
WHITE PAPER

The Policy Survey Project

An Osterman Research White Paper

Published October 2011

Sponsored by Dell, Messaging Architects and Contoural

Osterman Research, Inc.
P.O. Box 1058
Black Diamond, Washington 98010-1058 USA
Tel: +1 253 630 5839
Fax: +1 253 458 0934
info@ostermanresearch.com
www.ostermanresearch.com
twitter.com/mosterman

The Policy Survey Project Fall 2011

Executive Summary
WHAT IS THE POLICY SURVEY PROJECT?
The Policy Survey Project is a semi-annual survey program focused on the evolution of policies and controls around email, archiving and compliance. The survey is designed to address the concerns of four key executive roles (Human Resources, IT, Legal and Operations) within organizations of various sizes. The goals of the program are three-fold:

1. Gauge the current state of corporate policies and the deficiencies or risks that need to be addressed.
2. Map the evolution of how policies and controls are designed, implemented and monitored over time.
3. Understand the policy temperature in the corporate market as a reflection of the intent to invest in better risk management technology, services and processes.

OVERVIEW
Virtually every aspect of messaging management must follow a set of policies that are dictated by corporate best practice, legal requirements, regulatory obligations or industry standards. For example, every organization should address a growing number of sometimes-difficult issues focused on its messaging infrastructure:

Which communication technologies are allowed in the workplace and which are not?
How will personal devices used for work purposes be managed?
How will content be managed for long periods to satisfy legal, regulatory and other requirements?
What constitutes acceptable use of corporate communications resources and what does not?
Should different employees be subject to different policy requirements based on their role in the organization?
To what extent does an organization have the right to dictate what employees tweet or post on Facebook?

The answers to these questions, and the technologies and practices that organizations implement to address them, are critically important to minimize corporate risk, maximize employee productivity and generally advance the cause of the organization.

BACKGROUND AND METHODOLOGY


During summer and early fall 2011, Osterman Research conducted a total of 472 online surveys with individuals in four functional areas (IT, Human Resources, Operations and Legal) in organizations of various sizes. Most of the surveys were conducted with organizations in North America.
2011 Osterman Research, Inc. 1


We made the decision to make this white paper a primarily quantitative discussion of the research findings, presenting the detailed results of the research in the form of the questions that were asked of the various groups and the research findings themselves. To make the data easier to access, we have color coded the graphics in this report to correspond with the groups that were surveyed, as shown in the following figure.

Figure: color legend for the survey groups (Human Resources, IT, Legal, Operations).

ABOUT THIS WHITE PAPER


This white paper represents the first in a series of semi-annual reports focused on messaging policy-related issues. It was sponsored by Dell, Messaging Architects and Contoural; information on all three vendors is provided at the end of this white paper.

Key Findings Fall 2011


Basic security policies are widely implemented
While virtually all organizations have deployed anti-malware and anti-spam technologies, we also found that 85% of organizations automatically update applications attached to email to protect them from viruses, malware and unwanted content. Moreover, nearly two-thirds of organizations give email users self-service access for managing their quarantined spam, white lists, black lists, etc.

Most organizations have implemented an acceptable use policy for email
Five out of six organizations surveyed have implemented an acceptable use policy for email. However, fewer have actually deployed a control system for this policy, such as an employee signature or other formal acknowledgement program. The good news, however, is that three out of four organizations have a documented and clearly understood process for dealing with breaches of the policy.

Technology has been deployed to support acceptable use policies for email
Most organizations have deployed at least some capabilities in support of their acceptable use policies for email. For example, 86% can block or allow certain domains or senders; 66% have established filtering policies based on keywords or other parameters for inbound email; and 59% can apply filtering policies at the domain, group or user level.

Many organizations do not have a formal email retention policy
Our research found that only 54% of organizations have implemented a formally documented email retention policy and have trained their employees on it. Representing more risk, however, is the fact that only 53% of organizations can guarantee that messages are being preserved for the time set in their retention policies, and that only 62% of organizations report that their message retention policies are applied to their corporate message stores as required by company policy.

Content is often not stored in a central location
Only about one-quarter of organizations have implemented controls to prevent users from creating their own archives on a local storage device. While activities like e-discovery and data mining can still be effective on widely distributed data, many organizations have not implemented the tools needed to gather data from distributed sources, leaving them at risk of being unable to produce all required data during e-discovery, early case assessment or regulatory audits.

Most organizations do not use WORM storage for content archives
Our research found that only 36% of organizations have storage capabilities that support an archiving solution with Write Once Read Many (WORM) functionality. This is generally not a requirement outside of the financial services industry, but it can be considered a best practice to prevent tampering with and erasure of critical business records.

Many organizations do not readily encrypt content
Despite the availability of very good encryption capabilities both on-premises and in the cloud, only one-half of the organizations surveyed report that it is possible for their end users to encrypt sensitive messages or to have their emails automatically encrypted based on content; in fact, only one-third of IT-focused respondents report that automatic encryption has been implemented. This represents not only a serious potential risk of unauthorized access to confidential or sensitive information, but also a potential for statutory violations in jurisdictions that require encryption, such as Nevada and Massachusetts.

