A clearly defined E-mail Usage Policy can mitigate the risk of liability.. Critical E-m mail Usage Policy elementsIntroduction An E-mail Usage Policy’s introduction should briefly explai
Trang 1Case Document
Build Your Own:
E-mail Usage POlicy
Trang 2Why an E-m mail Usage Policy is important
E-mail is undoubtedly one of the greatest communication tools we have today Employees, vendors, cus-tomers, executives, and other corporate users have all benefited from the advancements made to e-mail over the years However, e-mail has also created many problems for IT professionals with the spread of viruses, Spam, and worms In addition, e-mail has spawned many lawsuits from users offended by the mail received
in their corporate inbox While the law on Internet e-mail is still vague, the courts are clear about one thing— employers that have an E-mail Usage Policy read and signed by employees can protect themselves from many claims
Typically, a company should develop an E-mail usage policy that is consistent with other communication media such as fax or letter mail While e-mail requires less effort to distribute than these more formal means
of communication, the company’s name still goes out on the header of the message This company “sta-tionery” makes it the responsibility of the company to ensure the intended recipients of employee’s e-mail are not offended or damaged by the content
In addition, an effective E-mail Usage Policy can help you maintain the integrity of your system against viruses, and prevent lawsuits from violations of intellectual property, anti-spam laws, sexual harassment, wrongful termination, and more
A final area of concern is employee privacy Many employees that have been dismissed for sending inappro-priate e-mails have brought litigation claims against former employers for invasion of their privacy A clearly defined E-mail Usage Policy can mitigate the risk of liability If employees have been properly trained on the e-mail system and have signed the usage policy, then it will be difficult for them to claim they were not aware
of your capabilities for monitoring
This is an alpha version of TechRepublic’s Build Your Own E-mail Usage Policy.
Please provide TechRepublic’s editors with feedback on what you found helpful in this
document, as well as anything you may not have found beneficial Be sure to also let
our editors know if you feel a particularly important component or element has been
omitted that should be included Feedback may be sent directly to the team
develop-ing this document at mailto:content1@cnet.com.
This is an alpha version of TechRepublic’s Build Your Own E-mail Usage Policy As
such, this specific IT policy addresses appropriate end user e-mail use Please send
your suggestions for other IT policies or template topics you would find helpful to
TechRepublic editors directly at mailto:content1@cnet.com.
Trang 3Critical E-m mail Usage Policy elements
Introduction
An E-mail Usage Policy’s introduction should briefly explain the purpose for the policy as well as define a few
of the elements the company considers to be “e-mail” For instance, e-mail may be defined as mail sent from
a MAPI client software package like Outlook, an instant messaging service, a peer-to-peer file exchange, or some combination thereof
A comparison to other forms of written communication and the company’s expectation of standards for e-mail should be presented Most E-e-mail Usage Policy introductions reinforce the stricter guidelines that e-e-mail
is a tool used only for business communications, but some leave open the possibility of personal use if the company’s culture desires it The introduction should also clearly state that e-mail exchanged on its systems
is considered the property of the company, which gives it the right to monitor accounts for policy compliance
Guidelines for authorized use
Acceptable use of e-mail should be clearly defined If your organization permits reasonable personal use, the policy should clearly state such use must not interfere with the performance of work responsibilities The fol-lowing are other guidelines typically seen in e-mail usage policies in the authorized use section:
z Subscribing to distribution lists and other forms of e-mail subscription services related to your job function
is allowed If the service does not pertain to your job function, seek manager approval before signing up
z Passwords are your best defense against unauthorized use of your e-mail account Do not compromise your account by giving it to others or displaying it in public view
z The encryption of e-mail is not necessary for most situations, but all confidential messages should contain some form of encoding If in doubt, contact your manager
z Users should take care in addressing messages so it reaches the appropriate recipient Also, spelling and grammar should be checked by the e-mail client before sending the message
z Long term message retention is important only if it is relevant for business or legal purposes If you desire
to keep less important messages for longer than X days, please archive the e-mail to your allotted server storage space The e-mail system is designed to delete messages older than X number of days
z Avoid sending company- or department-wide messages E-mail “blasting” can cause a system to slow down and affect performance If you have a company- or department-wide message to deliver, first send it
to a user who has access to the “all company” e-mail grouping
z Large e-mail attachments can drastically slow system performance Attachments that exceed X MB in size will be removed by the server and not sent
Prohibited use of e-mail
An E-mail Usage Policy should clearly state what is not allowed on the system While some items are obvi-ous, you should try to list as many offences as possible to make the policy more enforceable should the need arise The following are just a sample of prohibited activities you should consider when creating your policy:
z Creating or exchanging offensive or obscene messages of any kind, including pornographic material
z Sending e-mail that promotes discrimination on the basis of race, gender, national origin, age, marital status, sexual orientation, religion, or disability
z Sending e-mail that contains a threatening or violent message
z Exchanging proprietary information, trade secrets, or other confidential information with anyone not
