Corporate E-mail: What's Your Policy?
by Fred Avolio, Avolio
E-mail security has hit the
news in a big way over the last year, with several prominent viruses spreading
primarily through e-mail. Most recently, the Privacy Foundation revealed
on comments the receiver adds when forwarding the e-mail to someone else.
E-mail vulnerabilities make
us focus on specific fixes and technologies designed to block exploits.
But we must remember that no remedy will help if users ignore it, or if
users misuse e-mail in other ways. So in this article, let's step back
from the urgent and view e-mail in light of the important: establishing
a sound "acceptable use" policy at your business. An acceptable use policy
is sometimes called a usage "guide," but that sounds too much like a soft
"it-would-be-nice-if" suggestion. What I recommend in this article are
rules you should apply to your end users, policies that explain which actions
are permitted and which are prohibited. My recommendations are not meant
to be exhaustive. Rather, they should be a platform for you to build on
for your company's unique requirements.
Goals of Business E-Mail Usage
Let's begin at the beginning:
why do we have e-mail in our businesses? Obviously, to support the company's
mission. As professionals and network administrators, here's what we want.
We want to make sure that employees use e-mail in a way that matches the
business objectives, while recognizing the security requirements and adhering
to the security measures. We want our people to handle e-mail in a way
that limits its potential misuse by an outsider (for example, as an avenue
for computer viral attack). We want e-mail used in a way that limits its
use as a vehicle for exposing sensitive corporate information to the unauthorized.
And, though not directly a security issue, we want to protect against e-mail
being a source of embarrassment or legal liability to the enterprise. If
your e-mail policy addresses the above, you're off to a great start.
Next, let's consider some rules
for internal and external e-mail systems. By “internal e-mail systems,”
I mean the e-mail system deployed throughout an enterprise for the use
of all employees in support of the mission. This may include e-mail user
agents deployed on teleworkers’ home (business use) systems or the notebook
PC of the road warrior. By “external,” I mean users' own “home ISP” e-mail
accounts or “free” e-mail accounts.
Rules for Internal E-mail Systems
All business-related e-mail is
sensitive e-mail. Therefore, all e-mail will be encrypted and signed.
I’ve argued for this in an
editorial, so I won't reiterate the arguments here.
An enterprise e-mail system
is primarily for business use. Notice, I did not write “exclusively,”
but “primarily.” A few years ago, the only e-mail people had was at work.
I used to argue that it was unnecessary, and probably foolish, to try to
prevent people from using e-mail for the occasional personal message. They
would ignore the policy in the interest of keeping in touch with family.
Nowadays, e-mail accounts are inexpensive and within reach of most people.
There is no great need for someone to use a corporate mail address for
personal business. Nevertheless, it is sometimes convenient. Permitting
some non-business e-mail stops people from accessing their personal e-mail
accounts through the corporate firewall (which I will discuss shortly).
Corporate e-mail, however, is still primarily for business use.
We do not want people running a home business through our corporate e-mail
systems. We do want them to be able to receive an emergency message from
their freshman daughter in college.
On our enterprise e-mail servers,
external e-mail addresses will be obvious. Assuming our company e-mail
domain is example.com, if you see an e-mail header addressed to two colleagues at example.com
and to Mike at an outside provider, it should be obvious to anyone
that Mike is an outsider (not an employee). This means we do not have the
MIS group create mail addresses that look like employee addresses, where
an example.com address automatically forwards to an outside Hotmail account. That is
a dangerous practice, and leads us to the next policy.
Take care when sending e-mail
to a mixed audience of inside and outside recipients. It is very easy
for an e-mail “discussion” to start off innocuously, but end up discussing
sensitive corporate information. Users should be in the habit of reading
the distribution list of e-mail before they respond to it. Users should
know to whom they are replying. They may not think of these points unless
you educate them.
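One way to back this rule with a mechanism, as an added example that is not part of the original article: a check that classifies every To/Cc/Bcc recipient as inside or outside the corporate domain and flags a mixed audience before a reply goes out. It assumes the corporate domain is example.com, as the article does; the sample message, the outside domain and the recipient names are constructed for illustration.

```python
"""Added example (not the article's code): flag replies addressed to a mixed
inside/outside audience. Assumes the corporate domain is example.com; the
sample message below is constructed."""
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # assumption, matching the article's example domain

# Constructed sample: an internal thread that has picked up an outside recipient.
SAMPLE = b"""\
From: Jane Employee <jane@example.com>
To: Joe Employee <joe@example.com>, mike@outside.example.net
Cc: Sue Employee <sue@example.com>
Subject: Re: Q3 pricing
Content-Type: text/plain

Attached are the numbers we discussed.
"""


def classify_recipients(raw, internal_domain=INTERNAL_DOMAIN):
    """Return (internal, external) address lists for all To/Cc/Bcc recipients."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    fields = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    internal, external = [], []
    for _display_name, addr in getaddresses(fields):
        addr = addr.lower()
        domain = addr.rpartition("@")[2]
        # Case-insensitive compare; subdomains of the corporate domain count as inside.
        if domain == internal_domain or domain.endswith("." + internal_domain):
            internal.append(addr)
        else:
            external.append(addr)
    return internal, external


def is_mixed_audience(raw, internal_domain=INTERNAL_DOMAIN):
    """True when at least one recipient is inside and at least one is outside."""
    internal, external = classify_recipients(raw, internal_domain)
    return bool(internal) and bool(external)


if __name__ == "__main__":
    inside, outside = classify_recipients(SAMPLE)
    print("inside: ", inside)
    print("outside:", outside)
    if is_mixed_audience(SAMPLE):
        print("WARNING: mixed audience; read the distribution list before replying")
```

The same check could run in a client plug-in before "Send" or at the gateway as a warning; what matters is that the user sees the outside address, which is exactly the habit the rule above asks for.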
MIS staff will configure antivirus
software to scan all e-mail at the e-mail gateway.
This applies to incoming and outgoing, message body and attachments. Users
should configure their desktop antivirus software to do the same. And,
of course, antivirus software will be periodically updated. This is too
obvious to discuss much. As Peter Tippett, CTO of TruSecure Corporation
recommends in the January 2001 Information Security Magazine, "Filter
out e-mail attachments -- including .exe, .scr, .pif and .vbs -- and you'll
have no problem from these 'surprise' viruses [such as the Happy 99 virus],
even if you haven't updated your AV definitions in months. In rare cases,
users have a legitimate business need for receiving such attachments; but
in most cases, they do not. Users who actually need these file types can
get the sender to zip them or ask their e-mail administrator to manually
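The attachment filtering the quoted advice recommends, as an added example that is neither the article's nor Tippett's code: a gateway-side check that walks the MIME parts of a message, reads each attachment's declared filename, and quarantines the message when an extension is on the block list. The block list holds the four extensions named above and is meant to be extended; the sample message and filenames are constructed, and the check deliberately looks only at the declared name, so a zipped file passes, which is the workaround the quote describes.

```python
"""Added example (not the article's or Tippett's code): flag attachments by file
extension at the e-mail gateway. Block list and sample message are constructed."""
import os
from email import policy
from email.parser import BytesParser

# Extensions named in the quoted advice; extend to match your own policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs"}

# Constructed sample: one blocked attachment (note the upper-case extension)
# and one zip file, which the policy lets through.
SAMPLE = b"""\
From: someone@outside.example.net
To: joe@example.com
Subject: Greeting card
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached card!
--b1
Content-Type: application/octet-stream; name="card.EXE"
Content-Disposition: attachment; filename="card.EXE"
Content-Transfer-Encoding: base64

TVo=
--b1
Content-Type: application/zip; name="report.zip"
Content-Disposition: attachment; filename="report.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""


def attachment_names(raw):
    """Declared filenames of all non-multipart parts that carry one."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if name:
            names.append(name)
    return names


def blocked_attachments(raw, blocked=BLOCKED_EXTENSIONS):
    """Filenames whose extension is on the block list.
    The comparison is case-insensitive and ignores surrounding whitespace."""
    hits = []
    for name in attachment_names(raw):
        ext = os.path.splitext(name.strip())[1].lower()
        if ext in blocked:
            hits.append(name)
    return hits


def gateway_verdict(raw, blocked=BLOCKED_EXTENSIONS):
    """'quarantine' when any blocked attachment is present, otherwise 'deliver'."""
    return "quarantine" if blocked_attachments(raw, blocked) else "deliver"


if __name__ == "__main__":
    print("attachments:", attachment_names(SAMPLE))
    print("blocked:    ", blocked_attachments(SAMPLE))
    print("verdict:    ", gateway_verdict(SAMPLE))
```

Run the same function over incoming and outgoing mail, as the rule above says, and log every quarantine so that the rare legitimate need can be handled by the administrator rather than by weakening the filter.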
All e-mail initiated by an
employee and sent through an enterprise e-mail system will adhere, in content,
to all HR department communication guidelines and all state and national
laws. As a final catchall,
your e-mail policy should point to other acceptable use policies that are
relevant in the corporation.
Rules for External E-mail Systems
Employees will not use outside e-mail systems
to send or receive corporate e-mail. How can we say we are protecting our
assets if they are stored on e-mail servers outside our enterprise's control?
How can we enforce policies on e-mail the company never "handles"?
Employees will not retrieve
e-mail from, or send e-mail to, external e-mail servers through enterprise
gateways. So, for example,
employees should not use enterprise computers to download personal e-mail
from personal e-mail accounts. The reason I recommend it as a policy has
to do with peripheral issues. If we allow employees to contact their ISP
mail servers through our firewalls, it may require us to allow extra services
through our firewalls -- services our business requirements do not dictate.
Adding additional services always affects security negatively. This may
generate the most complaints from employees, but you probably won't have
to give in, because it's hard for an employee to justify this service "requirement."
Some of the rules I discussed
are enforceable with mechanisms. A combination of the right firewall rules
and e-mail gateway configurations will get us far. Other rules are only
enforceable through educating users about what is permitted and denied,
with a clear delineation of the consequences of non-compliance.
E-mail is the number one entry
point for attacks from the Internet. Acceptable use policies help our users
become part of the solution, instead of continuing to be part of the problem.