E-mail monitoring as a security policy issue

While not strictly required by law, it is always a good idea to put into writing your e-mail monitoring practices. E-mail monitoring is simply the recording, storage and review of all e-mail messages transmitted through your organization's e-mail system. This is often used to enforce compliance with security policy, verify compliance with acceptable use policies and even track down evidence for computer crimes. Unfortunately, the recording and reading of e-mail can be considered a violation of privacy.

In order to avoid as many legal issues as possible, take the time to develop an e-mail monitoring policy that all employees must agree to and sign (typically as part of their employment contract).

This policy should include details about what is considered acceptable use for e-mail transmitted over company resources. Personal mail is often acceptable as long as it does not seriously affect productivity or cause problems such as wasting resources, sexual or racial harassment, or distributing inappropriate content (e.g., pornographic, political, religious or violent material).

The policy should define how users are regularly informed that their online communications are being recorded and monitored. This can take the form of a logon banner that appears each time the user logs into the system, a flash screen that displays at random intervals when their e-mail application is in use, an e-mail message that serves as a reminder, or even a paper memo that is regularly distributed among all employees. The key issue here is that even though the employees will have agreed to the monitoring process at employment (or at the implementation of the policy), they must be reminded of the monitoring for it to have an effect as a deterrent and not just have usefulness as a detective measure.

The policy should detail how long e-mail messages are to be retained, such as a certain number of years or indefinitely. It should also clearly define who will be responsible for reviewing, reading and extracting information from the archived messages. The e-mail archive should be access restricted so only the proper auditor or InfoSec officer is able to access the contents of the messages. This will help to ensure some level of privacy even in the event that archived messages must be examined for evidence.

The policy should be applied consistently to all individuals within the organization. It is not lawful to retain e-mail records for some employees and not others. If you deploy an e-mail monitoring and archiving solution, it must be universally enforced.

About the author
James Michael Stewart is a partner of ITinfo Pros, Inc., a technology-focused writing and training organization.

This was first published in December 2002
