<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; email compliance</title>
	<atom:link href="http://www.theemailadmin.com/tag/email-compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Fri, 10 Feb 2012 14:00:05 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Understanding Email Encryption (Part 2)</title>
		<link>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-2/</link>
		<comments>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-2/#comments</comments>
		<pubDate>Tue, 23 Aug 2011 14:00:01 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Microsoft Outlook]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4483</guid>
		<description><![CDATA[In Understanding Email Encryption Part 1 I covered not only why encrypting email is important, but also the two different types of email encryption: asymmetrical and symmetrical. There was another section that briefly mentioned some of the barriers that impede buy-in from management when it comes to an encryption solution. But these were only touched [...]<p><a href="http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-2/">Understanding Email Encryption (Part 2)</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/08/cryptography.jpg"><img class="alignright size-medium wp-image-4487" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/08/cryptography-300x215.jpg" alt="" width="300" height="215" /></a>In Understanding Email Encryption Part 1 I covered not only why encrypting email is important, but also the two different types of email encryption: asymmetrical and symmetrical.</p>
<p>There was another section that briefly mentioned some of the barriers that impede buy-in from management when it comes to an encryption solution. But these were only touched upon.</p>
<p>Unfortunately, when it comes to making a pitch for encryption, those who understand the need for it are an easy sell. Those who either don’t understand it or don’t see the need for it often cite one or more of these stigmas that are attached to email encryption as a reason to avoid it.<span id="more-4483"></span></p>
<p>Should you find yourself being stonewalled when giving your reasons for email encryption, here are a few points you can make to counter any disbelievers.</p>
<p>Of course, the consequences that come from disputing your boss in front of others are something that encryption can’t protect against, so use them at your own risk.</p>
<h2>Encryption makes us look paranoid</h2>
<p>In the previous post I quoted a survey respondent as saying: “normal people don’t encrypt normal email messages” when asked about adopting encryption for email.</p>
<p>The problem is that society does tend to raise an eyebrow at those who act paranoid. Let’s be honest here, they are outright ridiculed.</p>
<p>And no one wants to be made fun of. But that is playground thinking. As a customer, client or employee I want to know that my personal or confidential information is being protected. Email encryption can make me look silly if I am sending a joke to a friend and I use DES cryptography, but if account information is being sent from my bank I want to see a bit of protection put in place.</p>
<p>One way to counter this is to ask, “would you rather someone think you a bit paranoid, or would you rather be in the news like the Oak Ridge Laboratory, CitiGroup, Sony, Target, Chase, etc.”</p>
<h2>Encryption is too complicated for most users</h2>
<p>15 years ago, email was too complicated for most users. There was a time when the telephone was complicated technology.</p>
<p>And yes, there was a time when cryptography for email messages was quite a bit of work but now it is rather simple and solutions operate seamlessly with your company’s email client.</p>
<p>Outlook offers two separate methods of encrypting email messages. You can encrypt a single message using 3DES by going to the <strong>Message tab</strong> in the <strong>Options group</strong> and clicking on the <strong>Encrypt Message Contents and Attachments</strong> button.</p>
<p>After that you simply write your message and send it on its way.</p>
<p>Encrypting all messages can be done as well but that requires all recipients to have your digital ID to decrypt the contents.</p>
<p>Still, that doesn’t seem too difficult now does it?</p>
<h2>Encryption is too expensive for us</h2>
<p>Another stigma is that encryption is for large companies, not small or medium sized businesses &#8211; this isn’t entirely accurate.</p>
<p>Sure, an organization can spend a good deal of money on an expensive appliance that requires add-ons and plug-ins. But you don’t have to spend that much.</p>
<p>With Software as a Service models, even the smallest company can purchase a service contract for only what they need. Be it one user or a thousand.</p>
<p>There are even companies that cater these services to smaller organizations specifically to keep costs within reason.</p>
<p>Software as a Service solutions can also help negate the belief that encryption will be too much of an undertaking for your IT staff as well. Since the company is buying the service, there is nothing for the IT people to set up, configure, troubleshoot, monitor, etc.</p>
<p>Encryption, like any other technology, has changed over the years. But so has the need for it. There was a time when email wasn’t such a lucrative target for attackers. There was a time when regulations mandated certain security baselines be put in place. There was a time when using encryption required a Master’s Degree in Computer Engineering. But all that has changed. Let your company know it’s about time their mentality regarding protecting email messages does as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-2/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>5 Essential Tips for SMB Email Security</title>
		<link>http://www.theemailadmin.com/2011/07/5-essential-tips-for-smb-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/07/5-essential-tips-for-smb-email-security/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 14:30:09 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[backups]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email monitoring]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4286</guid>
		<description><![CDATA[When looking at solutions on securing email, many people don’t take into consideration the type of business environment they work in. All too often, after spending a great amount of time and money, small to medium-sized enterprises find out that what works for a company the size of Bank of America doesn’t quite work for them. [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-medium wp-image-4291" style="margin: 10px; border: 0px solid black;" src="http://www.theemailadmin.com/wp-content/uploads/2011/07/prospecting-via-email-300x212.jpg" alt="prospecting-via-email" width="300" height="212" />When looking at solutions on securing email, many people don’t take into consideration the type of business environment they work in. All too often, after spending a great amount of time and money, small to medium-sized enterprises find out that what works for a company the size of Bank of America doesn’t quite work for them.</p>
<p>To better help SMBs find solutions scaled to their needs when it comes to email security, I have compiled a list of 5 tips that address the risks and restraints that they face.<span id="more-4286"></span></p>
<p><strong>1. Get the right solution</strong></p>
<p>Email security can come in any number of packages. Security solutions can be software based, deployed through an appliance or even in a hosted environment. Each type has a variety of advantages, but there may be some disadvantages based on your company size or industry so it is important that you weigh your options carefully.</p>
<p>It is also important to look to solutions that can provide the protection your company needs at a cost that works. Too many times people are under the impression that security appliances are seriously out of reach for most small to medium sized businesses. This isn’t the case. There are many solutions that organizations find affordable and feature rich.</p>
<p><strong>2. Make content filtering a standard practice</strong></p>
<p>Content filtering needs to be a two way street. Of course, you want to filter out inappropriate content from being received by employees, and certain types of attachments need to be blocked to prevent the spread of malware and the exposure of vulnerabilities. However, how often do you consider filtering what leaves your business via email?</p>
<p>Many industries nowadays are highly regulated and sending sensitive, or even financial, information out through email can not only bring compliance issues to your business, but it may also give competitors an edge. Filtering what users send out can be just as important as filtering what they receive when it comes to securing your company’s email.</p>
<p><strong>3. Practice recovery as well as backup and archiving</strong></p>
<p>Do you brush just half of your teeth? Then why would you only test half of your backup <em>and recovery</em> solution? Many companies find out, only when it is too late, that their backup and recovery solution was not configured properly or that there is some sort of problem.</p>
<p>This can be alleviated by regularly testing the recovery portion of your backup. By simply setting up a server (or virtual server) on which you can replicate your email system you can frequently test the validity of your backups in a way that will not disrupt your current email process.</p>
<p><strong>4. Create fair policies that management will enforce</strong></p>
<p>One of the biggest mistakes that SMBs make when it comes to email security is to take an overly aggressive approach. Without the manpower and resources to fine tune security policies, it becomes easier to just restrict anything that could be a perceived threat. This becomes especially true in small IT departments because they are tasked with so many other responsibilities.</p>
<p>When creating policies, it is important to bring other departments to the table so that these policies do not restrict anyone from getting their work done efficiently and effectively. Involving others at the management level also helps them better understand the reasons behind email policies and the ramifications for not following them. Gaining this support will help when it comes time to enforce these policies and discipline those who violate them.</p>
<p><strong>5. Educate your staff</strong></p>
<p>When it comes to security, it is a common misconception that bigger, state of the art, expensive solutions provide the best protection. Even though this isn’t true, SMBs often feel that they are at a disadvantage when it comes to email security because they cannot afford to deploy such solutions.</p>
<p>What many SMBs don’t see is that they have a distinct advantage over their larger counterparts when it comes to educating end users. When you have a smaller number of employees to train you have the advantage of being able to spend more time with them to make sure they understand the material you are delivering. You also have the opportunity to be readily available to answer questions or address any concerns or issues that your users may have.</p>
<p>Developing a solid training series for email security can also help free up time for IT departments that find themselves tasked with too many responsibilities because users who are informed and educated require less oversight and less attention.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/07/5-essential-tips-for-smb-email-security/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Tips for Better Email Security</title>
		<link>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/#comments</comments>
		<pubDate>Mon, 27 Jun 2011 16:34:23 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[ediscovery]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[email servers]]></category>
		<category><![CDATA[email storage]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4216</guid>
		<description><![CDATA[Most email administrators consider security to be a large part of what they do. With so many laws and regulations governing the storage, discovery and retrieval of email messages, security has become a second job to many. Unfortunately, many administrators either forget, or simply aren’t aware, that securing email requires much more effort than hardening [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_4217" class="wp-caption alignright" style="width: 235px"><img class="size-medium wp-image-4217 " style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/advanced-persistent-threat-225x300.jpg" alt="Advanced persistent threats make email security a necessity" width="225" height="300" /><p class="wp-caption-text">Advanced persistent threats make email security a necessity</p></div>
<p>Most email administrators consider security to be a large part of what they do. With so many laws and regulations governing the storage, discovery and retrieval of email messages, security has become a second job to many.</p>
<p>Unfortunately, many administrators either forget, or simply aren’t aware, that securing email requires much more effort than hardening the email servers against attack. In order to fully protect your organization’s email and its contents, the mailbox also needs to be defended. Especially when you consider how popular Advanced Persistent Threats are becoming with large cyber crime syndicates who use email not only as a way to harvest sensitive information, but also as a method of attack through phishing and social engineering.<span id="more-4216"></span></p>
