Email Classification - Why Should it Matter to You?

Email Classification - Why Should It Matter to You? A Best Practice White Paper

Written by Grant Lindsay,

Product Manager, Sherpa Software

456 Washington Avenue, Suite 2 Bridgeville, PA 15017 www.SherpaSoftware.com [email protected]

Email Classification – Why Should It Matter to You?

P a g e | 2

I N T R O D U C T I O N

What is email classification you ask? And should it be on your radar? For this discussion, let's define email classification as the process of tagging email messages with labels to assist in managing those messages as they either move through or rest in the email environment. For example, a message might be classified as “privileged,” “confidential,” “secret,” “private,” or “business relevant.” A message with a “business relevant” classification may be retained for three years, whereas a message classified as “personal” may be purged after thirty days. A message marked “secret” may be restricted from leaving the organization’s email environment unless it is encrypted.

The reasons for classifying email vary, but may include: grouping like messages together for electronic discovery [e-discovery], applying security and access control to messages of a certain type, and managing the life-span of messages, based on their relevancy to the business or to regulations.

Email classification like this can aid the e-discovery process1 because searches can be targeted to only the messages classified “business relevant” or “privileged” and leave out other messages not pertinent to the search, which can greatly reduce the search run-time. In other cases, message classifications may be hierarchical or relevant to only some people in the organization.

Classifying or tagging emails can be done through several methods. The process of applying these tags (i.e., classifying) may be either:

▪ Manual: The message custodian, a human, applies the classification when the message is either created or received

▪ Automatic: A computer applies the classification, based on rules or contextual analysis

▪ Hybrid: Combining both manual and automatic methods.

I S T H E R E A N E E D F O R C L A S S I F I C A T I O N ?

At a high level, the purposes for classifying unstructured data, like email, could include:

▪ Organizing data into groups: For business reuse and e-discovery retrieval

▪ Tracking and managing data: For access control and retention windows

1 For more information about the e-discovery process, check out the E-discovery Reference Model (http://www.edrm.net)


P a g e | 3

The decision whether to classify email data lies with each individual organization, but it is a question you should be asking. Other questions pertinent to email classification include:

▪ Will having classified messages speed up e-discovery requests?

▪ Is your organization under industry or government regulations that require us to implement email classification?

▪ Will email classification help us in other ways, like reducing storage costs or getting the big picture about feedback on our products or services?

Email is just one component of an organization's unstructured data that might need to be managed with a classification policy. However, it is an important component. Email often comprises the majority of an organization's communications, both internal and external. As such, it also constitutes a large part of its unstructured data.

W H E R E A N D W H Y S H O U L D E M A I L C L A S S I F I C A T I O N B E A P P L I E D ?

Classifying email is complicated by the fact that not all email messages are relevant from a business perspective, and would not necessarily need to be kept. Some experts estimate as much as 60% of email messages held are not related to business. These are the “where do you want to go for lunch?” and “there is cake in the break room” types of messages. Should those messages be kept? If so, would they be under the same retention rules as other, more relevant messages, like a product quote or support question? This is where a strategic email classification policy could come in handy because these non-business-related emails can be broadly classified and dealt with by an email archiving system or other email management technology en masse.

If classifying email makes sense in your organization, there are some details to work out. For example, different schemes are available to classify email such as:

▪ Security or sensitivity (e.g., privileged, secret, etc.)

▪ Retention period (e.g., “keep until...”, “delete after...”)

▪ Locations at various levels (e.g., EMEA, US, Chicago, etc.)

▪ Product lines (e.g., “gizmo,” “widget,” “gizmo 2.0”) By classifying messages in a way that makes sense for your organization, you can more easily group this data together for e-discovery, retention, protection, etc. For example, a product company that makes "gizmos" may want to classify any inbound messages that have "gizmo" in the body with a header called X-Product and a value of "gizmo". Later, all such messages can be discovered easily in a search (e.g., find all messages where X-Product = "gizmo"). Additionally, the tagged


P a g e | 4

messages may be collected together into a journal to comply with industry or government regulations or to help Product Management see feedback from customers and prospects on the gizmo product, regardless of the source or the recipient. In a similar way, the confidentiality of a new product, "gadget," can be protected using classification by having the mail router reject any message for external recipients where the header X-Product has the value "gadget". However, before any procedure or technology can be applied to the job of classifying email, a policy must be created. Relevant elements of the email classification policy would include:

▪ Definitions, procedures, regulations

▪ Roles, responsibilities

▪ Actions, monitoring, accountability

H O W S H O U L D E M A I L C L A S S I F I C A T I O N B E A P P L I E D ?

