2/29/2016 Email Policies: Tools to Govern Usage, Access and Etiquette - IT-Toolkits.org
http://it-toolkits.org/blog/?p=67 1/8
Email Policies: Tools to Govern Usage, Access and Etiquette - IT-Toolkits.org
Email is a fast, easy and readily accessible means of business communication. It has changed the
way we communicate. These are the obvious rewards – but they are also the basis of every risk.
Whenever email content is ill-advised, inappropriate, or even gets into the wrong hands, negative
consequences can follow, including legal liability, regulatory penalties, confidentiality breaches,
damage to corporate reputation, public embarrassment, internal conflicts, and all the related losses in
productivity and performance that these circumstances can cause. Further, data loss and damage to
technology assets can be realized through the transmission of malicious code, spam and computer
viruses.
Perform the “What-if” Analysis: What are the risks to my organization of email abuse and/or
misuse, and what are the likely consequences if these risks are not properly addressed? The next
step is to weigh the costs and complications of all mitigating actions, and to then strike an
appropriate balance between risk and probability.
To eliminate email usage is impractical and even unthinkable – so the goal has to be to minimize the
risks through the best means possible – and that is through the use of physical security precautions
and practical, relevant and enforceable email policy. To realize all of the intended goals and
objectives, related policies (which will integrate closely with data security and internet usage policies)
must encompass four (4) key governance needs:
1. Email Usage: To determine the circumstances under which email can and will be used within a
given organization, whether there will be any limits and/or restrictions on the types of information
that can be transmitted via email, as well as any limits and/or restrictions on the use of business
email systems for personal communications.
2. Email Oversight: To establish that emails are official company records and to determine the
manner in which email usage will be monitored and controlled, including the “ownership” of email
content transmitted on business email systems.
3. Email Etiquette: To establish formatting, content and usage guidelines designed to minimize the
risk that email content will be deemed unprofessional, offensive, inappropriate or subject to ridicule
and criticism.
4. Email Management: To establish and implement appropriate technical controls to limit the risks
of inbound email spam, virus and malicious code, and to establish automated procedures for email
backup, storage and retention.
As a whole, usage, oversight, etiquette and management parameters must be combined to formulate
“policy” that is aligned with business and technical needs, realistic considering actual communication
needs, and enforceable considering corporate culture and related technical abilities.
Key Questions for Policy Scope and Content
To ensure that all usage, oversight, etiquette and management needs can be met, adopted email
policies must be designed according to anticipated email usage, corporate culture, characteristics,
business requirements, legal requirements, technical requirements and internal capabilities for
enforcement. The list below provides a head start for policy planning, listing the key questions to be
considered and addressed as part of the policy development process:
Policy Purpose
What are the specific goals of this email policy?
Why has the policy been created (considering the background events leading to policy
development)?
What will the policy accomplish considering email usage, access, etiquette and management
goals and objectives?
Policy Basis
What is the underlying authority and/or organizational basis for this email policy (considering
internal guidelines and/or external regulatory requirements)?
Do you have sufficient executive support to enforce compliance with all of the policy
provisions?
Policy Scope
What are the organizational targets of the policy considering company-wide applicability,
division specific application, departmental application or location specific application?
Policy Stakeholders
Who are the policy stakeholders considering both individuals and groups who have a vested
interest in the policy and ability to influence the outcome?
What are the specific roles and responsibilities required to implement, administer and enforce
all policy terms, including all stated compliance obligations?
Email Management
What are the means and methods to be utilized to manage and secure all email systems
considering access, standards for email addresses, restrictions on attachment size, remote
access, spam and junk mail limitations and related management controls?
Compliance and Enforcement Guidelines
What are established guidelines for email policy compliance?
Will there be any exceptions and/or waivers with regard to policy compliance? If so, what are
the terms under which exceptions and/or waivers will be granted?
How will compliance be enforced and what are the consequences for a failure to comply?
How will employees be provided with training relating to email policy compliance?
What types of auditing procedures will be used to monitor and promote email policy
compliance?
