
E-mail monitoring as a security policy issue

A look at the legal issues involved with implementing e-mail monitoring into your security policy.

While not strictly required by law, it is always a good idea to put into writing your e-mail monitoring practices. E-mail monitoring is simply the recording, storage and review of all e-mail messages transmitted through your organization's e-mail system. This is often used to enforce compliance with security policy, verify compliance with acceptable use policies and even track down evidence for computer crimes. Unfortunately, the recording and reading of e-mail can be considered a violation of privacy.

In order to avoid as many legal issues as possible, take the time to develop an e-mail monitoring policy that all employees must agree to and sign (typically as part of their employment contract).

This policy should include details about what is considered acceptable use for e-mail transmitted over company resources. Personal mail is often acceptable as long as it does not seriously affect productivity or cause problems such as wasting resources, sexual or racial harassment, or the distribution of inappropriate content (e.g., pornographic, political, religious or violent material).

The policy should define how users are regularly informed that their online communications are being recorded and monitored. This can take the form of a logon banner that appears each time the user logs into the system, a splash screen that displays at random intervals while the e-mail application is in use, a reminder e-mail message, or even a paper memo that is regularly distributed to all employees. The key point is that even though employees will have agreed to the monitoring at the time of employment (or when the policy was implemented), they must be reminded of it for the monitoring to have an effect as a deterrent rather than serving only as a detective measure.

The policy should detail how long e-mail messages are to be retained, such as a certain number of years or indefinitely. It should also clearly define who will be responsible for reviewing, reading and extracting information from the archived messages. The e-mail archive should be access-restricted so that only the designated auditor or InfoSec officer is able to read the contents of the messages. This helps to preserve some level of privacy even when archived messages must be examined for evidence.

The policy should be applied consistently to all individuals within the organization. It is not lawful to retain e-mail records for some employees and not others. If you deploy an e-mail monitoring and archiving solution, it must be universally enforced.

About the author
James Michael Stewart is a partner of ITinfo Pros, Inc., a technology-focused writing and training organization.

This was last published in December 2002
