Security Policy Management: Email Risk Controls

E-policy is a corporate statement and set of rules to protect the organization from casual or intentional abuse that could result in the release of sensitive information, IT system failures or litigation against the organization by employees or other parties.

As email has become commonplace and informal in its usage, it is especially important that security policy is enforced by, and integrated with, your email systems, so that compliance is certain and does not depend on users remembering to act.

First-line security defenses include virus controls, firewalls and password usage, but email security is all too frequently left unmanaged, leaving the organization exposed to a growing level of risk in its communications.

Technical support for an email e-policy can include enforced password protection of attachments and enforced encryption of message content and attachments. (Password-protecting an attachment is only as strong as the password and the way it is shared with the recipient; it is not a substitute for proper encryption.) Content searching, attachment removal, and auditing and housekeeping of mailbox and folder access permissions are other policy ingredients.

Why is it needed?

With the growth of email usage and ease of access to the internet, it is easy for employees to send out confidential or copyrighted documents that could be commercially damaging or result in legal action. Material circulated by email, perhaps gathered from outside the company, could give rise to claims by other employees (for example, jokes and attachments leading to sexual harassment charges). It is also easy to receive external documents containing viruses, which could seriously damage your systems and cause severe disruption to the organization. Finally, employees may ignore the e-policy and send unprotected emails and attachments to third parties.

Equally, with temporary workers coming and going and internal staff moving between roles, access to departments' public folders drifts away from what was intended unless permissions are reviewed and corrected regularly, and ideally automatically. Individual mailboxes can likewise be exposed through 'Send on Behalf' rights granted to, for example, a temporary PA account and never withdrawn.

Of course, technology is only part of the solution and can only help you enforce your e-policy, but when used appropriately it can substantially decrease the risk inherent in email usage. Enforcing e-policy can also help you to clean up your email system with regard to excess storage space taken up by unwanted or un-needed attachments, whether work-related or personal.

Implementing an effective e-policy

The responsibility for successful e-policy lies with both management and employees. Management needs to decide what is appropriate to the organization, lay down a set of rules or guidelines (a policy) and inform all employees of this. Employees need to understand the risks to the organization and ramifications of not following the procedures laid down.

There are a number of steps you can take to implement a policy:

  • Monitor messaging and internet activity, prior to implementing a policy. Try to understand how your system is being used. This will enable you to focus on the key issues.
  • Produce guidelines and a methodology of working that will define the organization's requirements for an e-policy.
  • Get buy-in and participation from all senior management.
  • Use your staff training set-up or Human Resources department to put together a formal education program for employees to make them aware of the issues and the consequences to the organization and its employees of policy breaches. This will result in a statement of acceptable behavior.
  • Give employees an addendum to their contract, or add a section to the employee handbook, that lays out what they should and should not do and the consequences of contravening the rules.
  • Ensure your employees understand how enforcement will take place, and have formal procedures for discipline and grievances.
  • Monitor your system after implementation of a policy and make sure employees understand this is happening.
  • Ensure you are not placing unrealistic expectations on your staff in the management of your system security. For example, if you are using email encryption, ensure that key management is properly structured in personnel terms, not just left to a junior technician to manage.
  • Measure your results.

Of course, your organization needs to be aware of external influences on e-policy. These may include

  • local laws (on privacy for example);
  • viruses and the use of email attachments: the damage they can do, and how you can prevent them (at the desktop, server or gateway);
  • copyright material: your company's own trade secrets and copyright material as well as other companies' copyrighted material;
  • privacy: employees' rights and expectations;
  • spoofing and spamming: changes in laws and how offenders can be tracked down;
  • inappropriate content and/or inappropriate destination of emails: methods of enforcing and tracking this and the use of disclaimers.

"Some of this seems petty!"

Perhaps, but with the electronic age, the internal office is changing rapidly. The concept of workgroups - where a group of co-workers on a project may reside in different countries or continents - is common business practice. However, these groups change over time and your organization needs to have a practice to check and manage access to, for example, email public folders. We have heard of instances where whole directories of departments' work have been deleted (by mistake or intentionally) by someone who should not have had access to them. Also, responsibilities may change and someone who has access to, for example, the MD's mailbox and calendar as a PA, should not retain that after moving to a different role.
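The housekeeping described above (and in the earlier paragraph on temporary workers and 'Send on Behalf' rights) can be automated by comparing a permissions export against the staff directory. The following Python is an added example written for this article, not C2C's product: the directory, the permission records, the audit date and the rule that a delegated right is tied to the role it was granted for are all constructed assumptions. A real deployment would feed it exports from the mail system and the HR directory and pass the findings to whatever removes the rights.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    """One directory entry (constructed for the example)."""
    account: str
    dept: str
    role: str
    active: bool
    contract_end: Optional[date] = None   # set for temporary workers


@dataclass(frozen=True)
class Grant:
    """One access right from a permissions export (constructed)."""
    target: str          # mailbox address or public folder path
    owner_dept: str      # department that owns the target
    grantee: str
    right: str           # e.g. "SendOnBehalf", "FullAccess", "Editor"
    granted_role: str    # role the grantee held when the right was given


# Constructed sample directory: assumption, not a real export.
DIRECTORY = {
    "jsmith": Person("jsmith", "Finance", "Analyst", True),
    "pjones": Person("pjones", "Sales", "Manager", True),   # was the MD's PA
    "tkelly": Person("tkelly", "Exec", "PA", True, contract_end=date(2003, 3, 31)),
    "rlee":   Person("rlee", "Finance", "Clerk", False),    # has left
}

# Constructed sample permissions export: assumption, not a real export.
GRANTS = [
    Grant("md@example.com", "Exec", "tkelly", "SendOnBehalf", "PA"),
    Grant("md@example.com", "Exec", "pjones", "SendOnBehalf", "PA"),
    Grant("Public Folders/Finance/Contracts", "Finance", "jsmith", "Editor", "Analyst"),
    Grant("Public Folders/Finance/Contracts", "Finance", "rlee", "Editor", "Clerk"),
    Grant("Public Folders/Finance/Contracts", "Finance", "ghost", "Owner", "Contractor"),
]

# Date the audit is run (constructed to match the article's period).
AUDIT_DATE = date(2003, 4, 29)


def audit_grants(grants, directory, today):
    """Return (grant, reason) for every right that should be revoked.

    Rules, in order: unknown account, account disabled, temporary
    contract expired, role changed since the right was granted, and
    grantee no longer in the department that owns the target."""
    findings = []
    for g in grants:
        p = directory.get(g.grantee)
        if p is None:
            findings.append((g, "grantee not in directory"))
        elif not p.active:
            findings.append((g, "grantee has left"))
        elif p.contract_end is not None and p.contract_end < today:
            findings.append((g, "temporary contract ended"))
        elif p.role != g.granted_role:
            findings.append((g, f"role changed {g.granted_role} -> {p.role}"))
        elif p.dept != g.owner_dept:
            findings.append((g, f"grantee now in {p.dept}, target owned by {g.owner_dept}"))
    return findings


def revocations_by_target(findings):
    """Group findings so each mailbox/folder owner gets one list to action."""
    grouped = {}
    for g, reason in findings:
        grouped.setdefault(g.target, []).append((g.grantee, g.right, reason))
    return grouped


if __name__ == "__main__":
    for target, items in revocations_by_target(
            audit_grants(GRANTS, DIRECTORY, AUDIT_DATE)).items():
        print(target)
        for grantee, right, reason in items:
            print(f"  revoke {right} from {grantee}: {reason}")
```

Running the audit on a schedule, and treating every finding as a revocation unless the owner re-approves it, turns the one-off clean-up the article describes into routine housekeeping.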

Finally, whether you think tolerances in your own country are liberal or puritanical, they are likely to be very different from other countries. Political, sexual and religious beliefs and rights vary widely, and cannot and must not be taken for granted. At best an inappropriate joke on email may cause offence, at worst it could lead to claims against your organization. Laws vary from country to country and email abuse is being taken very seriously, with legal action being taken against offending organizations and individuals.

What technology do you need?

There are a number of software packages around to help you counter these points, but not all of these needs are addressed by any one product. In the context of the increasing usage of email, you will probably require software that can provide the following:

  • Content searching to check and act on the content of emails by granular rules based on your e-policy.
  • Permissions auditing and correction tools, for regular security review and periodic housekeeping of the email system.
  • Enforced password protection and encryption for email attachments.
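As an added illustration of the first and third items (content searching and attachment removal), the Python below parses one message, applies a small constructed rule set and returns the actions a gateway would take, together with the message with the blocked attachment removed. This is example code written for this article, not code from C2C or any product: the organization domain, the blocked extensions, the sensitive-word pattern and the sample message are all assumptions. Rule 1 only flags that encryption is required; applying it would be the job of the gateway's encryption component.

```python
import os
import re
import email
from email import policy
from email.message import EmailMessage

# Constructed policy for this example (an assumption, not a product rule set).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".js", ".bat"}
SENSITIVE_PATTERN = re.compile(r"\b(confidential|internal only|trade secret)\b", re.I)
INTERNAL_DOMAIN = "example.com"   # hypothetical organization domain


def build_sample_message() -> bytes:
    """Constructed test message: an internal user mails a partner a
    marked-confidential body, an executable and a PDF."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@partner.example.net"
    msg["Subject"] = "Q3 pricing"
    msg.set_content("CONFIDENTIAL: pricing sheet attached, do not forward.")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application",
                       subtype="pdf", filename="pricing.pdf")
    return msg.as_bytes()


def enforce_policy(raw: bytes):
    """Apply the rules to one message. Returns (actions, sanitized_bytes).

    actions is a list of (rule, detail) tuples the gateway would log or act on;
    sanitized_bytes is the message with blocked attachments removed and a
    header recording what was done, so later hops and auditors can see it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    actions = []

    to_header = msg["To"]
    recipients = list(to_header.addresses) if to_header else []
    external = any(a.domain.lower() != INTERNAL_DOMAIN for a in recipients)

    # Rule 1: sensitive markers in subject or body of a message leaving the organization.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    if external and SENSITIVE_PATTERN.search(text):
        actions.append(("require_encryption", "sensitive marker in outbound text"))

    # Rule 2: strip attachments whose file extension the policy forbids.
    stripped = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            stripped.append(part)
            actions.append(("strip_attachment", name))
    if stripped and msg.is_multipart():
        # Message objects compare by identity, so this drops exactly the flagged parts.
        msg.set_payload([p for p in msg.get_payload() if p not in stripped])

    msg["X-EPolicy-Actions"] = "; ".join(f"{r}={d}" for r, d in actions) or "none"
    return actions, msg.as_bytes()


def remaining_attachments(raw: bytes):
    """Filenames still attached to a (sanitized) message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]


if __name__ == "__main__":
    acts, clean = enforce_policy(build_sample_message())
    for rule, detail in acts:
        print(f"{rule}: {detail}")
    print("attachments kept:", remaining_attachments(clean))
```

Matching on file extension alone is the weakest form of attachment control; a production gateway would also inspect the file's actual type, look inside archives and scan with the virus control mentioned earlier. The point here is that the rules are expressed on message structure and content rather than relying on the sender.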

In conclusion, e-policy enforcement in the context of email is a new and evolving issue, but one that needs addressing, and awareness raising, before practice becomes too lax and users expose the organization to avoidable risk.

Ann James is marketing manager for C2C Systems (
C2C Systems Ltd are exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29- May 1, 2003.