You may also like
We all know that I.T. stands for “information technology” and that’s no accident. In fact, it’s a
reflection of the primary mission of every I.T. organization – to provide the means and methods for
creating, storing, transmitting, printing and retrieving business related information. By design, this
operational mission is driven by the need to “protect”, which also includes preventing unauthorized
access, uncontrolled modification and unwarranted destruction. The priorities are self-evident – data
integrity is vital, and vital needs must be met with purpose and commitment. The tricky part is to
balance vital interests with the associated costs and operational overhead. This is the higher
purpose of data security and the goal of related policy development.
Data Security Practices and Policy Purpose
As discussed, “data security” provides the means by which business data and related information is
protected and preserved. This is realized in multiple ways, as listed below:
Data security technology and practices provide the means by which data can be safely created,
stored, transmitted, printed and retrieved.
Data security technology and practices provide the means by which data accuracy and integrity is
ensured and maintained.
Data security technology and practices provide the means to prevent and control unauthorized
access, modification and destruction.
Data security technology and practices provide the opportunity to minimize the risks and costs
associated with data loss, data corruption and unauthorized access.
Of course, the physical means of “securing data” are essential to the process. You must have the
technical ability (through hardware and software) to physically meet each of the above listed
objectives. But that will only take you part of the way. To realize all of the intended benefits,
data security practices must be “institutionalized” – i.e. integrated into the corporate
culture and made part of how a given organization works. This is achieved through the
development and implementation of effective “data security policy”. Policy is a governance
mechanism, used to translate tangible security objectives into organizational terms that can be
implemented and enforced. In the case of data security, related policies provide the “how, what, and
why” to communicate security objectives and promote expected compliance.
To fulfill this mission, data security policy must be developed and documented to reflect the following
components and answer the underlying formative questions:
Policy Purpose
What are the specific goals of this data security policy?
Why has the policy been created (considering the background events leading to policy
development)?
What will the policy accomplish considering data security goals and objectives?
Policy Basis
What is the underlying authority and/or organizational basis for this data security policy
(considering internal guidelines and/or external regulatory requirements)?
Do you have sufficient executive support to enforce compliance with all of the policy
provisions?
Policy Scope
What are the organizational targets of the policy considering company-wide applicability,
division specific application, departmental application or location specific application?
What are the data targets of the policy considering the types of files, records, information and
applications covered by the policy?
Policy Stakeholders
Who are the policy stakeholders considering both individuals and groups who have a vested
interest in the policy and ability to influence the outcome?
What are the specific roles and responsibilities required to implement, administer and enforce
all policy terms, including all stated compliance obligations?
Security Means and Methods
What are the means and methods to be utilized to realize all identified data security
requirements, including data encryption, data access restrictions, security monitoring, data
classifications, userid requirements, password requirements, data storage mechanisms, and
related matters?
Compliance and Enforcement Guidelines
What are established guidelines for data security compliance?
Will there be any exceptions and/or waivers with regard to policy compliance? If so, what are
the terms under which exceptions and/or waivers will be granted?
How will compliance be enforced and what are the consequences for a failure to comply?
How will employees be provided with training relating to data security compliance?
What types of auditing procedures will be used to monitor and promote data security
compliance?
Take an Inclusive Approach to Policy Development
Every data security policy will benefit from an inclusive approach to development and implementation.
It takes a partnership between all of the interested and invested stakeholders to fully realize policy
relevance and enforcement. In the collaborative approach, the end-user partner defines the need
(the data to be protected and the business basis behind the security requirements). The IT partner
provides the technical means (and capability) by which the identified data security needs can be met.
These needs and means are then combined to form actionable policy through an “inclusive”
development process, characterized by input and collaboration at every stage:
Policy planning relies on input and information relating to data security needs and policy
objectives.
Policy preparation relies on the review of policy drafts, negotiation, and feedback relating to
specific terms and related obligations.
Policy implementation relies on the documented acceptance (and approval) of policy terms and
compliance obligations on the part of decision making stakeholders.
As policy development unfolds, checkpoints should be established to ensure that all decision making
stakeholders have been sufficiently engaged in the development process. Considering the long term
benefits of collaborative policy development (compliance is more readily secured when you have
advance buy-in), it’s always a good idea to create a “policy team” or committee as the organizational
vehicle for policy development. This policy team or committee should include members from all sides
– the end-user community, IT department, Legal department, Human Resources and any other
appropriate department with something to contribute. This will help to ensure that the policy delivered
represents all interests, incorporates all concerns, and has the greatest chance to succeed.