Many organizations cannot search security logs after a data breach
Our research found that 70% of organizations can search security logs following a breach of their email acceptable use policy, but 30% cannot. This leaves many organizations unable to fully analyze the cause and extent of data breaches, increasing their risk of non-compliance.

HR content filtering is deployed in only about one-half of organizations
Our research found that only 52% of organizations have implemented policies for automatic detection and filtering of confidential HR information, such as salary information, Social Security numbers, address lists and similar types of sensitive content. Perhaps explaining the relatively low level of content filtering is that almost the same proportion of organizations have conducted and implemented a categorization of electronic information based on security and confidentiality levels. This reveals that many organizations have a great deal of work to do in protecting their sensitive data assets.

Filtering for other purposes is sorely lacking
Our research found that only slightly more than one-quarter of organizations are filtering outbound content that may be going to the domains of known competitors. This leaves organizations vulnerable to the loss of sensitive or confidential competitive information from disgruntled employees or those who send content to competing firms by mistake. Moreover, only 56% of organizations' email systems support the filtering and quarantine of inbound or outbound content that could lead to legal disputes, such as insider knowledge, sexual or racial harassment, or inappropriate content in attachments.

Monitoring and compliance are lacking
Most organizations surveyed are not filtering outgoing email based on keywords or lexicons for libelous, inappropriate or defamatory content. Moreover, only one-third of organizations have established automatic triggers that set off an alert when email policies are violated. Here again, this leaves organizations vulnerable to non-compliance and legal culpability in the event of a data breach, sexually harassing content sent through email, or some other violation of corporate policy or the law. Our research also found that most organizations have not even conducted a risk assessment for the types of digital content that are sent or received through their corporate email system, making them even more vulnerable owing to the lack of insight into traffic flows and associated risks.

There are a variety of e-discovery vulnerabilities
In only one-half of organizations have employees been formally trained to understand the legal status that an email message holds in a court of law. On a more positive note, however, 82% of organizations believe they have the ability to meet the requirements of an e-discovery request for their email records, while 65% believe that an e-discovery request can be performed both rapidly and with a minimum of disruption to the organization. Interestingly, we found a discrepancy between what legal and IT respondents told us about their e-discovery capabilities. While 82% of legal-focused respondents believe that their organization has the ability to meet the requirements of an e-discovery request for email records, only 56% of IT-focused respondents believe that their organization has implemented the processes necessary to produce every required email in the event of an e-discovery request. This seeming disconnect may be due to a lack of communication between the legal and IT functions in many organizations (the missing legal-IT handshake), or it may be due to a lack of legal's understanding of the tools that IT has or has not deployed.

Some e-discovery capabilities may be incomplete
We found that in 56% of organizations, IT believes it can satisfy all e-discovery requests as if the messages were still in the system in native format, with none of the original header information altered and all metadata, such as tracking or status flags, kept completely intact. However, in four out of 11 organizations, IT does not believe it has the ability to satisfy e-discovery requests this completely. Moreover, only three out of five organizations believe their email capabilities provide adequate support for litigation holds, while only 54% believe that such a hold can be deployed confidentially across email, contact lists, task lists and calendar items. This leaves organizations vulnerable to spoliation of evidence, a serious problem given the severity of judgments handed down in a variety of cases in the recent past.

Two-thirds of organizations have policies for auditing employee email
Our research found that slightly more than two-thirds of organizations have implemented clear policies that establish who can audit an employee's email. Further, the same proportion of organizations has policies in place to prevent unauthorized possession of the personal archives of employees who are dismissed or voluntarily leave.

Many are vulnerable to data loss from lost or misplaced mobile devices
More than 70% of organizations have established clear security policies to prevent unauthorized access to email records stored on a laptop or smartphone if the device is lost or stolen. However, nearly 30% have not established such policies, leaving them exposed to data breaches and other serious consequences arising from the loss of mobile devices. Among organizations that do have clear security policies to prevent unauthorized access to email records on a lost or stolen laptop or smartphone, 79% have formalized these policies and monitor compliance with them.

Two-thirds of organizations have email acceptable use training programs
Our research found that two-thirds of organizations have implemented a training program to make employees aware of the potential reputation damage that could ensue if email is misused. Further, in three out of five organizations employees have been formally trained to understand the consequences of misusing the email system.

Two in five organizations have not implemented email redundancy
Only three in five organizations have implemented redundancy in their email infrastructure. Given the critical importance of email as both a communications and a file transport infrastructure in most organizations, the lack of redundancy leaves organizations vulnerable to even minor outages caused by power disruptions or localized inclement weather.

Disaster recovery planning needs some work
Our research found that four out of five organizations have a business disaster and continuity plan for their email systems, but that only 63% of organizations have implemented systems and procedures to restore their email system as documented in these plans. Among those organizations that have implemented such systems and procedures, only 71% have documented and rehearsed them. Among organizations that have a business disaster and continuity plan for email, 22% report that it cannot restore service in less than 24 hours.

