... enforce virus and worm scanning at the email server, as well as at the network perimeter; this guarantees that internal email messages are properly scanned for malicious content.
Reconsider using SSL to pass sensitive data online
Many IT pros incorrectly assume their information is secure simply because it was submitted over SSL. Two points are true: SSL encryption makes it much more difficult (with SSL v3, perhaps close to impossible) to make use of data if it is intercepted, and SSL is a more secure transmission method than clear text. However, once the data is received and decrypted on the other side of the SSL connection, you no longer have any real control over it. Likewise, if your Windows system is infected with a keylogging Trojan, typing your credit card number into an SSL session in a browser isn't going to prevent it from being stolen.
The general belief that SSL provides security is precisely why many of the newer phishing scams that use SSL succeed in tricking people into giving up personal information. SSL provides nothing more than transmission security. The real question is: what happens to the data afterwards?
Encrypt email using archivers
Secure email is another area where corporations need some education. Most corporations do not need the level of email security provided by PGP or by the public key encryption built into most email systems.
When someone needs to send a Word document or Excel spreadsheet securely, I usually suggest they use the data encryption features of archivers such as WinZip or WinRAR, and send the encrypted archive as an attachment to a regular text email. When the recipient gets the email, they decrypt the archive using a password established in advance. While this is far from perfect, it's generally secure enough to lower the risk to minimal levels.
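As an added example (not code from the original article), here is a standard-library Python check that a mail gateway or a reviewer could run on such an attachment to confirm it is actually encrypted, and with which scheme: WinZip-style AES (compression method 99 plus the 0x9901 "AE" extra field) versus the legacy ZipCrypto scheme that many archivers still offer, which is known to be weak. The sample archives are constructed in-memory fixtures whose headers simulate each scheme; their payload is not really encrypted.

```python
import io
import struct
import zipfile

# WinZip AES extra-field header ID and the key-strength codes it carries.
AES_EXTRA_ID = 0x9901
AES_STRENGTH = {1: 128, 2: 192, 3: 256}

def aes_strength(extra: bytes):
    """Return the AES key size announced in an entry's extra field, or None."""
    while len(extra) >= 4:
        field_id, length = struct.unpack_from("<HH", extra)
        body = extra[4:4 + length]
        if field_id == AES_EXTRA_ID and length == 7:
            _vendor_ver, vendor_id, strength, _method = struct.unpack("<H2sBH", body)
            if vendor_id == b"AE":
                return AES_STRENGTH.get(strength)
        extra = extra[4 + length:]
    return None

def inspect_zip_encryption(archive: bytes) -> list:
    """Classify each entry of a ZIP archive by the encryption scheme its headers claim."""
    report = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x0001:  # general-purpose bit 0 = encrypted
                scheme = "none"
            elif info.compress_type == 99:   # method 99 = WinZip AES wrapper
                bits = aes_strength(info.extra)
                scheme = f"AES-{bits}" if bits else "AES (malformed AE header)"
            else:
                scheme = "ZipCrypto (legacy, known weak)"
            report.append({"name": info.filename, "scheme": scheme})
    return report

def sample_archive(flags: int, method: int, extra: bytes = b"") -> bytes:
    """Constructed fixture: one stored entry whose central-directory flag and
    method fields are patched to look like the requested scheme. The payload
    is NOT actually encrypted; only the headers are simulated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo("budget.xlsx")
        zi.extra = extra
        zf.writestr(zi, b"constructed spreadsheet bytes")
    data = buf.getvalue()
    cd = data.rfind(b"PK\x01\x02")  # the entry's central-directory header
    return data[:cd + 8] + struct.pack("<HH", flags, method) + data[cd + 12:]

AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 0)
```

Run `inspect_zip_encryption(sample_archive(1, 99, AES256_EXTRA))` to see the AES-256 case; any attachment reported as "none" or "ZipCrypto" is not protected the way the sender believes.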
Summary
I must stress that data encryption is only one of the tools in a comprehensive Internet security setup. Regardless of the sales pitches, remember that the lowest common denominator in Internet security is people, not technology.
Talkback
Encryption without AAA is meaningless. Meaning that if you encrypt something but don't log and monitor the Authentication, Authorization and Auditing events of it all, you might as well not bother with it. You're not slowing down the real bad guys (both external and internal); in fact, you're not even noticing them, but you are slowing down users authorized to access that data.
Another thing to keep in mind: (disaster) recovery. You might want to make sure that at least certain encrypted data can be restored and/or accessed by others in certain situations (e.g., Mr. No Good has been kicked out of the company but he encrypted what he could before his account was disabled).
As for VPN (SSL): if people worldwide truly understood how much money was pumped into that and how much additional security it actually added, a lot of people would be asking very difficult questions indeed.
Security, in reality, is about slowing down the bad guys long enough for you to notice them and take the right actions before they become a problem. Along with being able to recover in full from whatever situation, as far as risk assessment decisions at higher levels permit. And a bunch of other things.
One last thing to think about, whatever your feelings about encryption, DRM or whatever are: everything that is out of your total physical (and every other kind of) control is truly out of your control. Think about that before investing in solutions that claim to give you control. Really, I've seen guys, more than once, claiming that they could prevent others from printing, copying, editing and whatnot with documents 'protected' by their security solutions. I took out my PDA, took a photograph of the screen and said: stop me from doing this. End of discussion. Tons wasted on false security saved.
Really, decision makers should start to learn to find, identify and listen to those who actually know what they're talking about and don't have a hidden agenda. That would save such tremendous amounts of money and failure that most people wouldn't believe it. Simply because the quantity of an opinion says absolutely nothing about the quality of such an opinion, and in itself nothing about the validity of that opinion. In other words, the whole world could agree on something and still one person could be right. History is filled with plenty of such moments.