WHITE PAPER
The Policy Survey Project
An Osterman Research White Paper
Published December 2011
Sponsored by
Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • info@ostermanresearch.com
www.ostermanresearch.com • twitter.com/mosterman
2. The Policy Survey Project – Fall 2011
Executive Summary
WHAT IS THE POLICY SURVEY PROJECT?
The Policy Survey Project is a semi-annual survey program focused on the evolution of policies
and controls around email, archiving and compliance. This semi-annual survey is designed to
address the concerns of four key executive roles – Human Resources, IT, Legal and Operations
– within organizations of various sizes. The goals of the program are three-fold:
• Gauge the current state of corporate policies and the deficiencies or risks that need to be
addressed.
• Map the evolution of how policies and controls are designed, implemented and monitored
over time.
• Understand the policy “temperature” in the corporate market as a reflection of the intent
to invest in better risk management technology, services and processes.
OVERVIEW
Virtually every aspect of messaging management must follow a set of policies that are dictated
by corporate best practice, legal requirements, regulatory obligations or industry standards. For
example, every organization should address a growing number of sometimes-difficult issues
focused on their messaging infrastructure:
• Which communication technologies are allowed in the workplace and which are not?
• How will personal devices used for work purposes be managed?
• How will content be managed for long periods to satisfy legal, regulatory and other
requirements?
• What constitutes “acceptable use” of corporate communications resources and what does
not?
• Should different employees be subject to different policy requirements based on their role in
the organization?
• To what extent does an organization have the right to dictate what employees tweet or post
on Facebook?
The answers to these questions, and the technologies and practices that organizations
implement to address them, are critically important to minimize corporate risk, maximize
employee productivity and generally advance the cause of the organization.
BACKGROUND AND METHODOLOGY
During summer and early fall 2011, Osterman Research conducted a total of 472 online surveys
with individuals in four functional areas: IT, Human Resources, Operations and Legal in
organizations of various sizes. Most of the surveys were conducted with organizations in North
America.
©2011 Osterman Research, Inc. 1
We made the decision to make this white paper a primarily quantitative discussion of the
research findings, presenting the detailed results of the research in the form of the questions
that were asked of the various groups and the research findings themselves. To make the data
easier to access, we have color coded the graphics in this report to correspond with the groups
that were surveyed, as shown in the following figure, although the groups surveyed are
identified in each of the graphics in this report.
[Figure: color legend for the surveyed groups: Human Resources, IT, Legal, Operations]
ABOUT THIS WHITE PAPER
This white paper represents the first in a series of semi-annual reports focused on messaging
policy-related issues. It was sponsored by Dell, Messaging Architects and Contoural;
information on all three vendors is provided at the end of this white paper.
Key Findings – Fall 2011
• A divergence of opinions
Our research found that there are significant differences of opinion between the various
functions that we surveyed. We ascribe much of this to two important factors: a) a lack of
communication between key stakeholders that arises primarily from a lack of familiarity with
other groups within a company, and b) divergent interests between the functions. For
example, while legal may have a critical need to ensure that business records are retained
for e-discovery, legal hold or regulatory compliance purposes, IT's primary interest is in
the technology that preserves these records, not the reasons for which they are being retained.
• Basic security policies are widely implemented
While virtually all organizations have deployed anti-malware and anti-spam technologies, we
also found that 85% of organizations automatically update the applications attached to their
email system to protect against viruses, malware and unwanted content. Moreover, nearly
two-thirds of organizations give email users self-service access to manage their quarantined
spam, white lists, black lists, etc.
• Most organizations have implemented an acceptable use policy for email
Five out of six organizations surveyed have implemented an acceptable use policy for email.
However, fewer have actually deployed a control system for this policy, such as through an
employee signature or other formal acknowledgement program. The good news, however,
is that three out of four organizations have a documented and clearly understood process
for dealing with breaches of the policy.
• Technology has been deployed to support acceptable use policies for email
Most organizations have deployed at least some capabilities in support of their acceptable
use policies for email. For example, 86% can block or allow certain domains or senders;
66% have established filtering policies based on keywords or other parameters for inbound
email; and 59% can apply filtering policies at the domain, group or user level.
• Many organizations do not have a formal email retention policy
Our research found that only 54% of organizations have implemented a formally
documented email retention policy and have trained their employees on it. Representing
more risk, however, is the fact that only 53% of organizations can guarantee that messages
are being preserved for the time set in their retention policies, and that only 62% of
organizations report that their message retention policies are applied to their corporate
message stores as required by company policy.
