Email security policies are one of those must-haves for every organization, but not always as high on the priority list as they should be. Information security expert Kevin Beaver of Principle Logic LLC recently tackled some frequently asked questions about defining policies for midmarket companies.
Who should enforce email policy rules? Is it better to have more than one person do this, or
Beaver: There should be a centralized security committee that's responsible for policy oversight. However, the policies should ultimately be enforced by the human resources department, which should be working closely with the various managers.
Our company has a very casual style. A formal email policy would go against our company culture. How do we suddenly implement a policy like this when we've never been so formal?
Beaver: The short answer is, if you need it, I think you can gradually ease into the policy by talking about what your email systems and corporate assets are up against and then show the benefits of such a policy. Awareness is key to getting buy-in, especially in a smaller company.
How do you distinguish what is a policy and what is an invasion of privacy?
Beaver: I strongly believe (and court cases have proven so) that for the most part, companies have the right to say what can and cannot be done on company time. I think you've got to be reasonable and fair and have
What are some of the hidden costs to an email security policy? What can my company expect to
Beaver: Managing the technology that helps enforce policies is probably the biggest issue. It's impossible to say how much a company will have to spend. Start simple at first and only buy into expensive solutions if necessary. Many small and midsize businesses don't have an in-house IT staff, so be sure to consult with an expert before you implement any software or service to ensure your time and money are well-spent.
Should instant messaging be tied in to an email policy?
Beaver: Excellent point! Yes, don't forget about instant messaging. It's essentially the same as email in many respects -- it just uses a different technology. So, you could incorporate IM and call your policies "messaging" policies.
Are there particular laws we should be aware of, perhaps by state, that could prevent us from enforcing or including particular rules in an email security policy?
Beaver: There are various federal laws covering privacy and employee rights. I'm not aware of any state laws other than the CA S.B. 1386 that could apply. Again, this is where getting a lawyer and HR expert involved can really come in handy.
I have a small, privately owned business with just a handful of computers, a network and basic Internet connectivity. What value will an email policy add to my organization?
Beaver: First of all, it's simply good business practice and the right thing to do. Email policies will show your customers that you take their information seriously. Your business partners will see that your organization is worth doing business with. Plus, they can keep you out of hot water if you end up with an HR issue on your hands. They can also keep you on the government's good side too, if your business falls under one of the many state and federal regulations.
How much time will it take to create my email policies?
Beaver: Well, that depends on the size of your organization, the complexity of your information systems, and the outcome of your risk assessment, to name a few. Make sure you don't reinvent the wheel. There are many resources that can save you a ton of time. The actual process of creating policies really shouldn't take any more than a day or two. It's the preliminary and follow-up work that'll take more time. Remember, email security policies are not just an IT issue; the process should involve other departments as well.
Who should I have review my security policies?
Beaver: Preferably, an unbiased outsider who has experience developing security policies. This might only take a day or two or could take a week or longer depending on the complexity of the policy. Consider it as you would for a lawyer reviewing important contracts. It's not going to be inexpensive, but it'll be a very worthwhile investment given what's at stake.
What's the difference between an email security policy and the security policy I have set up in my firewall that allows inbound/outbound email?
Beaver: Great question. This often generates a lot of confusion. When working with firewalls, we talk about policies; a firewall policy is basically the business rules that permit or deny a specific type of traffic. This could be email coming from or going to specific systems such as SMTP for your email server or POP3 for your workstations. A firewall policy is essentially the technical implementation of your overall written security policy or policies.
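To make the distinction concrete, here is an added illustration (not from the article or from Principle Logic) of how written email policy statements become a firewall policy. It is an nftables ruleset; the mail server address, workstation subnet and interface name are assumed values drawn from the RFC 5737 documentation ranges, so they must be replaced with your own.

```nft
#!/usr/sbin/nft -f
# Added illustration: a firewall policy as the technical implementation of
# written email policy statements. Addresses and the interface name are
# constructed, assumed values (RFC 5737 documentation ranges), not real ones.
#
# Written policy statements being implemented:
#   1. Only the corporate mail server may send or receive Internet mail (SMTP).
#   2. Workstations retrieve mail from the corporate mail server only (POP3).
#   3. Everything else is denied unless explicitly permitted.

define MAIL_SERVER  = 192.0.2.10          # assumed address of the mail server
define WORKSTATIONS = 198.51.100.0/24     # assumed workstation subnet
define WAN_IF       = eth0                # assumed Internet-facing interface

table inet email_policy {
    chain forward {
        # Statement 3: default deny for anything not explicitly accepted below.
        type filter hook forward priority 0; policy drop;

        # Allow return traffic for connections this firewall already permitted.
        ct state established,related accept

        # Statement 1: inbound Internet mail may only reach the mail server.
        iifname $WAN_IF ip daddr $MAIL_SERVER tcp dport 25 accept

        # Statement 1: outbound Internet mail may only originate from the mail server.
        oifname $WAN_IF ip saddr $MAIL_SERVER tcp dport 25 accept

        # Statement 2: workstations may fetch mail (POP3) from the mail server only.
        ip saddr $WORKSTATIONS ip daddr $MAIL_SERVER tcp dport 110 accept

        # Any other SMTP or POP3 attempt (for example a workstation trying to
        # send directly to the Internet) is logged so policy violations become
        # visible, then dropped.
        tcp dport { 25, 110 } log prefix "email-policy-deny: " drop
    }
}
```

Each rule carries a comment naming the written statement it enforces; keeping that mapping is what lets an auditor (or the HR department mentioned earlier) check that the technical controls actually match the policy document rather than drifting away from it. The final log-and-drop rule is redundant with the chain's default policy but gives the security team a record of violations to act on.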
My business is considered a HIPAA covered entity. How many policies will it take for us to become compliant with the HIPAA security rule?
Beaver: It's hard to say, since this depends on your risk assessment. Again, you must do a risk assessment first to figure out where your weaknesses are and then write your policies accordingly. For HIPAA, you'll likely have one or more email policies in addition to various other policies related to access controls, backups, passwords, etc.
Should my email policy document be part of my employee handbook?
Beaver: You should integrate your policy statement or statements (not your entire document) into your handbook and then make reference to the full policy document for more information.
Kevin Beaver is the founder and principal consultant of the information security services firm Principle Logic LLC in Atlanta, where he specializes in information security assessments and incident response. He has more than 16 years of experience in IT and is the author of several books on information security, including Hacking For Dummies by Wiley Publishing.
This was first published in March 2005