As a security administrator, how involved are you in setting policies and implementing solutions for email security, archival, and retrieval? It seems to me that this is one of those areas in which many people from various functional areas in the company—senior management, the legal department, IT, email administrators, and security administrators—need to have a say. Some will be involved in determining policy and communicating that policy to employees, while others will be charged with purchasing or developing and then deploying solutions.
I'm wondering what your role as a security administrator has been in this area. How much time have you spent setting policies for whether or how much employees can use the corporate email system for personal use? Or what types of attachments are allowed? Or which messages should be encrypted?
How involved have you been in determining what to archive, how long to archive it, and what process and system to use to archive it? Have you had to help retrieve email messages to meet a legal request?
Where is your company in the process of managing email in this new era of compliance requirements? Do you feel you already have good email policies, procedures, and solutions in place? Are you getting there? Are you just beginning the discussion?
No matter how far along you are, you might find "Reshaping Information Security: The Convergence of Content & Security in Corporate Messaging" to be an interesting summary of conversations on the topic among 40 security professionals (conducted by MessageGate, which provides email governance solutions, and The Roundtable Network).
The "Reshaping Information Security" report identifies some key findings, which it calls "drivers in reshaping information security." The following five points are verbatim from the report:
1. Information Security and IT are now being required to build expertise in record retention, electronic discovery, and legal matters to better respond to internal requests from legal and compliance.
2. The end-user is a critical variable for both content and security-related issues in the enterprise. How people use the technology available to them and their awareness of authorized usage is more of a concern than the underlying technology.
3. The next generation of workers will come to the workplace with a mobile device and laptop versus having to have them provided by the company. This will create a whole new level of information access, control, and security issues.
4. Email is not going to be displaced by another mechanism of communication, but it will be augmented. The definition of enterprise messaging must be expanded to include instant messaging (IM), text messaging, and other forms of internet-enabled communication and collaboration.
5. The company must have the organizational will to embrace these issues and be proactive in addressing them versus treating them as bad news to be avoided. Being proactive now will alleviate overwhelming burden and costs later on.
As "Reshaping Information Security" points out, one important aspect of managing email for regulatory compliance is storing messages for the required amount of time and being able to retrieve them on request. Following is a list of articles about managing email storage and retrieval. Note that all these articles are available only to Windows IT Pro subscribers or Exchange and Outlook Pro VIP (formerly Exchange & Outlook Administrator) subscribers. Some of you subscribe to those publications, but many don't. Let me know if email governance is a topic you'd like to see covered in Security Pro VIP. You can reach me at firstname.lastname@example.org or on the Security Pro VIP forum.
The Exchange & Outlook Administrator article "Build an Email-Discovery Plan," June 2006, covers organizing your email stores so that you can produce emails in response to a legal request.
The Windows IT Pro article "Email Archiving for Compliance," May 2006, is a comparative review of six email archiving products.
The Exchange & Outlook Administrator article "Regulatory Compliance," September 2005, discusses some of the main provisions in the most relevant pieces of compliance legislation and translates them into practical advice for Exchange system administrators.
The Windows IT Pro Buyer's Guide: "Exchange Archiving Tools," July 2005, is a broad survey of the field and a feature-comparison table.
The Windows IT Pro article "Get a Grip on Exchange Data Management," April 2005, explores the considerations surrounding the storage and retrieval of increasing amounts of email data. This article also includes a listing of related articles on the Windows IT Pro Web site.