• Content is often not stored in a central location
Only about one-quarter of organizations have implemented controls to prevent users from
creating their own archives on a local storage device. While activities like e-discovery and
data mining can still be effective on widely distributed data, many organizations have not
implemented the tools needed to gather data from distributed sources, leaving them unable
to produce all required data during e-discovery, early case assessment or regulatory audits.
• Most organizations do not use WORM storage for content archives
Our research found that only 36% of organizations have storage capabilities that support an
archiving solution with Write Once Read Many (WORM) functionality. This is generally not a
requirement outside of the financial services industry, but it can be considered a best
practice to prevent tampering and erasure of critical business records.
• Many organizations do not readily encrypt content
Despite the availability of very good encryption capabilities both on-premise and in the
cloud, only one-half of the organizations surveyed report that it is possible for their end
users to encrypt sensitive messages or have their emails automatically encrypted based on
content – in fact, only one-third of IT-focused respondents report that automatic encryption
has been implemented. This represents not only a serious potential risk for unauthorized
access to confidential or sensitive information, but also a potential for statutory violations in
jurisdictions that require encryption, such as Nevada and Massachusetts.
• Many organizations cannot search security logs after a data breach
Our research found that 70% of organizations can search security logs following a breach of
their email acceptable use policy, but 30% cannot. This leaves many organizations
vulnerable to not being able to fully analyze the cause and extent of data breaches,
increasing their risk of non-compliance.
• HR content filtering is deployed in only about one-half of organizations
Our research found that only 52% of organizations have implemented policies for automatic
detection and filtering of confidential HR information, such as salary information, Social
Security numbers, address lists and similar types of sensitive content. Perhaps explaining
the relatively low level of content filtering is that almost the same proportion of
organizations have conducted and implemented a categorization of electronic information
based on security and confidentiality levels. This reveals that many organizations have a
great deal of work to do in the context of protecting their sensitive data assets.
• Filtering for other purposes is sorely lacking
Our research found that only slightly more than one-quarter of organizations are filtering
outbound content that may be going to the domains of known competitors. This leaves
organizations vulnerable to the loss of sensitive or confidential competitive information from
disgruntled employees or those who send content to competing firms by mistake.
Moreover, only 56% of organizations’ email systems support the filtering and quarantine of
inbound or outbound content that could lead to legal disputes, such as insider knowledge,
sexual or racial harassment, or inappropriate content in attachments.
• Monitoring and compliance are lacking
Most organizations surveyed are not filtering outgoing email based on keywords or lexicons
for libelous, inappropriate or defamatory content. Moreover, only one-third of organizations
have established automatic triggers that set off an alert when email policies are violated.
Here again, this leaves organizations vulnerable to risks of non-compliance and legal
culpability in the event of a data breach, sexually harassing content sent through email, or
some other violation of corporate policy or the law.
However, our research also found that most organizations have not even conducted a risk
assessment for the types of digital content that are sent or received through their corporate
email system, making them even more vulnerable owing to the lack of insight about traffic
flows and associated risks.
• There are a variety of e-discovery vulnerabilities
In only one-half of organizations have employees been formally trained to understand the
legal status that an email message holds in a court of law. On a more positive note,
however, 82% of organizations believe they have the ability to meet the requirements of an
e-discovery request for their email records, while 65% believe that an e-discovery request
can be performed both rapidly and with a minimum of disruption to the organization.
Interestingly, we found a discrepancy between what legal and IT respondents told us about
their e-discovery capabilities. While 82% of legal-focused respondents believe that their
organization has the ability to meet the requirements of an e-discovery request for email
records, only 56% of IT-focused respondents believe that their organization has
implemented the processes necessary to produce every required email in the event of an e-
discovery request. This seeming disconnect may be due to a lack of communication
between the legal and IT functions in many organizations (the missing “legal-IT
handshake”), or it may be due to a lack of legal’s understanding of the tools that IT has
deployed – or not deployed.
• Some e-discovery capabilities may be incomplete
We found that in 56% of organizations, IT believes it can satisfy all e-discovery requests as
if the messages were still in the system in native format, with none of the original header
information altered and all metadata, such as tracking or status flags, kept completely intact.
However, in four out of 11 organizations, IT does not believe it has the ability to satisfy
e-discovery requests this completely.
