Messaging News - December 2008 - (Page 28) EMAIL POLICY MANAGEMENT

is and is not actually sent,” he explains. “To say, ‘We have a policy in place,’ without visibility is no longer sufficient. The government is (getting more) aggressive in their prosecution efforts, especially with the many public leaks we have seen lately.”

Adds Michael Osterman, principal of Osterman Research, “You need paper policies to say ‘Hey, don’t do stupid things’ but then you also need good protection against what gets sent through email. You need some sort of a system that will look at the content that’s flowing through the email system and at a minimum, provide a pop-up to the sender saying, ‘This file is in violation of corporate policy 124. Knock it off’.”

Defining and Implementing EPM

Most experts agree that a successful EPM starts with figuring out what needs to be protected. The review process should address the needs of all internal stakeholders—IT, legal, HR, and management—and should, at the very least, detail what types of content should and should not travel through the corporate email, IM, and Web mail systems.

“Customers need to classify their data and understand its acceptable use before they can create an email policy for protecting it,” says Kosaka, “Once they’ve taken that step, the challenge is cutting through the vendor hype to find a solution offering effective monitoring and enforcement, yet easy management for the email security admin.”

Osterman agrees, “You start with the policies before the technology because you’ll need to sit down with legal counsel and senior managers and say, ‘these are the liabilities we have, these are the laws on the books, these are the things we need to comply with from a corporate best practices standpoint’”.

Amir Lev, CTO of Commtouch feels that communications policies should also address acceptable Web use in order to ensure a safe and harassment-free work environment. “Viewing hate sites, pornography, or other offensive content should be prohibited outright to avoid legal and security risks.”

When it comes to adding compliance to EPM, things get a little more challenging. Federal and state compliance requirements differ greatly depending on the type of industry. A thorough EPM must be flexible and comprehensive enough to ensure adherence to all regulations that may apply.

“There are various industries that have specific compliance issues such as HIPAA for healthcare and Sarbanes Oxley for financial services,” says Lev. “Of course, a company can have all the written policies in the world, but they certainly need technology to enforce them.”

Kosaka adds that EPM solutions should provide protection at all layers within the infrastructure—cloud, gateway, servers, and endpoint—and they should share and correlate information across all threat vectors (email, Web mail, PDAs and IM), to provide better and more immediate protection.

In sketchy economic times, many organizations must pick and choose between being proactive and making do with what they have.

“In many cases, the implementation and maintenance of EPM is costly and resource intensive,” explains Najaf Husain, founder, CEO and president of AppAssure. “At a minimum, a next generation email protection solution should be deployed to provide proactive email retention management, access to historical email, and application protection from data corruption. This will go a long way toward an effective EPM strategy while reducing cost and management oversight. Our advice is to look for areas of cost optimization within your application infrastructure and deploy best of breed, purpose-built solutions that improve user productivity and reduce the risk of application failures and loss of mission-critical data.”

Osterman adds that companies must define and address three key issues in their EPM: appropriate use of email, content/message encryption, and archiving.

What’s at Stake?

Companies that take a wait-and-see approach to EPM aren’t necessarily ignorant of the risks, believes Osterman. “They may have other priorities on the IT wish list or they may not have money to spend on what they feel are theoretical risks.”

However, in the era of polymorphous viruses, targeted phishing, drive-by downloads and more, it’s surprising that any risks would be considered “theoretical.” So what’s at stake?

“Given that most companies don’t have enforceable policies, the risks include accidental and malicious data leaks, attacks containing malicious URLs, lawsuits for inappropriate use, and failure to address U.S. e-Discovery requirements,” says Kosaka, “According to the Ponemon Institute, the cost of a data breach now exceeds $6.3 million USD per incident. The government is