The Policy Survey Project: Fall 2011


WHITE PAPER

The Policy Survey Project

An Osterman Research White Paper
Published December 2011

Sponsored by Dell, Messaging Architects and Contoural

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • info@ostermanresearch.com
www.ostermanresearch.com • twitter.com/mosterman
The Policy Survey Project – Fall 2011

Executive Summary

WHAT IS THE POLICY SURVEY PROJECT?

The Policy Survey Project is a semi-annual survey program focused on the evolution of policies and controls around email, archiving and compliance. This semi-annual survey is designed to address the concerns of four key executive roles – Human Resources, IT, Legal and Operations – within organizations of various sizes. The goals of the program are three-fold:

• Gauge the current state of corporate policies and the deficiencies or risks that need to be addressed.
• Map the evolution of how policies and controls are designed, implemented and monitored over time.
• Understand the policy “temperature” in the corporate market as a reflection of the intent to invest in better risk management technology, services and processes.

OVERVIEW

Virtually every aspect of messaging management must follow a set of policies that are dictated by corporate best practice, legal requirements, regulatory obligations or industry standards. For example, every organization should address a growing number of sometimes-difficult issues focused on their messaging infrastructure:

• Which communication technologies are allowed in the workplace and which are not?
• How will personal devices used for work purposes be managed?
• How will content be managed for long periods to satisfy legal, regulatory and other requirements?
• What constitutes “acceptable use” of corporate communications resources and what does not?
• Should different employees be subject to different policy requirements based on their role in the organization?
• To what extent does an organization have the right to dictate what employees tweet or post on Facebook?

The answers to these questions, and the technologies and practices that organizations implement to address them, are critically important to minimize corporate risk, maximize employee productivity and generally advance the cause of the organization.

BACKGROUND AND METHODOLOGY

During summer and early fall 2011, Osterman Research conducted a total of 472 online surveys with individuals in four functional areas: IT, Human Resources, Operations and Legal in organizations of various sizes. Most of the surveys were conducted with organizations in North America.

©2011 Osterman Research, Inc.
We made the decision to make this white paper a primarily quantitative discussion of the research findings, presenting the detailed results of the research in the form of the questions that were asked of the various groups and the research findings themselves. To make the data easier to access, we have color coded the graphics in this report to correspond with the groups that were surveyed, as shown in the following figure, although the groups surveyed are identified in each of the graphics in this report.

[Figure: color legend – Human Resources, IT, Legal, Operations]

ABOUT THIS WHITE PAPER

This white paper represents the first in a series of semi-annual reports focused on messaging policy-related issues. It was sponsored by Dell, Messaging Architects and Contoural; information on all three vendors is provided at the end of this white paper.

Key Findings – Fall 2011

• A divergence of opinions
Our research found that there are significant differences of opinion between the various functions that we surveyed. We ascribe much of this to two important factors: a) a lack of communication between key stakeholders that arises primarily from lack of familiarity with other groups within a company, as well as b) divergent interests between the functions. For example, while legal may have a critical need to ensure that business records are retained for e-discovery, legal hold or regulatory compliance purposes, IT has a primary interest in the technology to preserve these records, not the reasons for which they are being retained.

• Basic security policies are widely implemented
While virtually all organizations have deployed anti-malware and anti-spam technologies, we also found that 85% of organizations automatically update applications attached to email to protect them from viruses, malware and unwanted content. Moreover, nearly two-thirds of organizations give email users self-service access for purposes of managing their quarantined spam, white lists, black lists, etc.

• Most organizations have implemented an acceptable use policy for email
Five out of six organizations surveyed have implemented an acceptable use policy for email. However, fewer have actually deployed a control system for this policy, such as through an employee signature or other formal acknowledgement program. The good news, however, is that three out of four organizations have a documented and clearly understood process for dealing with breaches of the policy.

• Technology has been deployed to support acceptable use policies for email
Most organizations have deployed at least some capabilities in support of their acceptable use policies for email. For example, 86% can block or allow certain domains or senders; 66% have established filtering policies based on keywords or other parameters for inbound email; and 59% can apply filtering policies at the domain, group or user level.

