Example of an Email Security Policy

1 Overview

Electronic mail is used pervasively in almost all industry verticals and is often the primary communication and awareness method within an organization. At the same time, misuse of email can pose many legal, privacy and security risks, so it is important for users to understand the appropriate use of electronic communications.

2 Purpose

The purpose of this email policy is to ensure the proper use of the XXX email system and to make users aware of what XXX deems acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within the XXX network.

3 Scope

This policy covers appropriate use of any email sent from a XXX email address and applies to all employees, vendors, and agents operating on behalf of XXX.

4 Policy

4.1 Email Security

  1. All use of email must be consistent with XXX policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices. 
  2. The XXX email account should be used primarily for XXX business-related purposes; personal communication is permitted on a limited basis, but non-XXX-related commercial uses are prohibited.
  3. All XXX data contained within an email message or an attachment must be secured according to the Data Protection Standard.
  4. Email should be retained only if it qualifies as a XXX business record.
  5. Email is a XXX business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.
  6. The XXX email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any XXX employee should report the matter to their supervisor immediately.
  7. XXX employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
  8. XXX may monitor messages without prior notice. XXX is not obliged to monitor email messages.
  9. Do not use email:
    • To send confidential/sensitive information, particularly over the Internet, unless it is first encrypted by an encryption system approved by Information Security;
    • To create, send, forward or store emails with messages or attachments that might be illegal or considered offensive by an ordinary member of the public i.e. sexually explicit, racist, defamatory, abusive, obscene, derogatory, discriminatory, threatening, harassing, or otherwise offensive;
    • To commit the organization to a third party for example through purchase or sales contracts, job offers, or price quotations, unless you are explicitly authorized by management to do so (principally staff within Procurement and HR). Do not interfere with or remove the standard corporate email disclaimer automatically appended to outbound emails;
    • For private or charity work unconnected with the organization’s legitimate business;
    • In ways that could be interpreted as representing or being official public statements on behalf of the organization, unless you are a spokesperson explicitly authorized by management to make such statements;
    • To send a message from anyone else’s account or in their name (including the use of false ‘from:’ addresses). If authorized by the manager, a secretary may send an email on the manager’s behalf but should sign the email in their own name per pro (‘for and on behalf of’) the manager;
    • To send any disruptive, offensive, unethical, illegal, or otherwise inappropriate matter, including offensive comments about race, gender, color, disability, age, sexual orientation, pornography, terrorism, religious beliefs and practice, political beliefs or national origin, hyperlinks, or other references to indecent or patently offensive websites and similar materials, jokes, chain letters, virus warnings and hoaxes, charity requests, viruses or other malicious software;
    • For any other illegal, unethical or unauthorized purpose.
  10. Apply your professional discretion when using email, for example abiding by the generally accepted rules of email etiquette. Review emails carefully before sending, especially formal communications with external parties.
  11. Do not unnecessarily disclose potentially sensitive information in “out of office” messages.
  12. Emails on the corporate IT systems are automatically scanned for malicious software, spam, and unencrypted proprietary or personal information. Unfortunately, the scanning process is not 100% effective (e.g. compressed and encrypted attachments may not be fully scanned), therefore undesirable/unsavory emails are sometimes delivered to users. Delete such emails or report them as security incidents to the IT Help/Service Desk in the normal way.
  13. Except when specifically authorized by management or where necessary for IT system administration purposes, employees must not intercept, divert, modify, delete, save or disclose emails.
  14. Limited personal use of the corporate email systems is permitted at the discretion of local management, provided always that it is incidental and occasional and does not interfere with business. You should have no expectation of privacy: all emails traversing the corporate systems and networks are subject to automated scanning and may be quarantined and/or reviewed by authorized employees. Non-work-related email shall be saved in a separate folder from work-related email. Sending chain letters or joke emails from a XXX email account is prohibited.
  15. Do not use Gmail, Hotmail, Yahoo, or similar external/third-party email services (commonly known as “web-mail”) for business purposes. Do not forward or auto-forward corporate email to external/third-party email systems. [You may access your own web-mail via corporate IT facilities at local management discretion, provided that such personal use is strictly limited and is not considered private.]
  16. E-mail shall only be used for business purposes, using terms which are consistent with other forms of business communication. The E-mail guidelines are intended to help users make the best use of the electronic mail facilities at their disposal. When using the organization’s electronic mail facilities, users should comply with the E-mail guidelines.

4.2 Email Retention

4.2.1 Administrative Correspondence

XXX Administrative Correspondence includes, but is not limited to, clarification of established company policy, including holidays, time card information, dress code, workplace behavior and any legal issues such as intellectual property violations. All email with the information sensitivity label Management Only shall be treated as Administrative Correspondence. To ensure Administrative Correspondence is retained, a mailbox admin@XXX has been created; if you copy (cc) this address when you send email, retention will be administered by the IT Department.

4.2.2 Fiscal Correspondence

XXX Fiscal Correspondence is all information related to revenue and expense for the company. To ensure Fiscal Correspondence is retained, a mailbox fiscal@XXX has been created; if you copy (cc) this address when you send email, retention will be administered by the IT Department.

4.2.3 General Correspondence

XXX General Correspondence covers information that relates to customer interaction and the operational decisions of the business. The individual employee is responsible for email retention of General Correspondence.

4.2.4 Ephemeral Correspondence

XXX Ephemeral Correspondence is by far the largest category and includes personal email, requests for recommendations or review, email related to product development, updates and status reports.

4.2.5 Instant Messenger Correspondence

XXX Instant Messenger General Correspondence may be saved with the logging function of the Instant Messenger, or copied into a file and saved. Instant Messenger conversations that are Administrative or Fiscal in nature should be copied into an email message and sent to the appropriate email retention address. The Jabber Secure IM Client is the only IM client approved for use on XXX computers.

4.2.6 Encrypted Communications

XXX encrypted communications should be stored in a manner consistent with XXX Information Sensitivity Policy, but in general, information should be stored in a decrypted format.

4.2.7 Recovering Deleted Email via Backup Media

XXX maintains backup tapes from the email server; once a quarter a set of tapes is taken out of the rotation and moved offsite. No effort will be made to remove email from the offsite backup tapes.

4.2.8 General Standards

  1. Approved Electronic Mail: Includes all mail systems supported by the IT Support Team. These include, but are not necessarily limited to, [insert corporate supported mailers here…]. If you have a business need to use other mailers, contact the appropriate support organization.
  2. Approved Encrypted Email and Files: Techniques include the use of DES and PGP. DES encryption is available via many different public domain packages on all platforms. PGP use within XXX is done via a license. Please contact the appropriate support organization if you require a license.
  3. Approved Instant Messenger: The Jabber Secure IM Client is the only IM client approved for use on XXX computers.
  4. Individual Access Controls: Individual Access Controls are methods of electronically protecting files from being accessed by people other than those specifically designated by the owner. On UNIX machines, this is accomplished by careful use of the chmod command (use man chmod to find out more about it). On Macs and PCs, this includes using passwords on screensavers, such as Disklock.
  5. Insecure Internet Links: Insecure Internet Links are all network links that originate from a locale or travel over lines that are not totally under the control of XXX.
  6. Encryption: Secure XXX Sensitive information in accordance with the Acceptable Encryption Policy. International issues regarding encryption are complex. Follow corporate guidelines on export controls on cryptography, and consult your manager and/or corporate legal services for further guidance.
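The "Individual Access Controls" item above leaves the UNIX side at "careful use of the chmod command". The script below is an added example (not part of the policy text) showing what that care looks like in practice: it audits a directory of stored mail for files that group or other users can read or write, then restricts every file to its owner. The directory and file names are constructed for the demonstration; apply `lock_down` to the real mail store path on your own hosts.

```shell
#!/bin/sh
# Added example: audit a mail directory for files readable or writable by
# group/others, then tighten them to owner-only (rw-------, mode 600).
# The demo directory and file names below are constructed for illustration.

# List regular files under $1 whose mode grants any read or write permission
# to group or others. Prints nothing when the directory is clean.
find_exposed() {
    find "$1" -type f \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print
}

# Restrict every regular file under $1 to its owner.
lock_down() {
    find "$1" -type f -exec chmod 600 {} +
}

# Octal mode of a file; tries the GNU stat syntax first, then BSD/macOS.
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Demo on a constructed mailbox directory (mktemp -d creates it owner-only).
demo_dir=$(mktemp -d)
printf 'Subject: quarterly figures\n' > "$demo_dir/fiscal.eml"
printf 'Subject: lunch\n' > "$demo_dir/note.eml"
chmod 644 "$demo_dir/fiscal.eml"   # world-readable: the audit should flag this
chmod 600 "$demo_dir/note.eml"     # already owner-only

echo "Exposed before lock_down:"
find_exposed "$demo_dir"
lock_down "$demo_dir"
echo "Exposed after lock_down:"
find_exposed "$demo_dir"
```

Running `find_exposed` on its own is the detection half (it is cheap enough to schedule), and `lock_down` is the remediation half; keeping them separate lets an administrator review what would change before changing it.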

4.3 Automatically Forwarded Email Policy

Employees must exercise utmost caution when sending any email from inside XXX to an outside network. Unless approved by an employee’s manager, XXX email will not be automatically forwarded to an external destination. Sensitive information, as defined in the Data Classification and Protection Policy, will not be forwarded via any means, unless that email is critical to business and is encrypted in accordance with the Acceptable Encryption Policy.

5 Policy Compliance

5.1 Compliance Measurement

The IT team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the Infosec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.