<p>By implementing the following tips into your security plan you can help protect against these, and the many other threats that your organization may face:</p>
<p><strong>Create email policies to regulate the communication of confidential information</strong></p>
<p>Email communication has become second nature in the workplace. It is quick, easy and it gives us a record of our conversation so we can refer back to any information at a later date. However, if the conversation contains sensitive information like login credentials, financials, personal information, and the like, then it can be extremely valuable to anyone who may harvest those emails.</p>
<p>By simply setting up, and enforcing, policies that restrict certain information from being sent via email you can mitigate the damage done if emails are exposed. At the very least, your policy should state that user logins and passwords (and/or PINs) not be communicated via email.</p>
<p><strong>Teach users to encrypt their messages</strong></p>
<p>One of the best analogies I have seen to describe the need for encrypting emails is one that compares email to a postcard. Basically, anyone who comes across it can read the contents if they want. This can be stopped by encrypting emails to prevent eavesdropping.</p>
<p>Encryption is a hard thing for many people. It requires additional steps, training and, in some cases, third-party software (such as PGP) yet it is really the only way to keep your messages private in transit.</p>
<p>Encryption shouldn’t be limited to sending and receiving messages alone. Any email that is stored on a hard drive (think personal folders), a network drive, backup servers or archive systems should also be protected from any prying eyes.</p>
<p><strong>Get rid of old email</strong></p>
<p>A long time ago, storage space was a precious resource. Nowadays inboxes can be easily scaled to hold enormous amounts of data. Unfortunately that provides a greater possibility that an attacker will find something valuable.</p>
<p>Emails should be moved, or deleted, when their life cycle is up. Make sure to check with any regulations regarding discovery and archiving before getting rid of the old stuff, but if you combine this with encryption you will be taking great strides to protect older emails.</p>
<p><strong>Practice good network security habits</strong></p>
<p>Make sure that desktops are continually scanned for malware that could possibly expose email login credentials, filter Internet content to protect against malicious websites, understand how to properly use a firewall and update server and client software as needed.</p>
<p>In addition to employing technology to help secure your email systems, you should also consider human factors. One of the ways that people first discover that their systems have been compromised is by noticing an anomaly. Be on the lookout for log-ins that just don’t seem right, whether it be the IP address, the time of day or even the length of time.</p>
<p>This can be one of the most tedious tasks to undertake when it comes to security but it is by far the most important.</p>
<p><strong>Put the right solutions in place</strong></p>
<p>In many small and medium-sized enterprises, the email administrator alone cannot be as vigilant as he or she would like. Even organizations where there is a team of professionals dedicated to security use the necessary security tools to help them do their jobs. Smaller companies need to understand this as well.</p>
<p>By employing technologies that help manage email, backup and recovery, archiving and security, you are plugging the little holes that provide that chink in the armor most attackers are looking for.</p>
<p>No one said that email security is going to be an easy task, but it is one that cannot be ignored just because it&#8217;s too hard or it costs too much.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Email Scandals That Should Make Us Think Twice</title>
		<link>http://www.theemailadmin.com/2011/06/email-scandals-that-should-make-us-think-twice/</link>
		<comments>http://www.theemailadmin.com/2011/06/email-scandals-that-should-make-us-think-twice/#comments</comments>
		<pubDate>Mon, 20 Jun 2011 14:28:16 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email scandals]]></category>
		<category><![CDATA[email storage]]></category>
		<category><![CDATA[Galleon Group]]></category>
		<category><![CDATA[Lee Abrams]]></category>
		<category><![CDATA[Neal Patterson]]></category>
		<category><![CDATA[Raj Rajaratnam]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4168</guid>
		<description><![CDATA[Getting your co-workers to adhere to policies that govern the use of email in the workplace can be tough. Despite your best efforts, email is still used to send jokes, chain letters, pictures, slide shows and other inappropriate content. For whatever reason, people don’t quite get that not only are email policies in place to [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-4169" style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/email-scandals.jpg" alt="email scandals" width="150" height="145" />Getting your co-workers to adhere to policies that govern the use of email in the workplace can be tough. Despite your best efforts, email is still used to send jokes, chain letters, pictures, slide shows and other inappropriate content.</p>
<p>For whatever reason, people don’t quite get that not only are email policies in place to protect them and the company brand, but there are consequences for violating these policies. Unfortunately, the only time when people begin to comprehend just how serious email policies are is when it is too late.</p>
<p><span id="more-4168"></span>To better help your co-workers and employees understand why it is important to adhere to email regulations and company policies, here are a few real life examples that you can use to get the point across:</p>
<p><strong>Sarah Palin</strong></p>
<p><em>The mistake: Using personal email to conduct business.</em></p>
<p>Nothing of note was found when her official email archives were released to the press recently but remember back when her personal Yahoo! account was cracked? She had to answer questions regarding the use of her personal email to conduct state business instead of her official account that is subject to laws and regulations regarding public records.</p>
<p><strong>Mark Foley</strong></p>
<p><em>The mistake: Sending inappropriate messages while intoxicated.</em></p>
<p>The congressman from Florida was caught up in an email scandal when he sent a message to a former Congressional page requesting a photo. Although the email was sent from his personal account it did open up the floodgates and it was found that he had also sent suggestive text messages to the same young man. Foley later explained that he had a drinking problem and that the messages were all sent when he was intoxicated. After all this surfaced he was told to either resign or he would be expelled from the House of Representatives.</p>
<p><strong>Neal Patterson</strong></p>
<p><em>The mistake: Expectations that emails are private communications and bad etiquette.</em></p>
<p>Whenever a paper trail exists there should be no expectation that the communication will remain private. In 2001 Neal Patterson, CEO of the Cerner Corporation, learned this when an email he sent out to his senior staff was leaked.</p>
<p>The email, which berated and threatened managers by stating, “As managers, you either do not know what your EMPLOYEES are doing or you do not CARE. In either case, you have a problem and you will fix it or I will replace you,” caused a 22 percent drop in the company’s stock.</p>
<p><strong>Climate Research Unit, England</strong></p>
<p><em>The mistake: Confirming a cover-up using email.</em></p>
<p>Much of the research from the CRU is used by the United Nations for its global climate reports so when an email surfaced from Phil Jones, the head of the CRU, that read, “I’ve just completed Mike’s [science journal] Nature trick of adding in the real temps to each series for the last 20 years and from 1961 for Keith’s to hide the decline,” you can imagine what happened to the credibility of this group.</p>
<p><strong>Galleon Group</strong></p>
<p><em>The mistake: Fake emails to cover up securities fraud.</em></p>
<p>Galleon founder Raj Rajaratnam told employees to create a fake email trail to make it appear to the SEC that some of his recent stock purchases were based on price rather than inside information he had received.</p>
<p>&#8220;You just have to be careful, right?&#8221; Mr. Rajaratnam told the former Galleon employees in a taped conversation. He later explained that he would send an email asking about a stock &#8220;so that we just protect ourselves.&#8221;</p>
<p>He was found guilty on 14 counts of conspiracy and securities fraud and faces sentencing on July 29<sup>th</sup>.</p>
<p><strong>Lee Abrams</strong></p>
<p><em>The mistake: Sending offensive content via his company’s email system.</em></p>
<p>The chief innovation officer of the Tribune Co. resigned in 2010 because he sent an email memo with a link to a video that he thought was funny. Some of the people who received the email didn’t quite see it in the same light. In fact, they found it offensive and complained. Originally, Abrams was suspended by the company indefinitely but later left his position.</p>
<p>As you can see, and hopefully your co-workers understand, when it comes to the inappropriate use of email the intent isn’t taken into consideration. Even something that the sender views as harmless often carries the same consequences as something done maliciously.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/email-scandals-that-should-make-us-think-twice/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>5 Simple Mistakes When it Comes to Email Security</title>
		<link>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/#comments</comments>
		<pubDate>Mon, 13 Jun 2011 16:01:46 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[backups]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4127</guid>
		<description><![CDATA[In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users [...]<p><a href="http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/">5 Simple Mistakes When it Comes to Email Security</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-4128" style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/email_security.jpg" alt="email_security" width="263" height="257" />In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users properly and making good decisions. In some cases, having the latest and greatest when it comes to security tools even creates a false sense of security that causes us, and our users, to overlook the little things. A multi-layered defense that has been properly configured with all the best technology can be rendered useless if the little things are forgotten.</p>
<p><span id="more-4127"></span></p>
<p>This list displays some of the most common mistakes that are made when it comes to email security and a brief description of what you can do to prevent them.</p>
<p><strong>Leaky emails</strong></p>
<p>There are many times when sensitive information is passed along via email. If everything is encrypted properly you, and your users, often assume that it will only be seen by the appropriate people. Unfortunately this isn’t always the case. Too many times a recipient may answer an email with sensitive information and hit the <em>reply all</em> button without checking to see who will be receiving the email.</p>
<p><em>The fix: Put a policy in place that addresses sensitive emails and replying to emails. However, a policy alone isn’t enough. Make users aware of the policy through training and keep a record that all users were trained/informed of the policy and the repercussions of not adhering to it.</em></p>
<p><strong>Trusting others</strong></p>
<p>When we receive emails from family, friends and business colleagues we often blindly open them without much concern, especially if they are contacts we communicate with on a regular basis. However, malware can easily be spread through emails by attachment or embedded code and links.</p>
<p><em>The fix: HTML in emails should be blocked if this is a concern, as should the ability for your users to receive attachments that are scripts or executable files.</em></p>
<p><strong>Passwords that are easy to guess</strong></p>
<p>Remember when Sarah Palin’s personal email account was breached? It was because her password was easy to guess using information the attacker found on her Wikipedia page. Companies often list details on corporate sites that give attackers enough information to guess passwords as well.</p>
<p><em>The fix: Enforce strong passwords or password phrases for all users. Also, make sure that people don’t give up information that may be used to guess their passwords when providing bios.</em></p>
<p><strong>Ignoring malware protection on the desktop</strong></p>
<p>While scanning all emails for malware needs to be done, the desktop should not be ignored. And all too often it is. Malware definitions are outdated, software is not configured to run properly or protection is completely left to the user.</p>
