Introduction
Email compliance, security and content policy enforcement is a growing priority for organizations of all sizes. Many companies have formal policies that govern generally acceptable use and content for corporate email systems. More recently, companies have also become subject to scrutiny and audit to ensure their compliance with a wide range of external regulatory and legal obligations.
However, the mere existence of corporate policies does not ensure compliance. Policies without proactive measures for enforcement are little more than window dressing. Email content control solutions have evolved to provide real-time scanning of inbound, outbound and, in a few cases, internal email traffic. These solutions provide the foundation for proactive, real-time enforcement of regulatory and corporate policies as they pertain to email content.
The single most important benefit delivered by email compliance-oriented products is their ability to actually prevent compliance violations from occurring by blocking delivery of, or taking some other action on, messages that run afoul of corporate or regulatory policies.
To be effective, such systems require:
-- a way to embody or interpret corporate policy (such as content criteria or distribution restrictions)
-- a method of content analysis to determine whether a particular message violates, or with a high degree of probability is likely to violate, some policy, and
-- the real-time ability to take the appropriate action or countermeasure to enforce the policies and thereby prevent violations
Unfortunately, the approach followed by most vendors to implement these capabilities results in a significant, and costly, administrative burden on those responsible for managing the system.
The Challenges of "Policy" Administration
The two biggest challenges that create the administrative nightmare for anyone responsible for managing an email compliance and content control solution are:
-- how to define, and reflect within the system, comprehensive and complex corporate policies in a way that preserves flexibility and manageability yet allows for change
-- how to define and accurately detect within email messages and their attachments the information concepts that are subject to control under one or more policies
The Elements of Policy Definition
Whether for internal corporate or external regulatory requirements, an effective policy must define three essential elements. They are the:
-- Content — what kind of information to look for (e.g. confidential information, credit card or account numbers, proprietary product information, financial results, harassing language, etc.)
-- Conditions — what other restrictions or criteria apply (e.g. when, where and to whom the policy applies – only to certain recipients or senders, to outbound messages only, etc.)
-- Actions — what to do if a policy is triggered (e.g. delete the message, quarantine it, encrypt and digitally sign it, copy it, archive it, etc.)
When all three elements are properly defined, combined and represented to the email control system in some way, a "policy" can be enforced.
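The three-element model above, shown as an added example that is not from the original paper or from any vendor's product: each policy pairs a content detector with its conditions and a single action, and is evaluated against a message. The names `Policy`, `evaluate`, `has_card_number`, `has_keywords` and `make_msg`, the two policies and the `.example` domains are assumptions made for illustration.

```python
# Added illustration: all names, policies and domains here are hypothetical.
import re
from dataclasses import dataclass, field
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Callable
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def has_card_number(text: str) -> bool:
    """Content: digit runs of card length that also pass the Luhn checksum."""
    for m in CARD_RE.finditer(text):
        digits = [int(c) for c in m.group() if c.isdigit()]
        odd, even = digits[-1::-2], digits[-2::-2]
        if (sum(odd) + sum(sum(divmod(2 * d, 10)) for d in even)) % 10 == 0:
            return True
    return False

def has_keywords(*words: str) -> Callable[[str], bool]:
    """Content: case-insensitive keyword list."""
    return lambda text: any(w.lower() in text.lower() for w in words)

@dataclass
class Policy:
    name: str
    content: Callable[[str], bool]   # Content: what to look for
    direction: str                   # Condition: "inbound" or "outbound"
    action: str                      # Action: what to do when triggered
    exempt_domains: set = field(default_factory=set)  # Condition: recipients skipped

def evaluate(msg: EmailMessage, direction: str, policies: list) -> list:
    """Return (policy name, action) where content and all conditions match."""
    text = f"{msg['Subject']}\n{msg.get_content()}"
    to = getaddresses([str(v) for v in msg.get_all("To", [])])
    domains = {addr.rpartition("@")[2].lower() for _, addr in to}
    return [(p.name, p.action) for p in policies
            if p.direction == direction
            and not (domains and domains <= p.exempt_domains)
            and p.content(text)]

def make_msg(to: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()             # constructed sample message, not real traffic
    msg["To"], msg["Subject"] = to, subject
    msg.set_content(body)
    return msg

POLICIES = [
    Policy("card-data", has_card_number, "outbound", "quarantine", {"processor.example"}),
    Policy("financial-results", has_keywords("earnings", "quarterly results"), "outbound", "encrypt"),
]
```

The Luhn check in the content detector is one way to cut false positives from digit runs that merely look like card numbers.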
Policy Management, Maintenance & Administration
The challenges related to maintaining and administering policies for email compliance and control relate to:
-- the policies themselves – policies evolve and change, and new ones are added. To guarantee proper enforcement the policies must be kept current, which may require frequent changes and updates to the system – how often might you have to edit multiple rules simply because of a change in the required action?
-- defining and fine tuning content definitions – variously referred to as content filters, key word lists or templates that identify the information that should be detected. Despite advances in technology, to some degree false positive and false negative detections will always be a fact of life—more so with some products and approaches than others, but no system is totally immune. The policy content definitions, therefore, require constant fine tuning and adjustment to improve their accuracy. In addition, customized or personalized filters (i.e. those not supplied by the vendor) often require adjustment over time to tune the results they generate to more precisely match the policy criteria – how many times have you had to edit key word lists in dozens of rules to fine tune the results or add additional criteria?
-- changes in the business environment – changes in personnel, individual responsibilities, organizational structure, business processes and a myriad of other possibilities all contribute to the administrative burden of managing an email control and compliance system. For instance, a simple change in personnel may mean dozens of policies must be updated to change where policy violation notifications or copies of messages are sent.