Risk Management for Enterprise Email
Best business practices and economic considerations: risk assessment and how to manage risks.
Denis de Wit, Sales Engineer, MA
Cédric De Meulder, R&D Manager, OPNS
September 2006
It's all about perspective
99%: it's a really good score!
A different perspective
If 99% was good enough, then by the end of this seminar:
- 4000 pieces of mail would be lost.
- 250 checks would be deposited in the wrong bank accounts.
- 5 babies would be dropped during delivery.
- 120 flights would land in the wrong cities.
If 99% was good enough, then in the next 12 months:
- Your email servers will suffer at least 18 hours of unplanned downtime during business hours.
- It will cost your organization a minimum of 1000 per employee in lost productivity.
What is Risk Management?
Risk (noun):
1. (a) possibility of loss or injury; (b) liability for loss or injury if it occurs.
2. the chance of loss to the subject matter; also, the degree of probability of such loss (compare PERIL).
3. an insurance hazard from a specified cause or source, e.g. a war risk.
Risk Management:
(a) The process of analyzing exposure to risk and determining how best to handle such exposure.
(b) Establishing the consequences of those risks.
The Basics of Risk Assessment
Step 1: Formal Identification
- Legal vectors: discovery, compliance, fines.
- Storage vectors: uptime, growth, manageability.
- Security vectors: espionage, privacy, theft.
- Performance vectors: disaster recovery, business continuity.
Step 2: Establish the Scope
- Critical (yes/no), population (number affected), recovery speed (fast/slow).
- Value and cost category (hard vs. soft).
- Dollarize everything (this is not an ROI calculation).
Step 3: Record and Review
- Establishes the baselines for policy decisions.
- Provides documentation for change management.
Step 4: Take measurements and implement.
Risk assessment in the message flow
[Figure: message flow from incoming and outgoing messages to the mail repository to storage, with a risk point marked at each stage.]
Risks
Lost productivity due to:
- Mail processing by end users of unsolicited messages (spam, phishing).
- Downtime caused by viruses received by mail.
- Downtime due to (too) long disaster recovery.
Compliance/legal liabilities:
- Compliance: Sarbanes-Oxley, Basel 2, etc.
- Being confronted with claims where email is used as proof or as the basis of the claim.
- Email is increasingly considered a binding communication of agreements.
- Espionage and theft via (unsecured) outgoing messages.
Discovery/retention:
- Cost and effort of locating and recovering the required information.
The Result of Poor Assessment
- 2005: the SEC fined 5 top Wall Street firms a total of $8.2M for failure to comply with Rule 17a-4.
- 2004: Philip Morris USA Inc. was sanctioned $2.75 million after employees failed to preserve emails, as was required by the company's retention policy.
- Chevron paid $2.2 million to settle a lawsuit originating from the circulation of sexually offensive emails.
What should be included in dealing with risk management?
- Policy
- Compliance
- Security
- Crypto
- Content filtering
- Archiving
- Storage
- Identity
- Etc.
Product positioning in message flow
[Figure: inbound channels (SMTP, SMS, fax) feeding the mail repository (GroupWise / Exchange) and then storage.]
For today, focus on:
- Policy
- Security
- Archiving
Why you need a policy
E-mail abuse study:
- 86% of employees send and receive personal e-mail at work.
- 60% of employees send or receive offensive e-mail at work.
Risks a policy helps mitigate:
- Workplace lawsuits (sexual and racial harassment/discrimination, wrongful termination, hostile work environment, defamation, invasion of privacy; the list goes on).
- Lost productivity.
- Theft of confidential data, business interruption.
- Public relations nightmares.
- And of course, fines and settlements.
Policy checklist
Does your policy meet these requirements?
- Written.
- Understood (certification test).
- Dated and signed by all employees.
- Matches your content filtering software settings.
- Informs employees that you may archive content.
- Sets no expectation of privacy.
- Establishes guidelines for personal use.
- Is regularly monitored and tested.
Fulfillment of security
Only receive filtered and scanned email:
- No cluttering of systems; only validated mail is received.
- No lost productivity from people spending time reading unsolicited mail.
- No security hazards (phishing).
- Unsolicited mail is kept outside your messaging environment.
- No downtime due to viruses.
Optional PostX integration:
- Policy/rule-based encryption of outgoing emails without any desktop software.
Optimizing email storage
First distinguish between messaging for:
Communication
- Support for day-to-day business processes.
- Typically up to one year.
- Online storage (expensive).
Searching and discovery
- Long term.
- Large-volume storage.
- Flexibility.
Archiving solves
- Storage management.
- Performance and integrity.
- Cross-platform archiving solution.
- Information retention requirements.
- Information discovery.
- Information recovery and access.
GWArchive: intelligent storage and compliance
Benefits:
- Compliance and discovery.
- GroupWise system stability and data integrity.
- Time savings from centralized management.
GWArchive specific:
- eDirectory and GroupWise integration.
- Easy to create, manage and deploy policies.
- WebAccess integration.
- Integration of fax archiving.
- Data portability: simple and powerful; no dependencies, no databases, no problem.
- Encryption and single-instance storage with Nexsan.
And more:
- Cross-platform storage integration and information lifecycle management through partnerships with leading vendors such as NetApp, StorageTek and EMC.
- Client testimonials and deployment white paper.
Archiving system overview
[Figure: GroupWise servers feeding GWArchive server(s) that perform archiving, indexing, exporting, grooming and deletion into the archive repository (hard drive and optical/DVD/CD). Users and the auditor reach the archive through Web Access; the administrator manages settings and records management through eDirectory and web administration.]
Email archiving components
- Centralized management: eDirectory/identity-based policy management.
- Mailbox management (archiving): copying messages from the mail system.
- Data accessibility: providing access to archived messages (XML).
- Data discovery and export: finding and copying relevant records.
- Information lifecycle management: long-term management of data.
Compliance and storage management features
- CAS (content-addressed storage).
- Single-instance storage.
- Retention period (WORM).
- Encryption.
- Replication and self-healing.
- Scalability.
- Deletion.
Archiving project tasks
- Know your business requirements: access to information and collaboration requirements.
- Know your legal requirements.
- Know your discovery requirements: who needs access, to what, and how.
- Know your environment: remote sites, legacy data.
- Know your users.
- Develop your policies: email usage policy, retention policy, deletion policy.
- Plan your architecture: repository, remote locations, storage.
- Prepare your groupware system.
- Prepare and execute the plan: proof of concept, deployment.
What everyone asks
Is it more risky to save email or to throw it away?
- Early destruction of e-mail is increasingly dangerous: it raises suspicions in the legal system.
- Courts now impose severe fines for spoliation and obstruction of justice.
What is the best retention period for my employees?
- Your policies for electronic records need to mirror how you handle and dispose of paper-based records.
What everyone asks
Does every company really need to archive email?
- Yes.
Do I need to retain email for all users?
- Yes.
What really happens if email messages are destroyed or lost?
- You may need to settle out of court or pay fines.
Risks
- Productivity loss: end users; system down.
- Compliance/legal liabilities.
- Discovery/retention.
Risks (addressed)
- Productivity loss: OK (end users: OK; system down: OK).
- Compliance/legal liabilities: OK.
- Discovery/retention: OK.
Questions and answers
Thanks for your attention.
Next sessions after the break:
- In this room (Room A): Mobile Mail
- In the other room (Room B): Application Firewall