<p>Even if you have a policy that enforces strong passwords, a keystroke logger can easily give up even the most complex password combination.</p>
<p><em>The fix: Email administrators should work closely with IT security to make sure that the desktop and network security isn’t lax so passwords are tougher to expose.</em></p>
<p><strong>Failing to check on backups</strong></p>
<p>Some companies and industries are required, by law, to back up and archive emails for a set period of time. Others are not required to do so. Regardless of the laws, every person and company should be in the practice of backing up emails. Emails often provide important records and information that could be lost.</p>
<p>But what happens if you need to restore your emails and find that something went wrong? Maybe the backup was incorrectly configured or the backup location was insecure. In any event, the inability to restore emails from a backup can render the entire solution useless.</p>
<p><em>The fix: Frequently test the ability of your backup solution, and staff, to restore emails.</em></p>
<p>These five tips may seem basic and simple. But that is the point. Working in IT we often gravitate towards the more complex issues and ignore simple techniques and solutions until it is too late. By taking the time to do the little things when it comes to security, we build an even stronger foundation for all the bells, whistles and technologies that really impress us and our bosses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>4 Considerations for Cloud Based Email</title>
		<link>http://www.theemailadmin.com/2011/06/4-considerations-for-cloud-based-email/</link>
		<comments>http://www.theemailadmin.com/2011/06/4-considerations-for-cloud-based-email/#comments</comments>
		<pubDate>Mon, 06 Jun 2011 14:54:52 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cloud email]]></category>
		<category><![CDATA[dos attack]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email monitoring]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[email storage]]></category>
		<category><![CDATA[servers]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4102</guid>
		<description><![CDATA[Developments in cloud based computing have shown quite a bit of excitement and promise, especially when it comes to small to medium sized businesses. Those who evangelize the cloud will often cite the many benefits of moving to a cloud based email service. The litany of favorable reasons to examine moving email services off site [...]<p><a href="http://www.theemailadmin.com/2011/06/4-considerations-for-cloud-based-email/">4 Considerations for Cloud Based Email</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-medium wp-image-4103" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/cloud-question-mark-cloud-computing-190x300.jpg" alt="cloud-question-mark-cloud-computing" width="190" height="300" /></p>
<p>Developments in cloud based computing have shown quite a bit of excitement and promise, especially when it comes to small to medium sized businesses. Those who evangelize the cloud will often cite the many benefits of moving to a cloud based email service. The litany of oft-quoted favorable reasons to examine moving email services off site falls into line with the reasons used to move to any new technology:</p>
<ul>
<li>Ease of scalability</li>
<li>Ease of software updates</li>
<li>Email access anywhere</li>
<li>Better disaster recovery</li>
<li>Ease of implementation</li>
<li>And of course, reduced costs</li>
</ul>
<p>So when a vendor, or even someone in your own organization, throws these at management looking to save money and increase productivity, it seems like the question moves from <em>why should we move to the cloud?</em> to <em>why has it taken us so long to move our email to the cloud?</em></p>
<p>Is it really that easy?</p>
<p><span id="more-4102"></span>Cloud based email services make a whole lot of sense for many organizations. By doing a bit of research, you are certain to find at least one case study on how moving email to the cloud helped someone in your specific industry. Yet even with good reasons and plenty of research to support this decision, nothing should be done without considering every angle, because if we have learned one thing over the years, it is that when it comes to IT nothing is risk-free.</p>
<p>So what does an interested SMB need to consider when all the arrows point to moving to the cloud? Let’s take a look.</p>
<p><strong>1. Control</strong></p>
<p>When your email resides on servers that are housed at your location, you are responsible for configuring the software, maintaining the hardware, updating and patching the server(s), cooling the room, etc. But you also have complete control over your email and backups. Moving to the cloud means you are giving up control and possibly ownership. This lack of control can lead to real world problems. For instance, if your organization has a one year deletion policy, is your cloud provider able to adhere to that? Conversely, if you have a no delete policy can this be achieved as well?</p>
<p>A rarer occurrence, but one that has much harsher repercussions, is the event that an investigation needs to take place. Will emails be available for forensics when needed? If so, will there be any issues with the chain of custody and proving that the investigation was tamper proof?</p>
<p><strong>2. Availability</strong></p>
<p>Unless you have been living under a rock, you are well aware of the attacks against Gmail over the recent months. The decision to move email services to a cloud provider should always be based on how well the provider can ensure that mail servers will deliver an acceptable percentage of uptime. Of course, it’s one thing to say that you guarantee 99.9999 percent uptime and quite another to deliver, so when a cloud provider makes a claim regarding availability, make sure your IT team speaks with the sales engineers, not just the salesperson, to see what exactly is in place to eliminate things like interruptions and denial of service attacks.</p>
<p><strong>3. Security and Spam Protection</strong></p>
<p>One of the biggest draws to the cloud for email is the fact that the provider will take care of security and anti-spam. Again, this is something that you are entrusting to the provider and giving up control over. If you are unhappy with the amount of spam that gets by the filters, or if the false positive rate is higher than an acceptable rate you can’t simply switch to a different solution.</p>
<p>This should be at the forefront of any discussions you have with potential email service providers. Find out what solutions they have in place and research them just as if you were buying the protection for your own servers.</p>
<p><strong>4. Cost</strong></p>
<p>Of course cost is always the number one reason SMBs look to the cloud. It is hard to find anyone who will say that a cloud based solution isn’t less expensive in the long run than running, securing and maintaining your own email servers. However the numbers may not always equal the level of service you expect. Costs may not always be transparent. A cloud provider may charge extra for business grade anti-spam protection. Perimeter security or virus scanning may also require additional costs. Finally, storage is never a one size fits all solution so this will always present itself as a variable.</p>
<p>The cloud is definitely a solution worth looking into for a number of reasons; however, as a smart business move, it would be equally prudent to look at all of the considerations as well prior to signing any type of contract.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/4-considerations-for-cloud-based-email/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>5 Email Compliance Mandates and Regulations</title>
		<link>http://www.theemailadmin.com/2010/12/5-email-compliance-mandates-and-regulations/</link>
		<comments>http://www.theemailadmin.com/2010/12/5-email-compliance-mandates-and-regulations/#comments</comments>
		<pubDate>Tue, 14 Dec 2010 10:37:19 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email regulations]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[NASD]]></category>
		<category><![CDATA[SEC]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=3328</guid>
		<description><![CDATA[Recently a close family member spent some time in the hospital. Luckily everything turned out okay and they have since returned home. But while there I noticed that the hospital staff was very rigorous in their guarding of patient’s privacy and of their records in particular. Only immediate family members were understandably allowed to be [...]<p><a href="http://www.theemailadmin.com/2010/12/5-email-compliance-mandates-and-regulations/">5 Email Compliance Mandates and Regulations</a></p>
]]></description>
			<content:encoded><![CDATA[
<p>Recently a close family member spent some time in the hospital. Luckily everything turned out okay and they have since returned home. But while there I noticed that the hospital staff was very rigorous in their guarding of patients’ privacy and of their records in particular.</p>
<p>Understandably, only immediate family members were allowed to be in the room. Information was freely given, which helped us to understand our family member’s illness. But never were any hospital records left in our view. And even at the nurses’ station all records and patient related information were out of view.</p>
<p>All medical documents have to be completed and protected as per the laws which govern patients’ privacy. And anything electronic must also meet requirements and standards for the medical industry. Likewise, email for that field must conform to rules and regulations that protect patient information.</p>
<p>Protection and compliance with privacy laws is not just for the healthcare field alone. All email administrators must be aware of the email laws and regulations that are specific to their own business fields as well. Luckily there are many technologies that can be used for the various industries. Those technologies include:  authentication, encryption, content filtering, hardened message server software, and archiving, as well as anti-spam and anti-virus software.</p>
<p><span id="more-3328"></span>Here then is a list of the various email compliance laws that exist for a majority of businesses and industries:</p>
<ol>
<li><strong>HIPAA</strong> – The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed by Congress to ensure that the healthcare industry handled patient information in a secure manner. Many of the requirements affected how securely information was communicated. HIPAA mandated that healthcare organizations must protect email messages that contain health information whether they are encrypted or not. Even email messages that are referenced from unencrypted links must be protected. It also specifies that sender and recipient identities must be authenticated and verified. Both stored information and transmitted information must be protected to adhere to HIPAA standards. Security technologies such as encryption are used to protect electronic health information from unauthorized access.</li>
<li><strong>SOX</strong> &#8211; The Sarbanes-Oxley Act (SOX) was enacted on July 30, 2002. The Sarbanes-Oxley Act was named after its sponsors, Senator Paul Sarbanes and Representative Michael Oxley. Its main purpose was to ensure that a high level of accountability and transparency was maintained by public companies. It defined significant financial reporting and auditing practices for publicly traded companies. There are two sections of the legislation which affect the transmission of electronic messages: sections 302 and 404. Taken together, these sections specify the secure measures that must be applied to the electronic message systems of publicly traded companies. These security requirements include: identification of information that must be kept confidential; identification of individual message senders; secure transmission of email; hardening of email servers that store confidential information; tracking and logging of message communications; auditing capabilities; and message indexing, archiving, and retention.</li>
<li><strong>GLBA</strong> – The Gramm-Leach-Bliley Act (GLBA) was signed in 1999 and became fully effective in 2001. It is specific to the financial services industry and is meant to protect consumers’ private financial data. The act defines private data as “Nonpublic Personal Information”, also known as NPI. The GLBA is similar to the HIPAA security requirements with respect to data that is stored and in transit – both data states must be encrypted. Within the GLBA are several rules which apply to the security of email traffic. For instance the Safeguards Rule refers to tools that can help to encrypt or block email traffic based on sender, recipient, and content. It describes the process by which companies must take actions to protect NPI data. Companies must also demonstrate logging and reporting capabilities, anti-spam, anti-phishing and protection from viruses. The Financial Privacy Rule allows for opt-out policies, privacy notices and basically the collection and use of NPI data.</li>
