It's not just local legislative requirements that are making e-mail compliance an extremely important corporate objective at the moment. Growing incidents of confidential data theft and costly, reputation-damaging litigation are making South African organisations of all sizes take the issue very seriously. Hennie Moolman, Managing Director of network security expert Africa SD, outlines some of the key considerations.
Most of us have little difficulty accepting research that suggests as much as 60% of an organisation's critical information can be found in its e-mail traffic. Aside from the sensitive documents that are routinely exchanged, e-mail is increasingly the only form of written communication that exists between a company and its clients and suppliers.
This state of affairs, coupled with local legislation that requires companies to securely store all e-mail sent or received for up to 10 years[1] and the growing trend of using e-mail evidence in lawsuits, has made e-mail compliance an extremely important corporate objective.
In many organisations, responsibility for achieving this goal is handed to the IT department, and it can prove much more of a headache than initially anticipated, given the wide variety of ways of addressing the requirement and the different systems that can be employed to do so. Nonetheless, there are several universal considerations that need to be taken into account regardless of the specific solution employed, and these are outlined in this article.
Publish an appropriate policy
E-mail compliance covers the lifecycle of corporate messages - from creation and distribution to management, storage and, eventually, disposal. As such, it should be viewed as a process, rather than a technology, and so the first step is to draw up an appropriate policy to govern the process.
An e-mail compliance policy is a set of formal guidelines governing the use of e-mail within the organisation. As a minimum, the policy should establish what constitutes acceptable e-mail behaviour. To do so, it needs to specify what will be deemed unsuitable language and content and how attachments, especially potentially sensitive documents, should be handled. To ensure regulatory compliance, the policy should also clearly explain the organisation's e-mail monitoring, storage and disposal processes.
Once a suitable policy has been finalised, it is important to make sure every member of the organisation is aware of it and understands it. It should be included in employee handbooks and posted on the intranet if possible. It is also a good idea to require staff to confirm they have reviewed the policy by signing to that effect.
The last observation to make regarding policies is that they are, invariably, only as effective as their enforcement. That is why it pays to automate as much of the policy enforcement burden as possible and to make the enforcement visible throughout the organisation.
The right infrastructural set-up
Choosing the best infrastructural set-up is the most important practical consideration. While it can vary greatly and ultimately depends on an organisation's particular needs and likely exposure under the regulations, the best way to implement e-mail archiving is typically on a dedicated local server.
This arrangement is recommended for performance and security reasons. Archiving e-mail to a separate server helps maintain the efficiency of the organisation's messaging servers: it prevents the rapid consumption of local disk space (as the primary corporate communications channel, e-mail volumes grow quickly in most businesses) and lets the messaging servers concentrate on filtering and delivering e-mail, freeing them from the frequently heavy burden of archiving.
A separate, dedicated local archiving server also offers better protection against tampering, since access to it can be restricted to the archiving process and a small number of authorised administrators, and it makes ongoing maintenance simpler. The set-up also allows the messaging and archiving servers to be backed up separately, which gives a safer operational environment and minimises the risk of complete data loss: if one system is lost, the other system's backup can still be used to restore the e-mail data and bring it back quickly.
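One way to make the archive server's tamper resistance checkable rather than assumed is to journal each archived message under a content hash and keep a hash-chained manifest, so that an altered message, an edited manifest record or a deleted record is reported on verification. The following is an added example written for this article, not code from Africa SD or from any product the article describes; it assumes messages are stored as raw bytes in one archive directory with a manifest file named archive.log, and the two sample messages are constructed for the demonstration.

```python
"""Tamper-evident message archive: content-addressed files plus a hash-chained manifest.

Added example (not the article's or Africa SD's code). Assumed layout:
<archive_dir>/<sha256>.eml holds each raw message, and <archive_dir>/archive.log
holds one JSON record per message, each chained to the previous record's hash.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

MANIFEST = "archive.log"
GENESIS = "0" * 64  # prev-hash of the first manifest record

# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    b"From: alice@example.co.za\r\nTo: bob@example.co.za\r\nSubject: Q3 contract\r\n\r\nAttached as discussed.\r\n",
    b"From: bob@example.co.za\r\nTo: alice@example.co.za\r\nSubject: Re: Q3 contract\r\n\r\nReceived, thanks.\r\n",
]


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(prev: str, entry: dict) -> str:
    # Canonical JSON so the hash is reproducible at verification time.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return _sha256(prev.encode() + payload)


def _read_manifest(archive_dir: str) -> list:
    path = os.path.join(archive_dir, MANIFEST)
    if not os.path.exists(path):
        return []
    with open(path, "rb") as f:
        return [json.loads(line) for line in f if line.strip()]


def archive_message(archive_dir: str, raw: bytes) -> dict:
    """Store one raw message and append a chained manifest record for it."""
    os.makedirs(archive_dir, exist_ok=True)
    records = _read_manifest(archive_dir)
    prev = records[-1]["entry_hash"] if records else GENESIS
    digest = _sha256(raw)
    # Content-addressed filename: an edited message no longer matches its own name.
    with open(os.path.join(archive_dir, digest + ".eml"), "wb") as f:
        f.write(raw)
    entry = {
        "seq": len(records),
        "sha256": digest,
        "size": len(raw),
        "archived_at": datetime.now(timezone.utc).isoformat(),
        "prev": prev,
    }
    entry["entry_hash"] = _entry_hash(prev, entry)
    with open(os.path.join(archive_dir, MANIFEST), "ab") as f:
        f.write(json.dumps(entry, sort_keys=True).encode() + b"\n")
    return entry


def verify_archive(archive_dir: str) -> list:
    """Return a list of problems found; an empty list means the archive is intact."""
    problems = []
    prev = GENESIS
    for i, rec in enumerate(_read_manifest(archive_dir)):
        body = {k: v for k, v in rec.items() if k != "entry_hash"}
        if rec.get("seq") != i:
            problems.append(f"seq {i}: manifest record missing or reordered")
        if rec.get("prev") != prev or _entry_hash(prev, body) != rec.get("entry_hash"):
            problems.append(f"seq {i}: manifest chain broken (record edited or deleted)")
        path = os.path.join(archive_dir, rec["sha256"] + ".eml")
        if not os.path.exists(path):
            problems.append(f"seq {i}: message file missing")
        else:
            with open(path, "rb") as f:
                data = f.read()
            if _sha256(data) != rec["sha256"] or len(data) != rec["size"]:
                problems.append(f"seq {i}: message content altered")
        prev = rec.get("entry_hash", prev)
    return problems


def demo() -> dict:
    """Build a small archive, then show what verification reports after two kinds of tampering."""
    archive_dir = tempfile.mkdtemp(prefix="mailarchive-")
    entries = [archive_message(archive_dir, m) for m in SAMPLE_MESSAGES]
    result = {"clean": verify_archive(archive_dir)}
    # 1) Someone edits an archived message in place.
    with open(os.path.join(archive_dir, entries[0]["sha256"] + ".eml"), "ab") as f:
        f.write(b"P.S. price revised\r\n")
    result["after_message_edit"] = verify_archive(archive_dir)
    # 2) Someone rewrites the manifest to drop the first record.
    path = os.path.join(archive_dir, MANIFEST)
    with open(path, "rb") as f:
        lines = f.readlines()
    with open(path, "wb") as f:
        f.writelines(lines[1:])
    result["after_manifest_edit"] = verify_archive(archive_dir)
    return result


if __name__ == "__main__":
    for stage, problems in demo().items():
        print(stage, "->", problems or "OK")
```

The chain only detects tampering; it does not prevent it. In practice the manifest's latest entry_hash should be copied periodically to a second system (a write-once store or the separate backup the article recommends), so that an attacker with write access to the archive server cannot simply regenerate the whole chain.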
Ongoing administration
It's often overlooked, but the ongoing maintenance and administration of the chosen solution is another important consideration. It is prudent to ensure the solution features a user-friendly search facility that authorised personnel outside the IT department can also access and use. The obligations of an e-discovery request can be onerous, and allowing legal counsel to conduct searches without the help of IT can make the process faster and easier for both departments.
To remain relevant and effective, policies typically require continuous updating, and an e-mail compliance policy is no exception. So it is also a good idea to make sure that any solution implemented permits non-technical staff, such as compliance officers, to access and change the policy rules directly.
Mitigate the risks
E-mail compliance is not something organisations can afford to ignore. Nor is it simply a question of being fined for not meeting corporate governance and regulatory requirements. Organisations that don't achieve compliance leave themselves and their employees vulnerable to theft of confidential data, commercial fraud and costly, reputation-damaging litigation.