When it comes to compliance and messaging, there's no such thing as half measures. Best IT practices dictate that companies implement technology, processes, and policy. So while content monitoring and filtering may be the beginning of the story for detecting and preventing information leaks, it's by no means the whole story.

As the dominant form of corporate communication, e-mail has become an important repository and record of corporate transactions and intellectual property. As such, today's businesses bear the responsibility for protecting the enterprise against the risks associated with data leakage, or sensitive information that leaves the company.

The task is daunting. An Internet Security Threat Report recently released by Symantec Corp. reports that the current Internet threat environment is characterized by an increase in data theft, data leakage, and the creation of targeted, malicious code for the purpose of stealing confidential information. The report goes on to state that data breaches and the potential use of confidential information for identity theft can result in a loss of public confidence, legal liability, or costly litigation.

For companies that haven't addressed data leakage, the time to act is now.

There are currently more than 700 federal and state privacy laws in effect. Privacy initiatives such as the Gramm-Leach Bliley Act, state data privacy acts, and HIPAA, for example, mandate protection of non-public personal information like social security numbers, credit card numbers, and driver's licenses as well as protected health information, such as prescription drugs, treatment codes, and disease name.

The good news, according to industry data, is that less than one percent of data leakage is malicious. Most data leakage occurs by accident or because of poor business processes, such as human resources sending employee information in a spreadsheet to a 401K provider, for example. The bad news is it doesn't matter. When it comes to regulatory compliance, businesses are responsible for having security mechanisms in place that are up to audit.

More is Better
According to Gartner Inc., content monitoring and filtering (CMF) is an adolescent market for detecting and preventing information leaks. Despite the overall immaturity of tools in this space, many provide immediate value in protecting corporate intellectual assets and consumer privacy.

Symantec recently upped the ante for e-mail compliance with the introduction of Symantec Premium Content Control (PCC). Designed as an add-on subscription service for the Symantec Mail Security 8200 and 8300 Series Appliances, PCC helps organizations manage risks associated with data leakage, regulatory compliance, and internal governance for inbound and outbound e-mail traffic.

"The product offers a complete workflow for implementing an e-mail compliance solution," said Daniel Freeman, director of product management at Symantec.

Symantec Premium Content Control provides organizations with a set of tools that can be used to demonstrate internal controls to support company data security policies and best practices, as well as external e-mail-related regulations.

"The PCC module provides policy templates and premium resources that enable customers to quickly develop, customize, and deploy policies that reduce the threats to mitigate regulatory violations," said Freeman.

The module also provides templates and resources for Acceptable Use (such as inappropriate language, violence and weapons, or gambling), Confidential Data Protection (e.g., confidential documents, competitor communications, and source code), and Customer and Employee Data Protection (i.e., U.S. social security numbers and U.K. tax I.D. numbers).

Ahead of the Pack
Gartner defines CMF products as those that, as a core function, perform deep packet inspection on inbound and outbound network communications traffic, track sessions, and perform linguistic analysis to detect and/or block specific content based on rules or policies.

The true value of CMF, according to Gartner's technology insight experts, lies in helping management identify and correct faulty business processes and accidental disclosures, or identify bad practices that put corporate data at risk rather than preventing malicious individuals from stealing data.

In short, organizations need to understand what's going on in their messaging environment and then take action. And they need robust tools to support the process.

"The truth of the matter is that most organizations don't know how much sensitive data is leaving the company," said Freeman.

Working with SMS 8200 and 8300, Symantec's PCC offers enhanced workflow, from stopping spam, viruses, and other e-mail-borne threats at the SMTP gateway to providing content filtering capabilities, incident management, and reporting, which enables business users to easily and accurately define and implement compliance policies as well as analyze and manage violations. Version 5, second-generation software for the Symantec SMS 8200 and 8300 is required for PCC, as is an antispam and/or antivirus subscription.

One of the key differentiators that set PCC apart from its competitors is incident management. Incident management allows companies to see and analyze policy violations or incidents then take action to reduce the threats of data loss and regulatory noncompliance.

How Does It Work?
PCC allows IT to set up group policies. So, for example, a group policy is created at a call center. Any deviations from the group policy by individuals in the call center go into a special incident folder that has rules-based access. Administrators can review the incident that comes in from the group and advance to remediation. Remediation may entail data forensics, searching more e-mail messages, or setting up a unique policy for that individual.

The workflow goes a step further with reports and alerts. A code red incident may send an alert that may trigger reporting around the violation. Incident reports can be sent to an incident folder or to archive with a searchable tag for retrieval.

Incident management does not just reuse quarantine, but provides tools for the compliance officer or incident review team to analyze and reduce threats.

PCC forces encryption, archive, incident management, and notification.

Messaging compliance is about protecting and keeping intellectual property safe and secure as well as delivering auditable proof for companies concerned with regulatory compliance around data privacy standards. It's also about creating a workflow to ensure successful implementation of e-mail compliance processes.