<li>The securities industry is governed by the <strong>Securities and Exchange Commission</strong> (SEC) and <strong>National Association of Securities Dealers</strong> (NASD). Both organizations have enacted regulations mandating the archival, indexing, and storing and retrieval of electronic communications including email.</li>
<li>The hedge fund industry is also governed by the <strong>Securities and Exchange Commission</strong> (SEC). Hedge funds, also known as private investment pools, must meet security requirements related to the securing, managing and archiving of all electronic communication, including email and instant messages.</li>
</ol>
<p>In addition, the OCC Advisory on Electronic Record Keeping mandated security standards for electronic retention systems that are to be implemented by the banking industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/12/5-email-compliance-mandates-and-regulations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing Email Part Two-Server to Server</title>
		<link>http://www.theemailadmin.com/2010/09/securing-email-part-two-server-to-server/</link>
		<comments>http://www.theemailadmin.com/2010/09/securing-email-part-two-server-to-server/#comments</comments>
		<pubDate>Fri, 17 Sep 2010 14:37:10 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[SMTP/TLS]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2934</guid>
		<description><![CDATA[In part two of our series on securing email, we'll look at two server side solutions; SMTP/TLS and routing SMTP over a VPN.<p><a href="http://www.theemailadmin.com/2010/09/securing-email-part-two-server-to-server/">Securing Email Part Two-Server to Server</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignleft size-full wp-image-2928" style="margin-right: 10px" src="http://www.theemailadmin.com/wp-content/uploads/2010/09/TopSecretAttachment.jpg" alt="TopSecretAttachment" width="150" height="150" />Welcome to part two in a series on securing email. In <a href="http://www.theemailadmin.com/2010/09/securing-email-part-one-the-challenges/">part one</a> we introduced the challenge and three influences: compliance, technology, and support.</p>
<p>In this post, we&#8217;re going to look at two of the prevailing methods for securing email exchanges between servers&#8230; the way two businesses might wish to secure the email exchanges between them to prevent eavesdropping or interception on the Internet. We&#8217;ll look at SMTP/TLS and at routing SMTP over a VPN connection, and look at the pros and cons of each method.</p>
<h3><span id="more-2934"></span></h3>
<p>In server to server solutions, we are looking at securing email exchanges between the MTAs controlling email for two different companies. These companies do not share email systems, or private network connections between them, so all SMTP mail will move from server to server using the Internet.</p>
<h3>SMTP/TLS</h3>
<p>One standard method of securing email is <a target="_blank" href="http://www.ietf.org/rfc/rfc3207.txt" onclick="pageTracker._trackPageview('/outgoing/www.ietf.org/rfc/rfc3207.txt?referer=');">SMTP/TLS</a>. It secures the transmission of SMTP messages between servers that support it, using a session key that the servers exchange securely with the help of a certificate, much as HTTPS transmissions are secured.</p>
<h4>Pros:</h4>
<ul>
<li>As a standard, it is growing in acceptance, and most major mail servers include support for the technology today.</li>
<li>Certificates from public CAs are readily available, and trusted.</li>
<li>There are varying levels of encryption available.</li>
<li>This is seamless to the user, and requires no client configuration.</li>
</ul>
<h4>Cons:</h4>
<ul>
<li>Managing certificates requires knowledge and some degree of administrative overhead, and is often considered the responsibility of the information security department.</li>
<li>Troubleshooting network issues is more complicated since all of the traffic after the certificate exchange is encrypted.</li>
<li>Email messages between the client* and their mailbox server are not protected, and can be accessed by the email administrators, network engineers, or others with access to the internal networks at either company.</li>
<li>Many companies use either self-signed, or internally generated certificates. You may have to &#8216;trust&#8217; these certificates, which requires additional configuration on your server as well as a willingness to relax your security posture, or obtain an exception to policy.</li>
<li>Encryption does require additional processing power, and this will have to be handled by your SMTP edge server, which may also be doing anti-x, and content screening.</li>
</ul>
<h3>Routing SMTP traffic over a VPN tunnel</h3>
<p>Another method is to establish a VPN connection between enterprises and route the SMTP traffic between entities over this tunnel. VPNs are a robust and widely accepted method of encrypting data in transit, and companies may already have a VPN in place for extranet access.</p>
<h4>Pros:</h4>
<ul>
<li>Practically all companies with an Internet connection have the necessary hardware to support a VPN connection.</li>
<li>Offloading the encryption to the firewall/router/vpn concentrator reduces the load on the mail system.</li>
<li>Troubleshooting network issues is easier.</li>
</ul>
<h4>Cons:</h4>
<ul>
<li>In most companies, this will require the network team or the information security team&#8217;s involvement to set up, maintain, and support the VPN.</li>
<li>Email messages between the client* and their mailbox server are not protected, and can be accessed by the email administrators, network engineers, or others with access to the internal networks at either company.</li>
<li>Troubleshooting issues can be delayed if the multiple departments involved do not immediately engage and work together towards resolution.</li>
<li>Unless routing is carefully implemented (policy-based routing of only SMTP, or using /32 addresses), traffic not intended for the VPN tunnel, such as DNS queries and HTTP traffic, can be adversely affected.</li>
</ul>
<p>Whether using SMTP/TLS or VPN, you will likely find yourself working with at least one other group within your IT team. Ensuring that everyone involved understands the chosen technology, the importance of supporting the solution, and the need to work together will help minimise problems and ensure a quick and successful resolution to any issues.</p>
<blockquote><p>*Email messages between the client and their server may be protected separately, using encrypted MAPI (Outlook to Exchange) or TLS/SSL protected versions of SMTP, POP3, and IMAP.</p></blockquote>
<p>Be sure to check back for part three of this series, where we&#8217;ll look at the pros and cons of two client side solutions, PGP and S/MIME.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/09/securing-email-part-two-server-to-server/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing Email Part One &#8211; The Challenges</title>
		<link>http://www.theemailadmin.com/2010/09/securing-email-part-one-the-challenges/</link>
		<comments>http://www.theemailadmin.com/2010/09/securing-email-part-one-the-challenges/#comments</comments>
		<pubDate>Tue, 14 Sep 2010 14:35:39 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email encryption]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2927</guid>
		<description><![CDATA[In part one of this series on email security, we discuss the three areas that influence our implementation; compliance, technology, and support. In part two, we will look at securing email sent server to server, and in part three, client to client.
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignleft size-full wp-image-2928" style="margin-right: 10px" src="http://www.theemailadmin.com/wp-content/uploads/2010/09/TopSecretAttachment.jpg" alt="TopSecretAttachment" width="150" height="150" /></p>
<p>Most users will agree that email is a mission-critical business tool. Confidential business information, proposals, and contracts are sent via email daily all over the Internet, and most of our users never give a second thought to the sensitive, privileged, and sometimes even critical information that they are sending over an unencrypted transmission, there for anyone with a protocol analyser to read.</p>
<p>They may not even realise that they could be violating company policy, contractual obligations, or even legal statutes regarding the transmission of confidential information. All companies should have policies regarding the transmission of sensitive information through email. While a policy that prohibits any such information being sent using email could greatly reduce the chance of disclosure, the reality of business communications is that this is not a practical approach.</p>
<p>This is part one of a three-part series, where we will discuss some of the issues that surround and influence securing email. In part two of this series, we will discuss the pros and cons of server side solutions: SMTP/TLS and routing email over VPN connections. And in part three, we will look at the pros and cons of client side solutions: PGP and S/MIME. If you’d like to understand more about why we would want to encrypt email, please read on.</p>
<p><span id="more-2927"></span>To secure the email sent between organisations, you need to consider not only what capabilities your system has, but what your IT team can support, what your users can work with, and what your clients/customers/vendors have on their systems. While there are many different standards-based ways to protect email, there is no one <strong>single</strong> standard. We are still in the early &#8220;VHS versus Betamax&#8221; stages of seeing how the industry will shake this out, so we may find ourselves needing to support more than one standard unless we are in the position to dictate to our partners the standards to use. Be careful though; when working with customers, they may be doing the dictating, and when dealing with the public, you may find that there is no standard you can use unless you are prepared to support end users whose systems are outside your control.</p>
<h3>Compliance</h3>
<p>In the United States, HIPAA and Massachusetts 201 CMR 17 are both laws that include requirements for the transmission of Personally Identifiable Information (PII), sometimes called Non-Public Information (NPI), and the need to protect this information from unauthorised access. For companies that accept credit cards, compliance with the Payment Card Industry standards (PCI) is a requirement.</p>
<p>You may also find yourself required to meet the contractual obligations of a vendor, customer, or business partner. Work with your legal team to determine what requirements affect your email systems to ensure that you meet all such laws and business agreements, and with your information security team to make certain that you understand and comply with any corporate policies. Raise awareness within the business of your capabilities, and ensure that you are involved in any discussions with partner organisations regarding messaging between your systems.</p>
<h3>Technology</h3>
<p>Review the capabilities of your current email system on both the server and the client to ensure that you fully understand what you can and cannot do. Server standards like SMTP/TLS can help to secure server to server communications, but so too can routing SMTP traffic over a VPN. Most clients, though not all, can support either S/MIME or PGP, and both of these solutions can be costly, requiring significant expenditures in licensing or certificates.</p>
<p>The flip side of this coin has to do with what encryption may mean as it pertains to your normal administration. Server to server encryption will make it more challenging to troubleshoot SMTP exchanges between servers, and will require more setup efforts, certificate management, and CPU cycles on your gateways. S/MIME or PGP encrypted messages may be secure, but they also cannot be screened for content or malware, so exceptions may be necessary on your protection mechanisms, and the associated risks will have to be understood and accepted.</p>
<h3>Support</h3>
<p>While securing email may seem to be strictly the task of the email team, your choice of solution(s) may involve others. In many companies, PKI Administration falls under the Information Security team’s purview. VPN connections may be handled by the network team. Client-side solutions may require the application or desktop support teams to deploy and support. When considering your options, involve all of these teams to ensure that the solution you choose does not run into a brick wall when another team will need to implement and/or support some part of it.</p>
<p>Consider these aspects, and stay tuned for part two of this series, where we will discuss server side solutions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/09/securing-email-part-one-the-challenges/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Securing Email Part Three &#8211; Client to Client</title>
		<link>http://www.theemailadmin.com/2010/09/securing-email-part-three-client-to-client/</link>
		<comments>http://www.theemailadmin.com/2010/09/securing-email-part-three-client-to-client/#comments</comments>
		<pubDate>Thu, 09 Sep 2010 10:12:19 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email encryption]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2942</guid>
		<description><![CDATA[In our final post on securing email, we look at the pros and cons of client side solutions; S/MIME and PGP.
