For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Subscribe to
Computerworld 40 years of the most authoritative source of news and information for IT leaders.
Top 10 tips for setting a secure communications policy
or
Other Security Stories
|
|
|
|
January 22, 2003 (Computerworld) -- Employee misuse of corporate e-mail has been a source of liability for numerous organizations, and many are now moving to develop policies that define appropriate usage. Businesses are also increasingly adopting policies to ensure that government regulations are met, sensitive business data is secure and customer privacy is protected.
Below, in no particular order, are the top 10 things IT policy-makers should consider when developing corporate e-mail policies.
1. Clearly outline all personal use restrictions.
One of a company's paramount concerns when developing a corporate e-mail policy should be to explicitly define what constitutes acceptable use of the organization's e-mail system. The policy should clearly state whether personal use is permitted, and if so, how much (number of e-mail messages, percentage of hours in the office, etc.). If employees are granted personal use, steps should be taken to outline what types of correspondence and content will be considered unacceptable or offensive.
Ken Beer is product line manager of Tumbleweed Communications, a Redwood City, Calif.- based provider of secure messaging applications. He can be reached at ken.beer@tumbleweed.com
Electronic versions of company business plans, human resource files and product development road maps have rapidly replaced physical materials as an organization's most valuable corporate assets. Leading analyst groups estimate that between 70% and 90% of a company's intellectual capital now exists in digital form, and Gartner Inc. values the loss of business information through e-mail at more than $24 billion per year. It's vital that every employee understand the critical seriousness of transmitting the company's digital assets and know that it isn't permitted without specific consent.
3. Be aware of industry-specific government regulations.
The Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act represent a pair of government-mandated privacy regulations that are dramatically changing the way health care organizations and financial services firms can use e-mail. Both acts detail specific measures that regulated companies must take to adequately protect patient/customer data in transit. The Securities and Exchange Commission also has a set of auditing and privacy requirements that regulated companies must adhere to, including the archiving of particular e-mails based on the sender, recipient or content contained therein.
4. Inform employees that their e-mail activities may be monitored.
In recent years, there have been a handful of cases where employees tried to bring legal proceedings against their employers for monitoring what they thought were private e-mail conversations. However, the company is the one that bears the burden for any employee misuse of corporate e-mail and is therefore entitled to responsibly monitor, review and inspect their employees' communications. This right should be articulated in a company communications policy, and each employee should be required to sign a waiver, acknowledging acceptance of the conditions. This also absolves the company of any legal culpability given the Consent Exemption clause of the Electronic Communications Privacy Act of 1986.
5. Implement tools to enforce the policies you've created.
Policy without enforcement isn't much better than no policy at all, and training alone can't ensure employee compliance. When evaluating compliance solutions, the following attributes help facilitate holistic policy enforcement:
- Policy driven. The policy should be written in such a way that the reader can easily determine if/then rules that apply to all inbound and outbound e-mails.
- Centralized administration. All policies should be accessible and alterable from a dashboard console, with the capability to apply ad hoc changes to any number of distributed mail servers.
- Content specific. The solution should offer, or easily integrate with, applications that can scan messages and attachments, and then block, quarantine, archive or allow messages with designated keywords. Other important features include the ability to secure messages determined to contain privileged information, scan messages and attachments for viruses, and eliminate spam, chain letters or virus hoaxes.
6. Carefully define what content can and cannot leave your organization.
To limit corporate liability, filters should be established to look for potentially profane, sexually explicit, racist or defamatory statements in both internal and external company e-mail. To ensure the safety of digital assets, all outbound mail should be scanned for project names and other keywords that might indicate that confidential content may be about to leave the organization. Messages that are flagged by the content filter should be blocked outright, stripped of their attachments or quarantined for review.
7. Employ "intelligent" policy enforcement.
A comprehensive secure-communications policy should define graduated levels of privilege for users within the organization and assign related sensitivity levels to groups of digital assets. When developing rules for the policy engine, IT administrators should leverage this categorization and apply contextual logic to groups of content. For example, different types of sensitive corporate content should demand different levels of clearance to be approved for e-mail distribution, and apply a greater or lesser degree of security to the message depending on the identity of the recipient.
8. Protect sensitive business data from the vulnerability of plain-text e-mail.
Decentralized organizations often demand that users in remote locations exchange sensitive documents via e-mail with one another or with outside business partners. To preserve the confidentiality of this content, hard and fast rules should be established to secure any digital asset that is cleared for transmission above a certain sensitivity threshold (e.g., HR-related personnel data, M&A materials, business plans, etc.).
9. Establish a secure public network.
Policy can also be used to leverage an existing messaging infrastructure and establish a trusted communications channel between distributed sets of users and eliminate the need for a costly VPN deployment. Based on the identity of the sender and the recipient, policy rules can be created to secure all communications between particular individuals (for example, CEO and chief financial officer) or specified groups of users (remote finance departments, legal division and outside law firm, executive management and R&D, etc.).
10. Ensure the privacy of your customers' data.
The only corporate asset that rivals the worth of an organization's intellectual property is the trust of its customers. Given that, corporate communications policies should dictate that any customer data that employees transmit when messaging with one another, business partners or customers themselves should be protected in transit. Failure to secure this data can result in loss of customer goodwill, government-imposed fines and legal repercussions.
|
Print this Story |
|
Send Us Feedback |
|
E-mail this Story |
|
Digg this Story |
|
Slashdot this Story |
|
|
|
|
|
 |
|
All Zones Application Performance Zone Business Continuity Zone Data Center Management Zone Enterprise-Class Security Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone Business Intelligence and Analytics Zone |
 See your link here
|
 |
||||||||
| ||||||||
| ||||||||
| ||||||||
|
Why SaaS is Vital to Email and Web Security
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
Get this white paper now!
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
- Elgan: You can be Batman, too
- Study: IT jobs will drop in 2009
- RIM fixes critical BlackBerry Enterprise Server bug
- More top stories
Security Management ZoneSecurity management is the process of developing a comprehensive data protection plan. It takes into account all potential threats, the existing network environment, the future needs of the organization, and lays out a multi-tiered blueprint to integrate the security technology needed to combat these threats. CDW can help keep your network and data secure. Visit the CDW Security Management Zone now See All Zones
|
 Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day.New baits 
|
"Security Directions" virtual trade show2008's Code-Red Security Issues for Protecting the EnterpriseWebcasts, white papers, demos, and more. Presented in a unique 3-d environment. Enter our show right now! Click here to enter
|
 In SecurityStripping away the trappings of applications, systems and networks, information is the core asset of most organizations. Our columnist describes how asserting the importance of information governance is crucial to making that asset tangible, addressable and protected. Click here to read the latest column by Jon Espenschied |
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDG Connect
IDG World Expo
Infoworld
The Industry Standard
ITworld
JavaWorld
LinuxWorld
MacUser
Macworld
Network World
PC World
Playlist
Copyright © 2008 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission of Computerworld Inc. is prohibited.
Computerworld and Computerworld.com and the respective logos are
trademarks of International Data Group Inc.
|
