When you are doing a Business Impact Analysis or a Risk Assessment, you will often find that email, be it internal or external, is one of the systems that people think they cannot live without. They might even be right. Email systems are being used as a communications tool, storage system, social calendar, gossip line, attack vector, etc. The expectation that an email has been received, read and is being acted on within minutes of being sent is much higher than it was a few years ago. Woe if for some reason the message is delayed. There are lots of reasons why emails can be delayed, but I want to have a look at how people manage their email, as the content management system is often the point where things go wrong, and not necessarily because of technology.
Typically organisations have something that filters all the inbound and often outbound email. Known viruses are blocked, SPAM is blocked and, depending on a number of rules, emails are blocked based on content. What is blocked varies from organisation to organisation, and that is probably where one of the main issues starts. What should you block inbound?
Known viruses and SPAM are easy, but there is so much more around in PDF, Excel, Word, exe, scr, pif, cmd, com, bat, URLs, undesirable images, etc. So should all attachments be blocked, regardless of what they are? It probably depends on your risk profile. Certain organisations, as we’ve seen with the Tibetan issue, are more likely to receive targeted malicious content and they may need to implement something as strict as blocking every attachment.
Dealing with blocked messages also varies from organisation to organisation. In some, the answer is just no; others allow users to release emails themselves and rely on the users’ integrity to not release emails that should not be sent or received. Some ask staff to contact the helpdesk or security group when a message needs to be released. Another choice is for the security group to regularly check blocked emails and release messages that are business related.
Outbound messages are often allowed out without any sort of verification. However, in quite a number of countries companies can be held responsible for the activities of their employees, so it is an important control point. Outbound messages should be treated at least as strenuously as inbound email, if not more so.
So if you have been tasked with reviewing your mail content management, here are some of the things that you should be asking:
A few of the things to look out for. If you have additions, let me know.
Mark - Shearwater
Mar 30th 2008