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignleft size-full wp-image-2928" style="margin-right: 10px" src="http://www.theemailadmin.com/wp-content/uploads/2010/09/TopSecretAttachment.jpg" alt="TopSecretAttachment" width="150" height="150" />Thanks for sticking with us, and welcome to part three of this series on securing email. In <a href="http://www.theemailadmin.com/2010/09/securing-email-part-one-the-challenges/">part one</a> we introduced the challenge and three influences: compliance, technology, and support. And in <a href="http://www.theemailadmin.com/2010/09/securing-email-part-two-server-to-server/">part two</a>, we looked at SMTP/TLS and routing SMTP over a VPN for server side solutions. In this final part, we&#8217;re going to look at client side solutions to ensure we are securing our email from sender to recipient.</p>
<p>There are two standard ways to do this. Both utilise the services of a PKI, and will require client side configurations. As such we may also find that we need to work with yet another part of the IT department; our desktop support team. They own the desktops and will likely be responsible for the client side configuration necessary with either of these solutions.</p>
<p>When securing email using client to client solutions, we may find this to be the most challenging approach for a number of reasons. We will need to &#8216;touch&#8217; the clients, and we will need to ensure that we are implementing a solution that is compatible with the recipient systems. On the server side, we can split up our SMTP exchanges, sending some out to the Internet in the clear, others over a VPN, and still others using SMTP/TLS. When working with client side solutions, we need to make sure that what we implement on our clients is the same as what our partner organisation has implemented on their clients. If we have two partner organisations where one chose S/MIME and the other went with PGP, then we may need to purchase both for all the clients that must communicate with both partners.</p>
<h2><span id="more-2942"></span>S/MIME</h2>
<p>Addressed in <a target="_blank" href="http://tools.ietf.org/html/rfc5751" onclick="pageTracker._trackPageview('/outgoing/tools.ietf.org/html/rfc5751?referer=');">RFC 5751</a>, S/MIME is designed as an end to end encryption mechanism for email, using PKI encryption with certificates obtained from a certificate authority.</p>
<h4>Pros:</h4>
<ul>
<li>S/MIME allows for digital signing, encryption, non-repudiation, and key escrow to prevent data loss.</li>
<li>Can be used to protect emails between internal users as well.</li>
<li>Data is protected from the original client through to the intended recipient, and cannot be viewed on the internal network or on any intermediate server.</li>
<li>SMTP traffic between servers remains in the clear, so protocol messages can be seen for troubleshooting issues without compromising the integrity of the email contents.</li>
</ul>
<h4>Cons:</h4>
<ul>
<li>Each user&#8217;s mail client must be configured to support S/MIME.</li>
<li>To support both non-repudiation and key escrow, each user must have two different key pairs.</li>
<li>Before a client can send someone an encrypted email, they must obtain the addressee&#8217;s certificate/public key.</li>
<li>Most webmail applications (a critical need for many clients) cannot support S/MIME.</li>
<li>Anti-malware and content screening cannot scan the contents of an S/MIME encrypted email. Exceptions must be configured to allow mail to pass uninspected, and you must accept the risk that such email may contain malicious code or content that violates policy.</li>
</ul>
<h2>PGP</h2>
<p>PGP, and the compatible GPG, use key pairs to provide encryption and signing of email messages (and of files). There are several open source products as well as commercial ones available for many common email clients.</p>
<h4>Pros:</h4>
<ul>
<li>PGP allows for digital signing, encryption, and non-repudiation.</li>
<li>Can be used to protect emails between internal users as well.</li>
<li>Data is protected from the original client through to the intended recipient, and cannot be viewed on the internal network or on any intermediate server.</li>
<li>SMTP traffic between servers remains in the clear, so protocol messages can be seen for troubleshooting issues without compromising the integrity of the email contents.</li>
<li>Certificates are not required.</li>
<li>Several PGP key servers exist to facilitate key exchange between users.</li>
</ul>
<h4>Cons:</h4>
<ul>
<li>Each user&#8217;s mail client must be configured to support PGP.</li>
<li>To send an encrypted mail to a recipient, you must obtain their public key. Without a certificate authority to act as a trusted third party, you must arrange to obtain that key through a method you are willing to trust.</li>
<li>Commercial products can be very costly at the enterprise level.</li>
<li>Most webmail applications (a critical need for many clients) cannot support PGP.</li>
<li>Anti-malware and content screening cannot scan the contents of a PGP encrypted email. Exceptions must be configured to allow mail to pass uninspected, and you must accept the risk that such email may contain malicious code or content that violates policy.</li>
</ul>
<p>With either solution, you can securely send email between users without concern for any unauthorised users viewing the contents of the email; even your email system administrators. If this is a requirement for your organisation, then either of these solutions can help you to meet this requirement. Look at both, discuss what solutions may be in place with your existing partners, and determine which has the best fit for your organisation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/09/securing-email-part-three-client-to-client/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>7 Reasons for Email Archiving</title>
		<link>http://www.theemailadmin.com/2010/04/7-reasons-for-email-archiving/</link>
		<comments>http://www.theemailadmin.com/2010/04/7-reasons-for-email-archiving/#comments</comments>
		<pubDate>Mon, 05 Apr 2010 13:16:48 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[ediscovery]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email monitoring]]></category>
		<category><![CDATA[email storage]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2352</guid>
		<description><![CDATA[IT managers must account for many demands on their time and resources. Storage is always an issue and having to estimate the growth needs of the company and all the various departments can be a time-consuming and sometimes thankless job. Estimating email storage needs can be started by making assumptions about the average size in [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-medium wp-image-1789" style="border: 0pt none; margin: 10px;" title="Emails" src="http://www.theemailadmin.com/wp-content/uploads/2009/11/Microsoft-Exchange-2010-300x225.jpg" alt="Emails" width="300" height="225" />IT managers must account for many demands on their time and resources. Storage is always an issue and having to estimate the growth needs of the company and all the various departments can be a time-consuming and sometimes thankless job.</p>
<p>Estimating email storage needs can be started by making assumptions about the average size in bytes that attachments will require, the hours of day that the email servers will be the busiest and the number of users per email server. Those three variables multiplied together are a good starting point in estimating how much storage to allocate for email servers.</p>
<p>And the same computations can also be used when estimating how much storage to allocate for archiving purposes.</p>
<p>Archiving email messages can save an IT data center in many ways. Some of the reasons for archiving email messages include:</p>
<p><span id="more-2352"></span></p>
<ol>
<li><strong>Freeing up storage on email servers</strong>. Email clients and servers provide a valuable function in any corporation and employees have come to rely on them for not just sending and receiving email messages accompanied with large attachments but also now for collaboration with co-workers. Most email applications now have integrated address books, calendar functions, “to do” lists and some have also included instant messaging as part of their email package.  But with all of these newly added capabilities there has also been a corresponding growth in the storage needs of these more robust applications. IT departments can benefit by reducing their storage needs through the use of archival media.</li>
<li><strong>Compliance regulations</strong>. Corporations must comply with many regulations within their industries as well as many governmental regulations such as the Sarbanes-Oxley Act (SOX) of 2002. When companies find themselves having to provide information to various governmental agencies, they have to be able to rely on systems, policies and their IT departments to retrieve the necessary data, such as email messages, in a timely manner. So IT departments have to stay current and be a part of all corporate discussions involving regulations and industry standards related to communications, particularly email communications. In addition to SOX there are other government regulations to be aware of, such as GLBA, SEC, FINRA, HIPAA, BASEL II, FOI, etc.</li>
<li><strong>Electronic discovery</strong>. As of December 1, 2006, Federal amendments went into effect which mandated that companies must be prepared to locate, retrieve, respond to data requests and be able to filter out data not necessary for a litigation action. Such data includes email messages, attachments and calendar entries. These amendments are known as the Federal Rules of Civil Procedure and apply to any organization that can be subject to litigation.</li>
<li><strong>Disaster recovery</strong>. An added benefit of having email messages that are archived is that messages can be retrieved in the event that your primary server goes down and backups are not current. If your archival systems have been set up to replicate data continuously from the primary mail server then your loss of email messages can be almost eliminated.</li>
<li><strong>Improved email management</strong>. An automated email archival system can improve the management of emails through the use of rules and policies that can be customized for any organization. The time it takes to store, search and retrieve email messages can be greatly improved when performed automatically as opposed to a manual process. Documents which are methodically saved and stored can expeditiously be retrieved and help to avoid potential lawsuits when time constraints are critical particularly in litigious matters.</li>
<li><strong>Increased employee productivity</strong>. Most employees spend a lot of time managing their email folders and moving data from folders to local storage. All this time managing their email can and would be better spent working on company projects.</li>
<li><strong>Reporting and monitoring of email</strong>. HR departments cannot enforce the corporate policies without knowing that all communications that occur in an organization are within the proper guidelines as mandated by company policy. Searches can be conducted that look for suspicious patterns within company emails which can be exposed through pattern recognition software and various monitoring tools that are offered as additional services by archival management systems.</li>
</ol>
<p>An email archival system can help many businesses with their management and storage of all email messages both incoming and outgoing. Storage space savings, increased productivity, regulatory compliance, satisfaction of discovery mandates and guaranteed retrieval are all benefits of a well maintained and administered email archival system.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/04/7-reasons-for-email-archiving/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tips when making email archiving choices</title>
		<link>http://www.theemailadmin.com/2009/11/tips-when-making-email-archiving-choices/</link>
		<comments>http://www.theemailadmin.com/2009/11/tips-when-making-email-archiving-choices/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 10:06:07 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1773</guid>
		<description><![CDATA[Archiving tools need to be carefully vetted before they&#8217;re adopted So you&#8217;re thinking of acquiring a new email archiving tool and need to craft an acquisition and implementation strategy. Here are some things you may want to consider. Regulations, rules, requirements and product warranties can make buying archiving tools a minefield. By consulting with your [...]
