If you don’t have an email security policy, wake up! (and use our free sample policy)

Does your organization have a formal email security policy in place? If that question makes you snicker and mutter to yourself, “Well, duh! Of course, we do,” congratulations. You’re a good and smart IT Manager. Of all the IT policies in all the gin joints in all the world, a strong email security policy is one you can’t afford to be without.

Download our email security policy, please


If you’ve been too busy to implement an IT policy program — you know, because you’re putting out fires, hiring and managing good technicians, analysts, DBAs, programmers, and call center professionals, and configuring your Storage Area Network to keep up with an ever-growing mountain of user data and email messages — start today.  The folks at Toolkit Café will make it easy for you to get started. Just download our Email Security Policy.  It’s part of the Ultimate IT Policies Toolkit, and it’s easy to customize for your shop.



How to use the email security policy

The sample email security policy consists of five rules. The first four rules put all employees on notice that corporate email isn’t private and will be monitored and scanned for viruses.  (If you’re not currently monitoring email activity or scanning incoming messages for viruses, I’ll talk about what you should be doing in another rant.)  If you’re also scanning incoming or outgoing messages for sensitive information, you can customize this template to include a rule that informs users that outgoing messages will be scanned for content. If you want users to encrypt messages before they send sensitive information, you can add that rule, too.

The fifth rule prohibits using the company email system for “illegal, offensive, or harassing communications.” If your company doesn’t currently have a Code of Conduct or human resources policy that defines what constitutes illegal, offensive, or harassing communications, you can delete that rule.

After you customize the email security policy template, get it approved by your senior management team. Then publish that policy where your users can see it.

Whither email retention?

You might notice that the sample email policy is silent on how long copies of corporate email messages should be stored. That’s intentional, because most shops answer the question of “How long do we keep email messages?” in their Data Retention and Destruction policy.  If you don’t have a data retention and destruction policy, by all means, add a rule to your Email Security policy that establishes how long your company is going to retain email messages.  Depending on your industry, you may have to keep everything forever, or you may be able to delete all emails when they reach two years and one day old.

On another note: Whither Web mail?

I consult for a company whose management recently asked the question, “Do we need to offer Web mail?” An audit of the Information Technology function included a finding that offering Outlook Web Access (OWA) posed a security risk, because employees can download and print company-owned documents from any computer with Internet access, using the Web mail portal.

After listening to a lot of whining from the lines of business, the IT manager determined that the risks of Web mail outweighed the benefits, and his company’s senior managers agreed. They turned off the OWA site and implemented a program that allows employees to request smart phone access or a company-issued laptop when they absolutely, positively MUST check their work email accounts when out of the office.

Does your company offer Web-based access to the company email system?  Post your thoughts in a comment below or drop me a line, and I’ll share the most interesting comments in another blog post.


Round Up Them Telecommuters!

Managers, don’t let your telecommuters grow up to be cowboys! Or, to put it another way, before you start letting people work from home, you need to train them. Telecommuters need to know all the requirements and obligations – legal, financial and technological – that come along with the privilege of the work-from-home gig. The telecommuting employee should be trained in the following:

1. Understanding and completing the requisite paperwork.
2. Setting aside a dedicated workspace at the telecommuting location.
3. Ensuring adequate privacy and security for the workplace.
4. Correctly installing the hardware, drivers and software required.
5. Maintaining data and network security.
6. Coordinating with other employees, attending necessary meetings in person or online.

If you don’t want to create Training for Telecommuters from scratch, check out the Telecommuting Toolkit for IT, which includes a template PowerPoint presentation you can customize to train your employees looking to move to a telecommuting arrangement.


You want to connect to the network on WHAT?

Who else remembers the good old days, when IT shops ruled their shops with aluminum alloy fists and no one outside the IT department dared touch a cable or move a monitor? At the risk of sounding like a Luddite, I don’t like the Bring Your Own Device (BYOD) movement, no, not one bit. I like the control, consistency, and security of knowing my users connect to the corporate network using only company-provisioned machines.

Now people who don’t know a bit from a byte think they’re computer experts because they can tap-tap on their phones and surf the Web.  Big whoop.  And they all think they should be able to get their work email and connect to their work networks from their phones, too.

I understand the convenience of checking email anywhere, any time, but I doubt whether it’s efficient for anybody to try to do real writing and editing work on anything but a full-size keyboard.

But if the people want to “bring their own” tablets, phablets, smartphones, dumb phones, and Pong machines with them wherever they go so they can work any time, who are we — The Computer People — to judge them or to engage in an un-winnable battle to put the BYOD genie back in the bottle?

If you’re trying to figure out the best way to implement BYOD in your shop, Toolkit Café has a product that can help: The BYOD Policies and Procedures Toolkit. The BYOD toolkit includes the tools and templates you need to lay down the BYOD law to your end users and create a paper trail of documentation for your next IT security audit. Try the BYOD kit risk-free for 30 days, and come back to this page and let us know what you think of it.