You may also like
Experience has shown that good things happen when the right set of end-user technology standards
are appropriately planned and applied. Tangible benefits can be realized across a broad spectrum,
ranging from improved IT service quality, to lowered technology management costs, and more (as the
list below demonstrates):
1. By limiting the variety of hardware and software products in use, IT departments will have the
opportunity to develop focused, in-depth product expertise, thereby improving the quality and
responsiveness of essential technical support services.
2. By limiting the variety of products in use, IT departments can better test and manage product
compatibility, thereby reducing the number of platform conflict problems.
3. Standardization can lower technology acquisition costs through volume purchasing, bringing
discounted pricing, as well as greater leverage to negotiate more favorable maintenance and
training contracts.
4. With a focus on a specific set of technology products, the end-user community will have the
opportunity to develop in-depth product expertise – to enhance operational productivity and
maximize technology utilization.
5. Standardization can minimize the risks associated with an uncontrolled technology portfolio,
facilitating disaster recovery planning, software licensing management, and security management.
This list is impressive, but by no means guaranteed. Standardization is not the answer to every
problem, and the best standards will amount to little more than “bureaucracy” if not properly designed
and implemented. Under certain circumstances, standards can also backfire, creating more problems
than they solve. When standards are created simply for power and control, lacking sufficient flexibility,
and without full consideration of business needs, in all likelihood, they will be bypassed. This helps no
one – not the business, not the end-users and certainly not the IT department.
Step by Step to Standards Planning
Step 1: Identify primary goals and objectives. What are your current needs and how will
standards help you meet your goals and objectives? This analysis will form the basis for your
standards justification needed to convince skeptical end-users and ambivalent managers.
Step 2: Identify requirements. What types of technology products (hardware and software) will be
addressed by these planned standards?
Step 3: “One Size Probably Does Not Fit All”. Make sure you provide sufficient alternatives within
any hardware or software product set, to accommodate different needs and preferences.
Step 4: Consider remote locations. Small satellite offices may have unique needs to which
established standards may not apply. You may need to create new standards for remote sites or
carve out appropriate exemptions.
Step 5: Be flexible. Create standards with sufficient flexibility, providing for a “waiver” process so
that “non-standard” products can be utilized whenever needed.
Step 6: Involve end-users in the standards process. Establish a workable process for standards
development and approval, which involves the end-user community.
Step 7: Communicate. Keep end-users sufficiently informed about all elements of the standards
process. You will need to let end-users know how standards are selected, what the current standards
are, how to request a waiver, and how to submit a desired product for standards review. You can do
this through a newsletter, policy manual, new employee orientation, training session, or through any
other marketing method available to you.
Step 8: Ask for feedback. Provide an open, publicized mechanism for feedback on your standards
selections and related processes. The more buy-in and participation you get the better. At least
people will be talking about the process, even if the standards themselves are in dispute.
Step 9: Enforce standards consistently. Standards will be meaningless if your end-users know
that they can be easily ignored (or bypassed). If standards are to deliver expected benefits, you must
have sufficient management support to enforce related policies and procedures. This level of
management support will be easier to come by if you maintain open communications with your end-users, and if you are prepared to justify standards decisions with “facts and figures”.
Step 10: Integrate standards guidelines and purchasing procedures. Standards will be easier
to control and maintain when they are supported by relevant purchasing procedures. If the IT
department is responsible for technology acquisition, standards can be more readily enforced.
However, depending upon organizational needs and considerations, it is not always feasible for the IT
organization to carry the burden of order processing. In these cases, you might ask your purchasing
department to forward non-standard purchase requests to IT for review.
Step 11: Don’t abdicate IT responsibility. If the only response given to a request for non-standard
technology is “no”, you’ll just end up with a fair number of unsupported products and a whole
lot of finger pointing. Collaborative approaches are far more effective, to work with end-users and to
find acceptable solutions to unique technology needs.