]]></description>
			<content:encoded><![CDATA[
<div class="mceTemp">
<dl id="attachment_1778" class="wp-caption alignright" style="width: 310px;">
<dt class="wp-caption-dt"><img class="size-full wp-image-1778" src="http://www.theemailadmin.com/wp-content/uploads/2009/11/1170824_archivum__old_library_.jpg" alt="1170824_archivum__old_library_" width="300" height="201" /></dt>
<h5>Archiving tools need to be carefully vetted before they&#8217;re adopted</h5>
</dl>
</div>
<p>So you&#8217;re thinking of acquiring a new email archiving tool and need to craft an acquisition and implementation strategy. Here are some things you may want to consider.</p>
<p>Regulations, rules, requirements and product warranties can make buying archiving tools a minefield. By consulting with your corporate legal and compliance people, as well as your company&#8217;s business managers, you can get an idea about where those mines are buried. Moreover, you can use your efforts to educate yourself about what requirements must be met by your new tools to build support and acceptance among your legal and compliance people.</p>
<p>When garnering information from legal and business colleagues, it&#8217;s important not to lose sight of your role as a technology advocate. While it&#8217;s critical to know what your new archiving tools must do to meet compliance and warranty demands, it&#8217;s also crucial that those unschooled in the intricacies of storage management understand basic concepts, such as the distinction between backups and archiving and the hard and soft costs attached to storage.</p>
<p>Keep in mind that your new archiving tools need to do more than meet compliance requirements if they&#8217;re going to be accepted by your users. After all, you don&#8217;t want to trade one headache&#8211;jumping through compliance hoops&#8211;for another&#8211;a disgruntled user base that sees your new technology as an impediment to its doing its job.</p>
<p><span id="more-1773"></span></p>
<p>The obvious way to get your users to buy in to a technology is to obtain one that&#8217;s as friendly as possible. When introducing a new system, many times &#8220;friendly&#8221; is just another word for familiar. A system that allows users to interact with something they&#8217;re familiar with&#8211;Lotus Notes, for instance, or Microsoft Outlook&#8211;will calm their anxiety about adopting something new.</p>
<p>Remote access to email archives has become increasingly important not only to road warriors but also to an organization&#8217;s rank and file who may be working from home as well as in the office. You should take that into consideration when evaluating new archiving tools. The last thing you want to happen after installing a new system is to have frustrated users creating caches on their office computers where they&#8217;re squirreling away copies of their emails because it&#8217;s the only way they can see their past messages when they&#8217;re away from the office.</p>
<p>Because every day there are reports of court cases decided on emails acquired through legal discovery, it&#8217;s easy to lose sight of the fact that anything electronically stored on a company&#8217;s computers is fair game for legal beagles. Moreover, regulators make no distinction between emails and unstructured data when they go hunting for information at a business. Unstructured data&#8211;data outside the email umbrella&#8211;can account for some 80 per cent of the bits and bytes stored on a company&#8217;s servers, personal computers and laptops. You need to take that into account when reviewing new archiving tools. They need to support archiving of multiple data types, such as instant messages, telephone logs and calendar items.</p>
<p>It&#8217;s also important when considering archival tools to consider how&#8211;once they&#8217;re in place&#8211; they will help you enforce system policies. For example, it&#8217;s crucial&#8211;although it won&#8217;t make you or your system popular&#8211;to avoid exceptions to archiving policies. There may be some political gain in giving in to a senior executive who wants his or her email account exempt from policy because he or she is disgruntled about the system&#8217;s purge cycle or is displeased with the way a system displays archived messages, but when the company gets embroiled in litigation and an opposing counsel starts raising questions about why policies weren&#8217;t followed, chances are you&#8217;ll be left hanging from a flag pole twisting in the wind alone.</p>
<p>Another policy you&#8217;ll want to implement is control of email stubs. You&#8217;ll want to trash stubs every 90 to 180 days. Retaining the stubs for too long can impact your system&#8217;s performance and subject you to the daily irritation of hearing a chorus of &#8220;Why is the system so slow?&#8221; wherever you go. Since not all archival products dump the stubs when files reach the end of their retention period, that&#8217;s a feature you may want to make sure is included in your new archival tool.</p>
<p>Finally, you&#8217;ll want to thoroughly vet how a potential archiving system will handle copies of local email files. These files are commonly stored in PST files for Microsoft Exchange and NSF for IBM Notes. Those files are scattered throughout your organization on users&#8217; computers and can be a nightmare for your retention program. Not only is finding those files a horror show when an opponent&#8217;s lawyers appear on the doorstep during the discovery process but the information in them can be ticking time bombs. Some systems allow you to block the creation of such files, but if that&#8217;s done, you&#8217;ll want to make sure your archiving software can accommodate your users&#8217; legitimate needs to access their historical emails.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/11/tips-when-making-email-archiving-choices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do you really want email in the cloud?</title>
		<link>http://www.theemailadmin.com/2009/08/do-you-really-want-email-in-the-cloud/</link>
		<comments>http://www.theemailadmin.com/2009/08/do-you-really-want-email-in-the-cloud/#comments</comments>
		<pubDate>Mon, 17 Aug 2009 13:17:32 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email legislation]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1394</guid>
		<description><![CDATA[In my previous post I wrote about Los Angeles&#8217; decision to consider Google Apps for email and other applications. Although it gets attention for cost savings, there are some real concerns with email in the cloud, especially in government organizations that are required to comply with security and privacy policies and regulations. The World Privacy Forum&#8217;s [...]
]]></description>
			<content:encoded><![CDATA[
<p>In my previous post I wrote about <a href="http://www.theemailadmin.com/2009/08/la-proposes-using-google-apps-security-worries-abound/">Los Angeles&#8217; decision to consider Google Apps for email</a> and other applications. Although it gets attention for cost savings, there are some real concerns with email in the cloud, especially in government organizations that are required to comply with security and privacy policies and regulations.</p>
<p>The World Privacy Forum&#8217;s letter to the Mayor of LA went into some detail about why they don&#8217;t think it&#8217;s a good idea. Let&#8217;s take a look at some of the major points in WPF&#8217;s letter. The first four points address medical and health-related information, domestic violence and sexual assault information, substance abuse information, and sensitive information in general. The Google/LA deal doesn&#8217;t address any of these areas, or any of the regulations such as HIPAA, the Violence Against Women Act, or 42 CFR Part 2 (a California law that regulates confidentiality of substance abuse program clients). The legalities related to compliance with these sorts of statutes when using cloud computing for sending and storing data are still fuzzy, and could leave the city government open to liability.</p>
<p><span id="more-1394"></span>The letter also addresses &#8220;classified data.&#8221; There may be conflicts with federal laws regarding classified data, if such data is held by the city for any purpose and is then stored in the cloud&#8211;and so federal law needs to be taken into account as well.</p>
<p>The letter also notes that different types of data may have different security requirements; for example, health information, defense information, and tax information all have their own security rules. The security offered by the cloud provider may have to accommodate multiple rules with different requirements.</p>
<p>Another point says that Google is allowed to store the data wherever it maintains facilities, even in a foreign country&#8211;and if so, that data may become subject to the laws of a foreign country. And another curious point is that of ownership of data. Although the contract provides for giving the city a copy of the data if the contract is terminated, it doesn&#8217;t require the cloud provider to eliminate the data from its servers&#8211;any cloud contract should include such a clause.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/08/do-you-really-want-email-in-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Archive Stubbing Techniques Not Recommended</title>
		<link>http://www.theemailadmin.com/2009/04/ms-exchange-archive-stub-techniques/</link>
		<comments>http://www.theemailadmin.com/2009/04/ms-exchange-archive-stub-techniques/#comments</comments>
		<pubDate>Tue, 07 Apr 2009 12:27:58 +0000</pubDate>
		<dc:creator>Carl E. Reid</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[document management]]></category>
		<category><![CDATA[ediscovery]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[microsoft exchange]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=663</guid>
		<description><![CDATA[Archiving Microsoft Exchange email and associated data creates many cost-effective solutions. Archiving facilitates government regulatory or civil litigation searches for ediscovery requests. It also allows for more complete archive journaling, and provides storage benefits for both mailbox growth and the various storage devices that can be utilized. Although lowering storage [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-medium wp-image-665" title="Archive Stubbing Techniques Not Recommended" src="http://www.theemailadmin.com/wp-content/uploads/2009/03/email_31-300x167.jpg" alt="email_31" width="247" height="137" />Archiving Microsoft Exchange email and associated data creates many cost-effective solutions. Archiving facilitates government regulatory or civil litigation searches for ediscovery requests. It also allows for more complete archive journaling, and provides storage benefits for both mailbox growth and the various storage devices that can be utilized.</p>
<p>Although lowering storage costs is a common denominator for email archiving, compliance requirements are moving more companies to implement archiving strategies. Depending on the motivating factors, cost savings on storage are subject to interpretation by different people. For some people, compressing email could reduce licensing as well as storage hardware costs. For others, it may mean creating a mailbox for end users that has virtually unlimited space.</p>
<p><span id="more-663"></span>The majority of Microsoft Exchange Server archiving solutions have some form of compression that reduces the overall size of archived emails. For an Exchange email administrator, an unlimited-space mailbox really just means relieving users of the responsibility of archiving their email. This allows mailboxes to grow as long as there is more than adequate disk space available to allow seamless expansion. The limitations of unlimited mailboxes are usually determined by the archiving options provided by the archiving solution. According to the <a target="_blank" href="http://www.ferris.com/2008/08/06/microsoft-recommends-against-stubbing/">Ferris Research blog</a>, Microsoft recommends against using stubbing techniques. Microsoft further recommends using third-party email archiving solutions that can be configured to move email messages completely out of the mailbox without leaving stub footprints inside the mailbox.</p>
<p>Six different stubbing techniques are listed below for informational purposes only; they <strong>are not best practices</strong> recommended by Microsoft.</p>
<ol>
<li>Substitute body and attachment with a plain text Stub</li>
<li>Substitute body and attachment with an HTML Stub</li>
<li>Maintain plain text body only with deleted attachment</li>
<li>Maintain HTML message body only, with deleted attachment</li>
<li>Maintain HTML body and image with deleted attachment</li>
<li>Message attachment residing in the archives</li>
</ol>
<p><strong>Will your current archiving procedures or planned archiving solution meet all future email storage requirements?</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/04/ms-exchange-archive-stub-techniques/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Canadian Securities Administrators</title>
		<link>http://www.theemailadmin.com/2009/03/canadian-securities-administrators/</link>
		<comments>http://www.theemailadmin.com/2009/03/canadian-securities-administrators/#comments</comments>
		<pubDate>Tue, 10 Mar 2009 09:02:33 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=496</guid>
		<description><![CDATA[By the end of 2008, Canadian financial services firms were expected to become subject to tough, new email storage, retrieval and archiving laws. Companies that were not in compliance could face fines running into the millions of dollars and penalties that could land them in prison. The Canadian Securities Administrators (CSA) organization had proposed legislation [...]
