E-mail security policies are one of those must-haves for every organization, but not always as high on the priority list as they should be. Here, information security expert Kevin Beaver, of Principle Logic LLC, answers readers' frequently asked questions on e-mail security policies.
Who should enforce e-mail policy rules? Is it better to have more than one person do this, or department managers?
There should be a centralized security committee that's responsible for policy oversight. However, the policies should ultimately be enforced by the human resources department, which should be working closely with the various managers.
Our company has a very casual style. A formal e-mail policy would go against our company culture. How do we suddenly implement a policy like this when we've never been so formal?
The short answer is, if you need it, I think you can gradually ease into the policy by talking about what your e-mail systems and corporate assets are up against and then show the benefits of such a policy. Awareness is key to getting buy-in, especially in a smaller company.
How do you distinguish what is a policy and what is an invasion of privacy?
I strongly believe (and court cases have proven so) that for the most part, companies have the right to say what can and cannot be done on company time. I think you've got to be reasonable and fair and have a checks and balances system in place to make sure employees aren't getting picked on. This is definitely something everyone should candidly discuss with their lawyer and HR representative to make sure everything is in line.
What are some of the hidden costs to an e-mail security policy? What can my company expect to spend?
Managing the technology that helps enforce policies is probably the biggest issue. It's impossible to say how much a company will have to spend. Start simple at first and only buy into expensive solutions if necessary. Many small and midsize businesses don't have an in-house IT staff, so be sure to consult with an expert before you implement any software or service to ensure your time and money are well spent.
Should instant messaging be tied in to an e-mail policy?
Excellent point! Yes, don't forget about instant messaging. It's essentially the same as e-mail in many respects -- it just uses a different technology. So, you could incorporate IM and call your policies "messaging" policies.
Are there particular laws we should be aware of, perhaps by state, that could prevent us from enforcing or including particular rules in an e-mail security policy?
There are various federal laws covering privacy and employee rights. I'm not aware of any state laws other than the CA S.B. 1386 that could apply. Again, this is where getting a lawyer and HR expert involved can really come in handy.
I have a small, privately-owned business with just a handful of computers, a network and basic Internet connectivity. What value will an e-mail policy add to my organization?
First of all, it's simply good business practice and the right thing to do. E-mail policies will show your customers that you take their information seriously. Your business partners will see that your organization is worth doing business with. Plus, they can keep you out of hot water if you end up with an HR issue on your hands. They can also keep you on the government's good side too, if your business falls under one of the many state and federal regulations.
How much time will it take to create my e-mail policies?
Well, that depends on the size of your organization, the complexity of your information systems, and the outcome of your risk assessment, to name a few. Make sure you don't reinvent the wheel. There are many resources that can save you a ton of time. The actual process of creating policies really shouldn't take any more than a day or two. It's the preliminary and follow-up work that'll take more time. Remember, e-mail security policies are not just an IT issue; the process should involve other departments as well.
Who should I have review my security policies?
Preferably an unbiased outsider who has experience developing security policies. This might only take a day or two or could take a week or longer depending on the complexity of the policy. Consider it as you would for a lawyer reviewing important contracts. It's not going to be inexpensive, but it'll be a very worthwhile investment given what's at stake.
What's the difference between an e-mail security policy and the security policy I have setup in my firewall that allows inbound/outbound e-mail?
Great question. This often generates a lot of confusion. When working with firewalls, we talk about policies; a firewall policy is basically the business rules that permit or deny a specific type of traffic. This could be e-mail coming from or going to specific systems such as SMTP for your e-mail server or POP3 for your workstations. A firewall policy is essentially the technical implementation of your overall written security policy or policies.
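To make the distinction concrete, here is an added example of what the "technical implementation" side looks like: an nftables ruleset fragment that a firewall administrator might derive from two written policy statements. It is not code from the original article or from Kevin Beaver; the addresses (mail server 198.51.100.10 in a DMZ, workstation LAN 192.0.2.0/24) and the policy statements in the comments are assumptions made for illustration.

```nft
# Added example, not from the original article. Assumed layout:
#   mail server  198.51.100.10  (DMZ)
#   workstations 192.0.2.0/24  (LAN)
# Each rule block names the written policy statement it implements.
table inet mail_policy {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already permitted below.
        ct state established,related accept

        # Written policy: "Only the corporate mail server may send or
        # receive Internet e-mail." -> SMTP (25) is allowed to and from
        # the mail server only.
        ip daddr 198.51.100.10 tcp dport 25 accept
        ip saddr 198.51.100.10 tcp dport 25 accept

        # Written policy: "Workstations retrieve mail only from the
        # corporate mail server." -> POP3 (110) from the LAN to the mail
        # server only. Prefer POP3 over TLS (995) where clients support it.
        ip saddr 192.0.2.0/24 ip daddr 198.51.100.10 tcp dport { 110, 995 } accept

        # Anything else that looks like mail traffic from a workstation
        # (direct SMTP to the Internet, POP3 to an outside provider) is a
        # policy violation: log it so the deny is visible, then drop.
        ip saddr 192.0.2.0/24 tcp dport { 25, 110, 995 } \
            log prefix "mail-policy-deny " drop
    }
}
```

The written policy says what is permitted and why; the ruleset says how, for one specific network. When the written policy changes (for example, a new mail relay is added), the ruleset is what gets edited, and the log prefix gives you a way to check that workstations are not quietly routing around it.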
My business is considered a HIPAA covered entity. How many policies will it take for us to become compliant with the HIPAA security rule?
It's hard to say since this depends on your risk assessment. Again, you must do a risk assessment first to figure out where your weaknesses are and then write your policies accordingly. For HIPAA, you'll likely have one or more e-mail policies in addition to various other policies related to access controls, backups, passwords, etc.
Should my e-mail policy document be part of my employee handbook?
You should integrate your policy statement or statements (not your entire document) into your handbook and then refer to the full policy document for more information.
This article originally appeared on SearchSMB.com.