Administration of Email
How your organization handles email is just as important as how your users use the system. The policies and procedures you put in place can become the subject of lawsuits, grievances, or other proceedings that embarrass the organization or its users.
The ramifications of email, whether its content or how it is handled, do not appear to be taken seriously. Given the high-profile cases and security problems involving email, this is a real concern. Email policies should require appropriate due diligence from both users and administrators.
As you might have noticed, this section assumes that your organization manages its own email services. If your organization outsources its email services, check the contract to ensure that the service provider can operate the service in compliance with your policies. If your organization uses a consumer online service, such as AOL, your policy will concentrate on usage and have little to say about administration.
Establish the Right to Monitor Email
The Internet's most ubiquitous application can also be its most dangerous. Email can be used to transmit sensitive data, harassment, and malicious code. All of these risks can be mitigated if your organization monitors email traffic and content and archives messages so that problems can be investigated. If you are unsure whether monitoring is permitted, consult an attorney to learn what is legal in your jurisdiction. Once the right to monitor is established, it becomes the basis for the policies that follow: the overall handling of email, the archiving of user messages, and scanning.
Handling of Email
A client was worried about its email policy following a lawsuit filed by a former employee. It was a small company, fewer than 70 users, and it was concerned about adding architecture information to its policy. After questioning this request, I was handed a copy of a deposition taken from its System Administrator. The plaintiff's attorney had questioned how the system handled the routing of email and whether that was part of the security policy.
I reviewed the deposition and other supporting documentation. I became concerned that even best-practice architectures could be used as evidence against an organization. The challenge I faced was to write a policy statement that would allow the organization to architect a system yet protect itself from being prosecuted for those technical decisions. Following is what I came up with:
Network and Security Administrators shall architect the email system in a way that will allow the proper delivery of messages both within the organization and to the Internet. This system shall be allowed to use, but not be limited to use, proxy, forwarding, gateway, and manual services to operate this service.
Although this is a very broad statement that could be used for any architectural policy, it satisfied the organization's attorneys.
Do not take the storage and retention of archived email lightly: if Microsoft had followed its own retention policy, the messages the government used against it would not have existed. This is not to say that I support using email for allegedly illegal activities; but if your organization is going to have a policy, it should be realistic and should be followed.
Archiving and retention policies have two components. The first states that email will be archived. The second defines parameters for how long email will be retained. As with other policies, it might be best to defer the storage types and some of the retention lengths to the implementation documents. However, you should include some guidance in the policy document itself:
The organization shall retain and archive all email messages that pass through its servers. The archive shall be retained on an online storage medium. Administrators shall archive messages to an offline storage medium every six months and purge those messages from the online stores.
The organization shall retain that offline storage medium for at least two years but may retain it for longer periods at the discretion of management. The offline medium shall be erased or destroyed in a manner commensurate with its technology.
Some larger organizations, especially government contractors, could have problems creating a single policy for archiving and retention. They might be contractually required to implement a retention policy that is different from the one you are writing. If this is the case, the organization can include the following in its policy statement:
The organization shall alter its policy to comply with contractual obligations on an as-needed basis and without policy review. These changes shall only affect those users who perform work for that contract, and the organization shall notify those users of the changes prior to their implementation.
Over the last few years, email has been used to spread computer viruses across the Internet. To combat this problem, many administrators have added virus scanning to their networks. That is a good thing, but is there a policy authorizing it? In this litigious world, you would probably not be allowed to do anything with the information gathered unless a policy backs it.
Content-scanning policies allow the organization to look at the content of the messages. For whatever reason, some organizations feel they need to monitor email content to prevent embarrassment or proprietary information from being disseminated. The problem is that content-scanning policies are just not nice. They read like the organization is looking over the shoulder of its users because they are not trusted. For some organizations that project a "family" atmosphere, I can see how the culture might frown upon this practice. For others, it could be a necessary evil.
The concept is to write a policy statement that allows your organization to scan all email in a manner consistent with its business goals. If your organization scans for viruses and other threats, the policy should say so. If it will also scan content, the policy should say that too. Whatever the policy, if your organization chooses to scan email, there should be something, such as a publicly accessible document, that explains what is being scanned.
For virus scanning, you can have a policy that reads:
The organization shall scan every email message that passes through its server to check for computer viruses, worms, or other executable items that could pose a threat to the security of the network. Infected email shall not be delivered to the user.
Administrators shall have procedures in place for handling infected email messages.
When content scanning, one policy I helped write read:
The organization shall be allowed to scan the content of every email message that passes through its servers against predetermined criteria. If the message does not meet the criteria, the message shall not be delivered to the user.
Administrators shall have procedures in place for handling rejected messages.
Management shall have procedures for enforcing these policies, including, but not limited to, disciplinary procedures for users or involving law enforcement for non-users.
Finally, either section may add the following:
The organization shall make available the list of items being scanned at the server.
Limiting the Size of Email
Email clients have made it easy for users to create fancy messages and transmit large amounts of data by attaching files stored on the system or the network. With each new file format, the amount of data consuming network bandwidth increases. One well-known university estimated that over half of the email messages sent through its servers carried attachments in a newly popular audio file format.
The problem is not limited to universities. Some organizations are finding that users send documents to colleagues via email rather than using network file servers as a single storage location. To manage the resources consumed by email, some organizations have updated their policies to include a limit on the size of messages transmitted.
Email size restriction policies can be as simple as limiting everyone to a particular message size. However, there could be cases where exceptions need to be made. In one organization I worked for, a person acting as a librarian was required to send large messages to customers and receive them from customers. They wanted a policy that was more flexible than limiting everyone to one size. Their solution was to create a policy with a statement that an exception could be made if reviewed by a manager. That policy read:
Email messages sent to and from users shall not exceed 40 kilobytes in total size. Exceptions shall be made for users with requirements that cannot be met within those limits. The user's manager shall review these exceptions individually.
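The three policy statements above (virus scanning, content scanning against predetermined criteria, and a size limit with manager-reviewed exceptions) all end up as rules in the same place: a filter on the mail server that decides whether a message is delivered. The following is an added example, written for this page and not taken from the author or any product, of such a gateway filter in Python using only the standard library's email package. The 40 kilobyte limit is the page's own figure; the example.org addresses, the librarian exception, the list of executable suffixes, the content markings, and the sample messages are all constructed assumptions for the demonstration. It goes slightly beyond the page in one respect: an exception held by either the sender or any recipient raises the limit, so a customer's large reply to the librarian is delivered too.

```python
"""Added example: a gateway filter enforcing the scanning and size policies on this page."""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from pathlib import PurePosixPath

# Policy parameters. The 40 KB default is the page's figure; everything else is assumed.
SIZE_LIMIT_BYTES = 40 * 1024
# Manager-reviewed exceptions, address -> individual limit (the librarian case is constructed).
SIZE_EXCEPTIONS = {"librarian@example.org": 25 * 1024 * 1024}
# Attachment types treated as "executable items that could pose a threat" (assumed list).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Predetermined content criteria; the markings are assumed. This is the list the policy publishes.
CONTENT_CRITERIA = ("company confidential", "internal use only")


def size_limit_for(address: str) -> int:
    """The user's manager-approved exception if one exists, otherwise the default limit."""
    return SIZE_EXCEPTIONS.get(address.lower(), SIZE_LIMIT_BYTES)


def parties(msg: EmailMessage) -> list[str]:
    """Sender plus every To/Cc recipient; an exception held by any of them applies."""
    sender = parseaddr(str(msg.get("From", "")))[1]
    recipients = getaddresses([str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])
    return [a for a in [sender] + [addr for _, addr in recipients] if a]


def scannable_text(msg: EmailMessage) -> str:
    """Subject plus every inline text/* part, lower-cased for the criteria match."""
    pieces = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            pieces.append(part.get_content())
    return "\n".join(pieces).lower()


def classify(raw: bytes) -> tuple[str, str]:
    """Return ("deliver", "") or ("reject", reason) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Virus-scanning policy: executable items are not delivered to the user.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if PurePosixPath(name).suffix.lower() in EXECUTABLE_SUFFIXES:
            return "reject", f"executable attachment: {name}"

    # Content-scanning policy: a message that fails the predetermined criteria is not delivered.
    text = scannable_text(msg)
    for criterion in CONTENT_CRITERIA:
        if criterion in text:
            return "reject", f"content matched criterion: {criterion}"

    # Size policy: the default limit unless one of the parties holds a reviewed exception.
    limit = max((size_limit_for(a) for a in parties(msg)), default=SIZE_LIMIT_BYTES)
    if len(raw) > limit:
        return "reject", f"size {len(raw)} exceeds limit {limit}"

    return "deliver", ""


def build_message(sender: str, to: str, subject: str, body: str,
                  attachment: tuple[str, bytes] | None = None) -> bytes:
    """Constructed sample traffic for the demonstration; not captured mail."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Five constructed messages, one per policy outcome (a 100 KB attachment exceeds 40 KB).
SAMPLES = {
    "clean": build_message("alice@example.org", "bob@example.org", "Lunch", "See you at noon."),
    "executable": build_message("alice@example.org", "bob@example.org", "Invoice",
                                "Please open.", ("invoice.pdf.exe", b"MZ" + bytes(64))),
    "confidential": build_message("alice@example.org", "partner@example.com", "Draft",
                                  "This draft is Company Confidential; do not forward."),
    "librarian_bulk": build_message("librarian@example.org", "customer@example.com", "Catalog",
                                    "Catalog attached.", ("catalog.zip", bytes(100 * 1024))),
    "user_bulk": build_message("alice@example.org", "bob@example.org", "Catalog",
                               "Catalog attached.", ("catalog.zip", bytes(100 * 1024))),
}


def run_samples() -> dict[str, tuple[str, str]]:
    """Classify every constructed sample; the rejections are what the handling procedures receive."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:15} {verdict:8} {reason}")
```

Two design points match the policy text rather than convenience. The rejection reason is returned, not just a verdict, because the policy requires "procedures in place for handling rejected messages" and a quarantine or notification step needs to know why. The content criteria live in one published tuple so that the "list of items being scanned at the server" the last policy statement promises is the same object the filter actually uses, not a separately maintained document that drifts from it. The executable check matches the full suffix of the declared filename, so a double extension such as invoice.pdf.exe is still caught; a production scanner would also inspect the bytes rather than trusting the name.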