E-mail AUPs and monitoring

Last week I discussed “The Seven Ugly Dwarves,” a name coined by Elizabeth Charnock, CEO of Cataphora, for e-mail content that reveals dirty secrets and behaviors. After relating some examples, I mentioned the need for acceptable-use policies and mail-retention policies and threatened to return to these subjects. Well, here we are. First we’ll tackle AUPs.

I suspect that many of you have AUPs in place that specify what your users are allowed to do and what they are not allowed to do. That’s the whole point – in the context of your business’s practical, ethical and legal foundations, your AUP should act as a training aid, a best practices guide and an insurance policy.

In organizations that take these things seriously, employees are often required to sign a document saying they have read and will abide by the AUP, while companies that are really committed reinforce the authority of the AUP through mandatory training sessions.

But where many companies fall short is enforcing these policies. It doesn’t matter what you tell people or what commitments they make; if you aren’t keeping an eye open for problems and violations, you might never know what disasters are waiting for you until they happen. In other words, trust but verify.

One of the first things to keep an eye on is the flow of messages. This will tell you if users are abusing the mail system according to the terms of the AUP. A sudden upswing in the number of messages sent by an individual could mean he is spamming, is mail-bombing, has a worm or virus infection that is acting as a spam relay, or has become a zombie for a hacker. A significant upswing in the number of messages a user receives could mean he needs help learning not to reply to spam solicitations or has subscribed to too many lists.

But if you’re really serious, you should also be watching who is communicating with whom. A sudden increase in the number of messages exchanged or new exchanges between individuals who have no normal need to communicate could mean something is going on that needs to be monitored.

Next comes content monitoring. As messages pass through servers they should be scanned for telltale words and phrases that could be indicative of non-compliance with laws and or corporate policies.

Content monitoring is crucial if you are in a regulated industry. For example, if your business comes under the shadow of the Health Insurance Portability and Accountability Act, which legislates the privacy and security of personal health information and medical records, then you have some serious corporate responsibilities to live up to.

The same considerations apply to the Sarbanes-Oxley Act, which legislates what is and is not acceptable regarding the retention of records electronic or otherwise for public companies, executives and the general population.

But there are two key problems with content monitoring. The first is scale – scanning 20 messages per user, per day, in a 10,000-seat organization requires real horsepower. The second problem is even more tricky – what to do with messages that trigger the filters. Do you stop suspicious messages to prevent damage from being done but introduce a serious delivery delay if it is a false positive, or do you send the message on and act after damage might have been done? The choice you make will depend on the type of business you are in.

There’s also the manpower overhead, as someone has to stay on top of the monitoring. Whoever is monitoring has to read and judge content that is trapped and act upon what they read.

So, monitoring is not an insignificant commitment. But what about e-mail retention? How long should you keep e-mail around? That’s something we’ll retain for next week . . .

Hold nothing back by sending your AUP thoughts to backspin@gibbs.com.