Policy is the most important part of any protection. Without a thought-out security policy, implemented and maintained at the highest level, it is impossible to talk about corporate security. Good guidelines on corporate security policy can be found in RFC 2196, Site Security Handbook: ftp://ftp.isi.edu/in-notes/rfc2196.txt and in a few NIST publications:

NIST: Guide for Developing Security Plans for Information Technology Systems http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF
NIST: An Introduction to Computer Security: The NIST Handbook, http://csrc.nist.gov/publications/nistpubs/800-12/
NIST: Generally Accepted Principles and Practices for Securing Information Technology Systems http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf

I will just remind you of a few key points that matter for protection against e-mail attacks:

1. You SHOULD have written instructions for users on using e-mail. The instructions should state what users can and cannot expect to receive via e-mail and whom they have to contact in case of an unexpected e-mail.

2. You SHOULD have an AUP (Acceptable Use Policy), a document that explains to users what they can and cannot do, what resources they can access and what kinds of files they can send or receive via e-mail. All users (including administrators) should sign the AUP and keep a printed copy.

3. Have a corporate address book. Your policy MUST specify who can add or edit entries in the corporate address book. You should have a policy to send confidential documents only to entries from the corporate address book.

4. Have registries for private/confidential/secure documents. For each registry, specify the boundaries for distribution of these documents, including which groups from the corporate address book may receive them.

5. Forbid your system administrators from using e-mail under administrative accounts. Only accounts without elevated privileges should be used to access e-mail or the Internet (remember that members of the Power Users group have very high privileges). Normally administrators should work under a non-privileged account and use administrative privileges only for administration. Under Windows 2000 this is easily achieved with the "Run As" service.

6. You MAY have a policy to allow Internet or e-mail access only from guest accounts or from separate workstations that have no connection to the internal network.

7. Train and test your users. Try to simulate e-mail attacks against users and see how they react; this will help you find weak spots before they are exploited. You can also run classroom training and internal certification for your staff, and certification may be required for access to confidential documents. Users who fail the test during an attack simulation can be given additional training and certification. The training policy SHOULD be part of the security policy.

8. Limit access to the corporate network and to confidential information from mobile and home computers. Normally you cannot control the settings on your users' home computers; if you allow them to access confidential information from home, all your other security measures give no protection against a possible attack. You may have a policy to "certify" all computers with access to confidential information, for example: "all home and mobile computers accessing or storing confidential information must be certified by a system administrator at least once every 2 months; all software installation must be done under the control of a system administrator". The "certification" procedure should be clearly defined.

9. Remember that executives and managers ARE users, and they are the most likely to be attacked. It will be very hard to control executives or managers if you do not have a signed paper allowing you to do that. That is why it is important to mention this in the security policy, because the security policy is a document signed by executives :)

10. Make all software uniform. Don't allow users to use different MUAs (mail user agents), because it complicates administration: it is much easier to maintain 1000 computers in the same configuration than 100 hosts with a unique configuration for each one. Subscribe to security lists (like ISS X-Force, Bugtraq, Securiteam) to learn about and correct vulnerabilities in your software before they become familiar to hackers. Check for the availability of updates. You MUST have a policy for implementing security fixes. This policy should guarantee that only tested updates are installed in the production environment and that all security-related fixes are installed within a short time. Sometimes it is very hard to find a balance between these two requirements.