Effective email policies: Why enforcing proper use is critical to security

ensuring resources are not overloaded and allowing for easy message retrieval.

Circulation of attachments

Users commonly treat email as a quick way to share content with colleagues. In practice this wastes bandwidth and archive space: one person sending a 5 MB attachment to five colleagues leaves a copy in the sender's Sent folder and in each of the five recipients' mailboxes, which is more than 25 MB of email server storage for a single file (and base64 transfer encoding inflates each copy by roughly a third on top of that). Attachments should therefore be stripped from messages before they are archived and stored on an appropriate file server. Employees should also be shown how to circulate files internally through shared network folders, sending a link to the file's location rather than the file itself. This keeps messages small and prevents the same file being duplicated across many mailboxes and locations.

Remote access of email services

Rules should be set governing remote access to the corporate email network, both from employees’ own computers and over the internet/public Wi-Fi networks. Some organizations ban this practice altogether, while others permit it only if the computer accessing the network is certified as secure by, for example, a network access control (NAC) solution.

Personal/non-business critical use of email

File types that are not business critical (for example, JPEGs and MP3s) and file types that are potentially malicious (executables, scripts and similar) should be neither sent nor received. The dissemination of illegal, offensive or otherwise inappropriate content should also be prohibited. Employees should understand that the company is obliged to report unlawful behaviour to the authorities, and that inappropriate activity can trigger disciplinary proceedings. Some organizations also choose to block access to web-based email services such as Hotmail and Gmail, since mail read through a browser does not pass through the corporate email gateway.

AUP enforcement

The email AUP must be enforced if employees are to adhere to its rules. If they realize that their messages are reviewed and stored – and then retrieved if needed – employees might think twice before misusing the email system. An AUP should provide total transparency about how an organization intends to police its email system, ensuring that there are no surprises in the event of disciplinary action being invoked.

Enforcement through technology

The key to enforcement is the deployment of IT security solutions capable of auditing everyday email use, spotting and tracking potential or confirmed violations and notifying the appropriate managers if a violation has occurred. Although it is not necessary to inform staff about the actual technology behind the solutions deployed, it is worth explaining their top-level capabilities.

*This is an example only. You should seek formal legal guidance when developing your own AUP.


Gateway email protection. Commonly deployed to block spam and malicious emails from entering the network, gateway protection is also highly effective at stopping suspicious or unwanted file attachments, offensive content and sensitive corporate information. The leading solutions scan both inbound and outbound messages and their attachments, so that no unauthorized content leaves the network either. Organizations can choose to block or to quarantine offending messages, and administrators are notified automatically of attempted violations. One caveat: a filter that decides on the declared filename or extension alone will miss an executable that has been renamed, so the gateway should inspect the attachment's actual content (for example, its file signature) rather than trusting the name it was given.
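The following is an added example, not code from the original article or from any product it describes. It shows, in miniature, what a gateway attachment filter does with the file-type policy from the "Personal/non-business critical use of email" section: it parses a raw message, walks every MIME part, and classifies each attachment first by the leading bytes of its payload (so a renamed executable is still caught) and then by its declared extension. The extension lists, the verdict names, the sample message and the function names are all assumptions made for this example.

```python
"""
Added example (not from the original article): a minimal gateway-style
attachment filter. Parses an RFC 5322 message, enumerates its attachments
and returns a block / quarantine / allow verdict per part and for the message.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumed policy: extensions the AUP treats as non-business critical.
NON_BUSINESS_EXTENSIONS = {".jpg", ".jpeg", ".mp3"}
# Assumed policy: extensions that are executable and therefore blocked outright.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs"}
# File signatures that identify executables regardless of the declared name.
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable",          # Windows PE/DOS header
    b"\x7fELF": "ELF executable",    # Linux/Unix ELF header
    b"#!": "script with shebang",
}


def classify_attachment(filename, payload):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    # Content check first: the name can be chosen by the sender, the bytes cannot.
    for magic, label in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            return "block", f"{label} detected by file signature"
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"executable extension {ext}"
    if ext in NON_BUSINESS_EXTENSIONS:
        return "quarantine", f"non-business file type {ext}"
    return "allow", "no policy match"


def scan_message(raw):
    """Parse a raw message and return a list of (filename, verdict, reason)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container part, nothing to scan itself
        filename = part.get_filename()
        if not filename and part.get_content_disposition() != "attachment":
            continue  # message body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(filename, payload)
        results.append((filename, verdict, reason))
    return results


def overall_verdict(results):
    """Most severe verdict wins: one blocked part blocks the whole message."""
    severity = {"allow": 0, "quarantine": 1, "block": 2}
    worst = "allow"
    for _, verdict, _ in results:
        if severity[verdict] > severity[worst]:
            worst = verdict
    return worst


def build_sample_message():
    """Constructed sample: a report, a photo, and a PE file renamed as .pdf."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q3 figures"
    msg.set_content("Figures attached.")
    msg.add_attachment(b"%PDF-1.4 fake report", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"\xff\xd8\xff\xe0 fake jpeg", maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    # A Windows executable with a misleading name: caught by the MZ header.
    msg.add_attachment(b"MZ\x90\x00 fake pe", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    scan = scan_message(build_sample_message())
    for filename, verdict, reason in scan:
        print(f"{filename}: {verdict} ({reason})")
    print("message verdict:", overall_verdict(scan))
```

Run as a script it reports the PDF as allowed, the JPEG as quarantined under the non-business file-type rule, and the renamed executable as blocked on its file signature, so the message as a whole is blocked. A real gateway would hook the same classification into the MTA's content-filter interface and raise the administrator notification the text describes; the point of the example is the ordering of the checks, content before name.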

Email server protection. Security solutions at the email server level protect against the internal circulation of unwanted content. By scanning inter-departmental emails for jokes, photos, chain letters, malware and confidential information which the recipient has no authority to access, organizations can further bolster their email security. As with gateway protection, any violation will be flagged up to the relevant managers.

Endpoint protection. Organizations that permit access to web-based mail over the corporate network should ensure that all endpoint computers – desktops, laptops and mobile devices – are running up-to-date security software. Emails read through webmail accounts bypass the corporate gateway defences entirely, and so have an unobstructed route into the organization. Endpoint protection closes this loophole by catching any malicious or unwanted content that employees attempt to download from this source.

Procedures for reporting misuse

Employees should be encouraged to report the alleged misuse of email resources and a clear and anonymous procedure must be put in place to facilitate this.

Sanctions for breaching AUP regulations

All users must understand the potential consequences of not complying with the email AUP. These consequences will depend on several factors, including whether the abuser is a first or repeat offender, whether the
