeared in the July issue of Information Security magazine. Read the complete article, including information about the do's and don'ts of e-mail security and usage, and e-mail retention and liability.