Effective email policies: Why enforcing proper use is critical to security

breach represents illegal, offensive or merely wasteful behavior, the regulatory environment in which the company operates and the firm’s cultural outlook. The sanctions will depend on the severity of the offense, ranging from verbal and written warnings to dismissal.

Who is responsible for the AUP?

The HR, IT and legal departments are all stakeholders in the creation and enforcement of an email AUP. Employees should also contribute to the AUP, which increases transparency and buy-in and ensures that everyone is aware of its existence. At some organizations the CEO or other board members take an active role, since they can be held personally liable for email misuse by any employee. Typically, staff from all three departments work together to develop the policy, with specific responsibilities divided as follows.

HR role

The HR department owns the overall process of developing an email AUP, taking responsibility for awareness, distribution and training. Using data provided by the IT department, and by responding to reports of alleged misuse, HR conducts audits to ensure that rules are observed, investigates suspected policy contraventions, and implements disciplinary procedures.


IT role

By using the security solution’s reporting features, the IT team generates the forensic evidence needed to identify and log email abuse. The data gathered is the company’s principal source of security intelligence and can be pieced together to analyze each breach and pinpoint the staff responsible. This information can then be escalated to HR.

The IT department also advises HR on the changing capabilities of the organization’s IT defenses. For example, if a new solution is deployed to scan outbound messages for sensitive material (e.g. credit card or social security numbers), the AUP might need to be amended and email users might require additional training.
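As an added illustration of the outbound scanning capability described above (example code written for this page, not a Sophos product feature), the following Python script scans constructed outbound messages for credit card numbers and US social security numbers. Candidate card numbers are validated with the Luhn check so that lookalike digit strings such as order numbers are not flagged, SSN candidates are filtered by the structural rules the SSA applies, and the resulting audit record masks each match to its last four digits so the log handed to HR does not become a second copy of the sensitive data. The message samples, field names and the quarantine/deliver actions are assumptions for illustration.

```python
"""Toy outbound DLP scan: flag messages carrying card numbers or SSNs.

Constructed example for illustration; the sample messages, regexes and
actions are assumptions, not the behaviour of any particular product.
"""
import re
from typing import Dict, List

# Candidate primary account numbers (PANs): 13 to 19 digits, optionally
# separated into groups by spaces or hyphens.  The pattern is deliberately
# loose; the Luhn check below removes most false positives.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# US social security number in the conventional AAA-GG-SSSS layout.
_SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return Luhn-valid PANs found in text, with separators removed."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> List[str]:
    """Return structurally plausible SSNs (area/group/serial rules applied)."""
    hits = []
    for m in _SSN_CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        # The SSA never issues area 000, 666 or 900-999, group 00 or serial 0000.
        if area in ("000", "666") or area >= "900":
            continue
        if group == "00" or serial == "0000":
            continue
        hits.append(area + group + serial)
    return hits


def scan_outbound(message: Dict[str, str]) -> Dict[str, object]:
    """Scan one outbound message and build an audit record for IT/HR.

    Matched values are masked to their last four digits so the audit log
    itself does not leak the data it reports on.
    """
    body = message["body"]
    findings = [f"PAN ending {p[-4:]}" for p in find_card_numbers(body)]
    findings += [f"SSN ending {s[-4:]}" for s in find_ssns(body)]
    return {
        "message_id": message["id"],
        "sender": message["from"],
        "recipient": message["to"],
        "action": "quarantine" if findings else "deliver",
        "findings": findings,
    }


def scan_all(messages: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Scan a batch of outbound messages, one audit record per message."""
    return [scan_outbound(m) for m in messages]


# Constructed sample messages (test card number and made-up addresses).
SAMPLE_OUTBOUND = [
    {"id": "msg-001", "from": "alice@example.com", "to": "partner@example.net",
     "body": "Hi, please bill card 4111 1111 1111 1111, exp 12/27. Thanks!"},
    {"id": "msg-002", "from": "bob@example.com", "to": "vendor@example.net",
     "body": "Our PO number is 4111111111111112 and the shipment arrives Monday."},
    {"id": "msg-003", "from": "carol@example.com", "to": "family@example.org",
     "body": "The SSN for the form is 123-45-6789; the placeholder 000-12-3456 is not valid."},
    {"id": "msg-004", "from": "dave@example.com", "to": "team@example.com",
     "body": "Meeting moved to 2025-03-14 10:00, dial-in 555-0100."},
]

if __name__ == "__main__":
    for record in scan_all(SAMPLE_OUTBOUND):
        print(record)
```

Running the script produces one record per message: the first is quarantined for a card number ending 1111, the second is delivered because its 16-digit PO number fails the Luhn check, the third is quarantined for one SSN while the 000-prefixed placeholder is ignored, and the fourth is delivered. When a real scanner of this kind is introduced, the AUP should say that outbound mail is inspected for this data and what happens to a quarantined message, which is exactly the amendment and user training the paragraph above anticipates.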

Legal role

The in-house or external legal department ensures that the AUP is in line with legal and compliance requirements, and will advise HR to amend it if regulations change.

Summary

While the threat of spam and malware is usually linked to inbound emails, an organization’s own users can often cause just as much or more damage through the emails they send or share.

Employees can be responsible for data leakage, the dissemination of inappropriate or offensive content, and the consumption of bandwidth through unnecessary file sharing, each of which represents a considerable threat to the email network. To ensure that employees recognize these risks, organizations should implement a comprehensive email acceptable use policy which, to be effective, requires enterprise-grade security solutions at the gateway, the email server and all endpoint computers.


This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including security software, encryption software, antivirus and anti-malware protection.
