With practically every business relying on e-mail to make things happen, e-mail policy clichÉs are quite the talk these days. From "you can't send this" to "don't open that" to "our computers aren't for personal use," we've likely witnessed every possible way to go about improperly managing and enforcing e-mail policies. Many network managers insist that e-mail introduces a ton of security vulnerabilities and if they don't micromanage and rule with an iron first, federal regulations will be violated and information will be compromised. While e-mail does pose a disproportionate set of risks compared to other IT systems, micromanagement and strict rules are not the best ways to enforce your e-mail policies with the end goal of securing your messages.
Establishing effective enforcement
Put it in writing
So, what are the secrets to effectively enforcing e-mail policies? It's actually pretty simple. First, you need to have a well-written e-mail policy -- one that outlines what's expected of your users and what the consequences of violation will be. Rather than taking a "cost-saving" cookie cutter approach to creating policies, you need to step back and understand what's at risk, and what threats and vulnerabilities exist. In the end, you'll likely have several statements that outline what can and cannot be done, how to deal with unsolicited e-mails, how to handle sensitive information, attachments, etc., all tailored to fit your organization's needs.
What sets effective e-mail policies apart from others is their approach, their wording and -- most importantly -- their reasonableness. Too often, e-mail policies are written in the tone and style of a dictator. Users want to be treated with dignity and respect, and harshly written policies that get in the way of them doing their jobs are not good -- not good for securing e-mail or for business. People will find a way around unrealistic policies and you'll likely be oblivious to what's going on. Establish a positive tone in your e-mail policies (and all other security policies) and communicate right from wrong in a way that educates instead of offends. This has proven to be a winning philosophy for effectively enforcing policies.
Put policy before technology
The next critical aspect of e-mail policy enforcement is having the right technologies in place. Many organizations put the cart before the horse here. They let technology drive their e-mail policies by trying to tailor what their e-mail security solution can accomplish to what they think needs to be done. It should be the other way around. Create your e-mail policy and then implement the appropriate technical systems to help enforce it. This will likely include host-based security software and settings, as well as an e-mail firewall or an ASP-based e-mail security service. These solutions can offer up features such as server or perimeter-based message encryption, centrally-managed malware protection, and server or perimeter-based content filtering to keep spam out and confidential information in. The bottom line -- keep security decisions and enforcement out of the hands of your users wherever possible.
Certain aspects of e-mail policy enforcement, such as personal use of e-mail, will be difficult to manage using technology alone. For these issues, make it known what is acceptable and unacceptable. Train your users -- over and over again -- so that secure messaging practices become habit and part of their daily routine.
Penalties for policy violations should be carried out consistently by someone outside the IT and security departments. Most IT shops are the judge, jury and executioner when it comes to e-mail policy management and enforcement. This is the wrong approach. IT and security should only be involved with policies to provide input -- ideally to a policy committee consisting of HR, management, legal, etc. -- and technical implementation and support services for the technologies used to enforce those security policies. IT and security personnel should never be in charge of employee monitoring and enforcing e-mail policies -- period.
Most importantly, if a policy violation occurs, make sure the policy committee consistently carries out sanctions. Also, make sure a peppering of logic and a dash or two of flexibility are built in to the sanction process based on the circumstances of the violation. This is no place for zero-tolerance.
Setting users' expectations in a fair and reasonable way is at least half the battle towards successfully enforcing your e-mail policies. A realistic e-mail policy combined with the proper enforcement technologies, consistency and common sense cover the rest. Master these items and you'll be well on your way to effective policy enforcement. In my next tip, I'll talk about specific sections and information to include in security policy documents to make sure your organization gets the most out of them.
About the author: Kevin Beaver is founder and principal consultant of Atlanta-based Principle Logic, LLC where he specializes in information security assessments for those who take security seriously and incident response for those who don't. He is author and co-author of several information security books including the The Definitive Guide to E-mail Management and Security (Realtimepublishers.com), Hacking For Dummies (Wiley), and the upcoming Hacking Wireless Networks For Dummies. Kevin can be reached at email@example.com.