• Many organizations do not have a formal email retention policy
Our research found that only 54% of organizations have implemented a formally documented email retention policy and have trained their employees on it. Representing more risk, however, is the fact that only 53% of organizations can guarantee that messages are being preserved for the time set in their retention policies, and that only 62% of organizations report that their message retention policies are applied to their corporate message stores as required by company policy.

• Content is often not stored in a central location
Only about one-quarter of organizations have implemented controls to prevent users from creating their own archives on a local storage device. While activities like e-discovery and data mining can still be effective on widely distributed data, many organizations have not implemented the tools to enable the necessary data gathering from distributed sources, making them vulnerable to an inability to produce all required data during e-discovery, early case assessment or regulatory audits.

• Most organizations do not use WORM storage for content archives
Our research found that only 36% of organizations have storage capabilities that support an archiving solution with Write Once Read Many (WORM) functionality. This is generally not a requirement outside of the financial services industry, but it can be considered a best practice to prevent tampering and erasure of critical business records.

• Many organizations do not readily encrypt content
Despite the availability of very good encryption capabilities both on-premise and in the cloud, only one-half of the organizations surveyed report that it is possible for their end users to encrypt sensitive messages or have their emails automatically encrypted based on content – in fact, only one-third of IT-focused respondents report that automatic encryption has been implemented. This represents not only a serious potential risk for unauthorized access to confidential or sensitive information, but also a potential for statutory violations in jurisdictions that require encryption, such as Nevada and Massachusetts.

• Many organizations cannot search security logs after a data breach
Our research found that 70% of organizations can search security logs following a breach of their email acceptable use policy, but 30% cannot. This leaves many organizations vulnerable to not being able to fully analyze the cause and extent of data breaches, increasing their risk of non-compliance.

• HR content filtering is deployed in only about one-half of organizations
Our research found that only 52% of organizations have implemented policies for automatic detection and filtering of confidential HR information, such as salary information, Social Security numbers, address lists and similar types of sensitive content. Perhaps explaining the relatively low level of content filtering is that almost the same proportion of organizations have conducted and implemented a categorization of electronic information based on security and confidentiality levels. This reveals that many organizations have a great deal of work to do in the context of protecting their sensitive data assets.

• Filtering for other purposes is sorely lacking
Our research found that only slightly more than one-quarter of organizations are filtering outbound content that may be going to the domains of known competitors. This leaves organizations vulnerable to the loss of sensitive or confidential competitive information from disgruntled employees or those who send content to competing firms by mistake. Moreover, only 56% of organizations’ email systems support the filtering and quarantine of inbound or outbound content that could lead to legal disputes, such as insider knowledge, sexual or racial harassment, or inappropriate content in attachments.

• Monitoring and compliance are lacking
Most organizations surveyed are not filtering outgoing email based on keywords or lexicons for libelous, inappropriate or defamatory content. Moreover, only one-third of organizations have established automatic triggers that set off an alert when email policies are violated. Here again, this leaves organizations vulnerable to risks of non-compliance and legal culpability in the event of a data breach, sexually harassing content sent through email, or some other violation of corporate policy or the law. However, our research also found that most organizations have not even conducted a risk assessment for the types of digital content that are sent or received through their corporate email system, making them even more vulnerable owing to the lack of insight about traffic flows and associated risks.

• There are a variety of e-discovery vulnerabilities
In only one-half of organizations have employees been formally trained to understand the legal status that an email message holds in a court of law. On a more positive note, however, 82% of organizations believe they have the ability to meet the requirements of an e-discovery request for their email records, while 65% believe that an e-discovery request can be performed both rapidly and with a minimum of disruption to the organization. Interestingly, we found a discrepancy between what legal and IT respondents told us about their e-discovery capabilities. While 82% of legal-focused respondents believe that their organization has the ability to meet the requirements of an e-discovery request for email records, only 56% of IT-focused respondents believe that their organization has implemented the processes necessary to produce every required email in the event of an e-discovery request. This seeming disconnect may be due to a lack of communication between the legal and IT functions in many organizations (the missing “legal-IT handshake”), or it may be due to a lack of legal’s understanding of the tools that IT has deployed – or not deployed.

