Are you getting pressured to provide some sort of regulatory compliance rules to your business that will affect your network configuration, your email flow and your end users? Do you have to deal with SOX or HIPAA or GLBA, or ‘Oh Lord, not another Acronym’ regulation (we’ll call it the OLNAA) whose apparent sole purpose is to complicate your life?
And what exactly are these compliance rules asking you to do? If you’ve tried reading the actual regulations, like I have, you’ve probably found that, a) you need a lawyer to interpret the language for you, b) they’re often short on concrete guidelines, and c) they’re a fantastic remedy for insomnia.
While government officials are trying to ‘do the right thing’ in protecting our privacy, personal and/or proprietary information, and basically trying to prevent another Enron, the result has been a very loose, wide-ranging interpretation of the rules, producing very mixed results.
If you’ve been in the market for a compliance-based program, I’m sure you’ve discovered that the term compliant has suddenly been stamped on everything. But when you look closely at what these products have to offer, the ‘solutions’ can be mind-boggling. I’ve seen the word compliance interpreted as everything from basic spam, virus and attachment scanning, to overly complex content rules and an interface that practically requires a computer engineering degree just to navigate through the settings to produce some rule that won’t stop the mail flow entirely! Oh, and let’s not forget that you’ll have to add various appliances to your setup: one for encryption, another for archiving, another for audit logging, and on, and on, and on!
So, in keeping with the KISS principle, the key requirements for email handling really aren’t that complicated. Your chosen solution should be able to do the following:
- Keep junk mail and malware from getting into users’ Inboxes
- Prevent local users from sending junk / malware out
- Allow you to create custom content rules to scan inbound and/or outbound messages for sensitive information specific to your particular business (such as credit card numbers, social insurance numbers, health care information, proprietary information, etc.)
- Allow you to set different message handling behavior based upon those content rules:
– Block the message (bounce or quarantine it)
– Redirect to a moderator for review (who has options to release or block the message)
– Allow delivery to the intended recipient(s), with an option to notify the moderator of potential content violations
– Specify that certain content be encrypted before attempting delivery
– Audit specific message transactions
– Archive specific content (and you don’t necessarily need a separate server with fancy e-discovery functionality to do this: you just basically need to store copies of certain messages somewhere, keep track of where the archives are located, and be able to access them if ever required)
- Allow you to easily set these rules for specific users, groups of users, and to create exceptions
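To make the content-rule requirements above concrete, here is an added example (not code from the original post or from any product it mentions) of a minimal rule engine: it scans a message for card numbers and Canadian social insurance numbers, validates candidates with the Luhn check so that random digit runs such as order numbers do not trip the rule, and picks one handling action from the list above, honouring group-based exceptions. The detector patterns, rule table and group names are assumptions made for the example.

```python
import re

# Luhn mod-10 check shared by payment card numbers and Canadian SINs; it filters
# out arbitrary digit runs (order numbers, phone numbers) that merely look like one.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Detectors: (name, regex, validator). Patterns are constructed for this example and
# accept optional space/dash separators; 13-19 digits for cards, 9 digits for a SIN.
DETECTORS = [
    ("card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), luhn_ok),
    ("sin", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), luhn_ok),
]

# Hypothetical rule table: detector -> (action, sender groups exempt from the rule).
# PRECEDENCE orders the handling behaviours so the strictest one wins when several
# rules fire on the same message.
PRECEDENCE = ["block", "moderate", "encrypt", "notify", "archive", "deliver"]
RULES = {
    "card": {"action": "block", "exempt": {"billing"}},   # billing may send card data
    "sin": {"action": "encrypt", "exempt": set()},         # SINs always go encrypted
}

def scan(text: str) -> dict:
    """Return {detector_name: [matched values]} for every hit that passes validation."""
    hits = {}
    for name, pattern, validate in DETECTORS:
        for m in pattern.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if validate(digits):
                hits.setdefault(name, []).append(m.group())
    return hits

def decide(message: dict, sender_groups: set) -> tuple:
    """Choose the handling action for a message given the sender's group membership."""
    hits = scan(message["subject"] + "\n" + message["body"])
    actions = ["deliver"]
    for name in hits:
        rule = RULES[name]
        if not (rule["exempt"] & sender_groups):   # exception: group is allowed this content
            actions.append(rule["action"])
    chosen = min(actions, key=PRECEDENCE.index)    # strictest applicable action wins
    return chosen, hits
```

In a real deployment the same decision would be made by a milter or a transport-rule hook and the action (bounce, quarantine, route to a moderator, encrypt, log, archive) carried out by the mail system rather than returned as a string.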
What you don’t want is something that’s so complex and daunting that people won’t want to use it, not to mention the disastrous potential for completely blocking email flow.
Are you looking for a compliance solution or do you already use one? I’d like to hear what you like or don’t like about them, and what if anything prevented you from buying or using a solution.