In my first post this week, I covered what a good Internet policy should look like. In this post, I plan to cover an e-mail policy. This policy has evolved quite a bit over the years. I don't want to date myself, but years ago we didn't worry about what we put into e-mail. Today, we have regulations like HIPAA that prohibit sending protected health information by e-mail without reasonable safeguards. In addition, attacks on our e-mail systems have increased and have become more sophisticated.
Let's be realistic: a policy -- any policy -- will not fix these problems on its own. Policies have to be implemented with education, monitoring and technology. In the case of e-mail, content filtering acts as the monitor. Most filtering software can scan outbound messages for certain words, phrases and numbers, such as a Social Security number, an account number or a street address. Pattern matching alone is noisy, so a good filter validates each hit (an SSN has a published structure, a card or account number usually carries a checksum) before it blocks or quarantines a message, and it logs what it found in masked form rather than copying the sensitive value into yet another place. Of course, if you do need to send personal information as part of your business model, then it absolutely needs to be encrypted, no ifs, ands or buts.
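The kind of check described above, as an added example that is not part of the original post and not any particular vendor's filter: a small outbound scanner that looks for Social Security numbers and payment-card-style account numbers in constructed sample message bodies, validates each candidate (SSN area/group/serial rules, Luhn checksum for card numbers) so that phone numbers and order IDs are not flagged, logs only masked values, and applies the post's rule that sensitive content may leave only if the message is encrypted. The function names, the `Finding` record and the sample messages are all my own assumptions for illustration; street addresses are deliberately left out because there is no comparable validity check for them.

```python
"""Pattern-based outbound e-mail filter (added example, not from the original post).

Scans message bodies for U.S. Social Security numbers and payment-card-style
account numbers, validates each regex hit, and returns a policy decision.
"""
import re
from dataclasses import dataclass

# Candidate patterns. A regex hit alone is NOT a finding: each candidate is
# validated below so that phone numbers, order IDs and similar look-alikes pass.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "card"
    value: str   # matched text exactly as it appeared in the message
    masked: str  # safe form for the filter log (all but the last four digits hidden)


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area 000, 666 and 900-999 are
    never issued, and group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment-card account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 4 else d * 2  # i.e. d*2, minus 9 if >= 10
        total += d
    return total % 10 == 0


def mask(digits: str, keep: int = 4) -> str:
    """Hide all but the last `keep` digits so the log itself is not a leak."""
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan(body: str) -> list[Finding]:
    """Return validated findings for one message body."""
    findings = []
    for m in SSN_RE.finditer(body):
        if valid_ssn(*m.groups()):
            findings.append(Finding("ssn", m.group(0), mask("".join(m.groups()))))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("card", m.group(0), mask(digits)))
    return findings


def decide(body: str, encrypted: bool) -> str:
    """Policy decision for one outbound message: sensitive content may only
    leave the organization if the message is encrypted; otherwise hold it."""
    if not scan(body):
        return "deliver"
    return "deliver" if encrypted else "quarantine"


# Constructed sample message bodies (made up for this example, not real data).
SAMPLES = {
    "hr_form": "Please process the new hire. SSN 219-09-9999, start date 6/1.",
    "billing": "Card on file: 4111 1111 1111 1111, exp 12/29. Thanks!",
    "order":   "Your order 1234 5678 9012 3456 shipped. Call 555-867-5309.",
    "bad_ssn": "Test record uses 000-12-3456 and 666-12-3456 as placeholders.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        found = scan(body)
        print(f"{name:8} -> {decide(body, encrypted=False):10} "
              f"{[(f.kind, f.masked) for f in found]}")
```

The `order` sample shows why validation matters: the 16-digit order number matches the card pattern but fails the Luhn check, and the phone number never matches the SSN pattern, so the message is delivered. The filter sees only the message body it is given; attachments, images and anything already encrypted or obfuscated are outside its reach, which is why filtering is a monitor that backs the policy and not a substitute for it.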
An e-mail policy usually also spells out how the business will handle retention. Many organizations allow users to archive their own e-mail. However, e-mail can take up a lot of room on a desktop or file share once attachments are involved, so companies typically back up e-mail on the e-mail server. The question then is: How long should it be held? I have heard arguments on both sides. One side says you hold all e-mail for seven years, though your industry might require more or less. The argument here is that e-mail can come back to bite you. Look at Microsoft: old e-mail was used in several cases against the company. It can, however, save you as well. If you said something in e-mail that was in your favor, then it can work for you. On the flip side, people can make an argument for a short retention time. If you don't have the e-mail, then it cannot be used against you, right? That only holds if the schedule is applied consistently and automatically, and suspended the moment litigation is reasonably anticipated; deleting mail after that point is spoliation, not retention policy.
I don't want to sidestep a recommendation, but I suggest that you decide on a retention period that fits your business and legal requirements, nothing more and nothing less. IT Business Edge's Lora Bentley made a great post about learning from Boston's E-Mail Retention Mistakes.
If you need help with an archive strategy, IT Business Edge has a free paper entitled "Email Archiving: A Business-Critical Application." If you are interested in how to better enforce your e-mail policy, then download "Not Just Words: Enforce Your Email and Web Acceptable Usage Policies", also from IT Business Edge. I plan to close my series with a software usage policy.