• Some e-discovery capabilities may be incomplete
We found that in 56% of organizations, IT believes it can satisfy all e-discovery requests as if they were still in the system in native format, with none of the original header information altered and all metadata, such as tracking or status flags, kept completely intact. However, in four out of 11 organizations, IT does not believe it has the ability to satisfy e-discovery requests this completely. Moreover, only three out of five organizations believe their email capabilities provide adequate support for litigation holds, while only 54% believe that such a hold can be deployed confidentially across email, contact lists, task lists and calendar items. This leaves organizations vulnerable to spoliation of evidence, a serious problem given the severity of judgments handed down in a variety of cases in the recent past.

• Two-thirds of organizations have policies for auditing employee email
Our research found that slightly more than two-thirds of organizations have implemented clear policies that establish who can audit an employee’s email. Further, the same proportion of organizations has policies in place to prevent unauthorized possession of the personal archives of employees who are dismissed or voluntarily leave.

• Many are vulnerable to data loss from lost or misplaced mobile devices
More than 70% of organizations have established clear security policies to prevent unauthorized access to email records that are stored on a laptop or smartphone if the device is lost or stolen. However, nearly 30% have not established these policies, making them subject to data breaches and other fairly nasty consequences arising from the loss of mobile devices. Among organizations that do have clear security policies to prevent unauthorized access to email records present on a laptop or a smartphone if the device is lost or stolen, 79% have formalized these policies and monitor their compliance.

• Two-thirds of organizations have email acceptable use training programs
Our research found that two-thirds of organizations have implemented a training program to make employees aware of the potential reputation damage that could ensue if email is misused. Further, three out of five organizations’ employees have been formally trained to understand the consequences of misusing the email system.

• Two in five organizations have not implemented email redundancy
Only three in five organizations have implemented redundancy into their email infrastructure. Given the critical importance of email as both a communications and a file transport infrastructure in most organizations, the lack of redundancy leaves organizations vulnerable to even minor outages caused by power disruptions or localized inclement weather.

• Disaster recovery planning needs some work
Our research found that four out of five organizations have a business disaster and continuity plan for their email systems, but that only 63% of organizations have implemented systems and procedures to restore their email system as documented in these plans. Among those organizations that have implemented systems and procedures to restore their email system, only 71% have documented and rehearsed their procedures.
Among organizations that have a business disaster and continuity plan for email, 22% report that it cannot restore service in less than 24 hours.

• Most organizations are not enforcing their code of business ethics
The vast majority of organizations surveyed have implemented a code of business ethics, but fewer than two in five organizations with such a code are enforcing it through email monitoring. This leaves organizations open to significant risk, not only because of the lack of monitoring, but also because of the disconnect between the implication of ethical behavior and the perceived lack of effort in enforcing it.

• Many organizations have an anonymous “whistle-blower” account
Our research found that slightly more than one-half of organizations have implemented an anonymous whistle-blower account for reporting suspected abuses.

SUMMARY

Our research clearly demonstrates that organizations of all sizes have serious policy issues, both in a lack of sufficient policies to address key areas around retention, encryption, disaster recovery and other important areas, as well as in enforcement of the policies that they have developed.

Recommendations

Although detailed recommendations about corporate policies must be made on a case-by-case basis, we can offer some high level recommendations about where improvements can be made in most organizations, particularly those that are quite large and/or that are geographically distributed:

• The need for a “meet-and-greet”
Our research clearly demonstrates that IT, HR, Operations and Legal are not always fully informed about the activities and perceptions of one another. As but one case in point, our research indicated a significant difference in the perceived readiness for e-discovery between legal and IT. To begin to resolve these issues, all organizations should have at least occasional meetings between key members of key corporate functions. The goal of these meetings should be to establish – at a minimum – informal relationships so that managers of each function can know who to contact when they have questions or when issues arise.

• Use appropriate communication and social media channels
It is also important to implement the appropriate technologies to facilitate cross-functional communication. For example, implementing an internal social media capability that can enable employees to find one another based on a search of expertise, background, etc. can be invaluable in building bridges between functions within a company. For example, a tool like Lotus Atlas for Connections can build visual chains from one individual to another, facilitating introductions and communications in ways that traditional email or other tools cannot.
• Implement a comprehensive plan
Finally, it is critical to develop a corporate plan for e-discovery, content management, digital rights management, content filtering, appropriate use of email and other tools, etc. The key here is a) to implement a plan at the corporate level instead of at individual functional levels, and b) to obtain buy-in from all key stakeholders in IT, HR, Operations, Legal, senior management, outside legal counsel, and the like. Many organizations develop departmental plans that are not as integrated with one another as they need to be, leading to conflicts between larger organizational goals and the goals of the individual stakeholders. Moreover, it is critical to implement a feedback mechanism so that policies can be a) created, b) enforced, c) monitored and d) updated when needed.

