1. Email Management How hard can it be? Mark Rogers, Enterprise Architecture Team, IP Australia mark.rogers@ipaustralia.gov.aumark.rogers@ipaustralia.gov.au, (02) 6283 2247

2. Email is Pervasive 2001 est.12 Billion emails/day 2006 est.171 Billion emails/day Industry est. 70-81% are spam ~1 in 600 have a virus At IP Australia ~10 Million inward emails p.a.62% were spam ~2 Million outward emails p.a. ~2 Million internal emails p.a. (how many are work related?)

3. On Balance …. Pros Pervasive and popular Easy to use Asynchronous, and usually “immediate” (but don’t count on it) Cons Spam & Scams, Viruses, Spoofing ….. Not as secure as people assume Accounts usually personal (mark.rogers@), not roles-based Sloppy habits & poor etiquette common

4. Key Legislative Requirements (C’wealth) Privacy Act 1988 Telecommunications (Interception) Act 1979 Evidence Act 1995 Spam Act 2003 Electronic Transactions Act 1999 For APS Public Service Act 1999 (Code of Conduct) Archives Act 1983

5. Major Areas of Risk for Organisations for Email External threats (unsolicited and/or malicious) Inappropriate channel (security/privacy risk) Poor recordkeeping Staff behaviours Time wasting Offensive material Webmail? Personal holdings/ large holdings (see also recordkeeping) Large attachments/ multiple addressees/ attachment formats Inefficient practices/ Etiquette Style/ language Undocumented “back doors”

6. Chunking the Problem – External Threats Anti-spam appliance (+ process for monitoring) Virus protection (at multiple levels) Policy & process for monitoring & improving Security Advisory Management process Targeted Reviews Staff education & awareness about risks, threats & desired behaviours

7. Chunking the Problem – Inappropriate Channel Business Model? Whose risk is it to accept? Analysis of business risks & transaction types Policy & E-business Rules Secure channels? (eg. Fedlink) Connecting with business process – how? (eg automated capture, roles-based accounts) Staff and Customer education & awareness-raising of risks, threats & desired behaviours Perception management eg re government security markings We can discourage “risky” customer emails, BUT…. If the customer is prepared to accept the risk, will you accept their emailed transaction?

8. Chunking the Problem - Poor Recordkeeping Policy (Appropriate use, process, business rules, naming…) Process – WIIFM? - making the easy option the right option Automating capture into business systems Electronic Recordkeeping Solution Limiting options for local work-arounds (personal email account quotas, auto-delete) User education & awareness How would you know? (surveys, analysis)

9. Chunking the Problem – Staff Behaviours Topic means many different things……..eg. Familiarity with the tools Etiquette, formality, style Reply to All with attachments vs. Snipping & responding to a limited audience Links vs attachments Personal use Threats & risks, policies, business practices, recordkeeping & staff obligations Education & awareness raising

10. Impact of Email Quotas on Recordkeeping

11. Technical Solutions Vendors have email management solutions which simplify many aspects: BUT… Are often used as a stopgap for deficient/ non-existent business processes Technical solutions still require configuration and don’t eliminate having to think through requirements, outcomes and priorities. eg. Does it matter if email records are separate from other records? How long to store emails as records? Are they all the same value? Can you define rules that automatically categorise emails for different retention periods? Does it matter if you store them all for the same period? What is required of the users? Is it a “natural” behaviour?