affiliated with the company
z Creating, forwarding, or exchanging spam, chain letters, solicitations, or advertising
z Creating, storing, or exchanging e-mail that violates material protected under copyright laws
Trang 4z Distributing corporate data to the organization’s
customers or clients without proper authorization
z Altering a message from other users without their
permission
z Opening e-mail without performing a virus scan
z Improperly using someone else’s e-mail account
as your own without permission
Factors affecting productivity
It is imperative that users understand how sending
e-mail to large distribution groups can overload a
sys-tem Many recipients do not need the e-mail and it
can get in the way of other more important
mes-sages Attachments are another big concern for IT
professionals, as the MB size continues to grow and
user inboxes fill with unneeded files One way to
combat attachment broadcasting is to centralize
stor-age with space on an Intranet Web site that users
can provide links to in their e-mail messages
Following the guidelines set forth in the E-mail
Usage Policy will help users understand the
impor-tance of sending well defined e-mails Perhaps
nowhere is this clarification more apparent than the
subject line Message handling is vastly improved
when subject lines are to the point and encompass
the major thrust of the e-mail message This will
ensure the message is not discarded before being
read and will be easier to sort
Security
E-mail is the easiest method for hackers to distribute
viruses, worms, and other forms of malicious
soft-ware Defending against these attacks is a major part
of any IT professional’s job Thus, the security
sec-tion of the E-mail Usage Policy can go a long way to
defining how restrictive an organization is with its
e-mail service The company may wish to limit e-e-mail
accounts only to individuals whose job descriptions
require a legitimate business use Others may define
a more liberal account structure, yet monitor usage
and deal with problem accounts according to the
E-mail Usage Policy
Privacy
E-mail Usage Policies should ensure users maintain
no expectation of privacy while using
company-owned or company-leased equipment Further, the
policy should make it clear that information passing
through or stored on company equipment can and will be monitored Users should also know the organi-zation maintains the right to monitor and review e-mail communications sent or received by users as necessary and that such communications should not
be considered private or secure
Violation penalties
E-mail Usage Policies must clearly state the conse-quences of improper use, which typically range from loss of e-mail account privileges to termination Policies should state how violations will be reviewed, such as on a case-by-case basis or on an every-case basis Policies should also describe the events that will trigger when a violation occurs
For example, a policy’s Violations section might read as follows:
Violations will be reviewed on a case-by-case basis
If it is determined that a user has violated one or more use regulations, that user will receive a repri-mand from his or her supervisor and his or her future use will be closely monitored If a gross violation has occurred, management will take immediate action Such action may result in losing e-mail account privi-leges, severe reprimand, or termination of employ-ment
Reporting
When violations occur, appropriate IT department staff and the offender’s managing supervisor should
be formally notified Depending upon your organiza-tion, it may be appropriate to copy Human Resources personnel on all messaging related to the violation And, if the organization monitors employee e-mail use, mail server log files should be saved as backup
IT staff should take care when reviewing monitored communications to ensure employees are aware e-mail use is being monitored IT staff should monitor users’ e-mail use only insofar as is required to sup-port operational, maintenance, auditing, security, and investigative activities Users should be told that IT staff may review individual employee’s communica-tions during the course of resolving a problem, but IT staff should be encouraged not to review specific employees’ e-mail habits out of personal curiosity or
at the behest of individuals who have not received proper approval to monitor employee e-mail use
Trang 5Organizational readiness
An E-mail Usage Policy will fail to curtail inappropriate e-mail use if the policy is not rolled out properly or enforced Employees should be required to sign a personal copy of the E-mail Usage Policy and state that they have read and understood the policy
E-mail Usage Policies must be enforced to be effective Violation reports must be followed up professionally, and offenders must be dealt with according to the policy’s direction
Length and language
There is no requirement that an E-mail Usage Policy be lengthy, contain legal jargon, or use excessive word-ing You are likely to be best served by clearly communicating which e-mail activities are acceptable, which are not, and what the penalties of noncompliance are succinctly and in language users understand
Lack of enforcement
Users will catch on quickly when an E-mail Usage Policy is not enforced Here IT staff members can lead by example by ensuring they refrain from using the organization’s systems to check e-mail in order to perform non-business related activities
When violations are discovered, the IT staff should work professionally with the offender, the offender’s supervising manager, and a Human Resources representative to ensure situations are resolved quickly
Important items
When preparing an E-mail Usage Policy, your organization needs to make difficult decisions regarding which e-mail activities are acceptable and which are prohibited Tough decisions must also be made when determin-ing the penalties for violations
Ensure your IT department and Human Resources staff agrees on the policy’s terms, especially for the fol-lowing items:
z Specific examples of acceptable e-mail usage
z Specific examples of unacceptable e-mail usage
z Penalties for first-time offenders
z Penalties for repeat offenders
To begin customizing the alpha version of TechRepublic’s Build Your Own E-mail Usage Policy, open the Excel spreadsheet included in the zip file with this case document.