[Figure: policy lifecycle – Create, Enforce, Monitor, Update]

Acceptable Use Policies

KEY POINTS

• Most organizations have acceptable use policies
Our research found that the vast majority of organizations have acceptable use policies (AUPs) in place, with five out of six HR organizations reporting that they have been implemented.

• However, these tend to be basic policies without significant underlying support
The research also found that among organizations that have these policies there is not as much underlying “support” as there should be. For example, while 84% of HR organizations report having an AUP, only 69% have systems in place for employee acknowledgement of them; only 76% have documented processes for dealing with AUP breaches; and significantly fewer of these organizations’ IT departments have implemented specific controls around content protection and filtering.

• HR and IT need to be more in sync
Our research finds that HR and IT departments, while not completely out of sync with regard to AUPs, need to work more closely together so that content filtering and protection supports HR’s AUPs. Moreover, it is important for HR itself to work on implementing control systems for updating and ensuring compliance with AUPs.

“Has your organization implemented an acceptable use policy for email?” (Human Resources, n = 68 out of 70 total responses)
“Have you implemented a control system whereby employees sign or otherwise formally acknowledge your organization’s acceptable usage policy for email?” (Human Resources, n = 70 out of 70 total responses)

“IF YOU HAVE AN ACCEPTABLE USE POLICY FOR EMAIL: Does a documented process exist for dealing with breaches of your Acceptable Email Usage policy and is it clearly understood?” (Human Resources, n = 59 out of 70 total responses)

“IF YOU HAVE AN ACCEPTABLE USE POLICY FOR EMAIL: Has your organization implemented a process to update users on any changes to the acceptable email use policy?” (Human Resources, n = 59 out of 70 total responses)

“Has your organization implemented a documented procedure for the creation of new user mailboxes and the permissions they should allow?” (Human Resources, n = 68 out of 70 total responses)

“Have you implemented email filter settings to match your organization’s acceptable email usage policy to cover the following elements? Please check all that apply.” (IT, n = 122 out of 132 total responses)

“In the event of an email acceptable use policy breach, are you able to search security logs?” (IT, n = 132 out of 132 total responses)
Policies Focused on Encryption and Sensitive Content

KEY POINTS

• Organizations are at serious risk
Our research clearly indicates that organizations are at serious risk for losing sensitive or confidential content through email and other communication tools.

• Key risk factors
Among the leading causes of risk to organizations in this regard is the fact that fewer than one-half of organizations have conducted a risk assessment for digital content flowing through their email systems, fewer than one-half are filtering email for potentially damaging keywords, and only one-third trigger alerts when email policies are violated.

• Encryption is lacking
Only one-half of organizations enable users to manually encrypt sensitive content, while only one-third automatically encrypt messages based on corporate policies.

• Sensitive content is not being detected and filtered
Moreover, sensitive content like HR documents is not being detected and managed when sent through email in nearly one-half of organizations. In fewer than one-third of organizations is content being scanned that might be going to competitors.

“Which of the following is true in your organization? Please check all that apply.” (Operations, n = 154 out of 162 total responses)
“Has your organization conducted a risk assessment for the types of digital content being sent or received via email?” (Legal, n = 107 out of 108 total responses)

“Is it possible for end users to encrypt sensitive messages, or can they be automatically encrypted if a certain keyword is detected?” (Operations, n = 160 out of 162 total responses)

“Can your email system automatically trigger encryption of content based upon policies for sender, recipient or specific content?” (IT, n = 130 out of 132 total responses)

“Has your organization implemented policies for automatic detection and filtering of confidential or sensitive HR documents (salary information, Social Security Number, address list)?” (Human Resources, n = 69 out of 70 total responses)

“Has your organization conducted and implemented a categorization of electronic information based upon security and confidentiality levels?” (Operations, n = 132 out of 162 total responses)

“Is your organization filtering outgoing messages that may be going to the domains of known competitors?” (Operations, n = 162 out of 162 total responses)
“Will messages containing sensitive content only be released with formal and signed consent?” (Operations, n = 160 out of 162 total responses)

Security Policies

KEY POINTS

• Basic security is reasonable
Our research found that the vast majority of organizations do a reasonable job at automatically updating against security threats like malware, viruses and spam. While there is always room for improvement in this regard, most organizations are doing a reasonable job here.