Moreover, only three out of five organizations believe their email capabilities provide
adequate support for litigation holds, while only 54% believe that such a hold can be
deployed confidentially across email, contact lists, task lists and calendar items. This leaves
organizations vulnerable to spoliation of evidence, a serious problem given the severity of
judgments handed down in a variety of cases in the recent past.
• Two-thirds of organizations have policies for auditing employee email
Our research found that slightly more than two-thirds of organizations have implemented
clear policies that establish who can audit an employee’s email. Further, the same
proportion of organizations has policies in place to prevent unauthorized possession of the
personal archives of employees who are dismissed or voluntarily leave.
• Many are vulnerable to data loss from lost or misplaced mobile devices
More than 70% of organizations have established clear security policies to prevent the
unauthorized access to email records that are stored on a laptop or smartphone if the
device is lost or stolen. However, nearly 30% have not established these policies, making
them subject to data breaches and other fairly nasty consequences arising from the loss of
mobile devices.
However, among organizations that have clear security policies to prevent the unauthorized
access of email records present on a laptop or a smartphone if the device is lost or stolen,
79% of these organizations have formalized these policies and monitor their compliance.
• Two-thirds of organizations have email acceptable use training programs
Our research found that two-thirds of organizations have implemented a training program to
make employees aware of the potential reputation damage that could ensue if email is
misused. Further, three out of five organizations’ employees have been formally trained to
understand the consequences of misusing the email system.
• Two in five organizations have not implemented email redundancy
Only three in five organizations have implemented redundancy into their email
infrastructure. Given the critical importance of email as both a communications and a file
transport infrastructure in most organizations, the lack of redundancy leaves organizations
vulnerable to even minor outages caused by power disruptions or localized inclement
weather.
• Disaster recovery planning needs some work
Our research found that four out of five organizations have a business disaster and
continuity plan for their email systems, but that only 63% of organizations have
implemented systems and procedures to restore their email system as documented in these
plans. Among those organizations that have implemented systems and procedures to
restore their email system, only 71% have documented and rehearsed their procedures.
Among organizations that have a business disaster and continuity plan for email, 22%
report that they cannot restore service in less than 24 hours.
• Most organizations are not enforcing their code of business ethics
The vast majority of organizations surveyed have implemented a code of business ethics,
but fewer than two in five organizations with such a code are enforcing it through email
monitoring. This leaves organizations open to significant risk, not only because of the lack
of monitoring, but also because of the disconnect between the implication of ethical
behavior and the perceived lack of effort in enforcing it.
• Many organizations have an anonymous “whistle-blower” account
Our research found that slightly more than one-half of organizations have implemented an
anonymous whistle-blower account for reporting suspected abuses.
SUMMARY
Our research clearly demonstrates that organizations of all sizes have serious policy issues, both
in a lack of sufficient policies to address key areas around retention, encryption, disaster
recovery and other important areas, and in the enforcement of the policies that they have
developed.
Recommendations
Although detailed recommendations about corporate policies must be made on a case-by-case
basis, we can offer some high level recommendations about where improvements can be made
in most organizations, particularly those that are quite large and/or that are geographically
distributed:
• The need for a “meet-and-greet”
Our research clearly demonstrates that IT, HR, Operations and Legal are not always fully
informed about the activities and perceptions of one another. As but one case in point, our
research indicated a significant difference in the perceived readiness for e-discovery
between legal and IT.
To begin to resolve these issues, all organizations should have at least occasional meetings
between key members of key corporate functions. The goal of these meetings should be to
establish – at a minimum – informal relationships so that managers of each function can
know who to contact when they have questions or when issues arise.
• Use appropriate communication and social media channels
It is also important to implement the appropriate technologies to facilitate cross-functional
communication. For example, implementing an internal social media capability that can
enable employees to find one another based on a search of expertise, background, etc. can
be invaluable in building bridges between functions within a company. For example, a tool
like Lotus Atlas for Connections can build visual chains from one individual to another,
facilitating introductions and communications in ways that traditional email or other tools
cannot.
• Implement a comprehensive plan
Finally, it is critical to develop a corporate plan for e-discovery, content management, digital
rights management, content filtering, appropriate use of email and other tools, etc. The key
here is a) to implement a plan at the corporate level instead of at individual functional
levels, and b) obtain buy-in from all key stakeholders in IT, HR, Operations, Legal, senior
management, outside legal counsel, and the like. Many organizations develop departmental
plans that are not as integrated with one another as they need to be, leading to conflicts
between larger organizational goals and the goals of the individual stakeholders.