Generally, there are two ways to classify email: automatically by a computer or manually by a human. Additionally, using a hybrid combination of these two methods might be considered.

Automatically—Machine Assisted

With this kind of classification, a computer process scans message headers and bodies to make a determination as to what classifications may apply to it and update the headers accordingly. It makes these decisions in various ways, but in essence it follows a set of rules.

Advantages

▪ Limited human involvement: Once configured, the machine does all the heavy lifting. Potentially, all inbound, outbound, and internal messages can be processed automatically.

▪ Consistent decisions: Assuming the rules don’t change, the computer will be faithful in applying the same classifications to like messages without deviation. However, some systems employ a kind of learning or adapting logic that, in some way or another, bases current decisions on past results. While some inconsistency may be evident early on, the intent is to make these systems more accurate at classifying messages over time.

Disadvantages

▪ Computers can’t reason: They only do what they are told. This leads to various degrees of accuracy when classifying messages based purely on content or addresses, even when sophisticated and expensive learning systems are employed.


P a g e | 5

Manually—User Applied

This involves the sender applying a suitable classification to a message during composition before it is sent. Sometimes, the email client software may be able to assist the author in selecting a classification or it may prevent a message from being sent if the classification is missing. Received messages (e.g., from external sources) may also need to be classified after the fact by the recipient.

Advantages

▪ People can reason: Presumably the message author can make the best determination as to the nature of the message and, therefore, what classifications it needs. Or, if the message arrived unclassified from an external source, the recipient may be able to make that determination.

Disadvantages

▪ Increased workload: Besides additional and on-going training, there is additional work on the email author’s part to consider and apply classifications.

▪ Inconsistencies: Are users being thoughtful and careful each and every time they classify an email? Are the policies clear enough that everyone will arrive at the same determination about a given message's classifications? Inconsistencies can muddy the waters when trying to manage the messages later as a group of a given type.

M O V I N G F O R W A R D

There are several options for moving forward with an email classification system. Once you have identified the organizational needs for classifying email, there are several steps Sherpa Software experts recommend before moving forward with implementing.

Get Buy-in

Business needs should drive any classification effort. If the initiative begins with the Leadership team or a department like Legal or Governance, Risk Management and Compliance (GRC,) then adoption has a higher level of likelihood. Additionally, these other departments may have important insight into crafting an email classification policy or strategy. For instance, if the goal of an email classification strategy is to secure confidential emails from leaving the organization, the Governance, Risk Management and Compliance team can direct the email administrator to look out for the right keywords or patterns (e.g. patent or credit card numbers).


P a g e | 6

Draft an Email Classification Strategy

Before you begin shopping for the right kind of technology to support an email classification strategy, it is vital to write the strategy down and determine what and how you are going to classify emails in your environment. This will help greatly when researching technologies.

Research Supporting Technology

Identify opportunities present in your existing tools. You may have all the pieces already in place. If not, understand gaps that will need to be filled by new technologies so that you can compare products based on just the features you will need. One such tool is Sherpa Software’s Compliance Attender for Lotus Notes which contains an email classification module. Compliance Attender can classify email messages based on a wide array of criteria including message content, metadata, message size, etc. Compliance Attender is a module-based email compliance system for Lotus Notes environments; available modules include journaling, filtering and ToneCheck (automated tone/sentiment analysis).

As you can see, the answer to the question, should email classification matter depends. But for many organizations, that answer is an empathetic yes. For others, it may not be as clean cut, but the questions raised here will help you determine if classification is a good fit for your organization. Regardless of how you answer, you need to be asking the questions.

A B O U T T H E A U T H O R - G R A N T L I N D S A Y

As the Product Manager for Compliance Attender for Notes, Grant is responsible for product research and development, pre‐sales technical support (e.g., Demos), post‐sales technical support and competitive research.

Grant joined Sherpa Software in 2007 with 15 years of experience in Information Technology. Of those, more than 14 were spent building applications with Lotus Notes and Domino. He worked with a wide range of company sizes and across several industries including insurance, consulting, venture capital, manufacturing, software and more.

Grant is an IBM Certified Advanced Application Developer and an expert in email management and compliance, LotusScript, Notes Formula Language, application design, and security. He is also skilled in C/C++ and Java Application Programming Interfaces (APIs) for Notes and Domino. Grant is accomplished in web delivered technologies: HTML, CSS, and JavaScript.


P a g e | 7

He graduated in 1995 from the Career Development Institute with a Programmer Analyst Diploma. Grant spends his time with his wife, Lydia, of 16 years and his two retired greyhound racers, Rio and Wavorly.