ZDNet UK



Server platforms Toolkit

Assess e-info vulnerabilities

Debra Young

Published: 19 Feb 2003 09:49 GMT


3. Do we have an archive of critical electronic messages?
An archive of corroborating documentation is essential today for legal compliance and litigation reasons. You must know if the IT system maintains an audit trail of incoming, outgoing, and internal electronic correspondence. Lawsuits can tarnish a business's reputation -- long-term, this could affect investor relations and erode stock value or undermine strategic business alliances. A negative image could even harm your company's ability to recruit top-notch employees, derailing future growth. In heavily regulated industries like finance and healthcare, failure to provide extensive documentation on demand can result in extremely stiff fines and potential jail time.

Archiving business e-mails to a database is one part of the solution. Recording and storing specific incoming, outgoing, and internal e-mails by user, group, or domain makes it easy to retrieve and review corroborating documents when needed.

"If a computer crime was found in your company, is it possible to absolutely prove to the court, media, and stockholders who committed the crime?" noted Sherizen. If the answer is no, your information security experts need to beef up your user identification and authentication methods as well. Sherizen suggests there are a number of biometric authentication tools (fingerprint and/or iris scan, voice recognition, etc.) and authorisation control technology packages that are worth investigating.

4. What's in place to stop malicious attacks?
Just because an attack hasn't happened yet doesn't mean it won't. You need to know whether steps are being taken, and which ones, to prevent viruses from contaminating or destroying your company's electronic data, whether the threat comes from external, internal, or remote sources.

Sherizen said, "IT security people need to keep abreast of what's happening in information security in their industry. Look at the kinds of attacks that have occurred, and learn about the kinds of approaches being implemented to prevent or detect security breaches."

Also, IT security staff should be conducting ongoing evaluation of the latest e-information security techniques and tools, weighing the cost of implementing various strategies against corporate objectives.

On the most basic level, any IT system must be able to detect and block viruses. A number of tools on the market today can countermand intrusions by name pattern, file type, structure, or fingerprint.
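The four screening criteria named above (name pattern, file type, structure, fingerprint) can be sketched as a mail-attachment check. This is an added example, not code from the article or from any product it mentions; the blocklists, addresses and sample message are constructed, and the function names are hypothetical.

```python
import hashlib
import re
from email.message import EmailMessage

# Constructed policy values, for illustration only.
KNOWN_BAD = b"constructed known-bad sample"
BLOCKED_NAME = re.compile(r"\.(exe|scr|pif|vbs|bat)$", re.I)    # name pattern
BLOCKED_TYPES = {"application/x-msdownload"}                     # declared file type
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")                           # structure
BLOCKED_SHA256 = {hashlib.sha256(KNOWN_BAD).hexdigest()}         # fingerprint

def screen_attachment(filename, content_type, data):
    """Return the reasons (possibly none) to quarantine one attachment."""
    reasons = []
    if BLOCKED_NAME.search(filename or ""):
        reasons.append("name pattern")
    if content_type in BLOCKED_TYPES:
        reasons.append("file type")
    # Leading bytes are checked regardless of the sender-supplied name and type.
    if data.startswith(EXECUTABLE_MAGIC):
        reasons.append("structure")
    if hashlib.sha256(data).hexdigest() in BLOCKED_SHA256:
        reasons.append("fingerprint")
    return reasons

def screen_message(msg):
    """Map each attachment filename to its quarantine reasons (empty = pass)."""
    verdicts = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        verdicts[name] = screen_attachment(name, part.get_content_type(), data)
    return verdicts

def build_sample():
    """Constructed message: four attachments, one per outcome of interest."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Q3"
    msg.set_content("See attached.")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    for data, subtype, name in [
        (b"MZ\x90\x00" + b"\x00" * 60, "pdf", "report.pdf"),   # executable header, renamed
        (b"hello", "x-msdownload", "setup.EXE"),
        (KNOWN_BAD, "msword", "invoice.doc"),
    ]:
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    return msg
```

The renamed `report.pdf` passes the name and type checks and is caught only by its leading bytes, which is why the structural check does not rely on what the sender declares.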

"Management may have to make some strategic tradeoff decisions as to what's appropriate and what's not," said Sherizen. Limiting access to certain information may reduce the risk of security breaches. On the other hand, instituting restrictive roadblocks to sensitive information may hamper your company's agility to pursue unexpected business opportunities.

5. What is in place to limit legal culpability relating to e-mail?
You must take steps to contain your company's liability for the content of any communication originating from your messaging systems. Any instance of e-mail abuse over the corporate network, such as messages that may be construed as sexual harassment, for example, leaves your company wide open to charges.

In July of 2000, Dow Chemical fired 50 workers and disciplined another 200 for distributing, downloading, or saving pictures that were either pornographic or violent. The employees were found to have violated the company's harassment-free work environment policy. The repercussions from that event and subsequent disciplining were wide ranging. Besides the expense of terminating staff, and recruiting and training replacements, the company had to contend with poor morale, loss in productivity from the 200 workers, unpaid suspensions, and probations.

While many companies have corporate policies in place on "appropriate" Internet and e-mail use, this might not be sufficient to limit your company's liability. You also need a systematic approach to screening e-mail content to ensure compliance with corporate ethics.

Staying ahead of the security curve
Amy Kessler, vice president and general manager of GROUP Technologies, a developer of security software, offers five tips on ways CIOs can shore up security:

  • Build awareness. Make sure every employee and partner with access to systems understands policies about e-mail, data access, passwords, software installation, and Internet use.
  • Survey and evaluate. Conduct a comprehensive survey of your data and determine what's most important to protect and what's not. Then evaluate what tools and applications are best for the job.
  • Use the right tools. A firewall and antivirus software aren't enough. For instance, some software can block certain types of data from being e-mailed. Other software can filter e-mail according to specific criteria.
  • Aggressively test the network. Once you've put your tools in place, rigorously test your network inside and out. Use your own internal team or hire professional hackers to try and crack your system. Then keep testing your network regularly and plug any holes that surface.

And maybe most importantly, experts say it's critical that CIOs don't become complacent about security. It's easy to develop and install safeguards and then forget about them -- especially if nothing bad happens. Complacency leads to security lapses as updates lag and new holes go uncovered. If you haven't had a breach in a long time, it's easy to think that you're safe forever. And if you believe that, it's probably only a matter of time before you find yourself in deep trouble.