Moreover, it is critical to implement a feedback mechanism so that a) policies can be
created, b) enforced, c) monitored and d) updated when needed.
[Figure: policy feedback cycle: Create → Enforce → Monitor → Update]
Acceptable Use Policies
KEY POINTS
• Most organizations have acceptable use policies
Our research found that the vast majority of organizations have acceptable use policies
(AUPs) in place, with five out of six HR organizations reporting that they have been
implemented.
• However, these tend to be basic policies without significant underlying support
The research also found that among organizations that have these policies there is not as
much underlying “support” as there should be. For example, while 84% of HR organizations
report having an AUP, only 69% have systems in place for employee acknowledgement of
them; only 76% have documented processes for dealing with AUP breaches; and
significantly fewer of these organizations’ IT departments have implemented specific
controls around content protection and filtering.
• HR and IT need to be more in sync
Our research finds that HR and IT departments, while not completely out of sync with
regard to AUPs, need to work more closely together so that content filtering and protection
supports HR’s AUPs. Moreover, it is important for HR itself to work on implementing control
systems for updating and ensuring compliance with AUPs.
[Figure: “Has your organization implemented an acceptable use policy for email?” Human Resources, n = 68 out of 70 total responses]
[Figure: “Have you implemented a control system whereby employees sign or otherwise formally acknowledge your organization's acceptable usage policy for email?” Human Resources, n = 70 out of 70 total responses]
[Figure: “IF YOU HAVE AN ACCEPTABLE USE POLICY FOR EMAIL: Does a documented process exist for dealing with breaches of your Acceptable Email Usage policy and is it clearly understood?” Human Resources, n = 59 out of 70 total responses]
[Figure: “IF YOU HAVE AN ACCEPTABLE USE POLICY FOR EMAIL: Has your organization implemented a process to update users on any changes to the acceptable email use policy?” Human Resources, n = 59 out of 70 total responses]
[Figure: “Has your organization implemented a documented procedure for the creation of new user mailboxes and the permissions they should allow?” Human Resources, n = 68 out of 70 total responses]
[Figure: “Have you implemented email filter settings to match your organization’s acceptable email usage policy to cover the following elements? Please check all that apply.” IT, n = 122 out of 132 total responses]
[Figure: “In the event of an email acceptable use policy breach are you able to search security logs?” IT, n = 132 out of 132 total responses]
Policies Focused on Encryption and Sensitive Content
KEY POINTS
• Organizations are at serious risk
Our research clearly indicates that organizations are at serious risk for losing sensitive or
confidential content through email and other communication tools.
• Key risk factors
Among the leading causes of risk to organizations in this regard is the fact that fewer than
one-half of organizations have conducted a risk assessment for digital content flowing
through their email systems, fewer than one-half are filtering email for potentially damaging
keywords, and only one-third trigger alerts when email policies are violated.
• Encryption is lacking
Only one-half of organizations enable users to manually encrypt sensitive content, while
only one-third automatically encrypt messages based on corporate policies.
• Sensitive content is not being detected and filtered
Moreover, sensitive content like HR documents is not being detected and managed when
sent through email in nearly one-half of organizations. In fewer than one-third of
organizations is content being scanned that might be going to competitors.
[Figure: “Which of the following is true in your organization? Please check all that apply.” Operations, n = 154 out of 162 total responses]
[Figure: “Has your organization conducted a risk assessment for the types of digital content being sent or received via email?” Legal, n = 107 out of 108 total responses]
[Figure: “Is it possible for end users to encrypt sensitive messages, or can they be automatically encrypted if a certain keyword is detected?” Operations, n = 160 out of 162 total responses]
[Figure: “Can your email system automatically trigger encryption of content based upon policies for sender, recipient or specific content?” IT, n = 130 out of 132 total responses]
[Figure: “Has your organization implemented policies for automatic detection and filtering of confidential or sensitive HR documents (salary information, Social Security Number, address list)?” Human Resources, n = 69 out of 70 total responses]
[Figure: “Has your organization conducted and implemented a categorization of electronic information based upon security and confidentiality levels?” Operations, n = 132 out of 162 total responses]
[Figure: “Is your organization filtering outgoing messages that may be going to the domains of known competitors?” Operations, n = 162 out of 162 total responses]
[Figure: “Will messages containing sensitive content only be released with formal and signed consent?” Operations, n = 160 out of 162 total responses]
Security Policies
KEY POINTS
• Basic security is reasonable
Our research found that the vast majority of organizations do a reasonable job of
automatically updating against security threats like malware, viruses and spam, although
there is always room for improvement in this regard.
