Editor's note: In part one of his email security and best practices tip, expert George Wrenn discusses how to capture emails, securely archive the messages and produce detailed reporting. Read part two for more of Wrenn's best practices.
Searching and discovery support
At this stage, you have a good understanding of what it takes to document, capture, review and report on your email compliance program. This is all good until you get hit with your first discovery request, which can turn your world upside down. A simple email discovery request can cost hundreds of thousands of dollars in labor, lost productivity, hardware and software when all is said and done.
It is therefore very important that your implementation supports robust and secure search capabilities. A discovery request can include specific users, keywords, phrases or time periods (sometimes all at once). Sometimes searches can produce damaging information that is not material to the investigation. For example, inappropriate activity recorded in email is often discovered as a byproduct of the search, and the release of this information to outsiders could have consequences.
Your email archiving tool should offer laser-precise search capability and be able to target searches to a limited set of email messages.
All the archiving in the world is not going to stop sensitive data from leaking out of the enterprise. There are two basic concerns with data leakage. The first is the data in the archive. It should be encrypted with a well-known, strong, trusted algorithm, such as the Advanced Encryption Standard (AES). The external provider should not be able to access your data in the archive. Also, in the event of a system breach, the email won't be disclosed if it is protected by strong encryption.
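To make the archive-encryption point concrete, here is an added example (not code from the article or from any archiving product) that seals each archived message with AES in GCM mode under a 256-bit key the firm holds itself, so the provider stores only ciphertext. The struct and function names, the message ID format and the sample message body are all constructed for the example; the key is bound to nothing but the firm's own key store, which is the assumption behind "the provider cannot access your data."

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ArchivedMessage is what the external archive provider stores. Only the
// message ID stays in the clear so the archive can index and retrieve it.
// (Hypothetical record layout for this example.)
type ArchivedMessage struct {
	MessageID  string
	Nonce      []byte
	Ciphertext []byte // body plus the 16-byte AES-GCM authentication tag
}

// NewArchiveKey creates a 256-bit AES key. The firm keeps it (in an HSM or
// key-management service); the provider never receives it.
func NewArchiveKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealMessage encrypts one email under the firm's key. The message ID is bound
// as additional authenticated data, so a stored body cannot be re-filed under a
// different ID without the tag check failing at retrieval time.
func SealMessage(key []byte, messageID string, plaintext []byte) (ArchivedMessage, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return ArchivedMessage{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce for every message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return ArchivedMessage{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(messageID))
	return ArchivedMessage{MessageID: messageID, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenMessage decrypts an archived record. Any change to the body, tag, nonce
// or ID, or use of the wrong key, yields an error rather than garbled data.
func OpenMessage(key []byte, m ArchivedMessage) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, m.Nonce, m.Ciphertext, []byte(m.MessageID))
	if err != nil {
		return nil, errors.New("archive record failed authentication: " + err.Error())
	}
	return pt, nil
}

func main() {
	key, err := NewArchiveKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message; the address and content are made up.
	body := []byte("From: trader@example-bank.test\r\nSubject: Q3 position\r\n\r\nBuy 500 shares.\r\n")
	rec, err := SealMessage(key, "<msg-0001@example-bank.test>", body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes for %s\n", len(rec.Ciphertext), rec.MessageID)

	out, err := OpenMessage(key, rec)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(out, body))

	refiled := rec
	refiled.MessageID = "<msg-0002@example-bank.test>" // same body filed under another ID
	_, err = OpenMessage(key, refiled)
	fmt.Println("re-filed record rejected:", err != nil)
}
```

The design choice worth noting is the authenticated mode: a plain block-cipher mode would keep the provider from reading the archive, but only an authenticated mode lets the firm detect a record that was altered or swapped while in the provider's custody, which matters when the archive is later produced in discovery.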
The second concern is sensitive data leaking in emails being sent outside the firewall. To control risk, you need to define the types of data that fit this classification. This won't stop corporate espionage, but it will help keep honest users from inadvertently leaking financial data to their entire global address list.
Your data protection policy or data classification framework plays an important role in policy enforcement. Many of the email data leakage products available require a concept of classification.
The first layer of defense in secure email proxy tools is often keyword or expression matching to prevent data leakage. For example, social security numbers may take the form 000-00-0000 through 999-99-9999; a proxy would detect this pattern and block the message, perhaps triggering an event or alarm for the security administrator to review. Similarly, keyword systems may catch words like "sell short" and "hot stock" and block these types of messages. These approaches can be hit or miss and can produce false positives, inhibiting the flow of legitimate email.
To help, a second layer of defense is often required. Tagging data, documents or messages with classification levels can prevent sensitive, restricted information from leaving the company mail system. Many appliance-based tools offer a combination of technologies to prevent deliberate or accidental data leakage from emails sent beyond the firewall.
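The two layers described above, as an added example rather than code from the article or from any proxy product: layer one is the SSN pattern and phrase list the text gives, layer two is a classification tag on the message. The `OutboundMessage` fields, the `Classification` tag, the internal domain and all sample addresses and bodies are constructed for the example. It deliberately includes a message about a "hot stock of printer paper" to show the false positive the text warns about, and a tagged message with no flagged words to show what only the second layer catches.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// OutboundMessage holds the fields the proxy inspects. Classification is a
// hypothetical tag (think of an "X-Classification" header) applied by a
// labelling tool before the message reaches the gateway.
type OutboundMessage struct {
	From, To, Subject, Body string
	Classification          string
}

// Decision records whether the message may leave and why it was stopped.
type Decision struct {
	Allowed bool
	Reasons []string
}

// Layer 1: an SSN-shaped value, 000-00-0000 through 999-99-9999, as in the text.
var ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// Layer 1: trading-related phrases from the text (constructed list, matched lower-cased).
var blockedPhrases = []string{"sell short", "hot stock"}

// Layer 2: classification levels that must never cross the firewall (constructed).
var blockedClassifications = map[string]bool{"restricted": true, "confidential": true}

// isExternal reports whether the recipient's domain differs from the firm's own.
func isExternal(to, internalDomain string) bool {
	at := strings.LastIndex(to, "@")
	if at < 0 {
		return true // unparseable address: treat it as leaving the firewall
	}
	return !strings.EqualFold(to[at+1:], internalDomain)
}

// InspectMessage applies both layers to a message addressed outside the firm.
func InspectMessage(m OutboundMessage, internalDomain string) Decision {
	if !isExternal(m.To, internalDomain) {
		return Decision{Allowed: true} // internal mail is not subject to these checks
	}
	var reasons []string
	text := m.Subject + "\n" + m.Body

	// Layer 1: pattern and keyword matching. Cheap, but it cannot tell a real SSN
	// from any other nine digits in the same shape, or a stock tip from a stock room.
	if hits := ssnPattern.FindAllString(text, -1); len(hits) > 0 {
		reasons = append(reasons, fmt.Sprintf("layer1: %d SSN-shaped value(s)", len(hits)))
	}
	lower := strings.ToLower(text)
	for _, phrase := range blockedPhrases {
		if strings.Contains(lower, phrase) {
			reasons = append(reasons, "layer1: phrase "+strconv.Quote(phrase))
		}
	}

	// Layer 2: classification tag. Catches restricted material that uses no
	// flagged words at all, which is exactly where layer 1 is blind.
	if blockedClassifications[strings.ToLower(m.Classification)] {
		reasons = append(reasons, "layer2: classification "+strconv.Quote(m.Classification))
	}
	return Decision{Allowed: len(reasons) == 0, Reasons: reasons}
}

func main() {
	// Constructed sample traffic; every address and body is made up.
	samples := []OutboundMessage{
		{To: "analyst@example-bank.test", Subject: "Q3 numbers", Body: "Client 123-45-6789, see attached."},
		{To: "partner@other-firm.test", Subject: "Q3 numbers", Body: "Client 123-45-6789, see attached."},
		{To: "vendor@office-supply.test", Subject: "Reorder", Body: "Our hot stock of printer paper is nearly gone."},
		{To: "counsel@law-firm.test", Subject: "Board minutes", Body: "Minutes attached.", Classification: "Restricted"},
		{To: "friend@personal-mail.test", Subject: "Lunch?", Body: "Noon works for me."},
	}
	for _, m := range samples {
		d := InspectMessage(m, "example-bank.test")
		fmt.Printf("%-28s allowed=%-5v %v\n", m.To, d.Allowed, d.Reasons)
	}
}
```

Run as written, the printer-paper message is blocked by layer one even though it leaks nothing, while the board minutes are blocked only because of their tag; the two outcomes side by side are the reason the text recommends combining the techniques rather than relying on either alone.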
If you must send sensitive data outside the firewall, a policy requiring users to protect intellectual property and proprietary information is meaningless without giving them the proper security mechanism. Protecting electronic information exchanges is essential for financial services firms. For email, security usually means encryption.
An email security policy should include the types of accepted encryption, when it should be used and how it will be implemented.
Use disclaimers for damage control
A disclaimer statement should be added to the end of each email, informing recipients of the sending organization's policy, the nature of the email (such as "For Official Use Only") and what material it disavows. For instance, a securities trading firm may include that it accepts no responsibility for falsely or improperly sent messages, and that any violation should be reported to a security manager. A disclaimer puts the onus on recipients to act responsibly when receiving improperly disclosed information.
Disclaimers offer no guarantee of compliance, but they do establish a legal standing for making claims against those who perpetuate a security violation.
Governance is key
Email security policies should outline the roles and responsibilities of those managing the email system. Set expectations as to how security managers, email administrators and other department managers respond to email issues and security.
An email security policy is worthless unless users are presented and periodically reminded of it. Best practice is to give new employees a copy of the policy when they are hired. Enterprises should treat email security policies as dynamic documents that evolve to meet changing legal and operating conditions, technologies and threats. Annual reviews and revisions will ensure the policy keeps up with changing needs.
The financial services sector has one of the most difficult email security challenges of any industry. Follow these proven best practices that can help mitigate your regulatory email risks through sound policy, secure archiving, supervisory review practices, audit reporting and data leakage prevention.
About the author:
George Wrenn, CISSP, ISSEP, is a frequent contributor to SearchSecurity.com and Information Security magazine. He served as a Director of Security in the financial services industry and is now a consulting security expert. He's also a Six Sigma Black Belt, a Harvard grad and was trained in cryptography at MIT. He can be reached at firstname.lastname@example.org.