Thursday, April 17, 2008

Information Security - Email Management

I've just finished a fascinating tranche of work on mail management, in my particular client's case using MIMESweeper, which works from a "stop" list, i.e. a list of banned words, phrases and regular expressions. The first issue to understand was legal compliance; the second was effective operational procedures that leverage the features of the tool. Below is a Freemind map of the overall process:

Language Coverage

We have a diverse workforce who speak many languages including Hindi, Finnish, Russian, Bulgarian etc. Deciding which languages the stop list should cover was a simple question for the in-house legal expert: we only need to cover the languages in which we conduct our business, which in the client's case means English, French, German and Japanese.

The stock English dictionary supplied with MIMESweeper contained mainly anatomical parts and the usual canonical profanity. The strategy of this particular stop list seemed to be male, heterosexual, white, American and lower class. I believe this is where the fecund British mind can add value: several online dictionaries are good sources of expletives and profanity (e.g. The Alternative Dictionaries, Roger's Profanisaurus etc.). Other interesting sources are SMS acronyms, which are increasingly being used by the younger generation; there are even translation sites which will turn English into "text speak", and these give you the spelling variants a literal match would otherwise miss. Add to that the words favoured by the slightly more educated, such as onanist. In every case it would be hard to argue that any of these words, phrases and acronyms have a place in business communications.

UK Legislative Changes

The legislative environment in the area of employment law, company regulation, data protection and human rights has changed so radically of late that there is a significant gap between practitioner perception and legal reality. Therefore, it may be wise to address this chasm in order to "provide a safe working environment" for staff. To that end, I've tried to cover all bases in a succinct yet comprehensive statement in the Email and Instant Messaging policy to reflect this intent:
  • the creation or distribution of any disruptive or offensive messages, including offensive comments about race, statements about gender, hair colour, disabilities, age, religious beliefs and practice, political beliefs, national origin, sexual orientation, sexist remarks, sexual candour or voyeurism

Email Governance - Data Protection, Human Rights and RIPA

Contrary to widely held belief, employees do have rights under the Data Protection and Human Rights Acts in the UK. Therefore, an explicit governance framework must be in place to control who may access email, user data and calendar information, under what authority and for what purpose:

Email Analysis Using MIMESweeper

And lastly, once we have our email, we need to be able to analyse it in a way that does not necessarily require anyone to read the contents.
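As an added illustration (not code from the original post, nor from MIMESweeper itself), the following Python sketch shows how a stop list of the kind described under Language Coverage can be held as words, phrases and regular expressions tagged by language, restricted to the business languages, and run over a message so that the operator sees only which rules fired and how often, never the message text. The rule identifiers, weights, threshold, leet-speak map and sample messages are all constructed for the example; a real list would be far longer. Two details matter in practice: the text is normalised before matching (zero-width characters stripped, fullwidth letters folded with NFKC, case folded, digit-for-letter substitutions such as 0nanist and d4mn reversed), and Japanese rules are matched as substrings, because word boundaries mean nothing in text written without spaces.

```python
"""Stop-list scanner in the style of a banned-words email policy (constructed example)."""
import re
import unicodedata
from dataclasses import dataclass
from typing import List

# Digit/symbol substitutions commonly used to dodge a literal match (constructed, not exhaustive).
# "!" -> "i" is deliberately NOT mapped: it would also swallow the word boundary after "damn!".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
ZERO_WIDTH = re.compile(r"[\u200b-\u200d\u2060\ufeff]")

# Only the languages in which the business is conducted are scanned; other lists are skipped.
BUSINESS_LANGUAGES = ("en", "fr", "de", "ja")
# Languages written without word spacing: a word rule must match as a substring.
UNSPACED = {"ja"}


@dataclass(frozen=True)
class Rule:
    rule_id: str   # hypothetical identifier, so an operator can cite the rule without the text
    lang: str
    kind: str      # "word" | "phrase" | "regex"
    pattern: str
    weight: int = 1


# Constructed stop list. A regex rule is matched against the normalised text, so it should be
# written in lower case and need not spell out leet variants itself.
STOP_LIST = [
    Rule("EN-001", "en", "word", "onanist", 2),
    Rule("EN-002", "en", "word", "wtf", 1),                          # SMS acronym
    Rule("EN-003", "en", "phrase", "go to hell", 2),
    Rule("EN-004", "en", "regex", r"(?<!\w)d+a+m+n+(?!\w)", 1),     # stretched spellings: daaamn
    Rule("DE-001", "de", "word", "verdammt", 1),
    Rule("FR-001", "fr", "word", "merde", 1),
    Rule("JA-001", "ja", "word", "馬鹿", 1),
    Rule("RU-001", "ru", "word", "дурак", 1),                        # not a business language: ignored
]


@dataclass(frozen=True)
class Hit:
    rule_id: str
    field: str     # "subject" or "body"
    count: int


def normalize(text: str) -> str:
    """Fold the tricks that defeat a literal match: zero-width characters, fullwidth and
    other compatibility forms (NFKC), letter case, and digit/symbol substitutions."""
    text = ZERO_WIDTH.sub("", text)
    text = unicodedata.normalize("NFKC", text)
    text = text.casefold()
    return text.translate(LEET)


def compile_rule(rule: Rule):
    """Turn a rule into a regex over normalised text. Word and phrase rules are literal
    (any whitespace run between phrase words); spaced languages get boundary guards."""
    if rule.kind == "regex":
        return re.compile(rule.pattern, re.IGNORECASE)
    body = r"\s+".join(re.escape(w) for w in normalize(rule.pattern).split())
    if rule.lang not in UNSPACED:
        body = rf"(?<!\w)(?:{body})(?!\w)"
    return re.compile(body, re.IGNORECASE)


def scan_message(subject: str, body: str, rules=STOP_LIST,
                 languages=BUSINESS_LANGUAGES, threshold: int = 2) -> dict:
    """Report which rules fired, per field, plus a weighted score and an action.
    The matched text itself is never returned, so the report can be reviewed without
    anyone reading the message."""
    compiled = [(r, compile_rule(r)) for r in rules if r.lang in languages]
    hits: List[Hit] = []
    score = 0
    for field, text in (("subject", subject), ("body", body)):
        norm = normalize(text)
        for rule, rx in compiled:
            n = len(rx.findall(norm))
            if n:
                hits.append(Hit(rule.rule_id, field, n))
                score += rule.weight * n
    return {"action": "quarantine" if score >= threshold else "deliver",
            "score": score, "hits": hits}


if __name__ == "__main__":
    # Constructed sample messages: one clean, one evasive, one Japanese with a fullwidth subject.
    for subj, text in [("Q2 forecast", "Please find attached the revised Q2 forecast for review."),
                       ("re: last night", "u r a complete 0nanist, d4mn it. wtf were you thinking"),
                       ("ｗｔｆ", "馬鹿じゃないの")]:
        print(scan_message(subj, text))
```

The digit map will mis-normalise legitimate content ("Q1" becomes "qi"); that only affects the copy used for matching, never the delivered message, but it is a reason to keep short, digit-heavy tokens out of the word list and to review the false-positive rate of each rule before it is allowed to block rather than just report.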

To be continued