In this Issue:
- Perspective: Security Administrators and Email Management
- Coming this Month
- May 2007 Articles in Print-Friendly Format
- The Security Pro VIP Forum
- Share Your Security Tips and Get $100
Perspective: Security Administrators and
As a security administrator, how involved are you in setting policies and implementing solutions for email security, archival, and retrieval? It seems to me that this is one of those areas in which many people from various functional areas in the company—senior management, the legal department, IT, email administrators, and security administrators—need to have a say. Some will be involved in determining policy and communicating that policy to employees, others will be charged with purchasing or developing and then deploying solutions.
I'm wondering what your role as a security administrator has been in this area. How much time have you spent setting policies for whether or how much employees can use the corporate email system for personal use? Or what types of attachments are allowed? Or which messages should be encrypted?
How involved have you been in determining what to archive, how long to archive it, and what process and system to use to archive it? Have you had to help retrieve email messages to meet a legal request?
Where is your company at in the process of managing email in this new era of compliance requirements? Do you feel you have good email policies, procedures, and solutions in place already? Are you getting there? Are you just beginning the discussion?
No matter how far along you are, you might find "Reshaping Information Security: The Convergence of Content & Security in Corporate Messaging" to be an interesting summary of conversations on the topic among 40 security professionals (conducted by MessageGate, which provides email governance solutions, and The Roundtable Network).
The "Reshaping Information Security" report identifies some key findings, which it calls "drivers in reshaping information security." The following five points are verbatim from the report:
1. Information Security and IT are now being required to build expertise in record retention, electronic discovery, and legal matters to better respond to internal requests from legal and compliance.
2. The end-user is a critical variable for both content and security-related issues in the enterprise. How people use the technology available to them and their awareness of authorized usage is more of a concern than the underlying technology.
3. The next generation of workers will come to the workplace with a mobile device and laptop versus having to have them provided by the company. This will create a whole new level of information access, control, and security issues.
4. Email is not going to be displaced by another mechanism of communication, but it will be augmented. The definition of enterprise messaging must be expanded to include instant messaging (IM), text messaging, and other forms of internet-enabled communication and collaboration.
5. The company must have the organizational will to embrace these issues and be proactive in addressing them versus treating them as bad news to be avoided. Being proactive now will alleviate overwhelming burden and costs later on.
As "Reshaping Information Security" points out, one important aspect of managing email for regulatory compliance is storing messages for the required amount of time and being able to retrieve them on request. Following is a list of articles about managing email storage and retrieval. Note that all these articles are available only to Windows IT Pro subscribers or Exchange and Outlook Pro VIP (formerly Exchange & Outlook Administrator) subscribers. Some of you subscribe to those publications, but many don't. Let me know if email governance is a topic you'd like to see covered in Security Pro VIP. You can reach me at firstname.lastname@example.org or on the Security Pro VIP forum.
The Exchange & Outlook Administrator article "Build an Email-Discovery Plan," June 2006, covers organizing your email stores so that you can produce emails in response to a legal request.
The Windows IT Pro article "Email Archiving for Compliance," May 2006, is a comparative review of six email archiving products.
The Exchange & Outlook Administrator article "Regulatory Compliance," September 2005, discusses some of the main provisions in the most relevant pieces of compliance legislation and translates them into practical advice for Exchange system administrators.
The Windows IT Pro Buyer's Guide: "Exchange Archiving Tools," July 2005, is a broad survey of the field and a feature-comparison table.
The Windows IT Pro article "Get a Grip on Exchange Data Management," April 2005, explores the considerations surrounding the storage and retrieval of increasing amounts of email data. This article also includes a listing of related articles on the Windows IT Pro Web site.
—Renee Munshi, Security Pro VIP Editor
Coming this Month
"NTFS Secrets" by Mark Burnett
Seven nuggets of information about how the Windows file system actually works in practice will save you time and frustration when working with file permissions.
This article is now live on the Web.
"Fight Spam Using Exchange 2007’s Edge Server Role" by Jan De Clercq
The Edge Transport server role gives a needed boost to Microsoft Exchange’s message hygiene capability, adding or enhancing features such as connection and content filtering, Sender ID, and transport rules.
Coming June 14.
Toolbox: "Virtual Machines and Live CD" by Jeff Fellinge
Get comfortable using VMs—a must-have tool for security administrators—by using VMware Server to run the Linux distribution BackTrack, which provides you with more than 300 security tools.
Coming June 21.
Randy Franklin Smith answers your Windows security questions.
Coming June 28.
Reader to Reader: "Use a Server HOSTS File to Block Malware" by Rob John
People have been using HOSTS files to block malicious and annoying programs on their PCs for quite some time. However, you can also use them on some servers.
Coming June 28.
May 2007 Articles in Print-Friendly Format
If you're someone who prefers your newsletters in printed form, check out this .pdf file. It contains all the security articles posted on the Security Pro VIP Web site in May. Print and enjoy!
The Security Pro VIP Forum
The Security Pro VIP forum is your place to ask questions about security topics and about articles posted on the Security Pro VIP Web site and to get answers from other forum members, including Orin Thomas, forum moderator, and article authors. Let's talk!
Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to email@example.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.