Implementing email retention, compliance or e-Discovery software can be one of the most important tasks an organization performs. Without a solid policy behind the software investment, companies risk wasting time and money.
IT professionals have a critical role in ensuring the success of email retention, compliance, or e-Discovery software implementations. The first step is to decide who should be involved in defining your organization’s email policies. Understand how your business is affected by various government and industry standards, and then take the time to carefully think out your policy, documenting each step.
Typically, there are two reasons an organization buys a third-party product to enforce email policies: space requirements (archiving) or legal issues (e-Discovery and/or compliance rules and regulations). Regardless of which need is driving your purchase decision, you’ll want to begin by developing an email policy.
There are several steps to creating an email policy, regardless of where an organization stands in reference to having a solution to implement it. The first step is to have a firm grasp of the makeup of the organization and its IT environment. Consider this research the foundation of an email policy. This foundational research is essential because if the internal infrastructure can’t handle what the policy is asking of it, the policy is useless and will not hold up. The following questions are a great place to start:
- What is driving your policy?
- Who is backing your policy?
- What data will I need?
- Where do I keep the information?
- How is it stored? -- Original format or a proprietary store?
- Who will use the data?
- How will it be used?
- When will it be needed?
- What if I don’t have the data?
- Can I easily retrieve the data?
- Can I search the data?
The following addresses each of these important questions in greater detail.
What is driving your policy?
Typically, space concerns or legal need is the driver for an archiving/compliance tool. Previously, space was the major driving force for this type of purchase. While space may still be part of your needs, it is necessary to be cognizant of other factors that affect your business. Managing user mail files for size will help improve their efficiency when users are opening their inboxes and will speed up backup times, but that shouldn’t be the only factor considered.
Many businesses today are affected by compliance laws/rulings like HIPAA, Sarbanes-Oxley, and the Federal Rules of Civil Procedure – among others. Having this knowledge will help you determine what needs to be kept and for how long. The following sites should help point you in the right direction.
- http://www.soxlaw.com/
- http://www.hhs.gov/ocr/privacy/index.html
- http://www.law.cornell.edu/rules/frcp/
- http://www.sherpasoftware.com/blogs/SherpaBlog.nsf/
- http://www.aiim.com
Spend the time to understand these laws and how they affect your business. The time you spend now will save you later in legal fees and penalties.
An IT person may be thinking, “I need my space back and why in the world do they need this email from 6 years ago?”
The legal stakeholder may be thinking, “How is that 6-year-old document going to save me 3 years from now?”
Two people working for the same company, but two completely different ways of thinking.
Companies that do not ask these questions in advance may find themselves in bigger trouble later on when they are not able to produce necessary data to support a legal case. It takes longer to build and document an email retention policy than it does to configure the software to enforce it. As a result, many questions need to be asked and answered before you can effectively implement this policy.
Who is backing your policy?
Someone needs to be ultimately responsible for the enforcement of an email policy. Is it the IT department or Legal/Human Resources or both? If it is both, then you could be in for a long struggle as each side tries to make their case for what's best. In either case, you need cooperation from both legal and IT. Otherwise, the policy will always be changing and you may find yourself doing more work trying to figure out what to keep, and what to get rid of.
If you are from Legal/HR, you need to be thinking about the effect of this data on your company today, a month from now and even years from now. You need to know and understand what rules and regulations your company falls under.
If you are from IT, your job is to find the best tool that meets the requirements of Legal/HR and present the options that are available. This is where having the conversation about your policy before selecting your software will help.
What data will I need?
What data must be kept, and what can be disposed of? There are several factors that determine the answer. Only a true understanding of your retention policy will help you make that call.
- Is it driven by the age of the documents? If so, which date value applies: when the document was first created or when it was last modified?
- Is it the contents of the documents? Maybe you are looking for certain keywords or phrases that must be kept because they contain confidential information.
- It may be determined by where the document exists in the mail file (inbox, sent or a personal folder). Are there going to be “protected” folders that users can place documents in that will not be archived?
