Page 876 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
stipulated that professional, business-oriented email and a limited
amount of personal email can be sent and received. Specific
restrictions are usually placed on performing personal business (that
is, work for another organization, including self-employment) and
sending or receiving illegal, immoral, or offensive communications as
well as on engaging in any other activities that would have a
detrimental effect on productivity, profitability, or public relations.
Access control over email should be maintained so that users have
access only to their own mailbox and email archive. An extension of
this rule is that no other user, whether or not they hold other
privileges on the system, can read an individual's email. Access
control should provide for both legitimate access (for example, the
administrative or audit access the organization's policy authorizes)
and some level of privacy, at least from other employees and
unauthorized intruders.
The mechanisms and processes used to implement, maintain, and
administer email for an organization should be clarified. End users
may not need to know the specifics of email management, but they do
need to know whether email is considered private communication.
Email has recently been the focus of numerous court cases in which
archived messages were used as evidence—often to the chagrin of the
author or recipient of those messages. If email is to be retained (that
is, backed up and stored in archives for future use), users need to be
made aware of this. If email is to be reviewed for violations by an
auditor, users need to be informed of this as well. Some companies
have elected to retain only the last three months of email archives
before they are destroyed, whereas others have opted to retain email
for years. Depending upon your country and industry, there are often
regulations that dictate retention policies.
Understand Email Security Issues
The first step in deploying email security is to recognize the
vulnerabilities specific to email. The standard protocols used to
support email (SMTP for transfer and submission, POP and IMAP for
mailbox access) do not employ encryption natively: the base protocols
exchange commands, credentials, and message content as plain text.
Transport encryption can be layered on top, either negotiated in-band
with the STARTTLS extension or by connecting to a dedicated implicit-TLS
port (SMTPS on 465, IMAPS on 993, POP3S on 995), but it is optional,
depends on both ends supporting and enforcing it, and protects only the
single hop on which it is negotiated; each intermediate mail server
still stores and relays the message in the clear. Where it is absent,
messages are transmitted in exactly the form in which they were
submitted to the email server, which makes interception and
eavesdropping easy. However, the lack of native encryption is one of
the least important security issues related to
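To make the plaintext exposure concrete, here is an added example (not code from the study guide) that parses a captured SMTP session and reports what a passive observer on the network path could recover from it. Both session transcripts are constructed for illustration; the hostnames and addresses are invented, and the parser covers only the handful of commands these transcripts use rather than the full SMTP grammar.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed capture: the server offers STARTTLS, the client ignores it and submits in the clear.
CLEARTEXT_SESSION = """\
S: 220 mail.example.test ESMTP ready
C: EHLO client.example.test
S: 250-mail.example.test
S: 250 STARTTLS
C: MAIL FROM:<alice@example.test>
S: 250 OK
C: RCPT TO:<bob@example.test>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: alice@example.test
C: Subject: Q3 numbers
C:
C: Bob, draft figures are below. Do not forward.
C: ..ps: this line begins with a dot, so the client dot-stuffed it
C: .
S: 250 OK queued
"""

# Constructed capture: the same client upgrades to TLS first; everything after is ciphertext.
TLS_SESSION = """\
S: 220 mail.example.test ESMTP ready
C: EHLO client.example.test
S: 250-mail.example.test
S: 250 STARTTLS
C: STARTTLS
S: 220 Go ahead
# TLS handshake follows; nothing after this line is readable on the wire
"""


@dataclass
class Observation:
    starttls_offered: bool = False
    starttls_used: bool = False
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)
    subject: Optional[str] = None
    body: List[str] = field(default_factory=list)

    @property
    def content_exposed(self) -> bool:
        # Content is exposed only if it was sent before any successful STARTTLS.
        return bool(self.body) and not self.starttls_used


def _angle_addr(arg: str) -> str:
    # Pull the address out of a 'MAIL FROM:<x@y>' / 'RCPT TO:<x@y>' argument.
    start, end = arg.find("<"), arg.find(">")
    return arg[start + 1:end] if 0 <= start < end else arg.strip()


def parse_session(transcript: str) -> Observation:
    obs, in_data, in_headers, pending_tls = Observation(), False, False, False
    for raw in transcript.splitlines():
        if not raw.startswith(("S:", "C:")):
            continue                      # capture annotation, not protocol bytes
        speaker, line = raw[0], raw[3:]
        if speaker == "S":
            if line.startswith("250") and "STARTTLS" in line.upper():
                obs.starttls_offered = True
            elif pending_tls:             # reply to the client's STARTTLS
                pending_tls = False
                if line.startswith("220"):
                    obs.starttls_used = True
                    break                 # handshake next; wire bytes become ciphertext
            continue
        if in_data:                       # inside DATA: headers, blank line, body, lone '.'
            if line == ".":
                in_data = False
            else:
                if line.startswith(".."):
                    line = line[1:]       # undo dot-stuffing (RFC 5321 section 4.5.2)
                if in_headers and line == "":
                    in_headers = False
                elif in_headers and line.lower().startswith("subject:"):
                    obs.subject = line[len("subject:"):].strip()
                elif not in_headers:
                    obs.body.append(line)
            continue
        cmd = line.upper()
        if cmd == "STARTTLS":
            pending_tls = True
        elif cmd.startswith("MAIL FROM:"):
            obs.mail_from = _angle_addr(line[len("MAIL FROM:"):])
        elif cmd.startswith("RCPT TO:"):
            obs.rcpt_to.append(_angle_addr(line[len("RCPT TO:"):]))
        elif cmd == "DATA":
            in_data, in_headers = True, True
    return obs


if __name__ == "__main__":
    for name, capture in (("cleartext", CLEARTEXT_SESSION), ("starttls", TLS_SESSION)):
        o = parse_session(capture)
        print(name, vars(o), "exposed:", o.content_exposed)
```

Run it and the first capture yields the full envelope, subject and body even though the server offered STARTTLS; the second yields nothing beyond the EHLO exchange because the client upgraded before sending anything sensitive. Even a correctly negotiated STARTTLS protects only that hop: the receiving server decrypts, stores and, if it relays onward, re-sends the message in whatever form the next hop negotiates, which is why end-to-end confidentiality needs message-level encryption such as S/MIME or PGP rather than transport encryption alone.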