<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Did you know that you ALREADY have an e-mail policy?</title><link>http://blogs.technet.com/steriley/archive/2006/09/10/Did-you-know-that-you-ALREADY-have-an-e_2D00_mail-policy_3F00_.aspx</link><description>An email access policy can be expressed in one of two ways: E-mail is mission critical to our business. Therefore, we permit employees to read and compose e-mail from any location in the world where employees can access the Internet, using either company-issued</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: Did you know that you ALREADY have an e-mail policy?</title><link>http://blogs.technet.com/steriley/archive/2006/09/10/Did-you-know-that-you-ALREADY-have-an-e_2D00_mail-policy_3F00_.aspx#455268</link><pubDate>Mon, 11 Sep 2006 06:42:45 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:455268</guid><dc:creator>Dan Halford</dc:creator><description>Providing remote access to Outlook via Citrix, especially when combined with two-factor authentication, should help mitigate against cache browsing and malware infecting email messages. It doesn't stop meat-layer vulnerabilities, of course, but it would provide another layer of security. 
Considering many large organisations already have Citrix in the enterprise, it's another method of access that can help reduce risk.</description></item><item><title>re: Did you know that you ALREADY have an e-mail policy?</title><link>http://blogs.technet.com/steriley/archive/2006/09/10/Did-you-know-that-you-ALREADY-have-an-e_2D00_mail-policy_3F00_.aspx#455501</link><pubDate>Tue, 12 Sep 2006 03:53:42 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:455501</guid><dc:creator>joshmaher</dc:creator><description>The problem with the business being the sole decision maker without IT (or security) being involved is by the time they set their mind and budget on a policy, they usually have already overlooked the risks of their decision. I agree that the business needs should drive the decisions, although logical organization is not always the case and the lack of out of the box security leads to increased cost. This of course leads to frustration with the IT support function and ultimately leads to infrastructures that are not secure. (unfortunately that mess of a statement is not overstated)&lt;br&gt;&lt;br&gt;I think it is important to involve the technologists early enough to influence the budgeting and decision making process. Just like city planners involve the businesses they will affect and business leaders involve their accountants when making accounting changes. The &amp;nbsp;decision makers of these policies should involve technologists who know these types of answers.
&lt;br&gt;</description></item><item><title>Henrik Walther Blog  &amp;raquo; Blog Archive   &amp;raquo; Did you know that you ALREADY have an e-mail policy?</title><link>http://blogs.technet.com/steriley/archive/2006/09/10/Did-you-know-that-you-ALREADY-have-an-e_2D00_mail-policy_3F00_.aspx#455554</link><pubDate>Tue, 12 Sep 2006 12:14:24 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:455554</guid><dc:creator>Henrik Walther Blog  » Blog Archive   » Did you know that you ALREADY have an e-mail policy?</dc:creator><description>PingBack from &lt;a rel="nofollow" target="_new" href="http://blogs.msexchange.org/walther/2006/09/12/did-you-know-that-you-already-have-an-e-mail-policy/"&gt;http://blogs.msexchange.org/walther/2006/09/12/did-you-know-that-you-already-have-an-e-mail-policy/&lt;/a&gt;</description></item><item><title>re: Did you know that you ALREADY have an e-mail policy?</title><link>http://blogs.technet.com/steriley/archive/2006/09/10/Did-you-know-that-you-ALREADY-have-an-e_2D00_mail-policy_3F00_.aspx#456200</link><pubDate>Thu, 14 Sep 2006 16:18:33 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:456200</guid><dc:creator>Paul Vincent</dc:creator><description>It used to be the case that the Business used to 'delegate' the grey art of Risk Analysis to technologists, but to be fair, are those in technology really the best ones to judge risk?&lt;br&gt;More and more I have seen examples recently where the Business has taken an active part in Risk Definition Workshops, in the IRAM process (Information Security Forum www.securityforum.org) and also many business partners are seeking professional accreditation such as the CISSP.&lt;br&gt;For proper Risk Management to take place, only the Business can define what is an unacceptable risk. 