- Who needs to be included and who can be excluded? You may determine that only certain departments or groups of people apply to specific policies. Therefore, you'll need to address their information differently. Some users may not fall under any compliance laws, and you'll be able to take a more aggressive approach to managing their email.
Where do I keep the information?
Knowing where data is stored and who has access to it becomes a huge concern if you are ever involved in litigation. This is one of the biggest concerns when going through e-discovery.
- How is the data stored – Organization of data from the beginning will make e-Discovery and removal of old data an easier process.
- Single Store vs. Personal Stores – While each has its advantages, it comes down to what drives your policy. Single stores will allow for de-duplication of the data, but all this is going to do is save space. It may not address ease of use concerns. Personal archives, while they may take up more space, will provide ease of use. Take the time to explore each and determine what works best in your environment.
- Format – Is data kept in the native email format? If not, how is data integrity verified? An IT person may be thinking, “I don't care how it's stored, as long as I get my space back.” Legally, you may want to reconsider this stance and make sure the data integrity is not altered.
- Restore Capabilities - Can the data be restored to its original state? Many things may cause you to restore the data, so be sure it can be done.
- Access - Depending on what drives your policy, this can vary. Will the end-users have access? If so, what level and what will they be allowed to do? Will only legal need access? If so, does it make sense to have one archive for all data, as opposed to individual stores for each user?
- Organization - Organization of data becomes as important as the need to manage this data in the future. Does it all go to one store, or can it be easily managed by year, by server or anything else you may find useful? If legal makes a request to search all of 2005 data for certain criteria, you would not want to search everything you've ever archived. If you are driven by compliance regulations, removing data after a certain amount of time can be easy if it’s organized in a way to allow for removal of old data. The process of backing up data is easier if it is organized to conform to a consistent, unchanging policy. If you archive data by year, once you complete your backups, you'll never have to back up that data again.
Here are some things you may want to think about as you look for the software needed to manage your email retention and compliance policies:
Flexibility in Configuration – With most retention policies, one size may not fit all. Just because one company has set up their policy one way, that does not mean the same policy will work for your company. Considerations include:
- Will it allow for rules to be applied to different people in any number of ways such as name, group membership, or mail file size?
- Can the users be notified ahead of time what will be archived, allowing them to take action on their data or clean up old non-business related emails?
- What about the location of the email message? A good system should allow for locating messages in particular folders and managing them appropriately.
- Does it allow you to exclude documents from being archived based on the folders they are located in, or the content that may exist within the email?
- What about users who are on leave? Will it allow for their messages to be skipped while they are gone?
End-user Experience – This may not seem important, but the last thing you want is unhappy users and a flood of help desk calls when you roll out your solution.
- Does it allow for easy access? How does the user get to their archived data? Do they have to search to find the archives, or is a link left behind in the email message?
- What will the archived email look like in the mail file?
- Do the original icons (like the attachment) stay behind?
- Will there be a link for the user to click on to access?
- What about web or mobile users? Will they have access?
- Can the user easily search their mail files and archives?
- If the user is allowed to work from within the archive (create new mail, reply, etc.), is the data stored in a format the user will be able to use?
Keys to Success
There are several things to remember as you begin to implement your email retention policy and solution. First, be ready to deal with exceptions. With most policies, there will always be people or groups who need to be treated differently. Find a tool that allows for flexibility and easy configuration. Flexibility is important. You may build the perfect email policy today, but you may have to tweak it over time. You'll need to review your policy as laws and industry standards evolve to ensure you are not impacted and that your current policy is not negatively affecting your organization.
When it comes to electronic information management, determining what gets kept, where it is kept, and how it is stored can be a real struggle. If you do your homework, plan out your process, and follow the steps outlined above, you can create a policy that works for your organization. At that point, selecting a software package to implement it should be the easy part.
Denny Russell is a senior product specialist for the Domino products at Sherpa Software. He is a regular contributor to the Sherpa Software Blog (http://blog.sherpasoftware.com/), an Administrator for the Lotus Notes/Domino environment (including Sametime and Blackberry Enterprise Server for Notes) and the webmaster for Sherpa's official web site, http://www.sherpasoftware.com.

