E-mail Security Policy


What needs to be in an E-mail Security Policy

Every organization, large or small, needs a solid IT E-mail security policy.

The following is a checklist of the policy items that need to be considered. For each point a comment has been made in an effort to highlight why it is necessary. For many organisations this checklist will provide confirmation that they have taken appropriate steps to deal with issues associated with management of e-mail.

  • Document the level of storage that will be required for each e-mail user. Determine what the consequences will be when a user exceeds their quota (such as preventing them from sending and/or receiving e-mail).

    Comment: Most organisations have implemented such a quota as a means to control the overall growth and size of their e-mail databases. The driver is that, if the e-mail system were to fail, the size of the database determines how long it will take the IT staff to perform a Disaster Recovery of the e-mail system. Since e-mail systems rate among the more mission-critical systems in business today, this is a high concern, so the Disaster Recovery window needs to remain small.

  • Control external access to internal distribution lists (such as "all employees")

    Comment: When creating distribution lists for internal staff use, make sure that they cannot be addressed from outside the organisation; an externally reachable "all employees" list lets a single outside message (spam, a hoax or a virus) reach every mailbox at once. Some organisations strictly control who can use particular distribution lists internally by security

  • Consider performing e-mail content control to prevent trade secrets or confidential information from exiting the company

    Comment: This will be determined by the nature of the business and sensitivity of data that is being handled by e-mail. Some organisations only allow e-mail to external parties from particular users of their network. In other words they provide e-mail for internal communication purposes but strictly control who can send and receive external e-mail.

  • Implement a corporate e-mail anti-spam program

    Comment: The focus of many organisations over the last two years has been to implement mechanisms that attempt to eliminate unsolicited e-mail (spam). Many have successfully deployed products that typically reduce the volume of spam by 80% to 90%. Further development of anti-spam software should see the amount of unsolicited e-mail continue to fall in the coming years.

  • Educate users on the proper use of e-mail and how to prevent their e-mail address being disclosed to companies that might send them spam. Educate users on what to do if they do receive spam.

    Comment: Many users are still naive about the mechanisms that spammers use to harvest e-mail addresses. There should be clear steps for a user to take when spam is received: for example, forward the spam to the IT staff so they can configure the anti-spam software to block future e-mail from that sender or containing specific content.

  • Implement e-mail antivirus scanning.

    Comment: From the moment the "I Love You" e-mail worm struck a few years ago, e-mail has been the virus delivery mechanism of choice. This and subsequent e-mail-borne viruses drove businesses to implement thorough anti-virus strategies covering the desktop, the server, the e-mail system and the e-mail gateway. All current e-mail anti-virus solutions keep themselves current by automating the update process, thus minimising the window of exposure. We all depend on our anti-virus vendor to produce updated virus definitions quickly in the event of a new e-mail-borne virus. Some organisations run two different anti-virus products (for example one at the gateway and another on the mail server) so that if one vendor releases definitions before the other, they are protected by whichever updates first.

  • Implement an e-mail archiving program. Depending on the legal advice to your organisation, the archive program may be used more to destroy e-mail at set expiration dates than to preserve it. You may need to store all e-mail for a period of time to satisfy your statutory and compliance obligations. Regular archiving will also assist in controlling the size of the e-mail database.

    Comment: Most organisations have yet to satisfactorily address this issue and are exposing themselves to significant business risk by failing to comply with statutory requirements. Many organisations have implemented file-based archives (such as PST files in Outlook) which extract e-mail from the e-mail database and disperse it to multiple, effectively unknown, locations (either local drives or home directories). Because many users are governed by an e-mail size limit (as discussed earlier), they simply delete critical corporate e-mail when the limit is reached, in an effort to reclaim disk space so that they can continue using their e-mail system. The sting in the tail is that at some future point the business may be required to produce those e-mails to satisfy a compliance issue. Failure to do so could expose the business to significant legal and, probably, financial risk.

  • Develop a policy on using company e-mail for personal use (including the forwarding of jokes and chain letters) and decide what is "acceptable use." Educate users on this policy.

    Comment: Increasingly, businesses will be less tolerant of the use of business e-mail accounts for personal purposes. An e-mail culture has developed, particularly in Australia, in which people are increasingly using business e-mail for personal e-mail. Many organisations overseas, and now some in Australia, are banning the personal use of e-mail as it has proven to be a significant time waster for some employees.

  • Educate users on "phishing" scams to help prevent identity theft.

    Comment: "Phishing" is defined as "the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. Many e-mail users are still being caught providing their e-mail address inadvertently via websites.

    To summarise: Many of the policies on this checklist are being satisfactorily dealt with by most organisations. The standout issue that needs addressing more effectively is e-mail archiving. The Quill Consultancy can assist organisations in further developing their e-mail policies and can provide advice on e-mail archiving strategies. The Quill Consultancy is a reseller of the Zantaz Enterprise Archive Solution, which provides automated archiving for both Microsoft Exchange and IBM Lotus mail systems. This product can relieve the compliance issues that your organisation may face.