Originally published 09 Feb 2001. Republished with permission from WatchGuard Technologies, Inc.
WatchGuard

Corporate E-mail: What’s Your Policy?

by Fred Avolio, Avolio Consulting, Inc.

E-mail security has hit the news in a big way over the last year, with several prominent viruses spreading primarily through e-mail. Most recently, the Privacy Foundation revealed that HTML e-mails can contain JavaScript code that lets the originator snoop on comments the receiver adds when forwarding the e-mail to someone else. 

E-mail vulnerabilities make us focus on specific fixes and technologies designed to block exploits. But we must remember that no remedy will help if users ignore it, or if users misuse e-mail in other ways. So in this article, let’s step back from the urgent and view e-mail in light of the important: establishing a sound “acceptable use” policy at your business. An acceptable use policy is sometimes called a usage “guide,” but that sounds too much like a soft “it-would-be-nice-if” suggestion. What I recommend in this article are rules you should apply to your end users, policies that explain which actions are permitted and which are prohibited. My recommendations are not meant to be exhaustive. Rather, they should be a platform for you to build on for your company’s unique requirements.

Goals of Business E-Mail Usage 

Let’s begin at the beginning: why do we have e-mail in our businesses? Obviously, to support the company’s mission. As professionals and network administrators, here’s what we want. We want to make sure that employees use e-mail in a way that matches the business objectives, while recognizing the security requirements and adhering to the security measures. We want our people to handle e-mail in a way that limits its potential misuse by an outsider (for example, as an avenue for computer viral attack). We want e-mail used in a way that limits its use as a vehicle for exposing sensitive corporate information to the unauthorized. And, though not directly a security issue, we want to protect against e-mail being a source of embarrassment or legal liability to the enterprise. If your e-mail policy addresses the above, you’re off to a great start. 

Next, let’s consider some rules for internal and external e-mail systems. By “internal e-mail systems,” I mean the e-mail system deployed throughout an enterprise for the use of all employees in support of the mission. This may include e-mail user agents deployed on teleworkers’ home (business use) systems or the notebook PC of the road warrior. By “external,” I mean users’ own “home ISP” e-mail accounts or “free” e-mail accounts.

Rules for Internal E-mail Systems 

  • All business-related e-mail is sensitive e-mail. Therefore, all e-mail will be encrypted and signed. I’ve argued for this in a previous editorial, so I won’t reiterate the arguments here.

  • An enterprise e-mail system is primarily for business use. Notice, I did not write “exclusively,” but “primarily.” A few years ago, the only e-mail people had was at work. I used to argue that it was unnecessary, and probably foolish, to try to prevent people from using e-mail for the occasional personal message. They would ignore the policy in the interest of keeping in touch with family. Nowadays, e-mail accounts are inexpensive and within reach of most people. There is no great need for someone to use a corporate mail address for personal business. Nevertheless, it is sometimes convenient. Permitting some non- business e-mail stops people from accessing their personal e-mail accounts through the corporate firewall (which I will discuss shortly). Corporate e-mail, however, is still primarily for business use. We do not want people running a home business through our corporate e-mail systems. We do want them to be able to receive an emergency message from their freshman daughter in college.

  • On our enterprise e-mail servers, external e-mail addresses will be obvious. Assuming our company e-mail domain is example.com, if you see an e-mail header addressed to joe@example.com, mary@example.com, and to mike@hotmail.com, it should be obvious to anyone that Mike is an outsider (not an employee). This means we do not have the MIS group create mail addresses that look like employee addresses, where mike@example.com automatically forwards to the Hotmail account. That is a dangerous practice, and leads us to the next policy. 

  • Take care when sending e-mail to a mixed audience of inside and outside recipients. It is very easy for an e-mail “discussion” to start off innocuously, but end up discussing sensitive corporate information. Users should be in the habit of reading the distribution list of e-mail before they respond to it. Users should know to whom they are replying. They may not think of these points unless you educate them.

  • MIS staff will configure antivirus software to scan all e-mail at the e-mail gateway. This applies to incoming and outgoing, message body and attachments. Users should configure their desktop antivirus software to do the same. And, of course, antivirus software will be periodically updated. This is too obvious to discuss much. As Peter Tippett, CTO of TruSecure Corporation recommends in the January 2001 Information Security Magazine, “Filter out e-mail attachments — including .exe, .scr, .pif and .vbs — and you’ll have no problem from these ‘surprise’ viruses [such as the Happy 99 virus], even if you haven’t updated your AV definitions in months. In rare cases, users have a legitimate business need for receiving such attachments; but in most cases, they do not. Users who actually need these file types can get the sender to zip them or ask their e-mail administrator to manually forward them.”

  • All e-mail initiated by an employee and sent through an enterprise e-mail system will adhere, in content, to all HR department communication guidelines and all state and national laws. As a final catchall, your e-mail policy should point to other acceptable use policies that are relevant in the corporation. 

Rules for External E-mail Systems 

  • Employees will not use outside e-mail systems to send or receive corporate e-mail. How can we say we are protecting our assets if they are stored on e-mail servers outside our enterprise’s control? How can we enforce policies on e-mail the company never “handles”?

  • Employees will not retrieve e-mail from, or send e-mail to, external e-mail servers through enterprise gateways. So, for example, employees should not use enterprise computers to download personal e-mail from personal e-mail accounts. The reason I recommend it as a policy has to do with peripheral issues. If we allow employees to contact their ISP mail servers through our firewalls, it may require us to allow extra services through our firewalls — services our business requirements do not dictate. Adding additional services always affects security negatively. This may generate the most complaints from employees, but you probably won’t have to give in, because it’s hard for an employee to justify this service “requirement.” 

Next Steps 

Some of the rules I discussed are enforceable with mechanisms. A combination of the right firewall rules and e-mail gateway configurations will get us far. Other rules are only enforceable through educating users about what is permitted and denied, with a clear delineation of the consequences of non-compliance. 

E-mail is the number one entry point for attacks from the Internet. Acceptable use policies help our users become part of the solution, instead of continuing to be part of the problem. # #


 

Copyright © 1996 – 2001 WatchGuard Technologies, Inc. All rights reserved.