For example;&lt;br&gt;&lt;br&gt;If a nefarious individual executes a DDOS against their customer facing web site, causing net losses of &amp;#163;25,000 is this an unacceptable risk?&lt;br&gt;&lt;br&gt;To a small retailer of squeaky toys, that could result in the closure of their business, to a large financial organisation netting 22 billion a year, maybe it's not such a big deal.&lt;br&gt;&lt;br&gt;Also it is important to quantify the damage that could be caused by various threat agents taking advantage of vulnerabilities. Only then can solid decisions be made regarding the amount of protection that it makes sense to deploy (would you spend &amp;#163;30,000 on a firewall protecting assets with a value of &amp;#163;4-5000?).&lt;br&gt;&lt;br&gt;Of course, there will always be occasions where technical staff will be able to offer their valuable experience and knowledge. This is why it is always useful to have representation at Risk Workshops.&lt;br&gt;&lt;br&gt;To go back to Steve's point initially, the appetite for risk a company is willing to take will be reflected in their overall security policy. Who signs off the policy? The business.&lt;br&gt;&lt;br&gt;There are some very good security products out there that address issues around CIA, and strong auth. Company standards will define the ones that best support the overarching policy.&lt;br&gt;&lt;br&gt;Of course if you don't have a policy, then you need to get one, if only to document the 'De-facto' policy that may be in place as SR mentions above&lt;br&gt;&lt;br&gt;</description></item><item><title>Weekend reading</title><link>http://blogs.technet.com/steriley/archive/2006/09/10/Did-you-know-that-you-ALREADY-have-an-e_2D00_mail-policy_3F00_.aspx#458416</link><pubDate>Sat, 23 Sep 2006 14:18:04 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:458416</guid><dc:creator>subject: exchange</dc:creator><description>Is it my impression, or are these lists getting bigger? 
Setting Up Exchange 2007 Exchange Server 2007</description></item><item><title>re: Did you know that you ALREADY have an e-mail policy?</title><link>http://blogs.technet.com/steriley/archive/2006/09/10/Did-you-know-that-you-ALREADY-have-an-e_2D00_mail-policy_3F00_.aspx#458463</link><pubDate>Sat, 23 Sep 2006 18:59:44 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:458463</guid><dc:creator>Sean Burgess</dc:creator><description>But it can be even worse/better than you have described in your 2 rules. &amp;nbsp;My company is converting from having an email system that makes its employees more productive to one that keeps its data more secure. &amp;nbsp;Although they have a web interface available to our mail servers, you need to be logged in via VPN or on the LAN to use it. &amp;nbsp;And although our VPN is web based, you need to be on company hardware to get it to work. &amp;nbsp;So our company's mail will now be extremely secure and basically unusable when you are not working in the office. &amp;nbsp;Guess it will keep me from checking my mail when I am on vacation.&lt;br&gt;&lt;br&gt;The one thing that you didn't talk about as an impact on productivity is mail quotas. &amp;nbsp;How productive can a mail platform be if you are constantly having to move your mail from the server to a local archive? &amp;nbsp;Is the savings in storage costs worth the lost time that managing local archives requires?
&lt;br&gt;&lt;br&gt;Sean---</description></item><item><title>re: Did you know that you ALREADY have an e-mail policy?</title><link>http://blogs.technet.com/steriley/archive/2006/09/10/Did-you-know-that-you-ALREADY-have-an-e_2D00_mail-policy_3F00_.aspx#458733</link><pubDate>Mon, 25 Sep 2006 03:27:42 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:458733</guid><dc:creator>HiltonT</dc:creator><description>Hi Steve,&lt;br&gt;&lt;br&gt;You may not be able to have both scenarios, but you can have certain people using one and others using the other. &amp;nbsp;For example, you could only allow external access to emails to those people who have signed that particular part of the company security policy and who need external access - salespeople, management, remote workers, etc. &amp;nbsp;They would be able to access this email from their laptop, PDA, home PC or whatever else is allowed for in the company security policy. &amp;nbsp;All others would be denied this ability.&lt;br&gt;&lt;br&gt;Also, as far as 2FA security options go, Dana Epp has released RWW Guard (&lt;a rel="nofollow" target="_new" href="http://www.scorpionsoft.com/products/rww-guard/"&gt;http://www.scorpionsoft.com/products/rww-guard/&lt;/a&gt;) which allows for CryptoCard (and other) OTP devices to be used to help secure (yes, OK, authenticate) external RWW/OWA access. &amp;nbsp;He's also working on an OEM-ed CryptoCard + RWW Guard + IAS product.</description></item></channel></rss>