The recent spike in the volume of spam traveling across the Internet, combined with the dangers of phishing and virus attacks that frequently accompany these messages, has forced corporations to reconsider how they determine which messages will be allowed into their network. For years, companies have addressed their email security needs through a mixture of third party software solutions designed to address specific areas of vulnerability. Today, however, this approach appears to be ineffective. New threats adapt to even the latest security technology, helping hackers and spammers stay a step ahead of most stand-alone protective measures. System administrators remain in a reactionary mode, waiting for the next attack and hoping their mixed bag of security software is up to the test.

The role of email in Sarbanes-Oxley compliance cannot be overstated. The Sarbanes-Oxley Act of 2002 and associated rules adopted by the Securities and Exchange Commission (SEC) require certain businesses to report on the effectiveness of their internal controls over financial reporting. Effective internal controls ensure information integrity by mandating the confidentiality, privacy, availability, controlled access, monitoring and reporting of corporate or customer financial information. Companies that must comply with Sarbanes-Oxley include U.S. public companies, foreign filers in U.S. markets and privately held companies with public debt. U.S. companies with market cap greater than $75M and on an accelerated (2004) filing deadline are required to comply for fiscal years ending on or after Nov. 15, 2004. All others are required to comply for fiscal years ending on or after April 15, 2005.

Because the bulk of information in most corporations is created, stored, transmitted and maintained electronically, IT departments are responsible for ensuring that sound practices, including corporate wide information security policies and enforced implementation of those policies, are in place for employees at all levels. Information security policies should govern the following items:

• Network security
  

• Access controls
  

• Authentication
  

• Encryption
  

• Logging
  

• Monitoring and alerting
  

• Pre-planning coordinated incident response
  

• Forensics
  

Most of us would agree that today email is the primary internal and external communication tool for corporations. Unfortunately, it is also one of the most exposed areas of a technology infrastructure. Email systems are critical to ensuring effective internal control over financial reporting, encryption of external messages and active policy enforcement, all essential elements of compliance. Companies must install a solution that actively enforces policy, stops offending mail both inbound and outbound and halts threats before internal controls are compromised, as opposed to passively noting violations as they occur. An effective email security solution must address all aspects of controlling access to electronically stored company financial information. Given the wide functionality of email, ensuring appropriate information access control for all of these points requires:

• A capable policy enforcement mechanism to set rules in accordance with each company?s systems of internal controls;
  

• Encryption capabilities to ensure privacy and confidentiality through secure and authenticated transport and delivery of email messages;
  

• Secure remote access to enable remote access for authorized users while preventing access from unauthorized users;
  

• Anti-spam and anti-phishing technology to prevent malicious code from entering a machine and to prevent private information from being provided to unauthorized parties.
  

On a final note, some clear guidelines for a good and effective email policy include the following points: a) Emails should comply with the proper RFC protocols for email, 2) Employees should not attempt to obscure content or messages in emails, 3) Companies should post privacy policies where they can be read and understood, prior to submission of a request, 4) Employees should not send email to unverified or nonexistent email addresses, 5) Companies should offer users opportunities to opt-out of programs.

Given that developments in email and the Internet are changing so rapidly, it is essential to review the email policy at least once every quarter. Keep an eye on new developments in email and Internet law so that you are aware of any new regulations and opportunities. When you release new updates, it is preferable to have each user sign as acknowledgment of their receipt of the policy.

With all of this said, if you want to reduce electronic risks in the workplace you must take the initiative. Electronic disasters can ruin businesses, sink careers, send stock prices plummeting, and generate public relations nightmares. Do not wait for a disaster to strike; prevention is always your best defense. Visit www.AntiSpamLeague.org and they will help you develop and implement written email usage and privacy policies that clearly reflect your organization's expected standards of electronic behavior, along with privacy and monitoring policies.

The purpose of the Anti SPAM League is to help consumers and business owners reduce the amount of SPAM they receive. In addition, our Anti SPAM organization believes that educating site owners in the area of SPAM prevention and ways to successfully and responsibly market their sites, is key in making a difference.

mike@anti-spam-league.org