Most organizations are not enforcing their code of business ethics
The vast majority of organizations surveyed have implemented a code of business ethics, but fewer than two in five organizations with such a code are enforcing it through email monitoring. This leaves organizations open to significant risk, not only because of the lack of monitoring, but also because of the disconnect between the implied expectation of ethical behavior and the perceived lack of effort in enforcing it.

Many organizations have an anonymous whistle-blower account
Our research found that slightly more than one-half of organizations have implemented an anonymous whistle-blower account for reporting suspected abuses.

SUMMARY
Our research clearly demonstrates that organizations of all sizes have serious policy issues, both in a lack of sufficient policies to address key areas such as retention, encryption and disaster recovery, and in the enforcement of the policies they have developed.

Acceptable Use Policies

Has your organization implemented an acceptable use policy for email?


Have you implemented a control system whereby employees sign or otherwise formally acknowledge your organization's acceptable usage policy for email?

IF YOU HAVE AN ACCEPTABLE USE POLICY FOR EMAIL: Does a documented process exist for dealing with breaches of your Acceptable Email Usage policy and is it clearly understood?


IF YOU HAVE AN ACCEPTABLE USE POLICY FOR EMAIL: Has your organization implemented a process to update users on any changes to the acceptable email use policy?


Have you implemented email filter settings to match your organization's acceptable email usage policy to cover the following elements? Please check all that apply.

In the event of an email acceptable use policy breach, are you able to search security logs?


Policies Focused on Encryption and Sensitive Content


Which of the following is true in your organization? Please check all that apply.

Has your organization conducted a risk assessment for the types of digital content being sent or received via email?


Is it possible for end users to encrypt sensitive messages, or can they be automatically encrypted if a certain keyword is detected?

Can your email system automatically trigger encryption of content based upon policies for sender, recipient or specific content?


Has your organization implemented policies for automatic detection and filtering of confidential or sensitive HR documents (salary information, Social Security Number, address list)?


Has your organization conducted and implemented a categorization of electronic information based upon security and confidentiality levels?

Is your organization filtering outgoing messages that may be going to the domains of known competitors?


Will messages containing sensitive content only be released with formal and signed consent?


Security Policies

Are the applications attached to your email system automatically updated against security threats from virus, malware and unwanted content?

Has your organization implemented clear policies for who can allow the audit of an employee's email?


In the case of employee dismissal or voluntary departure, are there policies in place to prevent unauthorized possession of personal archives?

Do you have clear security policies to prevent the unauthorized access to email records present on a laptop or a smartphone if the device is lost or stolen?


If you have clear security policies to prevent the unauthorized access to email records present on a laptop or a smartphone if the device is lost or stolen, are these policies written and monitored?

Have you implemented a training program to make employees aware of the reputation damage to your organization if your email system is (mis)used to send inappropriate or confidential content?


Archiving and Backup Policies

Has your organization implemented a formally documented email retention policy and have your employees been trained on it?

Is policy information stored in a central directory service where it is secure and backed up?


Can you guarantee that messages are being preserved for the time set in your organization's retention policy?

Are your message retention policies applied on your message stores as required by company policy?



Are your IT backup storage procedures applied to reflect your organization's policies?


Have you implemented the controls to stop users from creating their own archives on a local storage device?

Does your storage system support an archiving solution with Write Once Read Many storage capability that is non-erasable and tamper proof?


E-Discovery and Litigation Support Policies

Have your employees been formally trained to understand the legal status that an email message holds in a court of law?

Does your organization have the ability to meet the requirements of an e-discovery request for email records?


If so, can this response be performed both rapidly and with minimal disruption?

Have you implemented the processes to be able to produce any required email in the event of an e-discovery request?


Can all e-discovery results be produced as if they were still in the system in native format, none of the original header information altered, and all metadata like tracking or status flags kept completely intact?

Does your organization's email technology and systems provide support for litigation holds?


Can a litigation hold be confidentially deployed, and can it include support for email, contacts, to do lists and calendar items?

Does your email system support the filtering and quarantine of information (sent or received) that could lead to legal disputes? Common examples include insider knowledge, sexual or racial harassment and inappropriate content in attachments.


Disaster Recovery and Business Continuity Policies

Does your organization have a business disaster and continuity plan for your email systems?

Have you implemented systems and procedures to restore your email system as documented in your organization's disaster or business continuity plans?


If you have implemented systems and procedures to restore your email system as documented in your organization's disaster or business continuity plans, have you documented and rehearsed the procedure?

If your organization has a business disaster and continuity plan for your email systems, will it restore service in less than 24 hours?


Management Policies

Has your organization implemented a documented procedure for the creation of new user mailboxes and the permissions they should allow?

Has your organization implemented an anonymous whistleblower account for reporting suspected abuses?


Have you implemented automatic appending of email disclaimers on all outbound sent items?

Have your employees been formally trained to understand the consequences of misuse of the email system?


Has your organization implemented filters to prevent copyrighted content from being accepted into or distributed using your email system?


Miscellaneous Issues

Which of the following is true in your organization today? Please check all that apply.

Has your organization implemented a Code of Business Ethics?


If your organization has implemented a Code of Business Ethics, is it enforced through email monitoring?

Do email users have self-service access to manage their quarantined spam, white lists, black lists, etc.?


2011 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.
