
Best Practices - Email Policies

Hi Everyone!

Good day!

I do understand that every company has their own requirements on email policies, but I was just wondering if there is a "best practices guide", an example, a guide, that we can use and customize according to our own company requirements.

Thanks

5 Replies

viahmed
Cisco Employee

Greetings Karl,

IronPort has a default policy which basically applies to all users unless there are any special user-based requirements. These special policies are called User-Based Policies.

User-based policies in Email Security Manager are designed to allow you to create the policies that satisfy the different and sometimes disparate security needs of all users within your organization.

For example, using this feature, you can quickly create policies to enforce the following conditions:

• Disable IronPort Anti-Spam scanning for all email to the Sales organization. Enable it for the Engineering organization with a moderate policy: tag the subject lines of suspected spam and legitimate marketing messages, and drop positively identified spam. For the Human Resources organization, enable anti-spam scanning with an aggressive policy: quarantine suspected spam messages, quarantine legitimate marketing messages, and drop positively identified spam.

• Drop dangerous executable attachments for all users except those in the System Administrator group.

• Scan and attempt to repair viruses in messages destined for the Engineering organization, but drop infected attachments for all messages sent to the address jobs@example.com.

• Scan all outgoing messages using RSA Email DLP for possible confidential information. If a message matches, quarantine the message and send a blind-carbon copy to the Legal department.

• If an incoming message contains an MP3 attachment, quarantine the message and send a message to the intended recipient with instructions for calling the Network Operations Center to retrieve the message. Expire such messages after 10 days.

• Include a disclaimer to all outgoing mail from the Executive Staff with the company’s newest tag line, but include a different “forward-looking statements” disclaimer to all outgoing mail from the Public Relations organization.

• Enable the Virus Outbreak Filters feature for all incoming messages, but bypass scanning for messages with attachments whose file extension is .dwg.

Hope that helps!

Regards,

Viquar

Customer Support Engineer

Hi Viahmed,

Thanks for the post above. I wonder if there are still some more User-Based Policies that I can use as a guide and customize according to my organization's needs?

Thank you.

-karl

Hello Karl,

I think the background of your question is to find out how other companies usually filter and process their email, which attachments they allow and which not, some exceptions for user groups etc. From my experience the requirements are different for every customer, and something like a best practice does not really exist. In addition to Viahmed's post I suggest you first look at the IronPort appliances the way they are: security appliances and email gateways, and their main tasks are to process email, block spam and messages containing viruses. Those should be your main priorities when setting up the appliance. Any other kind of user policies, filters, etc. are optional, and you should only use them if your local IT policies require that, for instance, certain kinds of attachments may not enter or leave the network, that a disclaimer needs to be included on outgoing messages or confidential information may not leave the network. And that's something very specific and far from generic.

Some basic things on configuration that come to my mind though:

When applying inbound policies, use recipient policies rather than recipient conditions in filters. The keyword here is splintering: a filter condition for a single recipient will affect other recipients of a message as well, while with splintering, the policy only applies to that specific recipient.

When it comes to outbound mail, only allow your internal mailservers to relay messages through the appliances. So rather put single IPs in your relaylist than whole networks.

Before applying any filters or actions on the appliance to modify or filter outbound mail, consider if the same action can be done on your mailserver as well.

Hope that helps,

Andreas
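
Added example, not part of Andreas's post and not IronPort configuration or an appliance API: a small Python model of the splintering behaviour he describes, contrasting a filter whose recipient condition is tested once per message with recipient policies matched per recipient. The policy names, addresses and actions are constructed for illustration.

```python
# Conceptual model only: not IronPort syntax, just the logic of splintering.

# Constructed policy table, evaluated top-down; first match wins per recipient.
POLICIES = [
    ("hr_aggressive", lambda rcpt: rcpt.endswith("@hr.example.com"), "quarantine"),
    ("default", lambda rcpt: True, "deliver"),
]


def filter_with_recipient_condition(recipients, target, action):
    """Filter style: the condition is tested against the message as a whole,
    so one matching recipient makes the action apply to every recipient."""
    hit = any(r == target for r in recipients)
    return {r: (action if hit else "deliver") for r in recipients}


def splinter(recipients, policies=POLICIES):
    """Recipient-policy style: each recipient is matched individually and the
    message is split into one copy (a splinter) per matching policy."""
    splinters = {}
    for rcpt in recipients:
        for name, matches, action in policies:
            if matches(rcpt):
                entry = splinters.setdefault(name, {"action": action, "recipients": []})
                entry["recipients"].append(rcpt)
                break  # first matching policy wins for this recipient
    return splinters


def disposition_after_splintering(recipients, policies=POLICIES):
    """Flatten the splinters into a per-recipient outcome for comparison."""
    return {
        rcpt: s["action"]
        for s in splinter(recipients, policies).values()
        for rcpt in s["recipients"]
    }


if __name__ == "__main__":
    rcpts = ["alice@hr.example.com", "bob@eng.example.com"]  # constructed sample
    # Filter: bob's copy is quarantined too, although only alice matched.
    print(filter_with_recipient_condition(rcpts, "alice@hr.example.com", "quarantine"))
    # Policies: only alice's splinter is quarantined, bob's is delivered.
    print(disposition_after_splintering(rcpts))
```
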

Hi Andreas,

Thanks for the input. Yes, you are correct. I am gathering policy setups of companies that might be needed by my organization. These policies I have gathered will then be studied to see if they are applicable to us. Yes, I do understand that no two companies have the exact same configuration.

"Before applying any filters or actions on the appliance to modify or filter outbound mail, consider if the same action can be done on your mailserver as well."

With regards to the quoted message above, do you mean to say, let's say, set the maximum attachment to 10 MB in the mail server as well as in the mail gateway?

Thanks for the inbound policy and relay input!

-karl

Hello Karl,

Glad I could help out a bit. About configuring message sizes accepted, this is actually a good example. First off, you don't need to configure this setting on both ends, the IronPort and the mailserver. As long as you have one maximum size for all users, it's not anything complicated on either end. However, when it comes to policies such as different allowed message sizes for different users (or groups), things get a bit more complex on the IronPort, which does not mean it cannot be done. Yet mostly the internal mailserver that also contains a user database allows this size limitation to be set directly on a user or group basis, so no additional configuration is needed on the appliance. Of course, this applies to outbound mail only.

Hope that makes sense,

Andreas