E-mail Enforcers

Montana Department of Corrections relies on policy to guide acceptable use of electronic messaging.

Montana Department of Corrections CIO John Daugherty says that when it comes to monitoring internal e-mail, technology must be paired with human intervention.

“E-mail filtering tools are not sophisticated enough today to distinguish between a report taken on an inmate that uses graphic language or has a graphic tattoo and employees who are exchanging graphic language and graphic images, so you’d waste your time with a lot of false positives internal mail would create,” he says.

Instead, he says agencies would be better served drafting clear and concise acceptable-use policies that explain to employees what they can and cannot do with government resources.

As an example, Daugherty points to an incident at the Montana State Prison that resulted in 74 employees being disciplined for e-mail misuse last December. Earlier that year, he says an employee told a supervisor that a message “of a pornographic nature” was offensive. After a detailed forensics investigation of employee mailboxes, department officials identified who had forwarded and/or commented on the message and carried out disciplinary action that ranged from counseling about appropriate e-mail use to verbal and written warnings to days off without pay. One employee resigned after the incident.

Daugherty credits the department’s two policies surrounding acceptable use of IT resources and unlawful use of computers — which all employees have to read and sign — as a basis for the investigation.

The Department of Corrections does not have e-mail monitoring tools in place, but Daugherty contends they probably would have missed the violation because the messages involved a combination of text and images. “When you get to a place like this where e-mail is being passed around internally, technology can only catch so much. You need the human element,” he says.

John Burke, principal research analyst at New York–based Nemertes Research, agrees, adding that many organizations — public and private — do not have e-mail filtering technology for communications inside the firewall. “There is often an assumption that we trust each other. Therefore, we don’t want to put extraneous work on IT to sort through the false positives that this type of software can generate,” he says.

In addition, e-mail filtering can result in message-delivery delays. “It can be a lot of overhead for not a lot of gain internally,” he says. Where agencies can see a return is in the forensics, archiving and logging technology they use to reconcile claims and lawsuits regarding e-mail misuse. “Even if you don’t filter e-mail going amidst employees, you should archive it,” Burke says.

Daugherty is also a proponent of forensics and archiving technology. He uses a tool that enables him to search text and images within .pst files. However, he believes that IT should play as minimal a role as possible in e-mail misuse investigations. Instead, he encourages his human resources and legal teams to become familiar with the software and terminology used in e-mail forensics so they can carry out inspections themselves.

Crafting an Acceptable-Use Policy

At one time, the Montana Department of Corrections had entertained the idea of banning all personal use of the state’s e-mail system. However, CIO John Daugherty says this was unrealistic because employees working late hours needed a way to communicate with their families.

Instead, the department turned its attention to creating an acceptable-use policy that would clearly convey e-mail use parameters to employees. Here are some pointers on creating an acceptable-use policy.

  1. Convene a cross-functional team of department leaders to set expectations for how e-mail, Internet and computer resources are to be used relative to business goals.
  2. Create a detailed document that defines what you consider to be appropriate — and inappropriate — behavior. Don’t assume that your users know what you consider to be the difference between personal and professional messages.
  3. Explain the consequences for violating the policy within the document. For instance, if misuse of the e-mail system will result in termination, say so.
  4. Notify employees that you will be performing random, periodic audits of their mailboxes. Experts say this alone can be a great deterrent for misuse.
  5. Present the document to all employees several times during their tenure, including hiring, reviews, and staff meetings. Allow time for them to ask questions and provide clear answers. Have them sign a written statement confirming they have read and understand the policy.

Feb 19 2008