• Other areas need improvement
However, controls over content when employees leave the company, and over protecting
content from unauthorized access, are not as robust. For example, nearly one-third of
organizations do not have clear security policies that spell out what happens when a mobile
device is lost or stolen. Training programs could also be better, given that one-third of
organizations report no program to educate users about damage to the corporate reputation
if email is misused.
[Figure: “Are the applications attached to your email system automatically updated against security threats from virus, malware and unwanted content?” IT, n = 132 out of 132 total responses]
[Figure: “Has your organization implemented clear policies for who can allow the audit of an employee's email?” Human Resources, n = 70 out of 70 total responses]
[Figure: “In the case of employee dismissal or voluntary departure, are there policies in place to prevent unauthorized possession of personal archives?” Human Resources, n = 69 out of 70 total responses]
[Figure: “Do you have clear security policies to prevent the unauthorized access to email records present on a laptop or a smartphone if the device is lost or stolen?” Human Resources, n = 68 out of 70 total responses]
[Figure: “If you have clear security policies to prevent the unauthorized access to email records present on a laptop or a smartphone if the device is lost or stolen, are these policies written and monitored?” Human Resources, n = 43 out of 70 total responses]
[Figure: “Have you implemented a training program to make employees aware of the reputation damage to your organization if your email system is (mis)used to send inappropriate or confidential content?” Human Resources, n = 70 out of 70 total responses]
[Figure: “Do email users have the ability to self service access to manage their quarantined spam, white lists, black lists etc.?” IT, n = 132 out of 132 total responses]
Archiving and Backup Policies
KEY POINTS
• More organizations need email retention policies
Our research found that nearly one-half of organizations do not have a formally documented
email retention policy on which users have been trained. This is despite the fact that virtually
all organizations have an obligation to retain email and other business records for long
periods.
• Better processes are needed
Similarly, nearly one-half of organizations cannot guarantee that messages are retained for
the length of time set in their retention policies, and more than one-third are not applying
retention policies to message stores as required by company policy.
• Backup procedures are reasonably sound
Relatively speaking, however, IT backup storage procedures are being applied to reflect
corporate policies in most cases.
• Users are not being managed properly
Our research also found that only about one in four organizations has implemented controls
to prevent users from creating their own archives on local storage devices, resulting in
potentially severe e-discovery problems if content cannot be identified and captured quickly.
[Figure: “Has your organization implemented a formally documented email retention policy and have your employees been trained on it?” Operations, n = 159 out of 162 total responses]
[Figure: “Is policy information stored in a central directory service where it is secure and backed up?” IT, n = 131 out of 132 total responses]
[Figure: “Can you guarantee that messages are being preserved for the time set in your organization's retention policy?” IT, n = 131 out of 132 total responses]
[Figure: “Are your message retention policies applied on your message stores as required by company policy?” IT, n = 130 out of 132 total responses]
[Figure: “Are your IT backup storage procedures applied to reflect your organization's policies?” IT, n = 131 out of 132 total responses]
[Figure: “Have you implemented the controls to stop users from creating their own archives on a local storage device?” IT, n = 129 out of 132 total responses]
[Figure: “Does your storage system support an archiving solution with Write Once Read Many storage capability that is non-erasable and tamper proof?” IT, n = 130 out of 132 total responses]
E-Discovery and Litigation Support Policies
KEY POINTS
• More training is in order
We found that only in one-half of the organizations surveyed are employees being formally
trained to understand the legal status of email, despite the fact that email is now routinely
used as evidence in legal actions of all types.
• E-discovery capabilities could use work
Despite the fact that more than four in five organizations claim they can meet the
requirements of an e-discovery request for records, significantly fewer claim that such a
response can be delivered rapidly and with minimal disruption.
• A disconnect between legal and IT
Interestingly, while 82% of legal respondents told us that their organization can meet e-
discovery requirements for email, only 56% of IT departments told us they can produce any
required email in the event of e-discovery. This clearly represents a disconnect either in
the understanding of the two functions, or in the interpretation of what satisfies a full and
complete response to e-discovery.
• Litigation holds need work
Only three in five legal departments told us they have the technology to implement a legal
hold, putting these organizations at serious risk in legal cases of all types.
