Benefits of Cloud Computing http://fitnessfuture.com/

Effective email policies: Why enforcing proper use is critical to security

August 12th, 2010

Acceptable use policy and IT security

While banning staff from sending or receiving personal emails is unrealistic, organizations can set boundaries that define reasonable, excessive or inappropriate use, through a comprehensive, updated and enforced email acceptable use policy (AUP). A well-articulated email AUP addresses four core security and operational areas:

Compliance

Safe working environment

Data leakage

Asset abuse.

A framework for corporate governance

According to IDC Research 97 billion emails are sent worldwide each day1, and it is estimated that 80 percent of an organization's operational records are stored within the email infrastructure.

Governments around the world have responded to email's growing use as a business-critical tool by introducing increasing levels of legislation governing the security, storage and retrieval of email. Falling foul of such legislation not only damages an organization's reputation, but can lead to fines, market de-listings and, in extreme cases, prosecutions and prison sentences for senior management.

Keeping abreast of such legislation is challenging, and an AUP can help by providing a formal framework that is easily reviewed, audited and enforced to ensure compliance.

Increasing compliance

Email is now central to the day-to-day operation of practically all organizations, regardless of size or sector. Yet, while it is far too important to lock down, email poses a large enough risk where it cannot be left unregulated, especially as nearly all employees expect a certain level of personal email use while at work. According to employers, however, it is their own workforces that pose the greatest threat to security (figure 1).

Effective email policies: why enforcing proper use is critical to security

Creating a safe working environment

An email AUP will promote a safe, productive working environment where employees can operate without fear of exposure to illegal, abusive, inappropriate or malicious material, such as pornography, jokes, harassment or threats. By removing ambiguity and ensuring all employees work to the same rules, the policy sets clear expectations on what constitutes acceptable email content.

Preventing leakage of confidential information

According to IDC email is the number one source of leaked business information2. Additional research confirms that most organizations are concerned about the loss of sensitive data via email.

Most of the time this can be accidental (thanks to functions like Autofill) with research showing that half of employees have sent a message containing sensitive or potentially embarrassing information by mistake3. In addition, analysts The Radicati Group found that 77 percent of users have forwarded business emails to their personal accounts in order to complete work when away from the office4. Even this most innocent of practices can leave an organization in breach of compliance regulations and can place commercial information in unauthorized hands.

Preventing asset abuse

Excessive and/or inappropriate personal use of email wastes bandwidth and places

storage archives under strain, impacting on an organization's ability to use its email infrastructure.

This is particularly problematic when employees circulate non-critical attachments, such as family photos or videos. Prohibiting or restricting this practice preserves the integrity of the email system and can extend the life of storage solutions. It also ensures that IT staff remain focused on their core responsibilities and do not spend time clearing personal emails from the system.

What an AUP should cover

An AUP should set out exactly how an employee is expected to use an organization's email system, containing prescriptive advice on best practice and clearly defining prohibited behavior.

It is essential that regulations are explicitly stated and easily understood. The content of an AUP will vary between organizations, reflecting their regulatory environment, email quantity, IT resources and culture. Some may choose to incorporate rules governing email use into a wider AUP that covers all technology use, from telephones to web browsing to photocopying.

use is critical to security

However, in general, an email AUP covers three

main elements:

Appropriate and inappropriate email use

Policy enforcement

Policy sanctions.

Areas that should always be covered include:

Inbox management

In response to the continued growth in email use, organizations should attempt to limit the volume of messages stored in employee mailboxes. The number of emails held in archiving systems that capture both internal and external mail should also be limited, ensuring resources are not overloaded and allowing for easy message retrieval.

Circulation of attachments

Users commonly view email as a quick method of sharing content with colleagues. However, this practice needlessly uses up bandwidth and archive space. Instead, all attachments should be removed before an email is stored and saved on an appropriate server. Additionally, employees should be instructed on how to use shared network folders to circulate files internally, rather than attaching them to emails. Consider that one person sending a 5 MB attachment to five other employees results in more than 25 MB of email server storage requirements. Placing this file on a shared server and circulating a link to its location not only greatly reduces the size of the email, it prevents unnecessary duplication of files across multiple locations.

Remote access of email services

Rules should be set governing remote access to the corporate email network, both from employees' own computers and over the internet/public Wi-Fi networks. Some organizations ban this practice altogether, while others permit it only if the computer accessing the network is certified as secure by, for example, a network access control (NAC) solution.

Personal/non-business critical use of email

File types categorized as non-business critical (for example, JPEGs, MP3s, executables and anything considered potentially malicious) should not be received or sent. The dissemination of illegal, offensive or other inappropriate content should also be prohibited. Employees should understand that companies are obliged to report any unlawful behavior to the authorities, and that inappropriate activity can invoke disciplinary proceedings. Some organizations may also choose to block access to web-based email services, such as Hotmail and Gmail.

