5 Questions, 10 Tips to Help Create Effective Acceptable-Use Policies for E-Communications

Early this week, security vendor Proofpoint released its fourth annual “Outbound E-Mail and Content Security in Today’s Enterprise” survey. The report concluded that smart organizations are increasingly creating specific acceptable-use policies to address security threats associated with employee use of consumer IT applications and services such as blogs, message board, Web mail and instant messages.

“Clear, well-articulated policies and employee education are probably the number-one thing that CIOs can champion to ensure the security of all of their organizations’ sensitive content,” said Keith Crosley, director of market development for Proofpoint.

The creation of effective acceptable-use policies for e-communications starts with brainstorming sessions and interviews with the appropriate personnel, including representatives from the executive suite, finance, legal, IT, security and human resources, according to Crosley.

Here are five questions that Crosley suggests asking once all the necessary parties are in the room.

1. When is it OK to send information outside the enterprise via e-mail, blogs and message boards, IM and media sharing?
2. When is it not?
3. What types of information are prohibited in the e-mail system? Transactional data? Customer data? Intellectual property documents? Internal memos?
4. What types of procedures will be necessary to discourage risky behavior and enforce established policies? Punishment? Termination?
5. What is our process for reviewing and revising policies in the event that changes occur or policies fail to work as expected?

Crosley also assembled a list of 10 steps for organizations to follow when crafting acceptable-use policies:

1. Understand your business and what digital assets are important based upon what you do, what external forces drive your business, and what intellectual property you own. Don’t forget to think about “new media,” employee-generated content and new communications channels as you go through this exercise.
2. Create policies that consider business assets, processes and employee access to files.
3. Understand what your confidential/valuable information is and where it resides.
4. Define risk and develop a list of possible security countermeasures.
5. Evaluate security measures (physical and network-related) and potential technology solutions.
6. Implement e-mail security technology, multi-protocol data loss prevention technology and “real-world” security processes. Many vendors (Proofpoint included) offer evaluations or audits that will help you understand which protocols are most risky and what types of sensitive information are flowing out of your organization.
7. Monitor and enforce policy via security technology and human oversight.
8. Conduct audits to analyze risk and identify trouble spots.
9. Train the organization to recognize risks and refrain from insecure behaviors.
10. Treat your policies as living documents that may change over time. Regularly evaluate the effectiveness and sensibility of your policies and make adjustments if necessary.