• Other areas need improvement
However, the security of content when employees leave the company, and the protection of content from unauthorized access, are not as robust. For example, nearly one-third of organizations do not have clear security policies that spell out what happens when a mobile device is lost or stolen. Training programs could be better, given that one-third of organizations report no such program to educate users about damage to the corporate reputation if email is misused.
“Are the applications attached to your email system automatically updated against security threats from virus, malware and unwanted content?” (IT, n = 132 out of 132 total responses)

“Has your organization implemented clear policies for who can allow the audit of an employee’s email?” (Human Resources, n = 70 out of 70 total responses)

“In the case of employee dismissal or voluntary departure, are there policies in place to prevent unauthorized possession of personal archives?” (Human Resources, n = 69 out of 70 total responses)

“Do you have clear security policies to prevent the unauthorized access to email records present on a laptop or a smartphone if the device is lost or stolen?” (Human Resources, n = 68 out of 70 total responses)

“If you have clear security policies to prevent the unauthorized access to email records present on a laptop or a smartphone if the device is lost or stolen, are these policies written and monitored?” (Human Resources, n = 43 out of 70 total responses)

“Have you implemented a training program to make employees aware of the reputation damage to your organization if your email system is (mis)used to send inappropriate or confidential content?” (Human Resources, n = 70 out of 70 total responses)
“Do email users have the ability to self service access to manage their quarantined spam, white lists, black lists etc.?” (IT, n = 132 out of 132 total responses)

Archiving and Backup Policies

KEY POINTS

• More organizations need email retention policies
Our research found that nearly one-half of organizations do not have a formally documented email retention policy on which users have been trained. This, despite the fact that virtually all organizations have an obligation to retain email and other business records for long periods.

• Better processes are needed
Similarly, nearly one-half of organizations cannot guarantee that messages are retained for the length of time set in their retention policies, and more than one-third are not applying retention policies to message stores as required by company policy.

• Backup procedures are reasonably sound
Relatively speaking, however, IT backup storage procedures are being applied to reflect corporate policies in most cases.

• Users are not being managed properly
Our research also found that only about one in four organizations has implemented controls to prevent users from creating their own archives on local storage devices, resulting in potentially severe e-discovery problems if content cannot be identified and captured quickly.
“Has your organization implemented a formally documented email retention policy and have your employees been trained on it?” (Operations, n = 159 out of 162 total responses)

“Is policy information stored in a central directory service where it is secure and backed up?” (IT, n = 131 out of 132 total responses)

“Can you guarantee that messages are being preserved for the time set in your organization’s retention policy?” (IT, n = 131 out of 132 total responses)

“Are your message retention policies applied on your message stores as required by company policy?” (IT, n = 130 out of 132 total responses)

“Are your IT backup storage procedures applied to reflect your organization’s policies?” (IT, n = 131 out of 132 total responses)

“Have you implemented the controls to stop users from creating their own archives on a local storage device?” (IT, n = 129 out of 132 total responses)

“Does your storage system support an archiving solution with Write Once Read Many storage capability that is non-erasable and tamper proof?” (IT, n = 130 out of 132 total responses)
E-Discovery and Litigation Support Policies

KEY POINTS

• More training is in order
We found that only in one-half of the organizations surveyed are employees being formally trained to understand the legal status of email, despite the fact that email is now routinely used as evidence in legal actions of all types.

• E-discovery capabilities could use work
Despite the fact that more than four in five organizations claim they can meet the requirements of an e-discovery request for records, significantly fewer claim that such a response can be met with rapidity and minimal disruption.

• A disconnect between legal and IT
Interestingly, while 82% of legal respondents told us that their organization can meet e-discovery requirements for email, only 56% of IT departments told us they can produce any required email in the event of e-discovery. This clearly represents a disconnect either in the understanding of the two functions, or in the interpretation of what satisfies a full and complete response to e-discovery.