AUP enforcement

The email AUP must be enforced if employees are to adhere to its rules. If they realize that their messages are reviewed and stored ' and then retrieved if needed ' employees might think twice before misusing the email system. An AUP should provide total transparency about how an organization intends to police its email system, ensuring that there are no surprises in the event of disciplinary action being invoked.

Enforcement through technology

The key to enforcement is the deployment of IT security solutions capable of auditing everyday email use, spotting and tracking potential or confirmed violations and notifying the appropriate managers if a violation has occurred. Although it is not necessary to inform staff about the actual technology behind the solutions deployed, it is worth explaining their top-level capabilities.

*This is an example only. You should seek formal legal guidance when developing your own AUP.

Effective email policies: why enforcing proper use is critical to security

Gateway email protection. Commonly deployed to block spam and malicious emails from entering networks, gateway protection is highly effective at stopping suspicious or unwanted file attachments, offensive content and sensitive corporate information. The leading solutions scan outbound and inbound messages and attachments, ensuring that no unauthorized content leaves the network. Organizations can choose either to block or quarantine these emails, and administrators are automatically notified of attempted violations.

Email server protection. Security solutions at the email server level protect against the internal circulation of unwanted content. By scanning inter-departmental emails for jokes, photos, chain letters, malware and confidential information which the recipient has no authority to access, organizations can further bolster their email security. As with gateway protection, any violation will be flagged up to the relevant managers.

Endpoint protection. Organizations that permit access to web-based mail over the corporate network should ensure that all endpoint computers ' desktops, laptops and mobile devices ' are running up-todate security software. Emails from webmail accounts bypass corporate gateway defences, and so have an unobstructed route into an organization. Endpoint protection closes this loophole by picking up any malicious or unwanted content that employees attempt to download from this source.

Procedures for reporting misuse

Employees should be encouraged to report the alleged misuse of email resources and a clear and anonymous procedure must be put in place to facilitate this.

Sanctions for breaching AUP regulations

All users must understand the potential consequences of not complying with the email

AUP. These consequences will depend on several factors, including whether the abuser is a first or repeat offender, whether the breach represents illegal, offensive or merely wasteful behavior, the regulatory environment in which the company operates and the firm's cultural outlook. The sanctions will relate to the severity of the offense, ranging from verbal and written warnings, and on to dismissals.

Who is responsible for the AUP?

The HR IT, and legal departments are all stakeholders in the creation and enforcement of an email AUP. Employees should also contribute to an AUP, enabling greater transparency and buy-in and ensuring that everyone is aware of its existence. At some organizations, the CEO or other board members may take an active involvement, as they can be held personally liable for email misuse by any employee. Typically, staff from all three departments should work together to develop the policy, with specific responsibilities divided as follows.

HR role

The HR department owns the overall process of developing an email AUP, taking responsibility for awareness, distribution and training. Using data provided by the IT department, and by responding to reports of alleged misuse, HR conducts audits to ensure that rules are observed, investigates suspected policy contraventions, and implements disciplinary procedures.

Effective email policies: why enforcing proper use is critical to security

IT role

By using the security solution's reporting features, the IT team generates the forensic evidence needed to identify and log email abuse. The data gathered represents the company's principal source of security intelligence, and can be pieced together to analyze each breach and pinpoint the staff responsible. This information can then escalated to HR.

The IT department also advises HR on the changing capabilities of the organization's IT defenses. For example, if a new solution is deployed to scan outbound messages for sensitive material (e.g. credit card or social security numbers), the AUP might need to be amended and email users might require additional training.

Legal role

The in-house or external legal department ensures that the AUP is in line with legal and compliance requirements, and will advise HR to amend it if regulations change.

Summary

While the threat of spam and malware is usually linked to inbound emails, an organization's own users can often cause just as much or more damage through the emails they send or share.

Employees can be responsible for data leakage,

the dissemination of inappropriate or offensive content, and consuming bandwidth through the unnecessary sharing of files, each of which represent a considerable threat to the email network. To ensure that employees recognize these risks, organizations should implement a comprehensive email acceptable use policy which, to be effective, requires enterprise-grade security solutions for the gateway, the email server and all endpoint computers.

Effective email policies: why enforcing proper use is critical to security

MFrizzi

This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including: Rate this Article:

0 / 5 stars - 0 vote(s) Print Email Re-Publish

About the Author:

This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware.

Author: MFrizzi
Cloud Computing Benefits http://bestcloudapplications.com/