Email Security Policies
- Rules for Using Email
- Administration of Email
- Use of Email for Confidential Communication
This sample chapter is excerpted from Writing Information Security Policies.
We are quick to embrace new technologies when they improve the ability to communicate. The explosion of email is the most recent testament to that. But email is not the panacea everyone believes it to be. Besides improving communications, email can be used to transmit proprietary information, harass other users, and engage in illegal activities, and it can be used as evidence against the company in legal actions.
Over the last few years, there have been quite a few lawsuits that relied on evidence gathered from email archives. Recently, in the antitrust trial United States versus Microsoft, the government's attorneys used archived email from Microsoft executives as evidence against Microsoft. This focused attention on many organizations' policies regarding how email is used and how it is treated once transmitted.
Email is the electronic equivalent of a postcard. Because of this, it requires special policy considerations. From archiving to content guidelines, organizations have much to consider when writing email policies.
Rules for Using Email
Email has been around since the birth of the Internet. Messages are sent in near real-time and are not very obtrusive. The recipient does not have to read the message immediately, so it is not as intrusive as a telephone call. It also gives the writer a chance to word the message carefully.
But this time-honored means of transmission comes with some responsibilities, which should not be lost on policy writers. In fact, when creating email policy, I recommend that the general rules and guidelines that users need to abide by appear first in the email policy document. One client decided that, in order to grab the attention of the users, he would include a "Ten Commandments of Email." Using email policy statements such as this is a creative way of expressing policy that gets noticed. Although they are edited to protect my client's confidentiality, here are those commandments[1]:
- Thou shalt demonstrate the same respect thou gives to verbal communications.
- Thou shalt check thy spelling, thy grammar, and read thine own message thrice before thou send it.
- Thou shalt not forward any chain letter.
- Thou shalt not transmit unsolicited mass email (spam) unto anyone.
- Thou shalt not send messages that are hateful, harassing, or threatening unto fellow users.
- Thou shalt not send any message that supports illegal or unethical activities.
- Thou shalt remember thine email is the electronic equivalent of a postcard and shalt not be used to transmit sensitive information.
- Thou shalt not use thine email broadcasting facilities except for making appropriate announcements.
- Thou shalt keep thy personal email use to a minimum.
- Thou shalt keep thy policies and procedures sacred and help administrators protect them from abusers.