Email Policies: Tools to Govern Usage, Access and Etiquette - IT-Toolkits.org

2/29/2016, http://it-toolkits.org/blog/?p=72

Email is a fast, easy and readily accessible means of business communication. It has changed the way we communicate. These are the obvious rewards – but they are also the basis of every risk. Whenever email content is ill-advised, inappropriate, or even gets into the wrong hands, negative consequences can follow, including legal liability, regulatory penalties, confidentiality breaches, damage to corporate reputation, public embarrassment, internal conflicts, and all the related losses in productivity and performance that these circumstances can cause. Further, data loss and damage to technology assets can be realized through the transmission of malicious code, spam and computer viruses.

Perform the “What-if” Analysis: What are the risks to my organization of email abuse and/or misuse, and what are the likely consequences if these risks are not properly addressed? The next step is to weigh the costs and complications of all mitigating actions, and to then strike an appropriate balance between risk and probability.

To eliminate email usage is impractical and even unthinkable – so the goal has to be to minimize the risks through the best means possible – and that is through the use of physical security precautions and practical, relevant and enforceable email policy. To realize all of the intended goals and objectives, related policies (which will integrate closely with data security and internet usage policies) must encompass four (4) key governance needs:

1. Email Usage: To determine the circumstances under which email can and will be used within a given organization, whether there will be any limits and/or restrictions on the types of information that can be transmitted via email, as well as any limits and/or restrictions on the use of business email systems for personal communications.

2. Email Oversight: To establish that emails are official company records and to determine the manner in which email usage will be monitored and controlled, including the “ownership” of email content transmitted on business email systems.

3. Email Etiquette: To establish formatting, content and usage guidelines designed to minimize the risk that email content will be deemed unprofessional, offensive, inappropriate or subject to ridicule and criticism.

4. Email Management: To establish and implement appropriate technical controls to limit the risks of inbound email spam, virus and malicious code, and to establish automated procedures for email backup, storage and retention.

As a whole, usage, oversight, etiquette and management parameters must be combined to formulate “policy” that is aligned with business and technical needs, realistic considering actual communication needs, and enforceable considering corporate culture and related technical abilities.

Key Questions for Policy Scope and Content

To ensure that all usage, oversight, etiquette and management needs can be met, adopted email policies must be designed according to anticipated email usage, corporate culture, characteristics, business requirements, legal requirements, technical requirements and internal capabilities for enforcement. The list below provides a head start for policy planning, listing the key questions to be considered and addressed as part of the policy development process:

Policy Purpose

What are the specific goals of this email policy?

Why has the policy been created (considering the background events leading to policy development)?

What will the policy accomplish considering email usage, access, etiquette and management goals and objectives?

Policy Basis

What is the underlying authority and/or organizational basis for this email policy (considering internal guidelines and/or external regulatory requirements)?

Do you have sufficient executive support to enforce compliance with all of the policy provisions?

Policy Scope

What are the organizational targets of the policy considering company-wide applicability, division-specific application, departmental application or location-specific application?

Policy Stakeholders

Who are the policy stakeholders considering both individuals and groups who have a vested interest in the policy and ability to influence the outcome?

What are the specific roles and responsibilities required to implement, administer and enforce all policy terms, including all stated compliance obligations?

Email Management

What are the means and methods to be utilized to manage and secure all email systems considering access, standards for email addresses, restrictions on attachment size, remote access, spam and junk mail limitations and related management controls?

Compliance and Enforcement Guidelines

What are established guidelines for email policy compliance?

Will there be any exceptions and/or waivers with regard to policy compliance? If so, what are the terms under which exceptions and/or waivers will be granted?

How will compliance be enforced and what are the consequences for a failure to comply?

How will employees be provided with training relating to email policy compliance?

What types of auditing procedures will be used to monitor and promote email policy compliance?