[Figure: “Have your employees been formally trained to understand the legal status that an email message holds in a court of law?” Legal, n = 108 out of 108 total responses]
[Figure: “Does your organization have the ability to meet the requirements of an e-discovery request for email records?” Legal, n = 107 out of 108 total responses]
[Figure: “If so, can this response be performed both rapidly and with minimal disruption?” Legal, n = 101 out of 108 total responses]
[Figure: “Have you implemented the processes to be able to produce any required email in the event of an e-discovery request?” IT, n = 130 out of 132 total responses]
[Figure: “Can all e-discovery results be produced as if they were still in the system in native format, none of the original header information altered, and all metadata like tracking or status flags kept completely intact?” IT, n = 129 out of 132 total responses]
©2011 Osterman Research, Inc. 27
29. The Policy Survey Project – Fall 2011
“Does your
organization’s email
technology and
systems provide
support for litigation
holds?”
Legal
n = 105 out of
108 total responses
“Can a litigation hold
be confidentially
deployed, and can it
include support for
email, contacts, to do
lists and calendar
items?”
Legal
n = 107 out of
108 total responses
©2011 Osterman Research, Inc. 28
30. The Policy Survey Project – Fall 2011
“Does your email
system support the
filtering and
quarantine of
information (sent or
received) that could
lead to legal disputes.
Common examples
include insider
knowledge, sexual or
racial harassment and
inappropriate content
in attachments.”
Legal
n = 105 out of
108 total responses
Disaster Recovery and Business Continuity Policies
KEY POINTS
• Disaster recovery plans are in place, but...
Four out of five operations respondents reported that there is an email-focused disaster
recovery and continuity plan in place for their corporate email systems, but significantly
fewer IT departments report that the required systems and procedures have been put in
place to support these plans.
• Email outages can be lengthy
Our research also found that nearly one-quarter of organizations report that their disaster
recovery and business continuity plans and technologies will not restore email within 24
hours, revealing a serious gap in both the plans and technology implementations within
many organizations.
Figure: “Does your organization have a disaster and continuity plan for your email systems?” (Operations; n = 153 out of 162 total responses)
Figure: “Have you implemented systems and procedures to restore your email system as documented in your organization’s disaster or business continuity plans?” (IT; n = 121 out of 132 total responses)
Figure: “If you implemented systems and procedures to restore your email system as documented in your organization’s disaster or business continuity plans, have you documented and rehearsed the procedure?” (IT; n = 80 out of 132 total responses)
Figure: “If your organization has a business disaster and continuity plan for your email systems, will it restore service in less than 24 hours?” (Operations; n = 115 out of 162 total responses)
Management Policies
KEY POINTS
• Automatic disclaimers are not as common as they should be
We found that only slightly more than one-half of organizations can automatically append a
disclaimer on all outbound emails.
• Organizations are at risk of copyright violations
Moreover, we found that only about one-third of organizations have implemented filters to
prevent copyrighted materials from being accepted into or distributed using the corporate
email system. This puts organizations at serious risk of violating others’ copyrights and
adds to corporate risk exposure significantly.
Figure: “Has your organization implemented an anonymous whistle-blower account for reporting suspected abuses?” (Human Resources; n = 70 out of 70 total responses)
Figure: “Have you implemented automatic appending of email disclaimers on all outbound sent items?” (Legal; n = 107 out of 108 total responses)
Figure: “Have your employees been formally trained to understand the consequences of misuse of the email system?” (Legal; n = 104 out of 108 total responses)
Figure: “Has your organization implemented filters to prevent copyrighted content from being accepted into or distributed using your email system?” (Legal; n = 106 out of 108 total responses)
Miscellaneous Issues
KEY POINTS
• Most have implemented a code of business ethics
The good news is that the vast majority of organizations have implemented a code of
business ethics, thereby mitigating their risk on a number of levels. However, only about
two in five organizations can enforce their code through email monitoring.
• Monitoring and management could be improved
Our research also found that most organizations have implemented redundancy,
documented procedures for regular system maintenance, and monitoring for system
availability. However, we believe these figures should be much closer to 100% than they are,
given the mission-critical nature of email and other communication and content
management systems.