• Litigation holds need work
Only three in five legal departments told us they have the technology to implement a legal hold, putting these organizations at serious risk in legal cases of all types.

“Have your employees been formally trained to understand the legal status that an email message holds in a court of law?” (Legal, n = 108 out of 108 total responses)
“Does your organization have the ability to meet the requirements of an e-discovery request for email records?” (Legal, n = 107 out of 108 total responses)

“If so, can this response be performed both rapidly and with minimal disruption?” (Legal, n = 101 out of 108 total responses)

“Have you implemented the processes to be able to produce any required email in the event of an e-discovery request?” (IT, n = 130 out of 132 total responses)

“Can all e-discovery results be produced as if they were still in the system in native format, none of the original header information altered, and all metadata like tracking or status flags kept completely intact?” (IT, n = 129 out of 132 total responses)

“Does your organization’s email technology and systems provide support for litigation holds?” (Legal, n = 105 out of 108 total responses)

“Can a litigation hold be confidentially deployed, and can it include support for email, contacts, to do lists and calendar items?” (Legal, n = 107 out of 108 total responses)
Chart: “Does your email system support the filtering and quarantine of information (sent or received) that could lead to legal disputes? Common examples include insider knowledge, sexual or racial harassment and inappropriate content in attachments.” (Legal, n = 105 out of 108 total responses)

Disaster Recovery and Business Continuity Policies

KEY POINTS

• Disaster recovery plans are in place, but...
  Four out of five operations respondents reported that there is an email-focused disaster recovery and continuity plan in place for their corporate email systems, but significantly fewer IT departments report that the required systems and procedures have been put in place to support these plans.

• Email outages can be lengthy
  Our research also found that nearly one-quarter of organizations report that their disaster recovery and business continuity plans and technologies will not restore email within 24 hours, revealing a serious gap in both the plans and the technology implementations within many organizations.
Chart: “Does your organization have a disaster and continuity plan for your email systems?” (Operations, n = 153 out of 162 total responses)

Chart: “Have you implemented systems and procedures to restore your email system as documented in your organization’s disaster or business continuity plans?” (IT, n = 121 out of 132 total responses)
Chart: “If you implemented systems and procedures to restore your email system as documented in your organization’s disaster or business continuity plans, have you documented and rehearsed the procedure?” (IT, n = 80 out of 132 total responses)

Chart: “If your organization has a business disaster and continuity plan for your email systems, will it restore service in less than 24 hours?” (Operations, n = 115 out of 162 total responses)
Management Policies

KEY POINTS

• Automatic disclaimers are not as common as they should be
  We found that only slightly more than one-half of organizations can automatically append a disclaimer to all outbound emails.

• Organizations are at risk of copyright violations
  Moreover, we found that only about one-third of organizations have implemented filters to prevent copyrighted materials from being accepted into or distributed using the corporate email system. This puts organizations at serious risk of violating others’ copyrights and adds significantly to corporate risk exposure.

Chart: “Has your organization implemented an anonymous whistle-blower account for reporting suspected abuses?” (Human Resources, n = 70 out of 70 total responses)
Chart: “Have you implemented automatic appending of email disclaimers on all outbound sent items?” (Legal, n = 107 out of 108 total responses)

Chart: “Have your employees been formally trained to understand the consequences of misuse of the email system?” (Legal, n = 104 out of 108 total responses)
Chart: “Has your organization implemented filters to prevent copyrighted content from being accepted into or distributed using your email system?” (Legal, n = 106 out of 108 total responses)

Miscellaneous Issues

KEY POINTS

• Most have implemented a code of business ethics
  The good news is that the vast majority of organizations have implemented a code of business ethics, thereby mitigating their risk on a number of levels. However, only about two in five organizations can enforce their code through email monitoring.