]]></description>
			<content:encoded><![CDATA[
<p>By the end of 2008, Canadian financial services firms were expected to become subject to tough, new email storage, retrieval and archiving laws. Companies that were not in compliance could face fines running into the millions of dollars and penalties that could land them in prison.</p>
<p>The Canadian Securities Administrators (CSA) organization had proposed legislation that would force securities dealers and portfolio managers to abide by stricter rules designed to force more secure archiving of emails. The costs of non-compliance included multi-million dollar fines, criminal indictments, and exorbitant e-discovery costs.</p>
<p>Canadian financial services firms – including securities dealers and portfolio managers – could incur these in the not too distant future if they violated the pending legislation proposed by the Canadian Securities Administrators (CSA).</p>
<p>Thirteen securities regulators of Canada&#8217;s provinces and territories make up the CSA forum that coordinates and regulates the Canadian capital markets.</p>
<p>The new, stricter proposal for e-mail storage and retrieval rules is known as National Instrument 31-103 (NI 31-103).<span id="more-496"></span></p>
<p>According to NI 31-103, registered firms must keep their records and electronic messages in a durable form such that a record requested by regulators within two years of its creation can be provided promptly. If the request comes more than two years after the record&#8217;s creation, the requested record must be delivered within a reasonable period of time. Records must be kept up to seven years after the departure of a client.</p>
<p>Concerns have been expressed about the costs of keeping the necessary amount of email archives to satisfy the requirements of NI 31-103. Some have said it is too difficult to develop the needed archival and retrieval system.</p>
<p>Simply maintaining backup copies of email servers may not be enough to satisfy the new archival laws.</p>
<p>There are scenarios where backup tapes do not include all email messages. It is possible for both a sender and a receiver of email to delete the emails before a backup can be initiated. The result is that the email thread can occur without ever being backed up on the servers. An additional burden on IT staff is that they have to produce specific emails on demand. The additional costs of e-discovery and having to prove the integrity of the e-mails retrieved can also add an extra burden to an already overburdened IT staff.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/03/canadian-securities-administrators/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>City emails treated casually in the Big Easy</title>
		<link>http://www.theemailadmin.com/2009/03/city-emails-treated-casually-in-the-big-easy/</link>
		<comments>http://www.theemailadmin.com/2009/03/city-emails-treated-casually-in-the-big-easy/#comments</comments>
		<pubDate>Tue, 10 Mar 2009 08:38:03 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=498</guid>
		<description><![CDATA[Something smells fishy in New Orleans, and it&#8217;s not the etouffee. Political email scandals seem to be more plentiful than ever, and the latest focus is on New Orleans mayor Ray Nagin. It seems there are actually two controversies. The first revolves around the city sanitation director, who gave an attorney emails of council members [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignnone size-full wp-image-499" src="http://www.theemailadmin.com/wp-content/uploads/2009/03/330769_new_orleans_in_motion.jpg" alt="330769_new_orleans_in_motion" width="100" height="75" />Something smells fishy in New Orleans, and it&#8217;s not the etouffee.</p>
<p>Political email scandals seem to be more plentiful than ever, and the latest focus is on New Orleans mayor Ray Nagin. It seems there are actually two controversies. The first revolves around the city sanitation director, who gave an attorney emails of council members who had been critical of her job performance. Nagin only said that the director&#8217;s actions were &#8220;unusual.&#8221; However, city policy appropriately states that electronic records, including emails, should be reviewed by and provided by the city attorney&#8217;s office.</p>
<p>Nagin also took the opportunity to try to explain away why two years of council email was even available to the sanitation department. On to the second controversy: Curiously, the controversy over the release of emails came not too long after the mayor had stated that all of his communications for 2008 had been deleted to save space. To save space! Ray, you&#8217;ve got to be kidding. Are you really that computer illiterate? Do you think we&#8217;re actually going to buy that the city of New Orleans couldn&#8217;t afford to buy an extra backup drive, or even a handful of writable disks for archiving your emails? After all the controversy about politicians deleting emails, you still did it? Surely, the good mayor knew that the emails could have been easily archived, and surely, he knew that good governance demands that records be kept. I want to know what you have to hide.<span id="more-498"></span></p>
<p>So why could the council&#8217;s emails be produced, but not the mayor&#8217;s? What are these supposed storage problems? The mayor was quoted on <a target="_blank" href="http://www.nola.com/news/index.ssf/2009/03/new_orleans_mayor_ray_nagin_ca.html">Nola.com</a> as saying, &#8220;Why is this fishy?&#8221; And then, the mayor reported that the problem had been fixed, and said &#8220;you can have my e-mails&#8211;as many as you like.&#8221; Huh? I thought you said they had been deleted?</p>
<p>Politicians will just never learn: emails are public records that must be preserved and archived, and must not be deleted casually.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/03/city-emails-treated-casually-in-the-big-easy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Applying Email Archiving and Management Technologies</title>
		<link>http://www.theemailadmin.com/2009/01/applying-email-archiving-and-management-technologies/</link>
		<comments>http://www.theemailadmin.com/2009/01/applying-email-archiving-and-management-technologies/#comments</comments>
		<pubDate>Thu, 29 Jan 2009 13:05:36 +0000</pubDate>
		<dc:creator>Carl E. Reid</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=295</guid>
		<description><![CDATA[Today, most enterprises turn to Email Archiving and Management (EAM) to reduce costs and control information overload. With digital information, specifically email and messaging, mushrooming faster than most enterprises can manage it, EAM projects have become a cost of doing business. EAM is fast becoming a business necessity. The &#8220;Email Archiving and Management Report&#8221;, published [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2009/01/too_much_mail1.jpg"><img class="alignleft size-medium wp-image-296" style="float: left;" title="Applying Email Archiving and Management Technologies" src="http://www.theemailadmin.com/wp-content/uploads/2009/01/too_much_mail1-300x258.jpg" alt="Applying Email Archiving and Management Technologies" width="194" height="164" /></a></p>
<p>Today, most enterprises turn to Email Archiving and Management (EAM) to reduce costs and control information overload. With digital information, specifically email and messaging, mushrooming faster than most enterprises can manage it, EAM projects have become a cost of doing business. EAM is fast becoming a business necessity.</p>
<p>The &#8220;<a target="_blank" href="http://cmswatch.com/Reports/Try/">Email Archiving and Management Report</a>&#8221;, published by CMS Watch, provides a clear strategy for your implementation team.</p>
<p>The domain of EAM is broad enough to touch multiple areas within your enterprise, including both technical and business departments. Managers have several common reasons to justify applying EAM technologies:</p>
<ul>
<li>To be proactive with legal requests and ediscovery requests</li>
<li>To be in compliance with local governing requirements regarding information management</li>
<li>To improve the performance of their e-mail environment (Exchange, Notes, or Groupwise)</li>
<li>To reduce email volume on servers to reduce the need to buy more licenses</li>
<li>To provide backup and disaster recovery for their e-mail system</li>
<li>To improve storage management costs and needs</li>
</ul>
<p>The marketplace keeps finding new reasons for applying EAM technologies. Compliance, for example, is a relatively new rationale. Traditionally, the sales and buying processes focused on systems management and storage requirements.</p>
<p><span id="more-295"></span></p>
<p>Most firms deploy EAM to address a single need, rather than meeting a range of needs to fully leverage the breadth of EAM offerings. In some cases, enterprises deploy EAM simply to provide a backup for an Exchange environment; others use it to regulate and monitor the messaging of a particular subgroup within the organization.</p>
<p>While most enterprises deploy EAM-related applications for a specific need or activity, all of these systems offer quite broad capabilities beyond their core focus elements. Some capabilities span industries or provide a more general purpose.</p>
<p>Many of these offerings have a lot in common as they respond to the market’s growing need to meet ever more complex requirements. In order to survive, most enterprises today depend on high volumes of email running efficiently through their system. Virtually all enterprises require that messaging be a part of the underlying IT infrastructure. Many decision makers describe systems such as Microsoft’s Exchange as the single most important communication and business application within their operation.  For these reasons email archiving and management solutions must be carefully implemented.  Email communication cannot be disrupted.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/01/applying-email-archiving-and-management-technologies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>White House Ordered To Produce Emails</title>
		<link>http://www.theemailadmin.com/2009/01/white-house-ordered-to-produce-emails/</link>
		<comments>http://www.theemailadmin.com/2009/01/white-house-ordered-to-produce-emails/#comments</comments>
		<pubDate>Fri, 16 Jan 2009 14:26:07 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=274</guid>
		<description><![CDATA[FederalComputerWeek is reporting that a federal judge has ordered the White House to search the computers of people who worked there from 2003-2005 for millions of missing emails from that period. Here&#8217;s an excerpt:   Judge Henry Kennedy of United States District Court for the District of Columbia also ordered officials of that office to [...]
