George Wrenn, CISSP
Published: 30 Aug 2005
Where would business be without email? It's an essential tool that, in many cases, has displaced phones, "snail mail" and faxes as the primary means of communication.
The ubiquity and standardization of email has also made it one of the most exploited applications: It's a perfect vehicle for propagating viruses, spam, directory harvesting attacks, spyware and phishing scams. And, email has become the digital archive of corporate America, retaining (or capturing) evidence for regulatory compliance, contractual obligations and civil and criminal proceedings.
A Privilege, Not a Right
Users rarely think about ownership when sending photos, party invitations or gossip from their company email accounts. This makes the establishment of ownership an essential element of an enterprise's email policy.
While it may seem elementary, the first step in creating an email security policy is defining what email is: the message, regardless of format (SMTP, HTML, RTF, etc.), attachments (documents, images, applications, etc.) and supporting infrastructure (the servers that transmit and store e-mail).
While laws vary by jurisdiction, most states recognize that users don't own the e-mails they create, send or receive using the corporate system. Ownership grants enterprises the right to access, monitor and audit user accounts to enforce policies and take disciplinary action.
Most enterprises--with the exception of regulated industries like financial services--permit some personal email usage. It's far better to include a limited "personal-use clause" than it is to ignore the issue. The general rule: Personal use shouldn't be excessive or more voluminous than business usage.
Users, on the other hand, can access private accounts through Web mail. The email security policy should either provide acceptable use guidelines for private accounts, such as Yahoo! and Hotmail, or prohibit them altogether.
But, there's some benefit to allowing Web-based email use. Since the company doesn't own the e-mail system, it doesn't have the same degree of liability for its misuse.
It also gives users an alternative communication channel when the corporate email system is unavailable. To guard against Web-based email abuse, the company can assert its right to monitor all Web and network traffic.
Unfortunately, Web-based e-mail has a number of risks: It's a common virus and spyware carrier, and it's difficult to monitor, which makes it harder to detect intellectual property leaks.
Make Common Sense Explicit
E-mail policies are chock-full of seemingly obvious statements: Don't open attachments from unknown parties. Don't harass fellow users. Don't use profane or degrading language. Don't include or attach confidential materials.
Enterprises need to be explicit about the "do's and don'ts" of email security and usage.
Attachments. Users need to know the disciplinary consequences of opening attachments from unknown parties or unsolicited email from coworkers.
Protecting intellectual property. Email gives rogue or hapless users an easy way to expose trade secrets, financial statements and other sensitive material. The policy should indicate which material shouldn't be sent electronically. This won't stop corporate espionage, but it will help keep honest users from inadvertently leaking vital data to their entire address book.
Acceptable language. The common definition of improper and illicit content includes pornography, racist remarks and hate propaganda, as well as material leading to or resulting in illegal acts, gambling or discriminatory statements (such as remarks on age, gender, sexual orientation, national origin, disability, religion or political belief). In some cases, companies are required to report violations to law enforcement authorities. Security managers should also make it clear that users are responsible for reporting questionable e-mail content to the security or HR departments.
Identification and authentication. Email is the easiest medium to forge. An e-mail policy must include strong I&A provisions and prohibit spoofing. Users should only be able to send email under their own user name, and, if they're sending emails on behalf of another user, it should include a "send on behalf of" preamble.
Broadcast messages and spam. Email gets a little dicey when a person sends one message to dozens or hundreds of people. Some email monitors may interpret the blast as spam and blacklist the enterprise's domain. To preserve email channels, a policy should include a clause that restricts the use of lists and prohibits broadcast messages.
It's a good idea to configure email servers to restrict access to global lists to a few users and to monitor for sudden spikes in outbound email traffic. This not only guards against spam, but also could detect an email virus infection.
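The monitoring clause above describes a detection control rather than a user rule: watch per-sender outbound volume and alert on sudden spikes, which catches both abuse of global lists and a mail-borne worm sending from an infected workstation. As an added illustration (not code from the original article), the following Python runs that check over a constructed log. The one-line-per-message log format, the user names and the thresholds are all invented for the example; a real MTA (Postfix, Sendmail, Exchange) logs differently, so parse_line() would be adapted to the actual format, and the thresholds would be set from the enterprise's own baseline.

```python
"""Outbound-volume spike detection over constructed mail-log lines.

Added example, not from the original article. The log format below is
invented for illustration: one line per queued outbound message giving
the timestamp, the authenticated sender and the recipient count.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a normal morning for alice and carol, and a
# burst of five 150-recipient messages from bob (a list blast, or a worm).
SAMPLE_LOG = """\
2005-08-30T09:00:05 from=alice nrcpt=1
2005-08-30T09:03:11 from=bob nrcpt=2
2005-08-30T09:10:40 from=alice nrcpt=1
2005-08-30T09:12:02 from=carol nrcpt=1
2005-08-30T09:15:00 from=bob nrcpt=150
2005-08-30T09:15:01 from=bob nrcpt=150
2005-08-30T09:15:02 from=bob nrcpt=150
2005-08-30T09:15:03 from=bob nrcpt=150
2005-08-30T09:15:04 from=bob nrcpt=150
2005-08-30T09:30:00 from=alice nrcpt=1
"""

LINE_RE = re.compile(r"^(\S+) from=(\S+) nrcpt=(\d+)$")


def parse_line(line):
    """Parse one constructed log line into (timestamp, sender, recipient count).

    Returns None for lines that do not match, so malformed input is skipped
    rather than crashing the monitor.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def detect_spikes(log_text, window=timedelta(minutes=10), max_msgs=3, max_rcpts=50):
    """Return {sender: (peak_messages, peak_recipients)} for every sender who,
    within any sliding window of the given length, exceeded either the
    message-count threshold or the total-recipient threshold.

    The thresholds here are deliberately low demo values (assumption); in
    practice they come from the organisation's observed baseline.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, sender, nrcpt = parsed
            events[sender].append((ts, nrcpt))

    alerts = {}
    for sender, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            msgs = end - start + 1
            rcpts = sum(n for _, n in evs[start:end + 1])
            if msgs > max_msgs or rcpts > max_rcpts:
                prev = alerts.get(sender, (0, 0))
                alerts[sender] = (max(prev[0], msgs), max(prev[1], rcpts))
    return alerts


if __name__ == "__main__":
    for sender, (msgs, rcpts) in detect_spikes(SAMPLE_LOG).items():
        print(f"ALERT {sender}: {msgs} messages / {rcpts} recipients in 10 minutes")
```

The recipient-total check is what makes a single blast to a global list visible even when the message count is modest, while the message-count check catches the high-frequency, low-recipient pattern typical of a self-mailing virus; either condition is worth an alert and a look at the sending account.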
Email security policies should outline the roles and responsibilities of those managing the email system. They set expectations as to how security managers, email admins and other department managers respond to email issues and security.
Auditing email usage and policy enforcement. There's no good way to check email policy compliance other than real-time monitoring and random sampling of archived messages. The policy should establish parameters for monitoring and auditing email accounts and define how investigations will take place, how evidence is collected and retained and how policy violations will be resolved (reprimand, termination or referral to law enforcement). In some cases, reporting a suspected email-based crime, such as conveyance of child porn, to authorities is mandatory.
Encryption. Requiring users to protect intellectual property and proprietary information is meaningless without giving them the proper security mechanism. For email, security usually means encryption.
An e-mail security policy should include the types of accepted encryption, when it should be used and how it will be implemented. For instance, installing PGP on executive client machines should protect routine documents, while network-based encryption tools are likely more appropriate for users who exchange sensitive information.
Protecting electronic information exchanges is essential in financial services and health care firms, which must comply with the security requirements of GLBA and HIPAA, respectively. Some companies may also choose mandatory encryption policies to comply with Sarbanes-Oxley.
Access control. Only users with a need for e-mail access should be granted credentials, and those credentials should be revoked as soon as that need ends. Make sure files, mailboxes and other artifacts are backed up for future reference.
Disclaimers. Enterprises should consider adding a disclaimer statement to the end of each e-mail, informing recipients of the sending organization's policy, the nature of the e-mail (such as "For Official Use Only") and what material it disavows. For instance, a securities trading firm may include in its disclaimer that it accepts no responsibility for falsely or improperly sent messages, and that any violation should be reported to a security manager.
A disclaimer puts the onus on recipients to act responsibly when receiving improperly disclosed information. One such disclaimer reads: "This message is intended only for the use of the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any use, dissemination, disclosure or copying of this communication is strictly prohibited. If you have received this communication in error, please destroy all copies of this message and its attachments and notify us immediately."
Disclaimers offer no guarantee of compliance, but they do establish a legal standing for making claims against those who perpetuate a security violation.
Retention and Liabilities
E-mail is a store-and-forward technology, meaning that a copy of every sent and received message is archived for a period of time. Government regulations may dictate how long an enterprise must store emails for compliance checks and evidentiary discovery; an enterprise's email security policy should reflect the retention and destruction requirements of any applicable regulations.
Much of the prosecution of corporate executives is fueled by evidence gathered from email stores. One high-profile case involved Frank P. Quattrone, a star investment banker at Credit Suisse First Boston, who sent an email to 400 subordinates telling them to clean up their email accounts. Federal prosecutors used that e-mail as evidence of a cover-up of improper trading at CSFB, and Quattrone was convicted of obstruction of justice.
For unregulated industries, it's generally best to purge noncritical email from applications and servers every six months, since it reduces the administrative and hardware costs associated with storage. Codifying the purging process demonstrates a routine procedure for destroying emails and precludes questions of conspiracy during investigations and civil litigations.
An email security policy is worthless unless users are presented and periodically reminded of it. Best practice is to give new employees a copy of the policy when they are hired. Enterprises should treat email security policies as dynamic documents that evolve to meet changing legal and operating conditions, technologies and threats. Annual reviews and revisions will ensure the policy keeps up with changing needs.
About the Author:
George Wrenn, CISSP (email@example.com), is a technical editor for Information Security and a security director at a financial services firm. He's also a fellow at the Massachusetts Institute of Technology.
This article originally appeared in Information Security magazine.