• Monitoring and management could be improved
  Our research also found that most organizations have implemented redundancy, documented procedures for regular system maintenance, and monitoring for system availability. However, we believe these figures should be much closer to 100% than they are, given the mission-critical nature of email and other communication and content management systems.
Chart: “Which of the following is true in your organization today? Please check all that apply.” (IT, N = 123 out of 132 total responses)

Chart: “Has your organization implemented a Code of Business Ethics?” (Human Resources, n = 65 out of 70 total responses)
Chart: “If your organization has implemented a Code of Business Ethics, is it enforced through email monitoring?” (Human Resources, n = 47 out of 70 total responses)
Sponsors of This White Paper

Dell, Inc.
300 Innovative Way
Suite 201
Nashua, NH 03062
+1 800 WWW DELL
www.dell.com

The right storage strategy can transform data into a strategic asset — not an IT maintenance headache. Companies are coping with an onslaught of digital information that’s growing at exponential rates. But not all data deserves the same treatment. As the deluge continues, it’s time to reduce the uncertainty and costs of data management. Intelligent Data Management (IDM) solutions from Dell can help.

Smarter Solutions: Intelligent Data Management
With the right tools, you can achieve enormous storage efficiencies. Open, capable and affordable IDM solutions from Dell can help you:
• Control expense — Enable your IT staff to implement a comprehensive data management strategy to access, prioritize, preserve and protect data at an affordable, predictable and sustainable cost.
• Create value — Transform data from an unsustainable burden into a valuable strategic asset.
• Increase efficiency — Optimize data placement across storage tiers.
• Manage data growth — Make smart decisions about where and how you store data.
• Keep data accessible — Ensure data is readily available to meet compliance and business unit requirements.
• Reduce risk — Eliminate costly data loss, deduplication errors, access problems and backup challenges.
• Protect against disaster — Create data copies that can be cost-effectively stored and quickly recovered.
• Address long-haul business requirements — Expand performance and capacity simultaneously — and without disruption — over time.

Intelligent Data Management
Dell’s new Email and File Archive solution helps customers manage the information that is the lifeblood of their organizations. Dell’s end-to-end solution capabilities can help customers address storage optimization and compliance requirements, while alleviating burdens related to design, implementation, and ongoing management through:
• Pre-configured reference architectures that ease solution design, while allowing for needed customization based on customer-specific requirements.
• All ongoing maintenance and support from a single point of contact, including hardware and software (ISVs included).
• Storage platforms that support massive scalability and ease of use, to protect customer investments and enable them to keep up with rapid data growth.
Dell’s approach maintains customer choice with backup and archiving software providers, preferred consumption model (cloud or on-premise) and the services needed to optimize their IT environment and comply with data retention requirements.

Messaging Architects
180 Peel Street
Suite 333
Montreal, QC
Canada H3C 2G7
+1 514 392 9220
www.messagingarchitects.com

Founded in 1995, Messaging Architects is a global builder of infrastructure for Business Driven Email. We provide software and services that deliver 100% uptime and compliance. Thousands of organizations worldwide depend on our solutions for risk-free messaging and collaboration. Our M+Platform expertly bridges email security and compliance gaps by managing the complete lifecycle of email – from the moment a message enters the organization to its end-of-life destruction.

The M+Platform includes: M+Guardian, a solution that filters inbound and outbound email and attachments for policy breaches, security threats, and data leaks; M+NetMail, a high-performance email solution; M+Archive, a solution that archives your email records and enables them to be quickly searched, retrieved, and presented on demand; and M+SecureStore, a solution for managing and storing your growing volume of corporate data.

Contoural, Inc.
1935 Landings Drive
Mountain View, CA 94043
+1 650 390 0800
www.contoural.com

Contoural is a leading independent provider of business and technology consulting services focused on litigation readiness, compliance, information and records management, and data retention strategy. We sell no products nor take referral fees, offering our clients truly independent advice.

We believe that creating a consensus across our clients’ organization is a cornerstone of an effective strategy. Our services encompass all electronically stored information (ESI), including e-mail as well as paper documents.
With an average of 14 years’ industry experience, our team is comprised of attorneys, former compliance officers, and records managers who have a deep understanding of legal, compliance and business requirements for retaining and managing information, combined with seasoned IT professionals with expertise in archival, search, litigation management systems, data classification and storage, focused on program execution.

Our clients include more than 20% of the Fortune 500, as well as many small and mid-sized industries across the U.S., with engagements throughout the world. Contoural’s dramatic growth is based on providing value to our clients; we have built a reputation for successful engagements.

© 2011 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.