Does your organization have a formal email security policy in place? If that question makes you snicker and mutter to yourself, “Well, duh! Of course, we do,” congratulations. You’re a good and smart IT Manager. Of all the IT policies in all the gin joints in all the world, a strong email security policy is one you can’t afford to be without.
Download our email security policy, please
If you’ve been too busy to implement an IT policy program — you know, because you’re putting out fires, hiring and managing good technicians, analysts, DBAs, programmers, and call center professionals, and configuring your Storage Area Network to keep up with an ever-growing mountain of user data and email messages — start today. The folks at Toolkit Café will make it easy for you to get started. Just download our Email Security Policy. It’s part of the Ultimate IT Policies Toolkit, and it’s easy to customize for your shop.
How to use the email security policy
The sample email security policy consists of five rules. The first four rules put all employees on notice that corporate email isn’t private and will be monitored and scanned for viruses. (If you’re not currently monitoring email activity or scanning incoming messages for viruses, I’ll talk about what you should be doing in another rant.) If you’re also scanning incoming or outgoing messages for sensitive information, you can customize this template to include a rule that informs users that outgoing messages will be scanned for content. If you want users to encrypt messages before they send sensitive information, you can add that rule, too.
The fifth rule prohibits using the company email system for “illegal, offensive, or harassing communications.” If your company doesn’t currently have a Code of Conduct or human resources policy that defines what constitutes illegal, offensive, or harassing communications, you can delete that rule.
After you customize the email security policy template, get it approved by your senior management team. Then publish that policy where your users can see it.
Whither email retention?
You might notice that the sample email policy is silent on how long copies of corporate email messages should be stored. That’s intentional, because most shops answer the question of “How long do we keep email messages?” in their Data Retention and Destruction Policy. If you don’t have a data retention and destruction policy, by all means, add a rule to your Email Security Policy that establishes how long your company is going to retain email messages. Depending on your industry, you may have to keep everything forever, or you may be able to delete all emails when they reach two years and one day old.
On another note: Whither Web mail?
I consult for a company whose management recently asked the question, “Do we need to offer Web mail?” An audit of the Information Technology function included a finding that offering Outlook Web Access (OWA) posed a security risk, because employees can download and print company-owned documents from any computer with Internet access, using the Web mail portal.
After listening to a lot of whining from the lines of business, the IT manager determined that the risks of Web mail outweighed the benefits, and his company’s senior managers agreed. They turned off the OWA site and implemented a program that allows employees to request smart phone access or a company-issued laptop when they absolutely, positively MUST check their work email accounts when out of the office.
Does your company offer Web-based access to the company email system? Post your thoughts in a comment below or drop me a line, and I’ll share the most interesting comments in another blog post.