Figure: “Which of the following is true in your organization today? Please check all that apply.” (IT; n = 123 out of 132 total responses)
Figure: “Has your organization implemented a Code of Business Ethics?” (Human Resources; n = 65 out of 70 total responses)
Figure: “If your organization has implemented a Code of Business Ethics, is it enforced through email monitoring?” (Human Resources; n = 47 out of 70 total responses)
Sponsors of This White Paper
The right storage strategy can transform data into a strategic asset — not an IT maintenance
headache.
Companies are coping with an onslaught of digital information that’s growing at exponential
rates. But not all data deserves the same treatment. As the deluge continues, it’s time to reduce
the uncertainty and costs of data management. Intelligent Data Management (IDM) solutions
from Dell can help.
Dell, Inc.
300 Innovative Way
Suite 201
Nashua, NH 03062
+1 800 WWW DELL
www.dell.com
Smarter Solutions: Intelligent Data Management
With the right tools, you can achieve enormous storage efficiencies. Open, capable and
affordable IDM solutions from Dell can help you:
• Control expense — Enable your IT staff to implement a comprehensive data management
strategy to access, prioritize, preserve and protect data at an affordable, predictable and
sustainable cost.
• Create value — Transform data from an unsustainable burden into a valuable strategic
asset.
• Increase efficiency — Optimize data placement across storage tiers.
• Manage data growth — Make smart decisions about where and how you store data.
• Keep data accessible — Ensure data is readily available to meet compliance and business
unit requirements.
• Reduce risk — Eliminate costly data loss, deduplication errors, access problems and backup
challenges.
• Protect against disaster — Create data copies that can be cost-effectively stored and quickly
recovered.
• Address long-haul business requirements — Expand performance and capacity
simultaneously — and without disruption — over time.
Intelligent Data Management
Dell’s new Email and File Archive solution helps customers manage the information that is the
lifeblood to their organizations. Dell’s end-to-end solution capabilities can help customers
address storage optimization and compliance requirements, while alleviating burdens related to
design, implementation, and ongoing management through:
• Pre-configured reference architectures that ease solution design, while allowing for needed
customization based on customer specific requirements.
• All ongoing maintenance and support from a single point of contact, including hardware and
software (ISVs included).
• Storage platforms that support massive scalability and ease of use, to protect customer
investments and enable them to keep up with rapid data growth.
Dell’s approach maintains customer choice with backup and archiving software providers,
preferred consumption model (cloud or on-premise) and the services needed to optimize their
IT environment and comply with data retention requirements.
Founded in 1995, Messaging Architects is a global builder of infrastructure for Business Driven
Email. We provide software and services that deliver 100% uptime and compliance. Thousands of
organizations worldwide depend on our solutions for risk-free messaging and collaboration. Our
M+Platform expertly bridges email security and compliance gaps by managing the complete
lifecycle of email – from the moment a message enters the organization to its end of life
destruction.
Messaging Architects
180 Peel Street
Suite 333
Montreal, QC
Canada H3C 2G7
+1 514 392 9220
www.messagingarchitects.com
The M+Platform includes: M+Guardian, a solution that filters inbound and outbound email and
attachments for policy breaches, security threats, and data leaks; M+NetMail, a high-
performance email solution; M+Archive, a solution that archives your email records and enables
them to be quickly searched, retrieved, and presented on-demand; and M+SecureStore, a
solution for managing and storing your growing volume of corporate data.
Contoural is a leading independent provider of business and technology consulting services
focused on litigation readiness, compliance, information and records management, and data
retention strategy. We sell no products nor take referral fees, offering our clients truly
independent advice.
Contoural, Inc.
1935 Landings Drive
Mountain View, CA 94043
+1 650 390 0800
www.contoural.com
We believe that creating a consensus across our client's organization is a cornerstone to an
effective strategy. Our services encompass all electronically stored information (ESI) including
e-mail as well as paper documents.
With an average of 14 years industry experience, our team is comprised of attorneys, former
compliance officers, and records managers who have a deep understanding of legal, compliance
and business requirements for retaining and managing information combined with seasoned IT
professionals with expertise in archival, search, litigation management systems, data
classification and storage focused on program execution.
Our clients include more than 20% of the Fortune 500, as well as many small and mid-sized
industries across the U.S. with engagements throughout the world. Contoural's dramatic growth
is based on providing value to our clients; we have built a reputation for successful
engagements.
© 2011 Osterman Research, Inc. All rights reserved.
No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of
Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior
written authorization of Osterman Research, Inc.
Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document
or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws
(including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively,
“Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws
referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the
information contained in this document.
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS,
CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.