]]></description>
			<content:encoded><![CDATA[
<p><a target="_blank" href="http://www.theemailadmin.com/wp-content/uploads/2009/01/white-house-picture.jpg"><img class="alignright size-medium wp-image-275" style="float: right;" title="White House Ordered To Produce Emails" src="http://www.theemailadmin.com/wp-content/uploads/2009/01/white-house-picture-300x193.jpg" alt="White House Ordered To Produce Emails" width="163" height="97" /></a>FederalComputerWeek is <a href="http://fcw.com/articles/2009/01/14/white-house-email-order.aspx">reporting</a> that a federal judge has ordered the White House to search the computers of people who worked there from 2003-2005 for millions of missing emails from that period. Here&#8217;s an excerpt:</p>
<blockquote>
<p>Judge Henry Kennedy of United States District Court for the District of Columbia also ordered officials of that office to collect and preserve any e-mail messages that were sent or received during that period. EOP officials are also to collect from the office&#8217;s employees any electronic media that may contain e-mail messages from that time and preserve them.</p>
<p>The order comes just days before the inauguration, when presidential documents are to be handed over to the National Archives for safekeeping to comply with the Presidential Records Act.</p></blockquote>
<p>Two separate organizations are suing the White House, alleging it violated the Federal Records Act (FRA) by not properly archiving emails. The groups allege that many of the missing emails may contain information about the Iraq war, FEMA&#8217;s response to Hurricane Katrina, and the Valerie Plame leak investigation. A White House spokeswoman says they will comply with the order.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/01/white-house-ordered-to-produce-emails/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SEC Warns Companies Not To Skimp On Compliance</title>
		<link>http://www.theemailadmin.com/2008/12/sec-warns-companies-not-to-skimp-on-compliance/</link>
		<comments>http://www.theemailadmin.com/2008/12/sec-warns-companies-not-to-skimp-on-compliance/#comments</comments>
		<pubDate>Thu, 04 Dec 2008 15:00:38 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email compliance]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=197</guid>
		<description><![CDATA[The folks over at the LiveOffice blog are reporting that the SEC has sent a letter out to the CEOs of firms registered with them warning them to take email compliance and archiving seriously and not to try and cut corners due to the economy. Here&#8217;s an excerpt from the letter: While many firms are [...]
]]></description>
			<content:encoded><![CDATA[
<p><a target="_blank" href="http://www.theemailadmin.com/wp-content/uploads/2008/12/emailicon.png"><img class="alignright size-medium wp-image-198" style="float: right;" title="SEC Warns Companies Not To Skimp On Compliance" src="http://www.theemailadmin.com/wp-content/uploads/2008/12/emailicon-286x300.png" alt="SEC Warns Companies Not To Skimp On Compliance" width="109" height="91" /></a>The folks over at the <a href="http://blog.liveoffice.com/blog/bid/6963/SEC-says-don-t-pinch-pennies-on-your-email-compliance" onclick="pageTracker._trackPageview('/outgoing/blog.liveoffice.com/blog/bid/6963/SEC-says-don-t-pinch-pennies-on-your-email-compliance?referer=');">LiveOffice blog</a> are reporting that the SEC has sent a letter to the CEOs of firms registered with it, warning them to take email compliance and archiving seriously and not to try to cut corners because of the economy. Here&#8217;s an excerpt from the letter:</p>
<blockquote><p>While many firms are considering reductions and cost-cutting measures, we remind you of your firm&#8217;s legal obligation to maintain an adequate compliance program reasonably designed to achieve compliance with the law. As SEC Chairman Cox noted recently, &#8220;[E]xperience has taught us again and again that giving short shrift to regulatory compliance subjects a company&#8217;s investors, employees, management, directors, and every other stakeholder to unacceptable risks&#8230;.[C]ompliance programs have made huge strides in recent years in becoming more formalized and more robust&#8230;. Now more than ever, companies need to take a long-term view on compliance and realize that their fiduciary responsibility requires a constant commitment to investors. That means sustaining their support for compliance during this market turmoil, and beyond it as well.&#8221;</p></blockquote>
<p>We agree. If you&#8217;re looking for ways to cut costs, don&#8217;t do so at the expense of your compliance program!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2008/12/sec-warns-companies-not-to-skimp-on-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>17 Email Compliance Considerations required by HIPAA</title>
		<link>http://www.theemailadmin.com/2008/11/17-email-compliance-considerations-required-by-hipaa/</link>
		<comments>http://www.theemailadmin.com/2008/11/17-email-compliance-considerations-required-by-hipaa/#comments</comments>
		<pubDate>Fri, 28 Nov 2008 14:40:47 +0000</pubDate>
		<dc:creator>Carl E. Reid</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=176</guid>
		<description><![CDATA[Although ISO provides electronic standard document compliance in the healthcare industry, the most widespread and well-known piece of legislation is the United States Department of Health and Human Services’ Health Insurance Portability and Accountability Act (HIPAA).  As Kevin Beaver explains in his white paper ”E-mail Compliance Security Solutions for Regulatory Requirements“  HIPAA originated in 1996 [...]
]]></description>
			<content:encoded><![CDATA[
<p><a target="_blank" href="http://www.theemailadmin.com/wp-content/uploads/2008/11/hipaa_image11.jpg"><img class="alignright size-medium wp-image-179" style="float: right;" title="hipaa_image11" src="http://www.theemailadmin.com/wp-content/uploads/2008/11/hipaa_image11.jpg" alt="" width="155" height="155" /></a>Although ISO provides electronic standard document compliance in the healthcare industry, the most widespread and well-known piece of legislation is the United States Department of Health and Human Services’ Health Insurance Portability and Accountability Act (HIPAA). As Kevin Beaver explains in his white paper “<a href="http://i.i.com.com/cnwk.1d/html/itp/StBernard_Email_Compliance_Security_Solutions_Reg_Req.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/i.i.com.com/cnwk.1d/html/itp/StBernard_Email_Compliance_Security_Solutions_Reg_Req.pdf?referer=');">E-mail Compliance Security Solutions for Regulatory Requirements</a>,” HIPAA originated in 1996 under President Clinton. HIPAA affects the entire healthcare industry, which encompasses approximately 15 percent of the U.S. economy. The specific part of HIPAA we are referring to is called <a target="_blank" href="http://www.cms.hhs.gov/MMIS/03_MedicaidHIPAASim.asp" onclick="pageTracker._trackPageview('/outgoing/www.cms.hhs.gov/MMIS/03_MedicaidHIPAASim.asp?referer=');">Administrative Simplification</a>. It contains documents in the fields of information technology and data utilization as these relate to the effective and efficient administration of the Medicaid program.</p>
<p><span id="more-176"></span></p>
<p>Administrative Simplification covers three major rules written to help ensure the privacy and security of protected health information (PHI), as it relates to individuals, as well as to standardize various electronic healthcare transactions and code sets. Organizations that must comply with HIPAA are called covered entities. This group includes hospitals, insurance providers, employer health plans, physicians, and more. In addition, any business associate of these covered entities that has access to or handles PHI on behalf of the covered entity, such as lawyers, accountants, auditors, and billing companies, must have a contract in place with the covered entities stating that it will protect PHI as well.</p>
<p>The two HIPAA rules that affect email security are the Privacy Rule and the Security Rule. The HIPAA Security Rule contains specific requirements that mirror the Privacy Rule, but goes into much more detail. The Security Rule was made effective on April 21, 2003 and was enforced for most covered entities by April 21, 2005. This rule primarily focuses on information security best practices and revolves around the security cornerstones of confidentiality, integrity, and availability.</p>
<p>Kevin covers the HIPAA Security Rule Standards in more detail within his white paper.  Below is an overview of compliance considerations required by HIPAA.</p>
<p><strong>Administrative Safeguards</strong><br />
1. Security Management Process<br />
2. Assigned Security Responsibility<br />
3. Workforce Security<br />
4. Information Access Management<br />
5. Security Awareness and Training<br />
6. Security Incident Procedures<br />
7. Contingency Plan<br />
8. Evaluation<br />
9. Business Associate Contracts and Other Arrangements</p>
<p><strong>Physical Safeguards</strong><br />
1. Facility Access Controls<br />
2. Workstation Use<br />
3. Workstation Security<br />
4. Device and Media Controls</p>
<p><strong>Technical Safeguards</strong><br />
1. Access Control<br />
2. Audit Controls<br />
3. Integrity<br />
4. Person or Entity</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2008/11/17-email-compliance-considerations-required-by-hipaa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

